logto-io · wangsijie · Jun 20, 2025 · Jun 23, 2025 · Jun 24, 2025
@@ -284,28 +284,66 @@
       "post": {
         "operationId": "AddMfaVerification",
         "summary": "Add a MFA verification",
-        "description": "Add a MFA verification to the user, a logto-verification-id in header is required for checking sensitive permissions. Only WebAuthn is supported for now, a new identifier verification record is required for the webauthn registration verification.",
+        "description": "Add a MFA verification to the user, a logto-verification-id in header is required for checking sensitive permissions.",
         "requestBody": {
           "content": {
             "application/json": {
               "schema": {
-                "properties": {
-                  "newIdentifierVerificationRecordId": {
-                    "description": "The identifier verification record ID for the new WebAuthn registration verification."
-                  },
-                  "type": {
-                    "description": "The type of the MFA verification."
+                "oneOf": [
+                  {
+                    "type": "object",
+                    "properties": {
+                      "type": {
+                        "type": "string",
+                        "enum": ["WebAuthn"],
+                        "description": "The type of the MFA verification."
+                      },
+                      "newIdentifierVerificationRecordId": {
+                        "type": "string",
+                        "description": "The identifier verification record ID for the new WebAuthn registration verification."
+                      },
+                      "name": {
+                        "type": "string",
+                        "description": "The name of the MFA verification, if not provided, the name will be generated from user agent."
+                      }
+                    },
+                    "required": ["type", "newIdentifierVerificationRecordId"]
                   },
-                  "name": {
-                    "description": "The name of the MFA verification, if not provided, the name will be generated from user agent."
+                  {
+                    "type": "object",
+                    "properties": {
+                      "type": {
+                        "type": "string",
+                        "enum": ["TOTP"],
+                        "description": "The type of the MFA verification, for TOTP, one user can only bind one TOTP factor."
+                      },
+                      "secret": {
+                        "type": "string",
+                        "description": "The TOTP secret for the MFA verification. Use the generate endpoint to create a secret, and verify the generated code with the user before binding to make sure the user has setup the secret in their authenticator app."
+                      }
+                    },
+                    "required": ["type", "secret"]
                   }
-                }
+                ]
               }
             }
           }
         }
       }
     },
+    "/api/my-account/mfa-verifications/totp-secret/generate": {
+      "post": {
+        "operationId": "GenerateTotpSecret",
+        "summary": "Generate a TOTP secret",
+        "tags": ["Dev feature"],
+        "description": "Generate a TOTP secret for the user.",
+        "responses": {
+          "200": {
+            "description": "The TOTP secret was generated successfully."
+          }
+        }
+      }
+    },
     "/api/my-account/mfa-verifications/{verificationId}/name": {
       "patch": {
         "operationId": "UpdateMfaVerificationName",

@@ -10,10 +10,12 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
+import { EnvSet } from '../../env-set/index.js';
 import RequestError from '../../errors/RequestError/index.js';
 import { buildVerificationRecordByIdAndType } from '../../libraries/verification.js';
 import assertThat from '../../utils/assert-that.js';
 import { transpileUserMfaVerifications } from '../../utils/user.js';
+import { generateTotpSecret, validateTotpSecret } from '../interaction/utils/totp-validation.js';
 import type { UserRouter, RouterInitArgs } from '../types.js';
 
 import { accountApiPrefix } from './constants.js';
@@ -57,11 +59,17 @@ export default function mfaVerificationsRoutes<T extends UserRouter>(
   router.post(
     `${accountApiPrefix}/mfa-verifications`,
     koaGuard({
-      body: z.object({
-        type: z.literal(MfaFactor.WebAuthn),
-        newIdentifierVerificationRecordId: z.string(),
-        name: z.string().optional(),
-      }),
+      body: z.discriminatedUnion('type', [
+        z.object({
+          type: z.literal(MfaFactor.WebAuthn),
+          newIdentifierVerificationRecordId: z.string(),
+          name: z.string().optional(),
+        }),
+        z.object({
+          type: z.literal(MfaFactor.TOTP),
+          secret: z.string(),
+        }),
+      ]),
       status: [204, 400, 401],
     }),
     async (ctx, next) => {
@@ -70,7 +78,6 @@ export default function mfaVerificationsRoutes<T extends UserRouter>(
         identityVerified,
         new RequestError({ code: 'verification_record.permission_denied', status: 401 })
       );
-      const { newIdentifierVerificationRecordId, name } = ctx.guard.body;
       const { fields } = ctx.accountCenter;
       assertThat(
         fields.mfa === AccountCenterControlValue.Edit,
@@ -82,46 +89,96 @@ export default function mfaVerificationsRoutes<T extends UserRouter>(
         new RequestError({ code: 'auth.unauthorized', status: 401 })
       );
 
-      // Check new identifier
-      const newVerificationRecord = await buildVerificationRecordByIdAndType({
-        type: VerificationType.WebAuthn,
-        id: newIdentifierVerificationRecordId,
-        queries,
-        libraries,
-      });
-      assertThat(newVerificationRecord.isVerified, 'verification_record.not_found');
-
-      const bindMfa = newVerificationRecord.toBindMfa();
+      // Feature flag check, throw 500
+      if (!EnvSet.values.isDevFeaturesEnabled && ctx.guard.body.type === MfaFactor.TOTP) {
+        throw new Error('TOTP is not supported yet');
+      }
 
       const user = await findUserById(userId);
 
