diff --git a/README.md b/README.md
index 7034012..0a8a66c 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,8 @@ This package _silently_ enables authentication using 6 digits codes, without Int
     + [Deactivation](#deactivation)
 * [Events](#events)
 * [Middleware](#middleware)
+* [Validation](#validation)
+* [Translations](#translations)
 * [Protecting the Login](#protecting-the-login)
 * [Configuration](#configuration)
     + [Listener](#listener)
@@ -35,6 +37,7 @@ This package _silently_ enables authentication using 6 digits codes, without Int
     + [Cache Store](#cache-store)
     + [Recovery](#recovery)
     + [Safe devices](#safe-devices)
+    + [Confirmation Middleware](#confirmation-middleware)
     + [Secret length](#secret-length)
     + [TOTP configuration](#totp-configuration)
     + [QR Code Configuration](#qr-code-configuration)
@@ -58,17 +61,15 @@ This package was made to be the less invasive possible, but you can go full manu
 
 ## Usage
 
-First, publish the migration with:
-
-    php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="migrations"
-
-> The default migration assumes you are using integers for your user model IDs. If you are using UUIDs, or some other format, adjust the format of the morphs `authenticatable` fields in the published migration before continuing.
-
-After publishing the migration, you can create the `two_factor_authentications` table by running the migration:
+First, create the `two_factor_authentications` table by running the migration:
 
     php artisan migrate
 
-This will create a table to handle the Two Factor Authentication information for each model you set.
+This will create a table to handle the Two Factor Authentication information for each model you want to attach to 2FA.
+
+> If you need to modify the migration from this package, you can publish it to override whatever you need.
+>
+>     php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="migrations"
 
 Add the `TwoFactorAuthenticatable` _contract_ and the `TwoFactorAuthentication` trait to the User model, or any other model you want to make Two Factor Authentication available. 
 
@@ -114,14 +115,16 @@ public function prepareTwoFactor(Request $request)
 
 > When you use `createTwoFactorAuth()` on someone with Two Factor Authentication already enabled, the previous data becomes permanently invalid. This ensures a User **never** has two Shared Secrets enabled at any given time.
 
-Then, the User must confirm the Shared Secret with a Code generated by their Authenticator app. This `confirmTwoFactorAuth()` method will automatically enable it if the code is valid.
+Then, the User must confirm the Shared Secret with a Code generated by their Authenticator app. The `confirmTwoFactorAuth()` method will automatically enable it if the code is valid.
 
 ```php
 public function confirmTwoFactor(Request $request)
 {
-    return $request->user()->confirmTwoFactorAuth(
+    $activated = $request->user()->confirmTwoFactorAuth(
         $request->input('2fa_code')
     );
+    
+    // ...
 }
 ```
 
@@ -146,7 +149,7 @@ public function confirmTwoFactor(Request $request)
 
 You're free on how to show these codes to the User, but **ensure** you show them one time after a successfully enabling Two Factor Authentication, and ask him to print them somewhere.
 
-> These Recovery Codes are handled automatically when the User issues a Code. If it's a recovery code, the package will use it and invalidate it.
+> These Recovery Codes are handled automatically when the User validates one. If it's a recovery code, the package will use and mark it as invalid.
 
 The User can generate a fresh batch of codes using `generateRecoveryCodes()`, which automatically invalidates the previous batch.
 
@@ -194,27 +197,93 @@ The following events are fired in addition to the default Authentication events.
 * `TwoFactorRecoveryCodesGenerated`: An User has generated a new set of Recovery Codes.
 * `TwoFactorDisabled`: An User has disabled Two Factor Authentication.
 
-> You can use `TwoFactorRecoveryCodesDepleted` to notify the User to create more Recovery Codes, send him to his email a new batch of codes.
+> You can use `TwoFactorRecoveryCodesDepleted` to tell the User to create more Recovery Codes.
 
