# Build a custom flow for managing multi-factor authentication > This guide is for users who want to build a custom flow. To use a _prebuilt_ UI, use the [Account Portal pages](https://clerk.com/docs/guides/account-portal/overview.md) or [prebuilt components](https://clerk.com/docs/reference/components/overview.md). [Multi-factor verification (MFA)](https://clerk.com/docs/guides/configure/auth-strategies/sign-up-sign-in-options.md#multi-factor-authentication) is an added layer of security that requires users to provide a second verification factor to access an account. Clerk supports MFA through **SMS verification code**, **Authenticator application**, and **Backup codes**. This guide will walk you through how to build a custom flow that allows users to manage their MFA settings: - [SMS verification code & backup codes](#sms-verification-code) - [Authenticator application (TOTP) & backup codes](#authenticator-application-totp) ## SMS verification code 1. ### Enable multi-factor authentication For your users to be able to enable MFA for their account, you need to enable MFA for your application. 1. In the Clerk Dashboard, navigate to the [**Multi-factor**](https://dashboard.clerk.com/~/user-authentication/multi-factor) page. 2. For the purpose of this guide, toggle on both the **SMS verification code** and **Backup codes** strategies. 3. Select **Save**. 2. ### Build the custom flow This example consists of two pages: - The main page where users can manage their SMS MFA settings - The page where users can add a phone number to their account Use the following tabs to view the code necessary for each page. **Manage MFA page** filename: app/account/manage-mfa/page.tsx ```tsx 'use client' import * as React from 'react' import { useUser, useReverification, useClerk, useSession } from '@clerk/nextjs' import { BackupCodeResource, PhoneNumberResource } from '@clerk/shared/types' import Link from 'next/link' import { useRouter } from 'next/navigation' // Display phone numbers reserved for MFA const ManageMfaPhoneNumbers = () => { const { isSignedIn, user } = useUser() const clerk = useClerk() // Handle signed out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && clerk.session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

// Check if any phone numbers are reserved for MFA const mfaPhones = user?.phoneNumbers .filter((ph) => ph.verification.status === 'verified') .filter((ph) => ph.reservedForSecondFactor) .sort((ph: PhoneNumberResource) => (ph.defaultSecondFactor ? -1 : 1)) if (!mfaPhones || mfaPhones.length === 0) { return

There are currently no phone numbers reserved for MFA.

} return ( <>

Phone numbers reserved for MFA

) } // Display phone numbers that are not reserved for MFA const ManageAvailablePhoneNumbers = () => { const { isSignedIn, user } = useUser() const clerk = useClerk() const router = useRouter() const setReservedForSecondFactor = useReverification((phone: PhoneNumberResource) => phone.setReservedForSecondFactor({ reserved: true }), ) const destroyPhone = useReverification((phone: PhoneNumberResource) => phone.destroy()) // Complete the session task when phone number is picked for MFA const completeTask = async () => { try { await clerk.setActive({ session: clerk.session?.id, navigate: async ({ session, decorateUrl }) => { const url = decorateUrl('/') if (url.startsWith('http')) { window.location.href = url } else { router.push(url) } }, }) } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } // Handle signed out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && clerk.session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

// Get verified phone numbers that aren't reserved for MFA const availableForMfaPhones = user?.phoneNumbers .filter((ph) => ph.verification.status === 'verified') .filter((ph) => !ph.reservedForSecondFactor) // Enable a phone number for MFA const reservePhoneForMfa = async (phone: PhoneNumberResource) => { try { // Set the phone number as reserved for MFA await setReservedForSecondFactor(phone) if (clerk.session?.currentTask?.key === 'setup-mfa') completeTask() // Refresh the user information to reflect changes await user?.reload() } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } if (!availableForMfaPhones || availableForMfaPhones.length === 0) { return

There are currently no verified phone numbers available to be reserved for MFA.

} return ( <>

Phone numbers that are not reserved for MFA

) } // Generate and display backup codes function GenerateBackupCodes() { const { user } = useUser() const [backupCodes, setBackupCodes] = React.useState(undefined) const createBackupCode = useReverification(() => user?.createBackupCode()) const [loading, setLoading] = React.useState(false) React.useEffect(() => { if (backupCodes) return setLoading(true) void createBackupCode() .then((backupCode: BackupCodeResource | undefined) => { if (backupCode) setBackupCodes(backupCode) setLoading(false) }) .catch((err) => { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) setLoading(false) }) }, [backupCodes, createBackupCode]) if (loading) return

Loading...

if (!backupCodes) return

There was a problem generating backup codes

return (
    {backupCodes.codes.map((code, index) => (
  1. {code}
    2. ))}
) } export default function ManageMFA() { const [showBackupCodes, setShowBackupCodes] = React.useState(false) const { isLoaded, isSignedIn, user } = useUser() const { session } = useSession() const clerk = useClerk() const router = useRouter() // Complete the session task when phone number is picked for MFA const completeTask = async () => { try { await clerk.setActive({ session: clerk.session?.id, navigate: async ({ session, decorateUrl }) => { const url = decorateUrl('/') if (url.startsWith('http')) { window.location.href = url } else { router.push(url) } }, }) } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } // Handle loading state if (!isLoaded) return

Loading...

