CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Two-Factor Authentication (2FA)

Security OWASP A7:2021 PHP 7.0+ Beginner
debt(d7/e7/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints field explicitly states 'automated: no' and describes the code pattern as 'Authentication flow with no second factor check after password verification' — there is no listed tool that catches missing 2FA, no linter rule, and no SAST signature. A reviewer must manually trace the authentication flow to detect absence of a second factor or a weak SMS-only implementation.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix mentions integrating a TOTP library and generating backup codes, but the common_mistakes reveal systemic gaps: fixing all bypass vectors (account recovery, re-verification for high-risk actions, plaintext TOTP secret storage) touches authentication flows, database schema, and multiple application entry points. This is not a single-file patch — it requires coordinated changes across the auth layer, recovery flows, and sensitive action gates.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). 2FA applies only to web contexts (per applies_to) but its authentication and re-verification logic must be threaded through every privileged route, account recovery path, and high-risk action. It doesn't reshape the entire architecture (ruling out b7+), but it creates an ongoing tax whenever new privileged features are added, as each must integrate the second-factor check.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap (a documented gotcha most devs eventually learn)' (t5). The misconception field directly states that developers wrongly assume 'any 2FA method provides equal protection' — SMS is widely deployed but vulnerable to SIM-swapping and SS7 interception. This is a well-known gotcha in the security community but genuinely surprises developers who implement SMS 2FA thinking it provides strong protection. The additional common mistake of bypass via weak recovery flows compounds the trap.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

2FA MFA multi-factor authentication two-step verification

TL;DR

Requiring a second verification factor (OTP, hardware key) in addition to a password dramatically reduces account takeover risk.

Explanation

2FA adds a second authentication layer — something the user has (TOTP app, hardware key) — to something they know (password). Even if an attacker obtains valid credentials through phishing or a data breach, they cannot authenticate without the second factor. Implementation considerations include: using TOTP (RFC 6238) rather than SMS (vulnerable to SIM-swapping), providing recovery codes, enforcing 2FA on admin accounts, and protecting the 2FA setup flow from being bypassed.

Diagram 

sequenceDiagram
    participant U as User
    participant APP as Application
    participant TOTP as TOTP / SMS
    U->>APP: Username and Password
    APP-->>APP: Password correct
    APP-->>U: Request 2FA code
    APP->>TOTP: Generate or send OTP
    U->>APP: Submit OTP
    APP-->>APP: Verify OTP time-based
    APP-->>U: Authenticated successfully
    Note over U,APP: Even if password stolen<br/>attacker needs the second factor

Common Misconception

Any 2FA method provides equal protection. SMS-based 2FA is vulnerable to SIM-swapping and SS7 interception. TOTP apps are significantly stronger, and hardware keys (FIDO2/WebAuthn) are phishing-resistant in ways that SMS and TOTP are not.

Why It Matters

2FA requires something you know (password) plus something you have (phone, hardware key) — a stolen password alone is not enough to authenticate, neutralising credential stuffing and phishing attacks.

Common Mistakes

  • SMS-based 2FA as the only option — SIM swapping defeats it; offer TOTP or hardware keys.
  • 2FA bypass via account recovery — a weak recovery flow lets attackers skip 2FA entirely.
  • Not requiring 2FA re-verification for high-risk actions (password change, payment method update).
  • Storing TOTP secrets in plaintext in the database — should be encrypted at rest.

Avoid When

  • Do not make 2FA optional for high-privilege accounts — treat it as mandatory for admins.
  • Do not implement 2FA over SMS for high-security contexts — SS7 attacks and SIM swapping make it interceptable.

When To Use

  • Enable 2FA for all admin accounts, privileged roles, and any account with access to sensitive data.
  • Use TOTP (authenticator app) as the default second factor — more secure than SMS which is vulnerable to SIM swap.

Code Examples

✗ Vulnerable 
// 2FA check bypassable via recovery:
if ($user->hasTwoFactor() && !$this->verifyTotp($code)) {
    return $this->offerRecovery(); // Recovery flow has weaker verification
    // Attacker: 'forgot my 2FA device' → answers security questions → bypasses 2FA
}
✓ Fixed 
// TOTP (Google Authenticator compatible) — use spomky-labs/otphp
use OTPHP\TOTP;

// Setup — generate secret and QR code URI
$totp = TOTP::generate();
$totp->setLabel($user->email);
$totp->setIssuer('MyApp');
$secret = $totp->getSecret();   // store encrypted in DB
$uri    = $totp->getProvisioningUri(); // display as QR code

// Verify — check the 6-digit code
function verifyTotp(string $secret, string $code): bool {
    $totp = TOTP::createFromSecret($secret);
    return $totp->verify($code, null, 1); // ±1 time window tolerance
}

// Recovery codes — generate 8 codes, hash and store, show once
$codes = array_map(fn() => bin2hex(random_bytes(5)), range(1, 8));
Added 15 Mar 2026
Edited 31 Mar 2026
Views 65

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 1 ping F 1 ping S 5 pings S 3 pings M 2 pings T 0 pings W 0 pings T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 1 ping S 1 ping M 1 ping T 0 pings W
Agents 0
No pings yet today
PetalBot 1
Scrapy 12 Perplexity 9 Amazonbot 7 SEMrush 5 Ahrefs 4 Google 4 ChatGPT 4 PetalBot 2 Claude 1 Bing 1 Meta AI 1 Sogou 1
Also referenced
PHP Session 57 Brute Force Attack 57 Account Enumeration 55
How they use it
crawler 47 crawler_json 4
Related categories
php 13.2k security 8k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Implement TOTP with a library like RobThree/TwoFactorAuth; generate backup codes with random_bytes(10); never use SMS as sole 2FA
📦 Applies To
PHP 7.0+ web
🔗 Prerequisites
🔍 Detection Hints
Authentication flow with no second factor check after password verification
Auto-detectable: ✗ No
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Low ✗ Manual fix Fix: High Context: File Tests: Update
CWE-308
✓ schema.org compliant