 ## Middleware
 
-If you need to ensure the User has Two Factor Authentication enabled before entering a given route, you can use the `2fa` middleware.
+Laraguard comes with two middleware for your routes: `2fa.require` and `2fa.confirm`.
+
+> To avoid unexpected results, these middleware only act on your users models with `TwoFactorAuthenticatable`. If a user model doesn't implements it, the middleware bypass any 2FA logic.
+
+### Require 2FA
+
+If you need to ensure the User has Two Factor Authentication enabled before entering a given route, you can use the `2fa.require` middleware.
 
 ```php
 Route::get('system/settings')
     ->uses('SystemSettingsController@show')
-    ->middleware('2fa');
+    ->middleware('2fa.require');
 ```
 
 This middleware works much like the `verified` middleware: if the User has not enabled Two Factor Authentication, it will be redirected to a route name containing the warning, which is `2fa.notice` by default. 
 
-You can implement this easily using this package:
+You can implement the view easily with the one included in this package:
+
+```php
+Route::view('2fa-required', 'laraguard::notice')->name('2fa.notice');
+```
+
+Alternatively, you can use a custom controller action to also include a link to where he can enable Two Factor Authentication.
+
+```php
+public function notice()
+{
+    return view('2fa.notice', [
+        'url' => url('account/settings')
+    ]);
+}
+```
+
+### Confirm 2FA
+
+Much like the [`password.confirm` middleware](https://laravel.com/docs/authentication#password-confirmation), you can also ask the user to confirm an action using `2fa.confirm`.
+
+```php
+Route::get('api/token')
+    ->uses('ApiTokenController@show')
+    ->middleware('2fa.confirm');
+```
+
+Laraguard automatically uses the [`Confirm2FACodeController`](src/Http/Controllers/Confirm2FACodeController.php) to handle the form view and the code confirmation for you.
+
+Alternatively, [you can point your own controller actions](#confirmation-middleware) to handle the form view and confirmation. Better yet, you can start with the [`Confirms2FACode`](src/Http/Controllers/Confirms2FACode.php) trait to avoid reinventing the wheel.
+
+## Validation
+
+Sometimes you may want to manually trigger a TOTP validation in any part of your application for the authenticated user. You can validate a TOTP code for the authenticated user using the `totp_code` rule.
+
+```php
+public function checkTotp(Request $request)
+{
+    $request->validate([
+        'code' => 'required|totp_code'
+    ]);
+
+    // ...
+}
+```
+
+This rule will succeed if the user is authenticated, is has Two Factor Authentication enabled, and the code is correct.
+
+## Translations
+
+Laraguard comes with translation files (only for english) that you can use immediately in your application. These are also used for the [validation rule](#validation).
 
 ```php
-Route::view('2fa-required', 'laraguard::notice')
-    ->name('2fa.notice');
+public function disableTwoFactorAuth()
+{
+    // ...
+
+    session()->flash('2fa_disabled', trans('laraguard::messages.disabled'));
+
+    return back();
+}
 ```
 
+To add your own in your language, publish the translation files. These will be located in `resources/vendor/laraguard`:
+
+    php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="translations"
+
 ## Protecting the Login
 
 Two Factor Authentication can be victim of brute-force attacks. The attacker will need between 16.000~34.000 requests each second to get the correct code, or less depending on the lifetime of the code.
@@ -269,7 +338,12 @@ return [
         'enabled' => false,
         'max_devices' => 3,
         'expiration_days' => 14,
-	],    
+	],
+    'confirm' => [
+        'timeout' => 10800,
+        'view' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@showConfirmForm',
+        'action' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@confirm'
+    ],
     'secret_length' => 20,
     'issuer' => env('OTP_TOTP_ISSUER'),
     'totp' => [
@@ -376,6 +450,24 @@ You can change the maximum number of devices saved and the amount of days of val
 
 > When re-enabling Two Factor Authentication, the list of devices is automatically invalidated.
 
