
2FA Laravel Package

dragonzap/2fa

Laravel 2FA package with email-based codes by default and optional TOTP for Google/Microsoft Authenticator. Protect routes via the twofactor middleware (always or if-enabled). Publish config, run migrations, and override classes to fully customize the flow.


Used for building two-factor authentication in Laravel.

Frequently asked questions about 2FA
How do I enable 2FA for specific routes in Laravel using DragonZap2FA?
Use the `twofactor` middleware in your route definitions. For example, `Route::group(['middleware' => ['auth', 'twofactor:always']], ...)` forces 2FA on all users, while `twofactor:if-enabled` only requires it for users who’ve opted in. The package automatically enables 2FA on the user’s account after successful verification.
Does DragonZap2FA support TOTP (Google/Microsoft Authenticator) out of the box?
Yes, the package includes TOTP support by default. Users can scan a QR code generated by the package to set up authenticator apps. The `php-otp` library handles TOTP generation under the hood, ensuring compatibility with major authenticator apps.
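The check that authenticator-app support relies on is the RFC 6238 TOTP algorithm. The following standalone PHP example is added here for illustration; it is not code from dragonzap/2fa and does not use the package's API. The function names are hypothetical, and it assumes the authenticator defaults of a 30-second step, 6 digits and HMAC-SHA1.

```php
<?php
// Added example, not dragonzap/2fa code. Names are hypothetical.

/** Decode the RFC 4648 base32 secret that the QR code carries. */
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $ch) {
        $idx = strpos($alphabet, $ch);
        if ($idx === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { // drop trailing pad bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226) for one counter; TOTP uses counter = floor(time / 30). */
function hotp(string $key, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f; // dynamic truncation offset
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Return the matched time step or null; $lastStep is the last accepted step. */
function verifyTotp(string $secret, string $code, int $now, ?int $lastStep = null, int $window = 1): ?int
{
    $key = base32Decode($secret);
    $matched = null;
    for ($step = intdiv($now, 30) - $window; $step <= intdiv($now, 30) + $window; $step++) {
        // Skip steps already used (replay guard); compare in constant time.
        if (($lastStep === null || $step > $lastStep) && hash_equals(hotp($key, $step), $code)) {
            $matched = $step;
        }
    }
    return $matched;
}

// Constructed input: RFC 6238 Appendix B secret "12345678901234567890" at T=59.
var_dump(verifyTotp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59));
var_dump(verifyTotp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59, 1)); // replay of step 1
```

Persist the returned step per user and pass it back as `$lastStep` so that a code cannot be accepted twice. Each candidate step costs a single HMAC-SHA1 computation.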
What Laravel versions does DragonZap2FA support?
The package is tested with Laravel 9 and 10. Check the `composer.json` constraints for exact version requirements, but it adheres to Laravel’s modern authentication contracts (e.g., `MustVerifyEmail`, `Authenticatable`), making it compatible with most recent Laravel setups.
How do I customize the 2FA flow or override default behaviors?
DragonZap2FA is designed for extensibility. You can override provided classes (e.g., `TwoFactorMiddleware`, `TwoFactorController`) by publishing the vendor files with `php artisan vendor:publish` and modifying the published stubs. The config file (`config/dragonzap_2fa.php`) also allows tuning settings like TOTP issuer names or backup code policies.
What happens if a user loses their TOTP device or backup codes?
The package includes a recovery mechanism via email-based 2FA codes, which act as a fallback. Users can regenerate backup codes through the provided Blade directives or API endpoints. Ensure your `config/dragonzap_2fa.php` is configured to send recovery emails to the correct address.
Can I integrate DragonZap2FA with Laravel Sanctum or Passport for API-based 2FA?
Yes, but you’ll need to manually validate 2FA tokens in your API middleware or guards. The package provides the underlying logic, but API integrations (e.g., Sanctum/Passport) require custom middleware to verify 2FA tokens alongside existing auth tokens. Test thoroughly to avoid breaking existing API flows.
Are there performance concerns with TOTP generation under high traffic?
TOTP generation can be CPU-intensive if not optimized. The package doesn’t include built-in caching, so for high-traffic routes (e.g., 10K+ RPS), cache TOTP secrets in Redis or Memcached to reduce database load. Monitor query performance during load testing, especially for backup code checks.
Does DragonZap2FA support hardware tokens like YubiKey or Duo?
No, the package currently supports email-based 2FA and TOTP (authenticator apps). For hardware tokens, consider alternatives like `laravel-duo` or `laravel-yubikey`, or extend DragonZap2FA by overriding the `TwoFactorGenerator` class to integrate custom providers.
How do I handle multi-device synchronization for users with multiple sessions?
DragonZap2FA doesn’t include built-in session synchronization. To support multi-device access, implement a shared secret or token system (e.g., store the same TOTP secret across sessions in the database). Alternatively, use Laravel’s session drivers to replicate 2FA state, but test thoroughly to avoid race conditions.
What’s the upgrade path if DragonZap2FA becomes abandoned or unsupported?
Since the package is modular, you can fork it on GitHub to maintain it yourself. Document all customizations (e.g., overridden classes, config changes) to ease migration to another package like `laravel-2fa` or `overtrue/laravel-2fa`. Always back up your database and test migrations before upgrading.