otplib vs speakeasy vs authy
Two-Factor Authentication Libraries
Search packages..
otplibspeakeasyauthySimilar Packages:

Two-Factor Authentication Libraries

Two-factor authentication (2FA) libraries provide mechanisms to enhance security by requiring two forms of verification before granting access to an account or system. These libraries facilitate the generation and validation of time-based one-time passwords (TOTP) or SMS-based codes, ensuring that even if a password is compromised, unauthorized access is still prevented. They are essential for applications that prioritize user security, protecting sensitive data and user accounts from unauthorized access.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
otplib2,107,8152,241524 kB62 months agoMIT
speakeasy940,5682,757-6710 years agoMIT
authy11,6169722.5 kB5-MIT

Feature Comparison: otplib vs speakeasy vs authy

Authentication Methods

  • otplib:

    otplib focuses exclusively on TOTP and HOTP methods, providing a simple and efficient way to generate time-based or counter-based one-time passwords. It does not handle SMS or voice call verification, making it a more specialized tool for developers who want to implement TOTP in their applications.

  • speakeasy:

    Speakeasy provides support for both TOTP and HOTP, allowing developers to choose the method that best fits their needs. It emphasizes simplicity and ease of integration, making it a good choice for projects that require quick implementation of 2FA.

  • authy:

    Authy supports multiple authentication methods, including TOTP, SMS, and voice calls. This flexibility allows developers to implement various verification strategies based on user preferences or security requirements, enhancing the user experience while maintaining security.

Ease of Integration

  • otplib:

    otplib is designed for easy integration, requiring minimal setup. It is a lightweight library with no external dependencies, making it straightforward for developers to include in their projects and start generating one-time passwords quickly.

  • speakeasy:

    Speakeasy is known for its simple API and minimal configuration requirements. It allows developers to quickly add 2FA functionality to their applications with just a few lines of code, making it an attractive option for those looking for rapid deployment.

  • authy:

    Authy offers a comprehensive API that simplifies the integration process, with extensive documentation and SDKs available for various programming languages. This makes it easier for developers to implement 2FA without dealing with the complexities of SMS gateways or phone number management.

Security Features

  • otplib:

    otplib provides robust security through the implementation of TOTP and HOTP algorithms, which are widely recognized as secure methods for generating one-time passwords. However, it does not include additional features like SMS verification, placing the onus on developers to implement their own security measures.

  • speakeasy:

    Speakeasy offers strong security by utilizing TOTP and HOTP algorithms, ensuring that the generated codes are time-sensitive and difficult to predict. However, like otplib, it does not provide built-in SMS or voice call features, requiring developers to manage those aspects separately.

  • authy:

    Authy includes advanced security features such as device recognition and the ability to disable 2FA for specific devices. This adds an extra layer of security by ensuring that only recognized devices can bypass 2FA, reducing the risk of unauthorized access.

Community and Support

  • otplib:

    otplib is an open-source library with a growing community of developers. While it may not have the same level of commercial support as Authy, it has a dedicated user base that contributes to its development and documentation.

  • speakeasy:

    Speakeasy has a smaller community compared to Authy but is still actively maintained. It offers good documentation and examples, making it accessible for developers looking to implement 2FA quickly.

  • authy:

    Authy is backed by Twilio, a well-established company in the communication space, which provides extensive support and resources for developers. The community around Authy is active, and developers can find numerous tutorials and guides to assist with integration.

Customization

  • otplib:

    otplib allows for significant customization, enabling developers to tailor the TOTP and HOTP generation process to their specific requirements. This flexibility is beneficial for applications that need to implement unique security protocols or workflows.

  • speakeasy:

    Speakeasy offers a balance of customization and simplicity, allowing developers to adjust settings for TOTP and HOTP generation. However, it is less flexible than otplib in terms of customization options, focusing on ease of use.

  • authy:

    Authy provides limited customization options as it is a service-oriented platform. While it offers various authentication methods, the overall flow and user experience are largely dictated by the Authy service, which may not suit all applications' needs.

