API

Login challenge

At the end of this guide, you will have a secure 2FA verification step during login with dual rate limiting and support for both TOTP codes and recovery codes.

When a user with two-factor authentication enabled submits valid credentials, the login endpoint returns a short-lived challenge token instead of a real credential. The consumer must then submit the challenge token together with a 6-digit TOTP code (or a single-use recovery code) to a separate verify endpoint, which issues the real credential on success.

The component includes:

  • Login controller modification to detect 2FA-enabled users and return a challenge token
  • A new challenge verify endpoint accepting TOTP and recovery codes
  • A short-lived encrypted challenge token bound to a two_factor_challenge purpose
  • Dual rate limiting on the challenge endpoint

Note

This guide requires you to complete the Two-Factor Setup, Two-Factor Enrollment, and Auth Login guides first.
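The flow described above, as an added example that is not the guide's own code: a plain Ruby sketch (no Rails) of a signed, purpose-bound, expiring challenge token, a verify step that accepts an RFC 6238 TOTP code or a single-use recovery code, and a per-token attempt cap standing in for one of the two rate limits. The signing key, TTL, attempt limit and user record are constructed for the example, and the token here is only signed where the guide's is encrypted.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "digest"
require "set"

SIGNING_KEY = OpenSSL::Random.random_bytes(32) # hypothetical per-app key (constructed)
CHALLENGE_TTL = 5 * 60                         # seconds a challenge stays valid (assumed)
MAX_ATTEMPTS_PER_TOKEN = 5                     # one of the two rate-limit dimensions (assumed)
ATTEMPTS = Hash.new(0)

# Constructed user record: the TOTP secret is the RFC 6238 test secret; recovery codes are stored hashed.
USERS = { 42 => { totp_secret: "12345678901234567890",
                  recovery_codes: Set[Digest::SHA256.hexdigest("abcd-1234")] } }

# Constant-time equality so a wrong signature or code does not leak how many bytes matched.
def constant_time_eql?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login step: credentials were valid, so hand back a signed, purpose-bound, expiring challenge.
def issue_challenge(user_id, now: Time.now.to_i)
  payload = { uid: user_id, purpose: "two_factor_challenge", exp: now + CHALLENGE_TTL, nonce: SecureRandom.hex(8) }
  body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  "#{body}.#{OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, body)}"
end

# Returns the user id only if the signature, the purpose and the expiry all check out.
def verify_challenge(token, now: Time.now.to_i)
  body, sig = token.to_s.split(".", 2)
  return nil unless body && sig && constant_time_eql?(OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, body), sig)
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return nil unless claims["purpose"] == "two_factor_challenge" && claims["exp"] > now
  claims["uid"]
rescue JSON::ParserError, ArgumentError, TypeError
  nil
end

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated to 6 digits.
def totp(secret, now:, step: 30, digits: 6)
  hmac = OpenSSL::HMAC.digest("SHA1", secret, [now / step].pack("Q>"))
  offset = hmac.bytes.last & 0x0f
  ((hmac[offset, 4].unpack1("N") & 0x7fffffff) % 10**digits).to_s.rjust(digits, "0")
end

# Verify step: challenge token plus a TOTP code (one step of clock drift allowed) or a single-use
# recovery code. Returns the real credential on success, nil on any failure.
def complete_challenge(token, code, now: Time.now.to_i)
  return nil if (ATTEMPTS[token] += 1) > MAX_ATTEMPTS_PER_TOKEN
  uid = verify_challenge(token, now: now)
  return nil unless uid && (user = USERS[uid])
  code = code.to_s.strip
  ok = (-1..1).any? { |d| constant_time_eql?(totp(user[:totp_secret], now: now + d * 30), code) }
  ok ||= !user[:recovery_codes].delete?(Digest::SHA256.hexdigest(code)).nil? # consumed on use
  ok ? { user_id: uid, session_token: SecureRandom.hex(16) } : nil
end
```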