+### Confirmation Middleware
+
+```php
+return [
+    'confirm' => [
+        'timeout' => 10800, // 3 hours
+        'view' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@showConfirmForm',
+        'action' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@confirm'
+    ],
+];
+```
+
+If the `view` or `action` are not `null`, the `2fa/notice` and `2fa/confirm` routes will be registered to handle 2FA code notice and confirmation for the [`2fa.confirm` middleware](#confirm-2fa). If you disable it, you will have to register the routes and controller actions yourself.
+
+This array also sets by how much to "remember" the 2FA Code confirmation, and the actions used to show the view to confirm the 2FA Code with also the action to handle the confirmation.
+
+You may want to change these, specially if you want your own view to show the confirmation form.
+
 ### Secret length
 
 ```php
@@ -416,7 +508,7 @@ This configuration values are always passed down to the authentication app as UR
 
 These values are printed to each 2FA data record inside the application. Changes will only take effect for new activations.
 
-> It's not recommended to edit these parameters if you plan to use publicly available Authenticator apps, since some of them **may not support non-standard configuration**, like more digits, different period of seconds or other algorithms.
+> Do not edit these parameters if you plan to use publicly available Authenticator apps, since some of them **may not support non-standard configuration**, like more digits, different period of seconds or other algorithms.
 
 ### QR Code Configuration 
 
@@ -438,9 +530,9 @@ This controls the size and margin used to create the QR Code, which are created
 You can override the view, which handles the Two Factor Code verification for the User. It receives this data:
 
 * `$action`: The full URL where the form should send the login credentials.
-* `$credentials`: An `array|null` containing the User credentials used for the login.
+* `$credentials`: An `array` containing the User credentials used for the login.
 * `$user`: The User instance trying to authenticate.
-* `$error`: If the Two Factor Code is invalid. 
+* `$error`: If the Two Factor Code is invalid.
 * `$remember`: If the "remember" checkbox has been filled.
 
 The way it works is very simple: it will hold the User credentials in a hidden input while it asks for the Two Factor Code. The User will send everything again along with the Code, the application will ensure its correct, and complete the log in.
diff --git a/config/laraguard.php b/config/laraguard.php
index b3f4c6f..d855747 100644
--- a/config/laraguard.php
+++ b/config/laraguard.php
@@ -53,8 +53,8 @@
     */
 
     'cache' => [
-        'store' => null,
-        'prefix' => '2fa.code'
+        'store'  => null,
+        'prefix' => '2fa.code',
     ],
 
     /*
@@ -70,8 +70,8 @@
 
     'recovery' => [
         'enabled' => true,
-        'codes' => 10,
-        'length' => 8,
+        'codes'   => 10,
+        'length'  => 8,
     ],
 
     /*
@@ -86,11 +86,28 @@
     */
 
     'safe_devices' => [
-        'enabled' => false,
-        'max_devices' => 3,
+        'enabled'         => false,
+        'max_devices'     => 3,
         'expiration_days' => 14,
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Require Two Factor Middleware
+    |--------------------------------------------------------------------------
+    |
+    | When using the "2fa.confirm" middleware a view with a form will be used
+    | to ask the user for a TOTP code, an a controller action to receive it.
+    | You can change both actions and also when to forget the confirmation.
+    |
+    */
+
+    'confirm' => [
+        'timeout' => 10800, // 3 hours
+        'view' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@showConfirmForm',
+        'action' => 'DarkGhostHunter\Laraguard\Http\Controllers\Confirm2FACodeController@confirm'
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Secret Length
@@ -118,9 +135,9 @@
     'issuer' => env('OTP_TOTP_ISSUER'),
 
     'totp' => [
-        'digits' => 6,
-        'seconds' => 30,
-        'window' => 1,
+        'digits'    => 6,
+        'seconds'   => 30,
+        'window'    => 1,
         'algorithm' => 'sha1',
     ],
 
@@ -136,7 +153,7 @@
     */
 
     'qr_code' => [
-        'size' => 400,
-        'margin' => 4
+        'size'   => 400,
+        'margin' => 4,
     ],
 ];
diff --git a/resources/lang/en/messages.php b/resources/lang/en/messages.php
new file mode 100644
index 0000000..a6dce76
--- /dev/null
+++ b/resources/lang/en/messages.php
@@ -0,0 +1,22 @@
+<?php
+
+return [
+    'required' => 'Two Factor Authentication is required.',