How to Choose: otplib vs speakeasy vs authy

  • otplib:

    Choose otplib if you prefer a lightweight, open-source library focused solely on TOTP and HMAC-based one-time passwords (HOTP). It is ideal for developers looking for a simple, customizable solution without external dependencies, especially for server-side implementations.

  • speakeasy:

    Choose Speakeasy if you want a straightforward library that supports TOTP and HOTP with a focus on ease of use. It is well-suited for applications that require quick integration of 2FA without extensive configuration, and it offers a straightforward API for generating and verifying codes.

  • authy:

    Choose Authy if you need a comprehensive solution that includes SMS and voice call verification along with TOTP. It offers a user-friendly API and handles the complexities of SMS delivery and phone number verification, making it suitable for applications that require multi-channel authentication.

Similar Npm Packages to otplib

otplib is a JavaScript library designed for One-Time Password (OTP) generation and validation, commonly used in two-factor authentication (2FA) systems. It supports both Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) algorithms, making it a versatile choice for developers looking to implement secure authentication mechanisms in their applications. With its straightforward API, otplib allows for easy integration into various projects, ensuring that user accounts are protected with an additional layer of security.

While otplib is a robust option for OTP generation, there are other libraries that provide similar functionalities. Here are a couple of alternatives:

  • authy is a popular service that provides two-factor authentication solutions. It offers a comprehensive API for integrating 2FA into applications, including SMS and voice call options for delivering OTPs. authy is particularly useful for developers who want a managed service that handles the complexities of 2FA, including user management and device recognition. If you prefer a more feature-rich solution that abstracts away the details of OTP generation and delivery, authy is a strong choice.

  • speakeasy is another library for implementing two-factor authentication using TOTP and HOTP. It is lightweight and focuses on providing a simple API for generating and verifying OTPs. speakeasy is ideal for developers who want a straightforward solution without the overhead of a managed service. It allows for easy integration into existing applications and can be used alongside other authentication methods.

For a detailed comparison of these packages, check out the link: Comparing authy vs otplib vs speakeasy.

Similar Npm Packages to speakeasy

speakeasy is a popular npm package used for implementing two-factor authentication (2FA) in applications. It provides a simple and efficient way to generate and verify Time-based One-Time Passwords (TOTP) and HMAC-based One-Time Passwords (HOTP). With its straightforward API, developers can easily integrate 2FA into their applications, enhancing security by requiring users to provide a second form of verification in addition to their passwords.

While speakeasy is a robust solution for 2FA, there are other libraries that offer similar functionalities. Here are a couple of alternatives:

  • authenticator is a library that focuses on generating and verifying TOTP codes, making it easy to implement two-factor authentication in applications. It is designed to work seamlessly with various authentication methods and provides a straightforward API for developers. If you are looking for a lightweight solution specifically for TOTP, authenticator is a solid choice that simplifies the implementation process.
  • otplib is another library that provides tools for generating and verifying OTPs, including both TOTP and HOTP. It is highly configurable and allows developers to customize the OTP generation process according to their needs. otplib is particularly useful for applications that require flexibility in their OTP implementation, offering features such as custom time steps and digit lengths.

To see how speakeasy compares with authenticator and otplib, check out the comparison: Comparing authenticator vs otplib vs speakeasy.

README for otplib

otplib

TypeScript-first library for HOTP and TOTP / Authenticator with multi-runtime (Node, Bun, Deno, Browser) support via plugins.

[!TIP]

A web based demo is available at https://otplib.yeojz.dev.

You can scan the TOTP / HOTP QR Code samples with your chosen authenticator app to test.

Features

  • Zero Configuration - Works out of the box with sensible defaults
  • RFC Compliant - RFC 6238 (TOTP) and RFC 4226 (HOTP) + Google Authenticator Compatible
  • TypeScript-First - Full type definitions
  • Plugin Interface - Flexible plugin system for customising your cryptographic and base32 requirements (if you want to deviate from the defaults)
  • Cross-platform - Tested against Node.js, Bun, Deno, and browsers
  • Security-audited plugins — Default crypto uses @noble/hashes and @scure/base, both independently audited
  • Async-first API — All operations are async by default; sync variants available for compatible plugins

[!IMPORTANT]

v13 is a complete rewrite with breaking changes. For example:

  • (Removed) Separate authenticator package — TOTP now covers all authenticator functionality with default plugins
  • (Removed) Outdated plugins — Legacy crypto adapters removed in favor of modern, audited alternatives

See Migration Guide for details.

