Just shipped 2FA to Uppale.com! 🔒
by•
Hey Hunters! 👋
​I wanted to share a quick milestone we just pushed live on Uppale.com, our community-driven visibility platform for local businesses. We just shipped a full vertical slice implementation of Two-Factor Authentication (TOTP) to protect our users' slots and account security.
​The most interesting part of this update is the architectural approach we chose, which was guided by two core principles: 100% privacy and zero infrastructure costs.
​Here is how it works under the hood:
​Adaptive / Risk-Based Auth: We hate tedious logins. Users are only challenged for a 6-digit security code if they log in from an unfamiliar device or location. Known devices rely on a secure httpOnly trust cookie to skip the prompt.
​Purely Cryptographic ($0 API Costs): Instead of using expensive SMS gateways that drain resources, we implemented a custom TOTP engine (otplib + Prisma). Secrets are stored AES-256-GCM encrypted in our Postgres DB, alongside HMAC-hashed, single-use recovery codes.
​Next.js 16 Stack: The feature is fully built on Next.js 16 (App Router) and React 18. It utilizes temporary session IDs stashed in Redis during the 2FA challenge window to completely withhold Supabase auth tokens until the user is verified.
​We wanted a production-ready system that is robust, accessible, and lightweight without paying a single cent for third-party API networks on every login, and 10/10 end-to-end tests are officially passing live on production.
​If you want to support the project, see how it's evolving, or drop some feedback on our backend approach, check out our launch page:
​👉 Check out our official Product Launch on Product Hunt:
https://producthunt.com/products...
15 views
Replies
smart call dropping sms gateways for cryptographic totp. sms auth providers are the unkillable monthly tax on every saas. one followup. are you exposing totp recovery (the aes-256-gcm hashed single-use codes) on a separate recovery url with rate limiting, or also requiring email confirmation for recovery code use? the second-factor recovery flow is where most teams ship 2fa and then realize they shipped a hole. good launch.