Security isn’t just a feature—it’s a promise. As Laravel developers, we owe it to our users to protect their data and identities. One of the simplest yet most powerful ways to do that is by implementing Two-Factor Authentication (2FA).
In this guide, we’ll explore how to add 2FA to Laravel Starter Kits like Breeze and Jetstream, using packages like PragmaRX Google2FA and Laravel’s own Fortify.
🧠 What is 2FA and Why Does It Matter?
2FA adds a second layer of security to your login process. Instead of just a password, users must enter a time-based code from an app like Google Authenticator or Authy. This means even if a password is compromised, the account remains protected.
⚙️ Starter Kit Overview

🛠️ Option 1: Add 2FA to Laravel Breeze with Google2FA
Step 1: Install Breeze
composer require laravel/breeze --dev
php artisan breeze:install
npm install && npm run dev
php artisan migrate
Step 2: Install Google2FA
composer require pragmarx/google2fa-laravel
php artisan vendor:publish --provider="PragmaRX\Google2FALaravel\ServiceProvider"
Step 3: Update User Model
Add a column to store the 2FA secret:
php artisan make:migration add_google2fa_secret_to_users_table
// In the generated migration's up() method:
Schema::table('users', function (Blueprint $table) {
    $table->text('google2fa_secret')->nullable();
});
In User.php:
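// Also list 'google2fa_secret' in $hidden and give it the 'encrypted' cast,
// so the secret is neither serialized to JSON nor stored in plaintext.
protected $fillable = [
    'name', 'email', 'password', 'google2fa_secret',
];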
Step 4: Generate QR Code for Setup
Use a controller to generate the secret and QR code:
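use Illuminate\Http\Request;
use PragmaRX\Google2FAQRCode\Google2FA;

// Controller method: creates a new secret and renders its QR code.
public function enable2FA(Request $request)
{
    $google2fa = new Google2FA();

    // Generate a fresh secret and store it on the authenticated user.
    $secret = $google2fa->generateSecretKey();
    $request->user()->update(['google2fa_secret' => $secret]);

    // Inline QR code image encoding the app name, account label and secret.
    $QR_Image = $google2fa->getQRCodeInline(
        'YourAppName',
        $request->user()->email,
        $secret
    );

    return view('2fa.setup', compact('QR_Image'));
}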
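The setup step above stores the secret and shows the QR code; at login the server still has to check the six-digit code the user submits. The following added example, which is not code from the original post or from the Google2FA package, shows in plain PHP what that check involves: the RFC 6238 code computation, a one-step drift window, constant-time comparison and a replay guard. The function names and the `$lastStep` value (the last accepted time step, which you would persist per user) are assumptions.

```php
<?php
// Added example: RFC 6238 TOTP check with drift window and replay guard.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop a trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function totp(string $key, int $step, int $digits = 6): string
{
    // 8-byte big-endian counter, HMAC-SHA1, dynamic truncation (RFC 4226).
    $hash = hash_hmac('sha1', pack('J', $step), $key, true);
    $offset = ord($hash[19]) & 0x0F;
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step (persist it as the new $lastStep) or null.
function verifyTotp(string $b32Secret, string $code, int $lastStep, int $now, int $window = 1): ?int
{
    $key = base32Decode($b32Secret);
    $current = intdiv($now, 30);            // 30-second time steps
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        // Only steps newer than the last accepted one count (replay guard).
        if ($step > $lastStep && hash_equals(totp($key, $step), $code)) {
            return $step;
        }
    }
    return null;
}

// Constructed input: the RFC 6238 test secret "12345678901234567890" in base32.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verifyTotp($secret, '287082', 0, 59)); // first use of the code at T=59
var_dump(verifyTotp($secret, '287082', 1, 59)); // same code after step 1 was recorded
```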
🧰 Option 2: Use Jetstream’s Built-In 2FA
Jetstream comes with 2FA powered by Fortify. Just install Jetstream with Livewire or Inertia:
composer require laravel/jetstream
php artisan jetstream:install livewire
npm install && npm run dev
php artisan migrate
Enable 2FA in config/fortify.php:
'features' => [
    Features::twoFactorAuthentication([
        'confirmPassword' => true,
    ]),
],
Jetstream handles everything—from secret generation to recovery codes and validation.
🔍 Bonus: Customizing the Flow
Want to send OTP via SMS or email instead of using an authenticator app? You can build your own flow using Laravel Notifications:
Notification::route('sms', $user->phone)
    ->notify(new SendOtpNotification($otp));
Or use Laravel’s built-in Mail system for email-based OTP.
🧪 Testing 2FA with Laravel Dusk
A quick tip for automated testing: mock the 2FA flow in Dusk by bypassing the OTP screen or using test secrets. You can stub the verification logic to simulate success during tests.
🧠 Final Thoughts
Whether you’re using Breeze for simplicity or Jetstream for full-stack features, adding 2FA is a must-have for modern Laravel apps. It’s not just about security—it’s about trust.
