
MatthieuVandevyver's avatar

Require 2FA (Fortify Features twoFactorAuthentication) for authentication

Hi

In a v8.4.0 Laravel Jetstream build, I need to make authentication more secure. I want to make sure every authenticating user uses 2FA.

How can I require this for each login?

Maybe some extra parameter in \config\fortify.php ?

        Features::twoFactorAuthentication([
            'confirmPassword' => true,
        ]),

Thank you!

0 likes
5 replies
Snapey's avatar

You cannot turn it on unless the user has first logged in to access their 2FA codes.

You could perhaps check if 2fa is enabled and block access to the majority of the site until they have successfully enabled 2fa. You could do this check in middleware.

SteveS's avatar

Hi. Was about to start a new thread but found this one, so I'll bring this to life again instead. I have the same challenge for a site I'm building. Two factor will be mandatory. I'm building a site for a customer and their employees and they want it that way.

For the moment I have built a middleware after the Auth middleware to check if the "two_factor_confirmed_at" is null. If so, I will send them to the "Two factor onboarding" until they proceed and confirm. In the onboarding they will have to click "proceed", which makes them send the POST request to "/user/two-factor-authentication" to enable the two factor. The click will also generate a new two_factor_secret, to prevent lockout if they cancelled the onboarding earlier.

This requires 'confirm' => true in the Fortify config, since Fortify will send them straight to the two factor auth if they log out and log in without confirming the two factor auth. In that case you can't access the user object until after the two factor auth, which they did not finalize, resulting in a lockout.

This works, and I will probably keep it this way. But it feels a little like a workaround. Ideally there would be an easier way to force this with every registration instead of putting middlewares after Fortify.

Does anyone have a prettier solution?

1 like
rhand's avatar

@SteveS Did you ever work out an easier way to enforce two factor authentication with Fortify?

danjohnsonxyz's avatar

@rhand I made a PR to Fortify to include this but unfortunately it was closed - Taylor recommended the best approach is to use middleware. laravel/fortify#556

You're welcome to use my fork if you'd like to have this functionality built into Fortify!

mfoote's avatar

I am sure this isn't the best way to do it, but I do this in my layout. The following allows certain named routes to be shown if 2FA is not enabled and confirmed. Ideally a middleware would be added to handle these routes.

@auth
    @if(auth()->user()->two_factor_secret && auth()->user()->two_factor_confirmed_at)
        @yield('content')
    @elseif(Route::is('profile.edit') || Route::is('password.confirm') || Route::is('welcome') || Route::is('verification.notice'))
        @yield('content')
    @else
        <div class="container">
            <div class="row justify-content-center">
                <div class="col-md-8">
                    <div class="card">
                        <div class="card-header bg-danger text-white">
                            <strong>
                                {{ __('Security Alert') }}
                            </strong>
                        </div>
                        <div class="card-body">
                            <p class="mb-0">To use this application you must first enable
                                <strong>Two Factor Authentication</strong>, please go
                                <a href="/profile">here</a>
                                to enable your two-factor authentication settings.</p>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    @endif
@else
    @yield('content')
@endauth
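
The middleware approach suggested in the replies above, as an added example that is not code from any poster or from Fortify itself. Unlike a check in the layout, it runs before the controller, so JSON endpoints, downloads and form handlers are gated as well as rendered views. Assumptions: the class name `RequireTwoFactor` and the `2fa.required` alias are hypothetical, the allowed route names are the ones from the layout above, the path patterns assume Fortify's default `/user/...` endpoints, and `'confirm' => true` is set so `two_factor_confirmed_at` is populated.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Hypothetical middleware. Register it in app/Http/Kernel.php $routeMiddleware as
// '2fa.required' and apply it after 'auth': Route::middleware(['auth', '2fa.required']).
class RequireTwoFactor
{
    // Named routes a user may reach before 2FA is confirmed (from the layout check above).
    protected $exceptRoutes = [
        'profile.edit', 'password.confirm', 'welcome', 'verification.notice', 'logout',
    ];

    // Assumed default Fortify paths for enabling and confirming 2FA and for
    // password confirmation; only needed if this middleware also wraps those routes.
    protected $exceptPaths = ['user/two-factor-*', 'user/confirm*'];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Guests are left to the 'auth' middleware.
        if (! $user) {
            return $next($request);
        }

        // Require both a stored secret and a completed confirmation: a secret alone
        // only means the user clicked "enable" and never verified a code.
        if ($user->two_factor_secret && $user->two_factor_confirmed_at) {
            return $next($request);
        }

        if ($request->routeIs(...$this->exceptRoutes) || $request->is(...$this->exceptPaths)) {
            return $next($request);
        }

        // API and AJAX callers get a status code instead of an HTML redirect.
        if ($request->expectsJson()) {
            abort(403, 'Two factor authentication must be enabled.');
        }

        return redirect()->route('profile.edit');
    }
}
```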
