[nodebb-plugin-2factor] Two-Factor Authentication

  • Admin

    In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.

    The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
    devices and enabling this enhanced security on their account.


    • Requires NodeBB v0.7.2 or newer.


    Install the plugin via the ACP/Plugins page.


    Token Generation Step

    Token Generation Step

    Challenge Step

    Challenge Step



    • Added the ability to disassociate user tokens via the ACP page (in case users get locked out)


    • Bug: Fixed the browser title on the TFA settings page
    • Bug: Fixed issue where hitting enter while keying in the validation code would abort the process

  • Very nice! Works fine.

  • Admin

    Good to hear it @revunix 😄

    I hope to add support for reset keys and ACP deactivation, as currently, if you lose your device, you won't be able to bypass 😦

  • @julian I recently had my phone smashed by a drunk friend (I could just make out the numbers on a flickering screen) and discovered how terrible the "reset code" or "add code to another device" situation is with a new phone on sooo many websites where I had 2FA, even if you can get in with your current one.

  • Translator

    @drew Indeed, I don't know how many support tickets I will need to make for all the sites where I use 2 factor auth, 3 Google accounts, Steam, Cloudflare and much more...

    Anyways 2FA looks nice.

  • Admin

    Published an update. (Changelog in OP)

    @drew @kowlin At least now the administrator can reset TFA keys, although getting in touch with the admin is another matter altogether 😆

  • Are backup codes supported now btw? I see a closed GitHub issue for them, which suggests they are.

  • Admin

    @LB Yep, they are, although they are generated only when you start the 2FA setup process, so you will want to disable 2FA, trash your record, and re-generate one. The backup codes will be displayed a single time for you to record.

  • When I scan this with Authy or Google Authenticator it says "QR code is invalid" no matter how many times I create a new one. Is there a fix?

  • Anime Lovers

    @cookieman768 The same situation(((



Looks like your connection to NodeBB was lost, please wait while we try to reconnect.