
Two-Factor Authentication (2FA)

Peak provides robust security features out of the box, including built-in support for Two-Factor Authentication (2FA) powered by Laravel Jetstream and Laravel Fortify. With 2FA enabled, your users can secure their accounts with time-based one-time passwords (TOTP), adding a second layer of protection beyond just email and password.

Two-Factor Authentication Support in Peak

By default, 2FA is supported and integrated into every Peak installation.

Users can enable 2FA directly from their Account Settings → Security panel. Once enabled, their login flow will require a 6-digit code from an authenticator app in addition to their password.

Enabling 2FA (User Instructions)

When a user enables two-factor authentication:

  1. A QR code is presented for scanning using any TOTP-compatible app such as:

    • Google Authenticator
    • Authy
    • 1Password
    • Microsoft Authenticator
  2. A list of recovery codes is also displayed. Users should copy these codes and store them in a secure password manager. These recovery codes serve as a backup if the user loses access to their mobile device.

Note: Users should treat these recovery codes as confidential. If lost, they will need to disable and re-enable 2FA to generate new ones.

Logging In with 2FA

After enabling 2FA, the login process changes slightly:

  • After providing email and password, users will be prompted for a TOTP code from their authenticator app.
  • If the user no longer has access to their device, they can use one of their previously saved recovery codes to gain access.
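
How the 6-digit challenge code is derived and checked, as an added example that is not Peak, Jetstream or Fortify code: an RFC 6238 TOTP verifier in Python. The SHA-1 and 30-second parameters, the one-step drift window and the replay check are assumptions chosen for illustration, not Peak's configured values.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (common authenticator-app default; assumed)
DIGITS = 6   # the page states that codes are 6 digits long

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, unix_time, last_used_step=None, window=1):
    """Return the matched time step, or None if the code is rejected.

    window=1 tolerates one step of clock drift either way (assumed value).
    last_used_step is the step of the last accepted code; it blocks replay.
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    current = unix_time // STEP
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        expected = totp(secret_b32, step * STEP)
        # Constant-time compare; the loop always runs every step in the window.
        if hmac.compare_digest(expected, submitted):
            matched = step
    if matched is None:
        return None
    if last_used_step is not None and matched <= last_used_step:
        return None  # code from an already-used (or older) step: replay
    return matched

# Constructed sample input: the RFC 6238 test secret, base32-encoded the way
# an authenticator app receives it from the QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()
```

A caller would store the returned step per user and pass it back as last_used_step on the next login, so a code observed in transit cannot be reused within its validity window.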

Disabling Two-Factor Authentication

To disable 2FA functionality across your application:

Admin Panel → Settings → Security → Two-Factor Authentication → Disable

This will:

  • Hide 2FA settings from user accounts
  • Prevent users from enabling 2FA

Actions

For security, Jetstream's 2FA implementation is encapsulated and does not require customization.

All enabling, disabling, and challenge processes are handled via Jetstream's Fortify configuration and middleware layers. This ensures consistent, secure behavior.

Views / Pages

While customization is generally not needed, you may tweak presentation or styles in the following Vue components:

| Feature | File |
| --- | --- |
| Two-Factor Setup UI | resources/js/Themes/Breeze/Pages/Dashboard/Partials/TwoFactorAuthenticationForm.vue |
| Two-Factor Login Challenge | resources/js/Themes/Breeze/Pages/Auth/TwoFactorChallenge.vue |

If you adjust these components, make sure to recompile your frontend assets:

npm run dev

Summary

  • 2FA is supported in Peak by default
  • Uses TOTP (Google Authenticator, 1Password, etc.)
  • Offers backup recovery codes for emergencies
  • Login is secured via Fortify middleware and challenge
  • 2FA can be globally disabled in Admin Settings