🔐 How to Enable Two-Factor Authentication (2FA) in Laravel Starter Kits

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) adds an extra layer of security to your login process.
After a user enters their email and password, they must also provide a one-time verification code (usually generated via an app like Google Authenticator, Authy, or sent by SMS/email).

Laravel Starter Kits Overview

Laravel offers official starter kits that already support 2FA (or can easily add it):

| Starter Kit | 2FA Support | Description |
|---|---|---|
| Jetstream | ✅ Built-in | Provides 2FA out of the box via Laravel Fortify |
| Breeze | ⚙️ Add manually | Lightweight, but can use Fortify for 2FA |
| Fortify | ✅ Core package | Handles authentication, including 2FA backend logic |

Step-by-Step Setup (Using Laravel Jetstream)

Step 1. Install Laravel Jetstream

composer create-project laravel/laravel twofactor-demo
cd twofactor-demo

Install Jetstream with Livewire or Inertia.js (choose one):

composer require laravel/jetstream
php artisan jetstream:install livewire

Then run:

npm install
npm run dev
php artisan migrate

Step 2. Register and Login

Start your local server:

php artisan serve

Visit: http://localhost:8000/register

Register a test user and log in.
You’ll now be able to manage 2FA settings in your profile.

Step 3. Enable 2FA

Navigate to your Profile Page → Two Factor Authentication section.

Click “Enable” → Jetstream automatically:

  • Generates a QR Code

  • Shows Recovery Codes

  • Uses Laravel Fortify’s 2FA backend

Scan the QR code using Google Authenticator or Authy.

Step 4. Verify 2FA on Login

After enabling, when you log out and back in:

  • You’ll be prompted to enter a 6-digit code from your authenticator app.

  • You can also use Recovery Codes if you lose access to your phone.

Behind the Scenes: How Jetstream Handles 2FA

  • Uses Laravel Fortify internally.

  • The user’s 2FA secret and recovery codes are stored in the users table.

  • Fortify manages:

    • Enabling/disabling 2FA

    • Verifying tokens

    • Generating recovery codes

In app/Actions/Fortify/ you can see how it’s implemented:

  • EnableTwoFactorAuthentication

  • DisableTwoFactorAuthentication

  • GenerateNewRecoveryCodes
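
To make the "Verifying tokens" step concrete, this standalone PHP example shows how a 6-digit authenticator code is checked against the stored secret (TOTP, RFC 6238). It is an added example, not code from the original post or from Fortify; the function names base32Decode, totpAt and verifyTotp, the 30-second step, the ±1 step window and the sample secret are assumptions made for illustration.

```php
<?php
// Added illustration of RFC 6238 TOTP checking; not Fortify's own code.
// Decode the base32 secret, the form an authenticator app receives from the QR code.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) { // drop trailing padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// HOTP value (RFC 4226) for one time-step counter, zero-padded to $digits.
function totpAt(string $key, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0F; // dynamic truncation offset
    $value = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30-second step plus/minus $window steps (clock drift).
// hash_equals compares in constant time so timing does not leak matching digits.
function verifyTotp(string $b32Secret, string $code, int $time, int $window = 1): bool
{
    $key = base32Decode($b32Secret);
    $step = intdiv($time, 30);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(totpAt($key, $step + $i), $code) || $ok;
    }
    return $ok;
}

// Constructed sample: base32 of the RFC 6238 test secret "12345678901234567890".
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verifyTotp($secret, '287082', 59));  // RFC 6238 test vector at T=59
var_dump(verifyTotp($secret, '287082', 200)); // same code replayed several steps later
```

The window size is the trade-off to watch: each extra step tolerated for clock drift also lengthens the time an observed code remains usable.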

Optional: Adding 2FA to Laravel Breeze

If you’re using Breeze, you can manually add 2FA by installing Fortify:

composer require laravel/fortify

Then publish and configure Fortify:

php artisan vendor:publish --provider="Laravel\Fortify\FortifyServiceProvider"

Enable 2FA in config/fortify.php:

'features' => [
    Features::twoFactorAuthentication([
        'confirmPassword' => true,
    ]),
],

Finally, create the UI for enabling and verifying 2FA (you can reference Jetstream’s components or copy its blade files).

Example: 2FA Database Fields

Your users table will include:

$table->text('two_factor_secret')->nullable();
$table->text('two_factor_recovery_codes')->nullable();
$table->timestamp('two_factor_confirmed_at')->nullable();

Summary

| Step | Action | Description |
|---|---|---|
| 1 | Install Jetstream | Comes with 2FA out of the box |
| 2 | Migrate DB | Creates user + 2FA columns |
| 3 | Enable 2FA | From the profile page |
| 4 | Test Login | Requires code verification |
| 5 | Manage Recovery Codes | Backup in case the device is lost |

Useful Commands

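# Reset 2FA for user
php artisan tinker
>>> $user = App\Models\User::find(1);
>>> // Clear all three 2FA columns so no stale recovery codes or confirmation remain
>>> $user->two_factor_secret = null;
>>> $user->two_factor_recovery_codes = null;
>>> $user->two_factor_confirmed_at = null;
>>> $user->save();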
Souy Soeng
