
Add 2FA Support with TOTP and SMS Verification #333

@llinsss

Description


Problem

User accounts are protected only by a password. Two-factor authentication is needed for enhanced security, especially for high-value accounts.

Proposed Solution

Implement 2FA using TOTP (Time-based One-Time Password) and SMS verification with backup codes.

Technical Implementation

New Files:

  • backend/services/TwoFactorAuthService.js - 2FA service
  • backend/services/2fa/TotpService.js - TOTP implementation
  • backend/services/2fa/SmsVerificationService.js - SMS verification
  • backend/services/2fa/BackupCodeService.js - Backup codes
  • backend/models/TwoFactorAuth.js - 2FA settings model
  • backend/models/BackupCode.js - Backup codes model
  • backend/controllers/twoFactorAuthController.js - 2FA endpoints
  • backend/routes/twoFactorAuth.js - 2FA routes
  • backend/middleware/require2FA.js - 2FA enforcement middleware
  • backend/migrations/20260327000018_create_two_factor_auth.js - Migration
  • backend/migrations/20260327000019_create_backup_codes.js - Migration
  • backend/tests/twoFactorAuth.test.js - Test suite

Modify:

  • backend/models/User.js - Add two_factor_enabled field
  • backend/controllers/authController.js - Add 2FA verification step
  • backend/services/AuthService.js - Integrate 2FA checks
  • backend/middleware/auth.js - Enforce 2FA for sensitive operations
  • backend/package.json - Add speakeasy, qrcode packages

2FA Flow

// Enable 2FA
POST /api/2fa/enable
Response: {
  secret: "JBSWY3DPEHPK3PXP",
  qrCode: "data:image/png;base64,...",
  backupCodes: [
    "1234-5678-9012",
    "2345-6789-0123",
    // ... 8 more codes
  ]
}

// Verify and activate
POST /api/2fa/verify
Body: { code: "123456" }

// Login with 2FA
POST /api/auth/login
Body: { email, password }
Response: { requiresTwoFactor: true, tempToken: "..." }

POST /api/auth/verify-2fa
Body: { tempToken: "...", code: "123456" }
Response: { token: "...", user: {...} }

Acceptance Criteria

  • TOTP implementation with QR code generation
  • SMS verification as alternative
  • 10 backup codes generated on setup
  • Backup code single-use enforcement
  • 2FA required for withdrawals > $1000
  • 2FA recovery process
  • Rate limiting on verification attempts
  • Test coverage > 90%

Priority

Critical - Essential for security