-      // Check sign in experience, if webauthn is enabled
+      // Check sign in experience, if mfa factor is enabled
       const { mfa } = await findDefaultSignInExperience();
-      assertThat(
-        mfa.factors.includes(MfaFactor.WebAuthn),
-        new RequestError({ code: 'session.mfa.mfa_factor_not_enabled', status: 400 })
-      );
-
-      const updatedUser = await updateUserById(userId, {
-        mfaVerifications: [
-          ...user.mfaVerifications,
-          {
-            ...bindMfa,
-            id: generateStandardId(),
-            createdAt: new Date().toISOString(),
-            name,
-          },
-        ],
-      });
-
-      ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+      assertThat(mfa.factors.includes(ctx.guard.body.type), 'session.mfa.mfa_factor_not_enabled');
+
+      if (ctx.guard.body.type === MfaFactor.TOTP) {
+        // A user can only bind one TOTP factor
+        assertThat(
+          user.mfaVerifications.every(({ type }) => type !== MfaFactor.TOTP),
+          new RequestError({
+            code: 'user.totp_already_in_use',
+            status: 422,
+          })
+        );
+
+        // Check secret
+        assertThat(validateTotpSecret(ctx.guard.body.secret), 'user.totp_secret_invalid');
+
+        const updatedUser = await updateUserById(userId, {
+          mfaVerifications: [
+            ...user.mfaVerifications,
+            {
+              id: generateStandardId(),
+              createdAt: new Date().toISOString(),
+              type: MfaFactor.TOTP,
+              key: ctx.guard.body.secret,
+            },
+          ],
+        });
+
+        ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+      } else if (ctx.guard.body.type === MfaFactor.WebAuthn) {
+        const { newIdentifierVerificationRecordId, name } = ctx.guard.body;
+        // Check new identifier
+        const newVerificationRecord = await buildVerificationRecordByIdAndType({
+          type: VerificationType.WebAuthn,
+          id: newIdentifierVerificationRecordId,
+          queries,
+          libraries,
+        });
+        assertThat(newVerificationRecord.isVerified, 'verification_record.not_found');
+
+        const bindMfa = newVerificationRecord.toBindMfa();
+
+        const updatedUser = await updateUserById(userId, {
+          mfaVerifications: [
+            ...user.mfaVerifications,
+            {
+              ...bindMfa,
+              id: generateStandardId(),
+              createdAt: new Date().toISOString(),
+              name,
+            },
+          ],
+        });
+
+        ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+      }
 
       ctx.status = 204;
 
       return next();
     }
   );
 
+  if (EnvSet.values.isDevFeaturesEnabled) {
+    router.post(
+      `${accountApiPrefix}/mfa-verifications/totp-secret/generate`,
+      koaGuard({
+        status: [200],
+      }),
+      async (ctx, next) => {
+        const secret = generateTotpSecret();
+        ctx.body = {
+          secret,
+        };
+
+        return next();
+      }
+    );
+  }
+
   // Update mfa verification name, only support webauthn
   router.patch(
     `${accountApiPrefix}/mfa-verifications/:verificationId/name`,

diff --git a/packages/integration-tests/src/api/account-center.ts b/packages/integration-tests/src/api/account-center.ts
@@ -40,6 +40,7 @@ export const enableAllAccountCenterFields = async (api: KyInstance = authedAdmin
         profile: AccountCenterControlValue.Edit,
         social: AccountCenterControlValue.Edit,
         customData: AccountCenterControlValue.Edit,
+        mfa: AccountCenterControlValue.Edit,
       },
     },
     api

diff --git a/packages/integration-tests/src/api/my-account.ts b/packages/integration-tests/src/api/my-account.ts
@@ -1,4 +1,4 @@
-import { type UserProfileResponse } from '@logto/schemas';
+import { type UserMfaVerificationResponse, type UserProfileResponse } from '@logto/schemas';
 import { type KyInstance } from 'ky';
 
 const verificationRecordIdHeader = 'logto-verification-id';
@@ -74,3 +74,28 @@ export const updateOtherProfile = async (api: KyInstance, body: Record<string, u
 
 export const getUserInfo = async (api: KyInstance) =>
   api.get('api/my-account').json<Partial<UserProfileResponse>>();
+
+export const generateTotpSecret = async (api: KyInstance) =>
+  api.post('api/my-account/mfa-verifications/totp-secret/generate').json<{ secret: string }>();
+
+export const getMfaVerifications = async (api: KyInstance) =>
+  api.get('api/my-account/mfa-verifications').json<UserMfaVerificationResponse>();
+
+export const addMfaVerification = async (
+  api: KyInstance,
+  verificationRecordId: string,
+  body: Record<string, unknown>
+) =>
+  api.post('api/my-account/mfa-verifications', {
+    json: body,
+    headers: { [verificationRecordIdHeader]: verificationRecordId },
+  });
+
+export const deleteMfaVerification = async (
+  api: KyInstance,
+  verificationId: string,
+  verificationRecordId: string
+) =>
+  api.delete(`api/my-account/mfa-verifications/${verificationId}`, {
+    headers: { [verificationRecordIdHeader]: verificationRecordId },
+  });