New: Learn Statamic on Laracasts!


2FA Main Screenshot

Statamic 3.0+ Codacy Badge

Two Factor Login for Statamic 3

Statamic 2FA is a middleware addon for Statamic 3 that adds 2FA (2 factor) auth to the control panel of Statamic 3 using time based codes.


Statamic 2FA is commercial software. You do not need a licence for development but when you are ready to deploy the site to production please purchase a licence per site on the Statamic Marketplace.


Install the addon using composer

You can install this addon via composer with the following command or from the Statamic control panel.

composer require kind-work/two-fa


Add the two_fa field to your user blueprint. Edit your user profile in the control panel (CP) to set up 2FA protection for your account.

title: User
    display: Main
      - handle: name
          type: text
          display: Name
      - handle: email
          type: text
          input: email
          display: 'Email Address'
      - handle: roles
          type: user_roles
          width: 50
      - handle: groups
          type: user_groups
          width: 50
      - handle: avatar
          type: assets
          max_files: 1
      - handle: two_fa
          type: two_fa
          localizable: false
          display: 'Two FA'

Force 2FA Login

To force 2FA for all users set an environment variable FORCE_2FA to true.

To force 2FA for specific roles, publish the config file and edit as appropriate.

php artisan vendor:publish --tag="two-fa-config"

QRCode Rendering

By default QR codes are rendered as inline PNG files. This requires the Imagick PHP extension. If you would rather not or can not install Imagick you can render the QR codes as SVGs instead. You can customize this in your configuration file or by setting the environment variable QR_CODE_TYPE to SVG.

Max Attempts

By default accounts are locked out after 5 attempts to enter a 2FA code. You can change this in the config or by setting the environment variable 2FA_MAX_ATTEMPTS.

Remember Time

A user can choose to remember the browser when they enter their 2FA code, so they do not have to re-enter their 2FA code on each login. By default the time to remember the code is 30 days. You can change this default by setting the number of minutes that the browser should be remembered in the config or the environment variable 2FA_REMEMBER_TIME.


If you store your users in a database run the following command to generate a database migration.

php artisan vendor:publish --tag="twofa-migrations"

Migration from V1 to V2

File Based Users (default)

If you store your users in files you can optionally run the following migration to move over remember tokens and the 2FA-enabled visual indicator field to their new names.

php please 2fa:migrate:fields

Database Users

To migrate your MySQL database to the new column names, run the following commands to copy over and run the migration.

php artisan vendor:publish --tag="twofa-migrations"
php artisan migrate


Please see the Release Notes for more information what has changed recently.


If you discover any security-related issues, please email [email protected] instead of using the issue tracker.


This is commercial software. You may use the package for your sites. Each site requires its own license. You can purchase a licence from The Statamic Marketplace.