docs(auth): mention TOTP official docs in MFA usage page

mikehardy · mikehardy · commit 4d72ba737fda · 2025-08-28T21:02:21.000-05:00
diff --git a/.spellcheck.dict.txt b/.spellcheck.dict.txt
@@ -198,6 +198,7 @@ TFUA
 thenable
 ThreadPoolExecutor
 timezones
+TOTP
 triaging
 TurboModule
 TurboModules
diff --git a/docs/auth/multi-factor-auth.md b/docs/auth/multi-factor-auth.md
@@ -5,16 +5,24 @@ next: /firestore/usage
 previous: /auth/oidc-auth
 ---
 
-# iOS Setup
+> Before a user can enroll a second factor they need to verify their email. See
+> [`User`](/reference/auth/user#sendEmailVerification) interface is returned.
+
+# TOTP MFA
+
+The [official guide for Firebase web TOTP authentication](https://firebase.google.com/docs/auth/web/totp-mfa) explains the TOTP process well, including project prerequisites to enable the feature, as well as code examples.
+
+The API details and usage examples may be combined with the full Phone auth example below to give you an MFA solution that fully supports TOTP or SMS MFA.
+
+# Phone MFA
+
+## iOS Setup
 
 Make sure to follow [the official Identity Platform
 documentation](https://cloud.google.com/identity-platform/docs/ios/mfa#enabling_multi-factor_authentication)
 to enable multi-factor authentication for your project and verify your app.
 
-# Enroll a new factor
-
-> Before a user can enroll a second factor they need to verify their email. See
-> [`User`](/reference/auth/user#sendEmailVerification) interface is returned.
+## Enroll a new factor
 
 Begin by obtaining a [`MultiFactorUser`](/reference/auth/multifactoruser)
 instance for the current user. This is the entry point for most multi-factor
@@ -57,7 +65,7 @@ await multiFactorUser.enroll(multiFactorAssertion, 'Optional display name for th
 You can inspect [`User#multiFactor`](/reference/auth/user#multiFactor) for
 information about the user's enrolled factors.
 
-# Sign-in flow using multi-factor
+## Sign-in flow using phone multi-factor
 
 Ensure the account has already enrolled a second factor. Begin by calling the
 default sign-in methods, for example email and password. If the account requires
@@ -103,7 +111,6 @@ if (resolver.hints.length > 1) {
   // Use resolver.hints to display a list of second factors to the user
 }
 
-// Currently only phone based factors are supported
 if (resolver.hints[0].factorId === PhoneMultiFactorGenerator.FACTOR_ID) {
   // Continue with the sign-in flow
 }
@@ -163,7 +170,6 @@ signInWithEmailAndPassword(getAuth(), email, password)
         // Use resolver.hints to display a list of second factors to the user
       }
 
-      // Currently only phone based factors are supported
       if (resolver.hints[0].factorId === PhoneMultiFactorGenerator.FACTOR_ID) {
         const hint = resolver.hints[0];
 
@@ -185,7 +191,7 @@ signInWithEmailAndPassword(getAuth(), email, password)
   });
 ```
 
-# Testing
+## Testing
 
 You can define test phone numbers and corresponding verification codes. The
 official[official
