2FA Using an In-House Development in NodeJS

In a previous article, we talked about Swivel as an external tool to integrate with our Scriptcase applications. However, it is also possible to use a less robust application, such as an in-house development.

In this example, a double-authentication system was developed in NodeJS. It supports a second factor not only through an OTC (One-Time Code) (soft token) but also through a device (hard token), in this particular case one from FEITIAN's FIDO family (https://www.ftsafe.com/products/FIDO). The OTC could be generated, for example, with Google Authenticator.

This document focuses on how Scriptcase uses those services. Although this implementation was an in-house development, special care was taken with its interfaces, so they were clearly documented for each of these options: PHP, .Net and Angular.

In the PHP documentation, we were given the following information:



auth2factor PHP Integration SDK


  • sudo apt-get install php5-curl
  • sudo apt-get install composer

Use Firebase JWT to sign HMAC. If you do not use Composer, copy the JWT Firebase libraries to your solution.


Set up hostname, API key, and secret

$HOST = "https://localhost";

$API_KEY = "…";

$API_SECRET = "…";

$a2f_client = new auth2factor($HOST, $API_KEY, $API_SECRET);



Returns a temporary login token. Used to request an OTC/U2F verification.

$tokens = $a2f_client->delegate("user@me.com");

$req_token = $tokens["x-app-sign-request"];

$u2f_req = $tokens["x-u2f-sign-request"];


Verifies OTC. Returns a bearer token, otherwise false.

$sid = $a2f_client->validate_otc("…temporary token", "001122");


Verifies U2F. Returns a bearer token, otherwise false. Must be called once successfully signed with u2f.sign.

$client_data = "eyJ0eXAiO…";

$signature_data = "AQAAADUw…";

$sid = $a2f_client->validate_u2f("…temporary token", $client_data, $signature_data);


Requests a U2F challenge to initiate key registration.

$challenge = $a2f_client->request_challenge("a valid bearer token");


Registers a U2F security key. Must be called once u2f.register returns successfully.

$client_data = "eyJ0eXAiO…";

$registration_data = "AQAAADUw…";

$a2f_client->register_key("a valid bearer token", $client_data, $registration_data);

U2F Implementation

FIDO U2F – Enrollment

Once authenticated, the user logs in to the account configuration in the solution and is offered the option to enroll a key.


  • Request a U2F challenge: API request_challenge
  • Call the client library function u2f.register with the challenge and request the signature
  • The user proceeds to enter the key
  • If successful, the confirmation is stored in register_key.php: API register_key

FIDO U2F – Authentication

If the user has registered keys in the domain where they were authenticated in the 1st step:


  • Get a set of sign requests
  • Call the client library function u2f.sign with the sign requests and request the signature
  • The user proceeds to enter the key
  • The response is validated in sign_key.php and a bearer token is obtained: API validate_u2f

JavaScript Library for U2F

Include the minified library


<script src="js/a2f.js"></script>



  • Axios for AJAX / REST axios.min.js
  • Axios config axios-config.js
  • U2F u2f-api.js
  • U2F utils u2f-utils.js

Based on the above, the following macro algorithm was analyzed and defined. The program should:

  1. Define connection parameters.
  2. With the user logged on the 1st authentication (email), it connects to the server to request a Token.
  3. Upon receipt of the Token, the OTC is requested from the user.
  4. The OTC is sent.
  5. The response is received if the second authentication is authorized or not.
  6. If successful, redirect the application to the Menu
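
What the 2FA server has to decide when the OTC from step 4 arrives, as an added example that is not the code of the NodeJS server described in this article. It assumes the OTC is an RFC 6238 TOTP as Google Authenticator produces it (HMAC-SHA1, 6 digits, 30-second step); the function names, the drift window and the sample secret are assumptions.

```javascript
'use strict';
const crypto = require('crypto');

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
// followed by dynamic truncation to a decimal code.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of time steps since the Unix epoch.
function totp(secret, unixSeconds, step = 30) {
  return hotp(secret, Math.floor(unixSeconds / step));
}

// Verify a submitted OTC. Tolerates +/- `window` steps of clock drift, compares
// in constant time, and refuses any step at or before the last accepted one so
// a captured code cannot be replayed. Returns the matched step or null.
function verifyOtc(secret, submitted, unixSeconds, lastUsedStep = -1, window = 1) {
  if (!/^\d{6}$/.test(submitted)) return null; // reject malformed input early
  const current = Math.floor(unixSeconds / 30);
  const given = Buffer.from(submitted);
  let matched = null;
  for (let c = Math.max(0, current - window); c <= current + window; c++) {
    const ok = crypto.timingSafeEqual(Buffer.from(hotp(secret, c)), given);
    if (ok && c > lastUsedStep && matched === null) matched = c;
  }
  return matched; // the caller stores this per user as the new lastUsedStep
}

// Constructed sample: the RFC 6238 test secret, not a real enrollment secret.
const SAMPLE_SECRET = Buffer.from('12345678901234567890', 'ascii');

// Demo: generate the current code, accept it once, then refuse the replay.
const now = Math.floor(Date.now() / 1000);
const code = totp(SAMPLE_SECRET, now);
const step = verifyOtc(SAMPLE_SECRET, code, now);
console.log('code', code, 'accepted at step', step);
console.log('replay accepted?', verifyOtc(SAMPLE_SECRET, code, now, step) !== null);
```

Only when a check like this succeeds should the server hand back the bearer token that validate_otc returns to the Scriptcase application.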


I hope these 3 articles on the interesting topic of 2FA have been useful to you. Whatever method you use, don't forget to always review the documentation, run tests and finally implement it in Scriptcase.


April 15, 2019

