2FA Module
The 2FA module adds an extra account security step during login.
Current implementation is code-based verification, focused on predictable login flows.
Core vs Extensions
| Area | Type | Required to use 2FA? | Notes |
|---|---|---|---|
System status (/system) | Core | Yes | Reads global toggle + available methods |
User methods (/methods) | Core | Yes | Reads configured user methods |
Start challenge (/{method}/start) | Core | Yes | Sends verification code |
Verify (/verify) | Core | Yes | Promotes pending session to active (login flow) |
Setup endpoints (/email/setup, /sms/setup) | Core | Yes | Method provisioning |
| Toggle and delete method | Core | Yes | Account-level control |
| Optional extensions | Extension | No | No separate 2FA extension pack documented right now |
Important note
Unlike Blog, 2FA does not currently expose a separate optional extension family in docs.
So today, 2FA is treated as one cohesive module. You enable it as a capability, not as multiple plugin packs.