Authenticator Apps (TOTP) with Flows

This guide will walk you through integrating TOTP Authenticator Apps into your Descope Flows. TOTP (Time-Based One-Time Password) adds an extra layer of security by requiring users to enter a code generated by an authenticator app.

Flow Actions

When using TOTP, the following actions are available:

  • Sign Up or In / TOTP - Verifies the TOTP code and either signs the user up if they do not exist or signs them in if they do.
  • Sign In / TOTP - Verifies the TOTP code and signs the user in if they already exist; fails if they do not.
  • Update User / TOTP - Links an authenticator app to an existing user, so they can use it as an authentication method in the future.

How to Use TOTP Actions

To learn more about Actions in general, you can refer to our guide on them.

These actions can be integrated into your application like any other Action.

This is an example of using the Sign Up or In / TOTP action in a flow:

[Image: generate TOTP secret flow action]

To set up and verify an authenticator app using TOTP, you'll need to scan the QR code that the action creates automatically, and then verify the code with Descope.

[Image: TOTP QR code]

Flow Screens

There's not much you need to handle in flow screens when using TOTP. However, you can develop your own screens and drop in your own TOTP QR Code for verification purposes using the TOTP QR Code action.

[Image: TOTP QR Code action]

How to Delete TOTP for Users

A Descoper can remove or delete TOTP for a user who has signed up with it. Once the TOTP authentication method is enabled for a user, their record appears in the user management console. Descope provides an option to clear or reset TOTP for that user if necessary. To do this, select the user record and use one of two methods: click the three dots on the right and select Delete TOTP Seed, or click Delete TOTP Seed at the top of the table. This allows you to reset TOTP for users who have registered with the TOTP auth method.

[Image: Delete TOTP]

Error Handling

Errors are handled the same way as for any other action. You can refer to our Flow Error Handling guide for more details.
