What is two-factor authentication?
Two-factor authentication (2FA) requires users to provide a second proof of identity after entering their password. Even if a password is compromised, an attacker still cannot log in without access to the second factor. It's widely considered the single most effective control against account takeover.
The two most common implementations are TOTP (Time-based One-Time Password) — the 6-digit codes generated by apps like Google Authenticator or Authy — and SMS OTP, where a code is sent to the user's mobile number. TOTP is more secure (SMS can be intercepted via SIM-swapping) but requires the user to install an authenticator app. SMS has higher adoption but real security limitations.
A complete 2FA implementation also includes backup codes — a set of single-use codes the user can download and store safely to regain access if they lose their device.
When does your app need it?
- You handle sensitive personal or financial data and want to meaningfully reduce account takeover risk
- You operate in a regulated sector — fintech, healthcare, superannuation — where the Australian Privacy Act or ASIC/APRA guidance expects strong authentication
- Your enterprise customers require 2FA as a condition of procurement
- You want to offer 2FA as an optional upgrade for security-conscious users, with the ability to enforce it for admin roles
- Your app has administrator accounts with broad access that would cause significant damage if compromised
- You're seeking security certifications (ISO 27001, SOC 2) that require demonstrable MFA controls
How much does it cost?
Adding two-factor authentication typically adds 4–8 hours of development — roughly $1,000–$2,000 AUD.
At the lower end: TOTP-only 2FA using a library like otplib or speakeasy. The user scans a QR code to enrol their authenticator app, and subsequent logins verify the 6-digit code. Backup codes add a small amount of time.
At the higher end: TOTP plus SMS OTP (via Twilio or similar), enforcement policies (mandatory for certain roles, optional for others), recovery flows for lost devices, and audit logging of 2FA events. SMS delivery requires a Twilio account and introduces an ongoing per-message cost — in Australia, SMS rates via Twilio are roughly $0.08–$0.10 per message.
How it's typically built
TOTP is implemented server-side using a library that generates and validates 6-digit codes. During enrolment, the server generates a secret key per user, renders it as a QR code (typically using qrcode), and the user scans it into their authenticator app. On login, the server recomputes the expected code from that stored secret and the current timestamp and compares it with the code the user submitted.
SMS OTP involves generating a short-lived code (typically 6 digits, valid for 5–10 minutes), storing it server-side, and sending it via an SMS provider. Twilio is the most common choice in Australia. The code is verified on submission and immediately invalidated.
Backup codes are generated as a set of 8–10 random codes at enrolment time, shown to the user once for safekeeping, then stored as individual hashes. Each is marked used on consumption.
Enforcement policies (requiring 2FA for certain roles or making it mandatory app-wide) are implemented as middleware checks after the password step.
Questions to ask your developer
- TOTP, SMS, or both? TOTP is more secure and has no per-message cost; SMS has better adoption with less technical users. Consider which fits your user base.
- Is 2FA enforced for admin roles? Optional 2FA for regular users but mandatory for admins is a sensible default that reduces risk without friction.
- How does recovery work? If a user loses their phone, how do they regain access? Backup codes are the standard answer — ensure they're part of the implementation.
- Are 2FA events logged? Enrolment, successful verification, failed attempts, and recovery code use should all be audit-logged.
- What's the ongoing SMS cost? If using SMS OTP, get an estimate of per-message cost based on expected monthly active users.