<h3 id="heading-how-otp-2fa-works-with-oauth-20">How OTP 2FA works with OAuth 2.0</h3>
<ol>
<li>Initial Authentication (Username/Password + OAuth 2.0):
<ul>
<li>The user first logs in with their username and password.
</li>
<li>This process uses OAuth 2.0 to authenticate the user. Upon success, an access token (JWT) is issued.
</li>
</ul>
</li>
<li>Trigger OTP (Mobile/Email):
<ul>
<li>Once the user is authenticated with their username and password, before granting access, the system will trigger the second authentication factor.
</li>
<li>The system sends an OTP to either the user's mobile number via SMS or to their email address (based on the user's preferred method of 2FA).
</li>
</ul>
</li>
<li>Verify OTP:
<ul>
<li>The user receives the OTP on their mobile or email and enters it into the application.
</li>
<li>The backend system verifies the OTP against the one stored on the server (which could be stored temporarily in memory or in a database).
</li>
<li>If the OTP is correct and valid, the user is authenticated successfully and granted access.
</li>
</ul>
</li>
<li>JWT Token Generation/Refresh:
<ul>
<li>Once the OTP is validated, the backend system issues or refreshes the JWT for the user, allowing them to make further authenticated requests without needing to re-enter the password or OTP.</li>
</ul>
</li>
</ol>

### How OTP 2FA works with OAuth 2.0

1. **Initial Authentication (Username/Password + OAuth 2.0)**:
    
    * The user first logs in with their **username and password**.
        
    * This process uses **OAuth 2.0** to authenticate the user. Upon success, an **access token (JWT)** is issued.
        
2. **Trigger OTP (Mobile/Email)**:
    
    * Once the user is authenticated with their username and password, before granting access, the system will trigger the second authentication factor.
        
    * The system sends an **OTP** to either the user's **mobile number** via SMS or to their **email address** (based on the user's preferred method of 2FA).
        
3. **Verify OTP**:
    
    * The user receives the OTP on their mobile or email and enters it into the application.
        
    * The backend system **verifies** the OTP against the one stored on the server (which could be stored temporarily in memory or in a database).
        
    * If the OTP is correct and valid, the user is authenticated successfully and granted access.
        
4. **JWT Token Generation/Refresh**:
    
    * Once the OTP is validated, the backend system issues or refreshes the **JWT** for the user, allowing them to make further authenticated requests without needing to re-enter the password or OTP.

2Factor Oauth2.0 with JWT(Mobile and Email based) - TradePulse (Part 2)

How OTP 2FA works with OAuth 2.0