// Handle signed out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

return ( <>

User MFA Settings

{/* Manage SMS MFA */} Add a new phone number {/* Manage backup codes */} {user?.twoFactorEnabled && (

Generate new backup codes? -{' '}

)} {showBackupCodes && ( <> )} ) } ``` **Add phone number page** filename: app/account/add-phone/page.tsx ```tsx 'use client' import * as React from 'react' import { useSession, useUser, useReverification } from '@clerk/nextjs' import { PhoneNumberResource } from '@clerk/shared/types' export default function Page() { const { isLoaded, isSignedIn, user } = useUser() const { session } = useSession() const createPhoneNumber = useReverification((phone: string) => user?.createPhoneNumber({ phoneNumber: phone }), ) const [phone, setPhone] = React.useState('') const [code, setCode] = React.useState('') const [isVerifying, setIsVerifying] = React.useState(false) const [successful, setSuccessful] = React.useState(false) const [phoneObj, setPhoneObj] = React.useState() // Handle loading state if (!isLoaded) return

Loading...

// Handle signed-out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

// Handle addition of the phone number const handleSubmit = async (e: React.FormEvent) => { e.preventDefault() try { // Add unverified phone number to user const res = await createPhoneNumber(phone) // Reload user to get updated User object await user.reload() // Create a reference to the new phone number to use related methods const phoneNumber = user.phoneNumbers.find((a) => a.id === res?.id) setPhoneObj(phoneNumber) // Send the user an SMS with the verification code phoneNumber?.prepareVerification() // Set to true to display second form // and capture the code setIsVerifying(true) } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } // Handle the submission of the verification form const verifyCode = async (e: React.FormEvent) => { e.preventDefault() try { // Verify that the provided code matches the code sent to the user const phoneVerifyAttempt = await phoneObj?.attemptVerification({ code }) if (phoneVerifyAttempt?.verification.status === 'verified') { setSuccessful(true) } else { // If the status is not complete, check why. User may need to // complete further steps. console.error(JSON.stringify(phoneVerifyAttempt, null, 2)) } } catch (err) { console.error(JSON.stringify(err, null, 2)) } } // Display a success message if the phone number was added successfully if (successful) return

Phone added

// Display the verification form to capture the code if (isVerifying) { return ( <>

Verify phone

verifyCode(e)}>
setCode(e.target.value)} id="code" name="code" type="text" value={code} />
) } // Display the initial form to capture the phone number return ( <>

Add phone

handleSubmit(e)}>
setPhone(e.target.value)} id="phone" name="phone" type="phone" value={phone} />
) } ``` ## Authenticator application (TOTP) 1. ### Enable multi-factor authentication For your users to be able to enable MFA for their account, you need to enable MFA for your application. 1. In the Clerk Dashboard, navigate to the [**Multi-factor**](https://dashboard.clerk.com/~/user-authentication/multi-factor) page. 2. For the purpose of this guide, toggle on both the **Authenticator application** and **Backup codes** strategies. 3. Select **Save**. 2. ### Build the custom flow This example consists of two pages: - The main page where users can manage their MFA settings - The page where users can add TOTP MFA Use the following tabs to view the code necessary for each page. **Manage MFA page** filename: app/account/manage-mfa/page.tsx ```tsx 'use client' import * as React from 'react' import { useUser, useReverification, useClerk, useSession } from '@clerk/nextjs' import Link from 'next/link' import { BackupCodeResource } from '@clerk/shared/types' import { useRouter } from 'next/navigation' // If TOTP is enabled, provide the option to disable it const TotpEnabled = () => { const { user } = useUser() const disableTOTP = useReverification(() => user?.disableTOTP()) return (

TOTP via authentication app enabled -

) } // If TOTP is disabled, provide the option to enable it const TotpDisabled = () => { return (

