Two Factor Authentication Best Practices
Verdict: Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill gives coherent 2FA implementation guidance; review the database migration step and sensitive authentication-code handling before applying it.
This appears safe to install as guidance-only content. Before applying it, review any generated auth changes, validate the Better Auth migration command, and handle passwords, OTPs, TOTP URIs, backup codes, and trusted-device settings as sensitive account-security material.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: database migration command
Risk: running the command may create or alter database tables and fields, so applying it in the wrong environment could change or break authentication data.
What the skill does: it asks the user or agent to run a CLI command that fetches and executes package tooling through npx and changes the application's database schema. The step is disclosed and purpose-aligned for 2FA setup.
Quoted from SKILL.md: After adding the plugin, run `npx @better-auth/cli migrate` to add the required database fields and tables.
Recommendation: review the migration output and the package's provenance (the exact package and version npx resolves), run it in development or staging first, and require explicit approval before applying it to production.

Finding 2: handling of sensitive authentication material
Risk: if implemented carelessly, account passwords, setup secrets, OTPs, or backup codes could be exposed in logs or stored insecurely.
What the skill does: the guidance handles sensitive authentication material such as passwords, TOTP setup URIs, and recovery codes. This is expected for a 2FA skill but needs careful implementation.
Quoted from SKILL.md: When a user enables 2FA, require their password for verification. The enable endpoint returns a TOTP URI for QR code generation and backup codes for account recovery.
Recommendation: do not log authentication secrets (the TOTP URI embeds the shared secret), show backup codes only at enrollment or regeneration, store OTPs and recovery codes securely (recovery codes hashed like passwords, the TOTP secret encrypted at rest), and make trusted-device behavior explicit to users.