+    'continue' => 'To continue, open up your Authenticator app and issue your 2FA code.',
+    'enable'   => 'You need to enable Two Factor Authentication.',
+
+    'fail_confirm' => 'The code to activate Two Factor Authentication is invalid.',
+    'enabled'      => 'Two Factor Authentication has been enabled for your account.',
+    'disabled'     => 'Two Factor Authentication has been disabled for your account.',
+
+    'safe_device' => 'We won\'t ask you for Two Factor Authentication codes in this device for some time.',
+
+    'confirm'   => 'Confirm code',
+    'switch_on' => 'Go to enable Two Factor Authentication.',
+
+    'recovery_code' => [
+        'used'      => 'You have used a Recovery Code. Remember to regenerate them if you have used almost all.',
+        'depleted'  => 'You have used all your Recovery Codes. Please use alternate authentication methods to continue.',
+        'generated' => 'You have generated a new set of Recovery Codes. Any previous set of codes have been invalidated.',
+    ],
+];
\ No newline at end of file
diff --git a/resources/lang/en/validation.php b/resources/lang/en/validation.php
new file mode 100644
index 0000000..46e2815
--- /dev/null
+++ b/resources/lang/en/validation.php
@@ -0,0 +1,5 @@
+<?php
+
+return [
+    'totp_code' => 'The Code is invalid or has expired.',
+];
\ No newline at end of file
diff --git a/resources/views/auth.blade.php b/resources/views/auth.blade.php
index d7473f5..3b1c467 100644
--- a/resources/views/auth.blade.php
+++ b/resources/views/auth.blade.php
@@ -9,26 +9,26 @@
         @if($remember)
             <input type="hidden" name="remember" value="on">
         @endif
-
         <p class="text-center">
-            {{ __('To log in, open up your Authenticator app and issue the 6-digit code.') }}
+            {{ trans('laraguard::messages.continue') }}
         </p>
         <div class="form-row justify-content-center py-3">
             <div class="col-sm-8 col-8 mb-3">
-                <input type="text" name="2fa_code" id="2fa_code"
+                <input type="text" name="{{ $input }}" id="{{ $input }}"
                        class="@if($error) is-invalid @endif form-control form-control-lg"
                        minlength="6" placeholder="123456" required>
                 @if($error)
                     <div class="invalid-feedback">
-                        {{ __('The Code is invalid or has expired.') }}
+                        {{ trans('laraguard::validation.totp_code') }}
                     </div>
                 @endif
             </div>
-        </div>
-        <div class="col-auto mb-3">
-            <button type="submit" class="btn btn-primary btn-lg">
-                {{ __('Log in') }}
-            </button>
+            <div class="w-100"></div>
+            <div class="col-auto mb-3">
+                <button type="submit" class="btn btn-primary btn-lg">
+                    {{ trans('laraguard::messages.confirm') }}
+                </button>
+            </div>
         </div>
     </form>
 @endsection
diff --git a/resources/views/confirm.blade.php b/resources/views/confirm.blade.php
new file mode 100644
index 0000000..2047024
--- /dev/null
+++ b/resources/views/confirm.blade.php
@@ -0,0 +1,32 @@
+@extends('laraguard::layout')
+
+@section('card-body')
+    <form action="{{ route('2fa.confirm') }}" method="post">
+        @csrf
+        <p class="text-center">
+            {{ trans('laraguard::messages.continue') }}
+        </p>
+        <div class="form-row justify-content-center py-3">
+            @if($errors->hasAny())
+                <div class="col-12 alert alert-danger pb-0">
+                    <ul>
+                        @foreach ($errors->all() as $error)
+                            <li>{{ $error }}</li>
+                        @endforeach
+                    </ul>
+                </div>
+            @endif
+            <div class="col-sm-8 col-8 mb-3">
+                <input type="text" name="{{ $input = config('laraguard.input') }}" id="{{ $input }}"
+                       class="@error($input) is-invalid @enderror form-control form-control-lg"
+                       minlength="6" placeholder="123456" required>
+            </div>
+            <div class="w-100"></div>
+            <div class="col-auto mb-3">
+                <button type="submit" class="btn btn-primary btn-lg">
+                    {{ trans('laraguard::messages.confirm') }}
+                </button>
+            </div>
+        </div>
+    </form>
+@endsection
diff --git a/resources/views/layout.blade.php b/resources/views/layout.blade.php
index 0c1c4bc..80469e3 100644
--- a/resources/views/layout.blade.php
