This error occurs when a user with multi-factor authentication (MFA) enabled tries to sign in. Firebase requires completing the second factor challenge before granting access. Handle this error by catching it and using the MultiFactorResolver to prompt the user for their second factor.
The "auth/second-factor-required" error (also known as "auth/multi-factor-auth-required") is thrown by Firebase Authentication when a user has enrolled in multi-factor authentication and attempts to sign in. This is a security feature that ensures users complete an additional verification step beyond their password. When this error is thrown during a sign-in attempt, Firebase provides a MultiFactorResolver object containing hints about the user's enrolled second factors (such as SMS or TOTP) and maintains an underlying session proving the user successfully authenticated with their first factor (email/password or other provider). This error is not a failure condition. It is an expected part of the MFA sign-in flow that requires your application to handle the second factor challenge.
When a user with MFA tries to sign in, catch the error and check its code:

import { signInWithEmailAndPassword, getMultiFactorResolver } from "firebase/auth";
import { auth } from "./firebase-config";

try {
  await signInWithEmailAndPassword(auth, email, password);
  // User signed in successfully (no MFA required)
} catch (error) {
  if (error.code === "auth/multi-factor-auth-required") {
    // User has MFA enrolled - handle second factor
    const resolver = getMultiFactorResolver(auth, error);
    // Continue to next step
  } else {
    // Other authentication error
    console.error("Sign-in failed:", error.message);
  }
}

The resolver contains hints about which second factors are enrolled:

if (error.code === "auth/multi-factor-auth-required") {
  const resolver = getMultiFactorResolver(auth, error);
  // Get list of enrolled second factors
  const hints = resolver.hints;
  // Each hint contains information about a second factor
  hints.forEach((hint) => {
    if (hint.factorId === "phone") {
      // phoneNumber is the masked number, like "+1 (555) 123-****";
      // displayName is the optional label set at enrollment
      console.log("SMS to:", hint.phoneNumber);
    } else if (hint.factorId === "totp") {
      console.log("TOTP authenticator app");
    }
  });
  // Typically there will be one enrolled factor, but users can have multiple
}

Display the enrolled second factors to the user and let them choose which one to use:

import { getMultiFactorResolver, PhoneAuthProvider } from "firebase/auth";

const resolver = getMultiFactorResolver(auth, error);
const hints = resolver.hints;
// For a single SMS factor, automatically use it
const phoneHint = hints.find(h => h.factorId === "phone");
if (phoneHint) {
  // Send SMS code to the user's phone
  try {
    const phoneAuthProvider = new PhoneAuthProvider(auth);
    // During MFA sign-in the hint only exposes a masked number, so pass the
    // hint together with the resolver's first-factor session instead of a
    // raw phone number
    const verificationId = await phoneAuthProvider.verifyPhoneNumber(
      { multiFactorHint: phoneHint, session: resolver.session },
      window.recaptchaVerifier // or your RecaptchaVerifier instance
    );
    // Store verificationId for use in next step
    // Prompt user to enter SMS code they received
  } catch (error) {
    console.error("Failed to send SMS:", error);
  }
}

After the user provides their second factor code (SMS or TOTP), verify it and complete the sign-in:

import {
  signInWithEmailAndPassword,
  getMultiFactorResolver,
  PhoneAuthProvider,
  PhoneMultiFactorGenerator,
  RecaptchaVerifier
} from "firebase/auth";

// After user enters SMS code
const smsCode = userEnteredCode; // "123456"
const verificationId = storedVerificationId; // From previous step

try {
  // `error` is the auth/multi-factor-auth-required error caught at sign-in
  const resolver = getMultiFactorResolver(auth, error);
  // Create PhoneMultiFactorAssertion from the SMS code
  const phoneAssertion = PhoneMultiFactorGenerator.assertion(
    PhoneAuthProvider.credential(verificationId, smsCode)
  );
  // Complete sign-in with the second factor
  const result = await resolver.resolveSignIn(phoneAssertion);
  // User is now signed in
  console.log("Successfully signed in:", result.user.email);
} catch (err) {
  console.error("Invalid code or sign-in failed:", err);
}

If the user has TOTP (Time-based One-Time Password) enabled instead of SMS:

import {
  getMultiFactorResolver,
  TotpMultiFactorGenerator
} from "firebase/auth";

const resolver = getMultiFactorResolver(auth, error);
const totpHint = resolver.hints.find(h => h.factorId === "totp");
if (totpHint && userSelectedTOTP) {
  // User enters 6-digit code from their authenticator app
  const totpCode = userEnteredCode; // "123456"
  try {
    // Create TOTP sign-in assertion from the enrolled factor's uid and the code
    const totpAssertion = TotpMultiFactorGenerator.assertionForSignIn(
      totpHint.uid,
      totpCode
    );
    // Complete sign-in with TOTP
    const result = await resolver.resolveSignIn(totpAssertion);
    console.log("Signed in with TOTP:", result.user.email);
  } catch (error) {
    console.error("Invalid TOTP code:", error);
  }
}

MFA requires a paid Firebase plan (Blaze plan or higher); the free Spark plan does not support multi-factor authentication. Email verification must be enabled for MFA to work; this prevents attackers from registering with emails they don't own and locking out legitimate users.
Firebase supports multiple second factors per user, so when prompting for a factor, show all available options (SMS phone numbers and TOTP authenticators). The resolver maintains a temporary session valid for 15 minutes, so users have time to retrieve their second factor code.
In mobile apps (Flutter, React Native), catch FirebaseAuthMultiFactorException instead of a generic error. The underlying session is stored securely and users only need to complete second factor verification once per 30 days on the same device by default (depending on your security policy).
For web apps, you must provide a working RecaptchaVerifier instance when sending SMS codes, as this helps Firebase prevent abuse. If the user doesn't complete the second factor within the session timeout, they will need to sign in again from the first factor.
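
The steps above combined into one sign-in routine, as an added example that is not code from Firebase or from the original page. It assumes `fb` is the namespace import of "firebase/auth" and that `ui.chooseFactor`, `ui.promptForCode`, `ui.recaptchaVerifier` and `maxAttempts` are hypothetical app-supplied pieces; it shows every enrolled factor, caps wrong-code retries, and surfaces any other error (such as an expired session) so the caller restarts from the first factor.

```javascript
// Added example. `fb` = import * as fb from "firebase/auth" (passed in so the
// flow can be exercised with a stub). `ui` callbacks are hypothetical app code.
async function signInWithMfa(fb, auth, email, password, ui, maxAttempts = 3) {
  let resolver;
  try {
    const cred = await fb.signInWithEmailAndPassword(auth, email, password);
    return cred.user; // no second factor enrolled
  } catch (error) {
    // Anything other than the MFA challenge is a real sign-in failure.
    if (error.code !== "auth/multi-factor-auth-required") throw error;
    resolver = fb.getMultiFactorResolver(auth, error);
  }

  // Show every enrolled factor and let the user pick one.
  const hint = await ui.chooseFactor(resolver.hints);

  let verificationId = null;
  if (hint.factorId === "phone") {
    // The hint carries only a masked number; Firebase resolves the real one
    // from the hint plus the first-factor session.
    verificationId = await new fb.PhoneAuthProvider(auth).verifyPhoneNumber(
      { multiFactorHint: hint, session: resolver.session },
      ui.recaptchaVerifier
    );
  }

  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const code = await ui.promptForCode(hint, attempt);
    const assertion = hint.factorId === "phone"
      ? fb.PhoneMultiFactorGenerator.assertion(
          fb.PhoneAuthProvider.credential(verificationId, code))
      : fb.TotpMultiFactorGenerator.assertionForSignIn(hint.uid, code);
    try {
      return (await resolver.resolveSignIn(assertion)).user;
    } catch (err) {
      // Retry only a mistyped code, and only up to the cap; expired sessions
      // and other errors go back to the caller.
      const retryable = err.code === "auth/invalid-verification-code";
      if (!retryable || attempt === maxAttempts) throw err;
    }
  }
}
```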