Secure Authentication: Implementing MFA (Multi-Factor) with NextAuth.js

The High-Stakes Problem: Identity is the Perimeter

By 2026 standards, single-factor authentication (SFA) is not an authentication strategy; it is a vulnerability management failure. With the commoditization of AI-driven credential stuffing and advanced phishing kits available for pennies on the dark web, relying solely on a password—no matter how complex—is negligent architecture.

For enterprise applications, the "Identity Perimeter" is the only one that matters. Firewalls do not stop a compromised admin session. If you are building high-scale fintech, healthcare, or SaaS platforms, Multi-Factor Authentication (MFA) is the baseline requirement for SOC2 and ISO 27001 compliance.

However, implementing MFA in the Next.js ecosystem using NextAuth.js (Auth.js v5+) requires moving beyond standard library documentation. It demands a rigorous approach to state management, secret encryption, and the authentication lifecycle.

Technical Deep Dive: The Solution & Code

We will implement Time-based One-Time Password (TOTP) MFA. This standard (RFC 6238) is preferable to SMS-based 2FA, which is susceptible to SIM swapping.

1. The Schema Architecture

Your database schema must support the TOTP lifecycle. Do not store MFA secrets in plain text. In a real-world high-scale environment, these should be encrypted at the application level before touching the database, or stored in a dedicated Vault service.

For this implementation, we assume a Prisma/Postgres stack.

model User {
  id            String    @id @default(cuid())
  email         String    @unique
  password      String    // Hashed (Argon2id)
  
  // MFA Fields
  isTwoFactorEnabled    Boolean @default(false)
  twoFactorSecret       String? // Encrypted string
  twoFactorRecoveryCodes String[] // Hashed recovery codes
  
  // Session/Audit
  lastLogin     DateTime?
  updatedAt     DateTime @updatedAt
}

2. The Logic Flow

The standard authorize callback in NextAuth is insufficient for complex flows out of the box. We must engineer a conditional logic gate.

1. Phase 1: Validate Username/Password.
2. Phase 2: Check isTwoFactorEnabled.
3. Phase 3: If enabled, halt session issuance and demand the TOTP token.

3. Implementation: The Authorize Callback

We utilize otplib for token verification. Note the rigorous error handling; we do not want to leak whether a user has MFA enabled to an unauthenticated attacker, though in some UX flows this trade-off is acceptable for usability.

// auth.config.ts
import Credentials from "next-auth/providers/credentials";
import { authenticator } from "otplib";
import bcrypt from "bcryptjs";
import { getUserByEmail } from "@/data/user"; // Data access layer
import { decrypt } from "@/lib/encryption"; // AES-256-GCM implementation

export const authConfig = {
  providers: [
    Credentials({
      async authorize(credentials) {
        // 1. Validate Input
        if (!credentials?.email || !credentials?.password) return null;

        const user = await getUserByEmail(credentials.email);
        if (!user || !user.password) return null;

        // 2. Verify Password (Argon2 or Bcrypt)
        const passwordsMatch = await bcrypt.compare(
          credentials.password as string,
          user.password
        );

        if (!passwordsMatch) return null;

        // 3. MFA Logic Gate
        if (user.isTwoFactorEnabled) {
          const otpCode = credentials.code as string; // Passed from frontend

          // If no code is present, throw error to trigger UI specific for MFA input
          if (!otpCode) {
            throw new Error("MFA_REQUIRED");
          }

          // Decrypt the stored secret
          const decryptedSecret = decrypt(user.twoFactorSecret);

          // Verify TOTP
          const isValidToken = authenticator.check(otpCode, decryptedSecret);

          if (!isValidToken) {
            throw new Error("INVALID_MFA_CODE");
          }
        }

        // 4. Return User (Session Issued)
        return {
          id: user.id,
          email: user.email,
          name: user.name,
        };
      },
    }),
  ],
  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.sub = user.id;
        token.mfaVerified = user.isTwoFactorEnabled ? true : false;
      }
      return token;
    },
    async session({ session, token }) {
      if (token.sub && session.user) {
        session.user.id = token.sub;
      }
      return session;
    }
  }
};

4. Handling the Frontend State

The frontend must catch the MFA_REQUIRED error and pivot the UI without redirecting.

// login-form.tsx (Client Component)
const onSubmit = async (values: z.infer<typeof LoginSchema>) => {
  try {
    const data = await signIn("credentials", {
      email: values.email,
      password: values.password,
      code: values.code, // Initially undefined
      redirect: false,
    });

    if (data?.error === "MFA_REQUIRED") {
      setShowTwoFactor(true); // Switch UI to show OTP input
      return;
    }

    if (data?.error) {
        // Handle Invalid Credentials or Invalid OTP
        setError("Invalid credentials or code");
    } else {
        window.location.href = "/dashboard";
    }
  } catch (error) {
    setError("Something went wrong");
  }
};

Architecture & Performance Benefits

Implementing MFA at this level of granularity offers distinct architectural advantages over offloading to third-party providers (like Auth0) when strict data sovereignty is required.

1. Zero-Trust Session Integrity: By verifying the TOTP code synchronously within the authorize callback, we ensure that a session token (JWT) is never minted until full verification is complete. There is no "partial session" state that an attacker can exploit.
2. Database Performance: While crypto operations (bcrypt/AES) are CPU intensive, they are negligible at scale compared to network latency. Moving MFA logic to the edge (via Next.js Middleware) allows for verifying session validity before hitting the primary database for resource fetching.
3. Auditability: Owning the auth stack allows for granular logging of MFA failures, which is a critical signal for Intrusion Detection Systems (IDS).

How CodingClave Can Help

The code provided above is functional, but it is not a complete security strategy.

Implementing 'Secure Authentication: Implementing MFA with NextAuth.js' is complex and carries significant risk for internal teams. A single misconfiguration in the encryption layer, a flaw in the recovery code logic, or improper handling of session invalidation can leave your entire user base exposed. Writing the code is the easy part; ensuring it withstands a dedicated penetration test is the challenge.

CodingClave specializes in high-scale identity architecture.

We don't just paste code; we architect defense-in-depth strategies. From implementing hardware-key support (WebAuthn/Passkeys) to auditing your existing JWT rotation policies, we ensure your authentication layer is an asset, not a liability.

If you are handling sensitive user data and cannot afford a security breach, it is time to bring in the experts.

Book a Technical Security Audit with CodingClave