How to enable 2-step authentication?

Hello Strapi community!

I want to know if there is a way to do 2-step authentication with Strapi?

To let my users confirm their identity through their phone number?

1 Like

Hello!

Strapi doesn't provide this feature by default, but thanks to the customization system you will be able to create it yourself.

So, how could it work?

Well, based on the current process, instead of returning the JWT and user info as the response of /auth/local, you want this route to send an SMS to the user.
And you want a way to validate the code received by SMS.

Here is the customization concept you will have to follow:
https://strapi.io/documentation/v3.x/concepts/customization.html#plugin-extensions

Here I will keep it simple, but the most important thing is to understand the logic, so you can then improve the system if needed.

  1. Create a new number field in your User model.
    You will use the Content Type Builder plugin to do that.
    Call this field code, for example.

  2. Do not send the JWT as the response of the auth route, but generate a code instead.
    Here is the code you will have to replace: strapi/Auth.js at master · strapi/strapi · GitHub

Here you will have to generate a code and update the current user with this code:

```javascript
await strapi.query('user', 'users-permissions').update({id: user.id}, {code: 123456});
```

Then write the code to send a text message to the user (I suppose the user will have a phone field).
So with user.phone you will get the phone number, and by installing and configuring the Node module you want to use for sending text messages, you will be able to send a text message containing the code.

Then, in the response of the API, send the user.id; we will use it to match the code and the user ID.

  3. Create a route that matches your user ID and the code and returns the JWT and user information.
    To do that, you can follow this documentation: https://strapi.io/documentation/v3.x/concepts/routing.html#routing
    You will have to create a POST route that receives the user ID and the code as parameters.

You can create this route in the users-permissions plugin by following the customization docs I linked previously.

In your controller function you will have to execute this request:

```javascript
const {id, code} = ctx.request.body;
const user = await strapi.query('user', 'users-permissions').findOne({id, code});
```

In user you will have the user (if the info you sent is correct).
So do some validation here and finally send the auth info like it's done here:

And there it is, you have 2-step authentication with a text message.

7 Likes

Thank you @lauriejim!

Sorry, my answer was not sent.

1 Like

Hello, I have implemented the same on this github repo - https://github.com/mayank-budhiraja/strapi-with-otp-integration

A user is authenticated only through the OTP verification, and all auth requests are made using the JWT token.

Hi @lauriejim,

I work for Manageable and we're currently looking for a Strapi expert who feels confident that they can install two-factor authentication for our Strapi CMS.

If you’d be interested in working on this project with us then we’d love to hear from you. My email is scarlet@manageable.works.

Best wishes,

Scarlet