2FA/OTP Config

The 2FA/OTP Config Module

The user_2fa_otp_config module provides opt-in, configuration, and viewing of Two-Factor Authentication via One-Time-Password (2FA/OTP) settings. In order to allow users access to 2FA/OTP, the system must be properly configured. See Security for more information.

:information_source: By default, the 2FA/OTP configuration menu may only be accessed by users connected securely (ACS SC). It is highly recommended to leave this default as accessing these settings over a plain-text connection could expose private secrets!


Config Block

Available config block entries:

  • infoText: Overrides default informational text string(s). See Info Text below.
  • statusText: Overrides default status text string(s). See Status Text below.


config: {
    infoText: {
        googleAuth: Google Authenticator available on mobile phones, etc.
    statusText: {
        saveError: Doh! Failed to save :(

Info Text (infoText)

Overrides default informational text relative to current selections. Available keys:

  • disabled: Displayed when OTP switched to enabled.
  • enabled: Displayed when OTP switched to disabled.
  • rfc6238_TOTP: Describes TOTP.
  • rfc4266_HOTP: Describes HOTP.
  • googleAuth: Describes Google Authenticator OTP.

Status Text (statusText)

Overrides default status text for various conditions. Available keys:

  • otpNotEnabled
  • noBackupCodes
  • saveDisabled
  • saveEmailSent
  • saveError
  • qrNotAvail
  • emailRequired


The following MCI codes are available:

  • MCI 1: (ie: TM1): Toggle 2FA/OTP enabled/disabled.
  • MCI 2: (ie: SM2): 2FA/OTP type selection.
  • MCI 3: (ie: TM3): Submit/cancel toggle.
  • MCI 10…99: Custom entries with the following format members available:
    • {infoText}: Info Text for current selection.

Web and Email Templates

A template system is also available to customize registration emails and the landing page.


Multipart MIME emails are send built using template files pointed to by users.twoFactorAuth.otp.registerEmailText and users.toFactorAuth.otp.registerEmailHtml supporting the following variables:

  • %BOARDNAME%: BBS name.
  • %USERNAME%: Username receiving email.
  • %TOKEN%: Temporary registration token generally used in URL.
  • %REGISTER_URL%: Full registration URL.

Landing Page

The landing page template is pointed to by users.twoFactorAuth.otp.registerPageTemplate and supports the following variables:

  • %BOARDNAME%: BBS name.
  • %USERNAME%: Username receiving email.
  • %TOKEN%: Temporary registration token generally used in URL.
  • %OTP_TYPE%: OTP type such as googleAuth.
  • %POST_URL%: URL to POST form to.
  • %QR_IMG_DATA%: QR code in URL image data format. Not always available depending on OTP type and will be set to blank in these cases.
  • %SECRET%: Secret for manual entry.