+++ b/resources/views/layout.blade.php
@@ -5,8 +5,7 @@
     <meta name="viewport"
           content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
-    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"
-          integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css" integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
     <title>Two Factor Authentication</title>
     <style>
         #box-container {
@@ -31,7 +30,7 @@
         <div id="form-container" class="col-lg-6 col-md-8 col-sm-10 col-12">
             <div id="box" class="card border-0 cool-shadow">
                 <section class="card-body">
-                    <h2 class="card-title h5 text-center ">{{ __('Two Factor Authentication Required') }}</h2>
+                    <h2 class="card-title h5 text-center">{{ trans('laraguard::messages.required') }}</h2>
                     <hr>
                     @yield('card-body')
                 </section>
diff --git a/resources/views/notice.blade.php b/resources/views/notice.blade.php
index d5fdbf9..01d1493 100644
--- a/resources/views/notice.blade.php
+++ b/resources/views/notice.blade.php
@@ -2,12 +2,12 @@
 
 @section('card-body')
     <p class="text-center">
-        {{ __('To proceed, you need to enable Two Factor Authentication.') }}
+        {{ trans('laraguard::messages.enable') }}
     </p>
     @isset($url)
     <div class="col-auto mb-3">
         <a href="{{ $url }}" class="btn btn-primary btn-lg">
-            {{ __('Enable') }} &raquo;
+            {{ trans('laraguard::messages.switch_on') }} &raquo;
         </a>
     </div>
     @endisset
diff --git a/src/Http/Controllers/Confirm2FACodeController.php b/src/Http/Controllers/Confirm2FACodeController.php
new file mode 100644
index 0000000..43e4c38
--- /dev/null
+++ b/src/Http/Controllers/Confirm2FACodeController.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace DarkGhostHunter\Laraguard\Http\Controllers;
+
+use Illuminate\Routing\Controller;
+
+class Confirm2FACodeController extends Controller
+{
+    use Confirms2FACode;
+
+    /*
+    |--------------------------------------------------------------------------
+    | Confirm Two Factor Code Controller
+    |--------------------------------------------------------------------------
+    |
+    | This controller handles the 2FA TOTP code confirmation automatically.
+    | Instead of copying this controller you can create your own using the
+    | "Confirms2FACode" trait to modify how to confirm the 2FA TOTP code.
+    |
+    */
+
+    /**
+     * Create a new controller instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        $this->middleware(['auth']);
+    }
+}
\ No newline at end of file
diff --git a/src/Http/Controllers/Confirms2FACode.php b/src/Http/Controllers/Confirms2FACode.php
new file mode 100644
index 0000000..82ee9f3
--- /dev/null
+++ b/src/Http/Controllers/Confirms2FACode.php
@@ -0,0 +1,83 @@
+<?php
+
+namespace DarkGhostHunter\Laraguard\Http\Controllers;
+
+use Illuminate\Http\Request;
+
+trait Confirms2FACode
+{
+    /**
+     * Display the TOTP code confirmation view.
+     *
+     * @return \Illuminate\View\View
+     */
+    public function showConfirmForm()
+    {
+        return view('laraguard::confirm');
+    }
+
+    /**
+     * Confirm the given user's TOTP code.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
+     */
+    public function confirm(Request $request)
+    {
+        $request->validate($this->rules(), $this->validationErrorMessages());
+
+        $this->resetTotpConfirmationTimeout($request);
+
+        return $request->wantsJson()
+            ? response()->noContent()
+            : redirect()->intended($this->redirectPath());
+    }
+
+    /**
+     * Reset the TOTP code timeout.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return void
+     */
+    protected function resetTotpConfirmationTimeout(Request $request)
+    {
+        $request->session()->put('2fa.totp_confirmed_at', now()->timestamp);
+    }
+
+    /**
+     * Get the TOTP code validation rules.
+     *
+     * @return array
+     */
+    protected function rules()
+    {
+        return [
+            config('laraguard.input') => 'required|totp_code',
+        ];
+    }
+
+    /**
+     * Get the password confirmation validation error messages.
+     *
+     * @return array
+     */
+    protected function validationErrorMessages()
+    {
+        return [];
+    }
+
+    /**
+     * Return the path to redirect if no intended path exists.
+     *
+     * @return string
+     * @see \Illuminate\Foundation\Auth\RedirectsUsers
+     */
+    public function redirectPath()
+    {
+        if (method_exists($this, 'redirectTo')) {
