Ask A Question


You’re not receiving notifications from this thread.

Two Factor Authentication With Devise Discussion

Was looking at this the other week... perfect timing Chris. Legend.

Naga Krushna Yelisetty Naga Krushna Yelisetty

Hi i'm getting this error when entering 2fa and after click login
Help me
Please check my code

https://uploads.disquscdn.c... '


Your code snippets use of the incorrect unicode quote characters just wasted me a lot of time in debugging. Need to fix that.


I've had that issue before when copying code from Medium for example. You get in the habit of looking for it after a while, but it does also highlight it can be better to write out the code which helps you to understand it opposed to just copy and pasting.


Up and running :) thanks

One step from gem doc that I dont think was covered
"Filtering sensitive parameters from the logs
To prevent two-factor authentication codes from leaking if your application logs get breached, you'll want to filter sensitive parameters from the Rails logs. Add the following to config/initializers/filter_parameter_logging.rb:"

Rails.application.config.filter_parameters += [:otp_attempt]


Really great Chris. You can even extend this to send SMS quite easily

def pre_otp
    user = User.find_by(otp_params)
    @two_factor_enabled = user && user.otp_required_for_login

    respond_to do |format|
      format.js {
        # Users should be able to receive their one-time password via SMS
        # through a service like Twilio
        @otp = user.current_otp if @two_factor_enabled
        # ...logic to send @otp

I am trying to send the user their current_otp via email, but whenever i call current_otp I get an error of NoMethodError (undefined method `scan' for nil:NilClass): ...


I'm having the same issue. Were you able to resolve it?


It works fine but once I disabled the 2FA and enabled again, I can't log in with the one time password. Did I miss anything?


Facing same issue. Please share if you got any solution.


I got this error when I login with 2 factor authenication.

NoMethodError in Users::SessionsController#create
undefined method `each' for #String:0x000055ad15249060

    codes = self.otp_backup_codes || []
    codes.each do |backup_code|
      next unless, backup_code, code)

The Error is strange to me.  There is no Create method in Users::SessionsController in your example code

Can you create a gist with the Users::SessionsController and your Two Factor Auths controller? The above example isn't enough context to see what's going on


The Error is caused by the Sqllite database which does not support array. Once I change the database to postgresql, it is OK.

Thanks for feedback.


No worries, as a rule of thumb postgres is much more powerful than SQL Lite. To configure your next Rails app for Postgres, run this command: rails new myapp --database=postgresql


My issues is: it is easier to use SqlLite as development platform before posting the system.


There is any way to use the 2FA only in a specific action of a controller, after a non-2fa login?
Example: To autheticate a money transfer operation. So I can login without 2FA and see my operation's history, but to do a new transfer it should force the 2FA.


Amazing tutorial, really clear explanations and overall short solution! My first interaction with the lessons and I feel blessed for stumbling upon this resource.


I'm about 13 minutes into this tutorial and get a routing error.

No route matches {:action=>"show", :controller=>"two_factor"}, missing required keys: [:id]

I've checked and double checked my typing, but I often have routing errors.


This is one is caused by a missing OTP_KEY. You need to set it up.


Are you getting this on the delete? There is no show method for that controller. Check yoru code in _two_factor.html.erb. Do you have the method: :post or method: :delete on the items?


Amazing work Chris. 2021 and still found this tutorial to be of great help. Thank you.


Working on this and I have a variation on the login that does login OR email per the Devise wiki ( and it has something similar at the bottom, but that code seems outdated and isn't working. So I have email, login , and a virtual attribute of userlogin setup with attr_accessor. When passing to the pre_otp check, it errors that userlogin isn't a column, which is correct. But the form works when not split.

(I did change Pro to Proc in the wiki example as Pro was unknown; That then results in a undefined method 'where' for Proc:Class error, so the issue may be there as opposed to something else)

Any ideas?


Hi @chris. Thanks for the awsm work.
However I realised that there is a bug with devise when used with lockable and two_factor_authenticatable/two_factor_backupable models.
Whenever, I validate the username and password and render the otp prompt screen, devise updates the failed_attempts twice.

This is already a burning issue with a lot of open threads. Please let me know if there is any solution or workaround.
Related threads

Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 82,329+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.