Installation

# Node
npm install otplib
pnpm add otplib
yarn add otplib

# Other runtimes
bun add otplib
deno install npm:otplib

CDN / Script Tag

A self-contained IIFE build is available for use directly in browsers via a <script> tag:

<!-- unpkg -->
<script src="https://unpkg.com/otplib/dist/index.global.js"></script>

<!-- or jsdelivr -->
<script src="https://cdn.jsdelivr.net/npm/otplib/dist/index.global.js"></script>

<script>
  const { generateSecret, generate, verify } = otplib;

  const secret = generateSecret();
  generate({ secret }).then((token) => console.log("Token:", token));
</script>

The IIFE build bundles all dependencies (including crypto and base32 plugins) into a single file and exposes everything under the otplib global.

Quick Start

Functional API (Recommended)

import { generateSecret, generate, verify, generateURI } from "otplib";

// Generate a secret
const secret = generateSecret();

// Generate a TOTP token
const token = await generate({ secret });

// Verify a token — returns VerifyResult, not a boolean
const result = await verify({ secret, token });
console.log(result.valid); // true or false

// Generate QR code URI for authenticator apps
const uri = generateURI({
  issuer: "MyService",
  label: "user@example.com",
  secret,
});

Sync variants (generateSync, verifySync) are available when using a sync-compatible crypto plugin such as @otplib/plugin-crypto-node or @otplib/plugin-crypto-noble.

Class API

import { OTP } from "otplib";

// Create OTP instance (defaults to TOTP strategy)
const otp = new OTP();

// Generate a secret
const secret = otp.generateSecret();

// Generate a TOTP token
const token = await otp.generate({ secret });

// Verify a token — returns VerifyResult, not a boolean
const result = await otp.verify({ secret, token });
console.log(result.valid); // true or false

// Generate QR code URI for authenticator apps
const uri = otp.generateURI({
  issuer: "MyService",
  label: "user@example.com",
  secret,
});

The class also exposes generateSync and verifySync for use with sync-compatible crypto plugins.

HOTP (counter-based) with the Class API

Pass strategy: 'hotp' to switch to counter-based OTP. A counter value is required for generation and verification.

import { OTP } from "otplib";

const otp = new OTP({ strategy: "hotp" });
const secret = otp.generateSecret();

const token = await otp.generate({ secret, counter: 0 });
const result = await otp.verify({ secret, token, counter: 0 });
console.log(result.valid); // true or false

Compatibility with Authenticator Apps

Secret Format

By default, otplib expects secrets to be in Base32 format. This is the ensure broader compatiblity as it the standard format used by authenticator applications and QR code URIs.

While the core HOTP (RFC 4226) and TOTP (RFC 6238) specifications work with raw binary data and don't mandate Base32 encoding, Base32

// Base32 secret (standard format for authenticator compatibility)
const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY";

However, if you need to use secrets in other formats, you can either use the plugin-base32-alt plugin for raw strings or pass a byte array (using stringToBytes helper) for binary data.

For more details and examples, see the Secret Handling Guide and related plugin documentation in the guides directory.

Configuration Defaults

RFC 4226 (HOTP) and RFC 6238 (TOTP) define flexible algorithms that allow different hash functions, digit lengths, and time steps. However, most authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.) and services offering 2 factor authentication use the following defaults:

ParameterValue
algorithmsha1
digits6
period30
secretBase32 string

If you are deviating from these values, do validate that it is supported by the target application.

If you need to provision an authenticator app via QR code, use @otplib/uri to generate an otpauth://totp/ URI.

Documentation

Refer to the Getting Started Guide, or check out the other sections in the guide:

License

MIT

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.