Add TOTP via authentication app -{' '}

) } // Generate and display backup codes export function GenerateBackupCodes() { const { user } = useUser() const [backupCodes, setBackupCodes] = React.useState(undefined) const createBackupCode = useReverification(() => user?.createBackupCode()) const [loading, setLoading] = React.useState(false) React.useEffect(() => { if (backupCodes) return setLoading(true) void createBackupCode() .then((backupCode: BackupCodeResource | undefined) => { setBackupCodes(backupCode) setLoading(false) }) .catch((err) => { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) setLoading(false) }) }, [backupCodes, createBackupCode]) if (loading) return

Loading...

if (!backupCodes) return

There was a problem generating backup codes

return (
    {backupCodes.codes.map((code, index) => (
  1. {code}
    2. ))}
) } export default function ManageMFA() { const { isLoaded, isSignedIn, user } = useUser() const clerk = useClerk() const router = useRouter() // Complete the session task when phone number is picked for MFA const completeTask = async () => { try { await clerk.setActive({ session: clerk.session?.id, navigate: async ({ decorateUrl }) => { const url = decorateUrl('/') if (url.startsWith('http')) { window.location.href = url } else { router.push(url) } }, }) } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } const [showNewCodes, setShowNewCodes] = React.useState(false) // Handle loading state if (!isLoaded) return

Loading...

// Handle signed out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && clerk.session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

return ( <>

User MFA Settings

{/* Manage TOTP MFA */} {user?.totpEnabled ? : } {/* Manage backup codes */} {user?.backupCodeEnabled && user.twoFactorEnabled && (

Generate new backup codes? -{' '}

)} {showNewCodes && ( <> )} ) } ``` **Add TOTP page** filename: app/account/manage-mfa/add/page.tsx ```tsx 'use client' import { useUser, useReverification, useClerk, useSession } from '@clerk/nextjs' import { TOTPResource } from '@clerk/shared/types' import Link from 'next/link' import * as React from 'react' import { QRCodeSVG } from 'qrcode.react' import { GenerateBackupCodes } from '../page' import { useRouter } from 'next/navigation' type AddTotpSteps = 'add' | 'verify' | 'backupcodes' | 'success' type DisplayFormat = 'qr' | 'uri' function AddTotpScreen({ setStep, }: { setStep: React.Dispatch> }) { const { user } = useUser() const [totp, setTOTP] = React.useState(undefined) const [displayFormat, setDisplayFormat] = React.useState('qr') const createTOTP = useReverification(() => user?.createTOTP()) React.useEffect(() => { void createTOTP() .then((totp: TOTPResource | undefined) => { if (totp) setTOTP(totp) }) .catch((err) => // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)), ) }, [createTOTP]) return ( <>

Add TOTP MFA

{totp && displayFormat === 'qr' && ( <>
)} {totp && displayFormat === 'uri' && ( <>

{totp.uri}

)}

Once you have set up your authentication app, verify your code

) } function VerifyTotpScreen({ setStep, }: { setStep: React.Dispatch> }) { const { user } = useUser() const [code, setCode] = React.useState('') const verifyTotp = async (e: React.FormEvent) => { e.preventDefault() try { await user?.verifyTOTP({ code }) setStep('backupcodes') } catch (err) { console.error(JSON.stringify(err, null, 2)) } } return ( <>

Verify TOTP

verifyTotp(e)}> setCode(e.currentTarget.value)} />
) } function BackupCodeScreen({ setStep, }: { setStep: React.Dispatch> }) { const clerk = useClerk() const router = useRouter() // Complete the session task when phone number is picked for MFA const completeTask = async () => { try { await clerk.setActive({ session: clerk.session?.id, navigate: async ({ decorateUrl }) => { const url = decorateUrl('/') if (url.startsWith('http')) { window.location.href = url } else { router.push(url) } }, }) } catch (err) { // See https://clerk.com/docs/guides/development/custom-flows/error-handling // for more info on error handling console.error(JSON.stringify(err, null, 2)) } } return ( <>

Verification was a success!

Save this list of backup codes somewhere safe in case you need to access your account in an emergency

) } function SuccessScreen() { return ( <>

Success!

You have successfully added TOTP MFA via an authentication application.

) } export default function AddMFaScreen() { const [step, setStep] = React.useState('add') const { isLoaded, isSignedIn } = useUser() const { session } = useSession() // Handle loading state if (!isLoaded) return

Loading...

// Handle signed out state // If the user is trying to set up MFA, they should be able to access this page if (!isSignedIn && session?.currentTask?.key !== 'setup-mfa') return

You must be signed in to access this page

return ( <> {step === 'add' && } {step === 'verify' && } {step === 'backupcodes' && } {step === 'success' && } Manage MFA ) } ``` --- ## Sitemap [Overview of all docs pages](https://clerk.com/docs/llms.txt)