2FA using Own Development in NodeJS

In a previous article we talked about Swivel, an external tool for integrating 2FA into our Scriptcase applications. However, it is also possible to use a less robust solution, such as an application of your own development.

In this example, a double-authentication system was developed in NodeJS. It supports a second factor not only through an OTC (One Time Code, a Soft Token) but also through a physical device (Hard Token), in this particular case one from the FIDO family of FEITIAN (https://www.ftsafe.com/products/FIDO). The OTC could be generated, for example, with Google Authenticator.

This document focuses on how Scriptcase consumes those services. Although the implementation was developed in-house, special care was taken with the interfaces, which is why they were clearly documented for each of the supported options: PHP, .Net and Angular.

In the PHP documentation, we were given the following information:



auth2factor PHP Integration SDK


  • sudo apt-get install php5-curl
  • sudo apt-get install composer

Firebase JWT is used to sign the HMAC. If you do not use Composer, copy the Firebase JWT libraries into your solution.


Setup hostname, API key, and secret

$HOST = "https://localhost";
$API_KEY = "…";
$API_SECRET = "…";
$a2f_client = new auth2factor($HOST, $API_KEY, $API_SECRET);



Returns a temporary login token. Used to request an OTC/U2F verification.

$tokens = $a2f_client->delegate("user@me.com");
$req_token = $tokens["x-app-sign-request"];
$u2f_req = $tokens["x-u2f-sign-request"];


Verifies OTC. Returns a bearer token, otherwise false.

$sid = $a2f_client->validate_otc("…temporary token", "001122");


Verifies U2F. Returns a bearer token, otherwise false. Must be called once successfully signed with u2f.sign.

$client_data = "eyJ0eXAiO…";
$signature_data = "AQAAADUw…";
$sid = $a2f_client->validate_u2f("…temporary token", $client_data, $signature_data);


Requests a U2F challenge to initiate key registration.

$challenge = $a2f_client->request_challenge("a valid bearer token");


Registers a U2F security key. Must be called once u2f.register returns successfully.

$client_data = "eyJ0eXAiO…";
$registration_data = "AQAAADUw…";
$a2f_client->register_key("a valid bearer token", $client_data, $registration_data);

U2F Implementation

FIDO U2F – Enrollment

Once authenticated, the user goes to the account configuration in the solution and is offered the option to enroll a key.

  • Obtain a U2F challenge: API request_challenge
  • Call the client library u2f.register with the challenge and request the signature
  • The user then activates (touches) the key
  • On success, the confirmation is stored in register_key.php: API register_key

FIDO U2F – Authentication

This applies if the user has keys registered in the domain where they were authenticated in the 1st step.

  • Get the set of sign requests
  • Call the client library u2f.sign with the sign requests and request the signature
  • The user then activates (touches) the key
  • The response is validated in sign_key.php, which obtains a bearer token: API validate_u2f

JavaScript library for U2F

Include the minified library:

<script src="js/a2f.js"></script>

  • Axios for AJAX / REST: axios.min.js
  • Axios config: axios-config.js
  • U2F: u2f-api.js
  • U2F utils: u2f-utils.js

Based on the above, the following macro algorithm was analyzed and defined, so the program should:

  1. Define connection parameters.
  2. With the user logged on the 1st authentication (email), it connects to the server to request a Token.
  3. Upon receipt of the Token, the OTC is requested from the user.
  4. The OTC is sent.
  5. The response is received if the second authentication is authorized or not.
  6. If successful, redirect the application to the Menu

[Image: 2fa..nodejs.png]

I hope these 3 articles on the interesting topic of 2FA have been useful to you. Whatever method you choose, don't forget to always review the documentation, run tests, and only then implement it in Scriptcase.


April 15, 2019
