Two Factor Authentication Best Practices
v0.1.0

This skill provides guidance and enforcement rules for implementing secure two-factor authentication (2FA) using Better Auth's twoFactor plugin.
by Steven Lee (@stevenfengli)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
Name/description match the SKILL.md content: all examples and guidance relate to configuring Better Auth's twoFactor plugin. The skill does not request unrelated credentials, binaries, or config paths.
Instruction Scope
Runtime instructions are limited to library usage, configuration options, and example handlers (e.g., sendOTP via sendEmail). There are no instructions to read unrelated files, exfiltrate data, or call unexpected external endpoints.
Install Mechanism
No install spec and no code files — instruction-only content. Nothing will be downloaded or written to disk by the skill itself.
Credentials
The skill declares no environment variables or credentials. The examples reference implementing a sendEmail function and database migrations, which are expected for a 2FA integration and do not require hidden credentials from the skill itself.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not attempt to modify other skills or system-wide settings.
Assessment
This skill is an instructional guide and appears internally consistent, but exercise normal caution before using any third-party auth guidance:
1) Verify the authenticity and security record of the better-auth package and its CLI (review its repository, npm package, and maintainers) before installing into production.
2) Ensure you implement secure sendEmail/sendOTP delivery and protect any mailer credentials separately.
3) Run database migrations in a safe way (back up data first) and review what fields/tables are added.
4) Store OTPs/backup codes using encrypted or hashed storage as recommended; display backup codes only once and advise users to save them.
5) Avoid skipVerificationOnEnable in production unless you understand the recovery/attack tradeoffs.
6) Confirm rate limits, allowedAttempts, and trust-device settings align with your threat model.
The skill itself makes no surprising requests, but you should audit the actual dependencies and your implementation before deployment.