+            return $this->redirectTo();
+        }
+
+        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/home';
+    }
+}
\ No newline at end of file
diff --git a/src/Http/Middleware/ConfirmTwoFactorCode.php b/src/Http/Middleware/ConfirmTwoFactorCode.php
new file mode 100644
index 0000000..fef7d04
--- /dev/null
+++ b/src/Http/Middleware/ConfirmTwoFactorCode.php
@@ -0,0 +1,110 @@
+<?php
+
+namespace DarkGhostHunter\Laraguard\Http\Middleware;
+
+use Closure;
+use Illuminate\Contracts\Routing\UrlGenerator;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Routing\ResponseFactory;
+use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;
+
+class ConfirmTwoFactorCode
+{
+    /**
+     * The response factory instance.
+     *
+     * @var \Illuminate\Contracts\Routing\ResponseFactory
+     */
+    protected $response;
+
+    /**
+     * The URL generator instance.
+     *
+     * @var \Illuminate\Contracts\Routing\UrlGenerator
+     */
+    protected $url;
+
+    /**
+     * Current user authenticated.
+     *
+     * @var \Illuminate\Contracts\Auth\Authenticatable|\DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable
+     */
+    protected $user;
+
+    /**
+     * Create a new middleware instance.
+     *
+     * @param  \Illuminate\Contracts\Routing\ResponseFactory  $response
+     * @param  \Illuminate\Contracts\Routing\UrlGenerator  $url
+     * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
+     */
+    public function __construct(ResponseFactory $response, UrlGenerator $url, Authenticatable $user = null)
+    {
+        $this->response = $response;
+        $this->url = $url;
+        $this->user = $user;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  string  $redirectToRoute
+     * @param  bool  $useSafeDevice
+     * @return mixed
+     */
+    public function handle($request, Closure $next, $redirectToRoute = '2fa.confirm', $useSafeDevice = false)
+    {
+        if ($this->userHasTwoFactorEnabled()) {
+            if ($this->codeWasValidated($request) || $this->isSafeDevice($request, $useSafeDevice)) {
+                return $next($request);
+            }
+
+            return $request->expectsJson()
+                ? $this->response->json(['message' => trans('laraguard::messages.required')], 403)
+                : $this->response->redirectGuest($this->url->route($redirectToRoute));
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Check if the user is using Two Factor Authentication.
+     *
+     * @return bool
+     */
+    protected function userHasTwoFactorEnabled()
+    {
+        return $this->user instanceof TwoFactorAuthenticatable && $this->user->hasTwoFactorEnabled();
+    }
+
+    /**
+     * Check if the current Request was made from a Safe Device.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  string|bool  $useSafeDevice
+     * @return bool
+     */
+    protected function isSafeDevice($request, $useSafeDevice)
+    {
+        if ($useSafeDevice = filter_var($useSafeDevice, FILTER_VALIDATE_BOOLEAN)) {
+            return false;
+        }
+
+        return $this->user->isSafeDevice($request);
+    }
+
+    /**
+     * Determine if the confirmation timeout has expired.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function codeWasValidated($request)
+    {
+        $confirmedAt = now()->timestamp - $request->session()->get('2fa.totp_confirmed_at', 0);
+
+        return $confirmedAt < config('laraguard.confirm.timeout', 10800);
+    }
+}
\ No newline at end of file
diff --git a/src/Http/Middleware/EnsureTwoFactorEnabled.php b/src/Http/Middleware/EnsureTwoFactorEnabled.php
deleted file mode 100644
index a289936..0000000
--- a/src/Http/Middleware/EnsureTwoFactorEnabled.php
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php
-
-namespace DarkGhostHunter\Laraguard\Http\Middleware;
-
-use Closure;
-use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;
-
-class EnsureTwoFactorEnabled
-{
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
-     * @param  string  $redirectToRoute
-     * @return void|\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
-     */
-    public function handle($request, Closure $next, $redirectToRoute = '2fa.notice')
-    {
-        $user = $request->user();
-
-        if (! $user instanceof TwoFactorAuthenticatable || ! $user->hasTwoFactorEnabled()) {
-            return $request->expectsJson()
-                ? abort(403, __('Two Factor Authentication is not enabled.'))
-                : redirect()->route($redirectToRoute);
-        }
-
-        return $next($request);
-    }
-}
diff --git a/src/Http/Middleware/RequireTwoFactorEnabled.php b/src/Http/Middleware/RequireTwoFactorEnabled.php
new file mode 100644
index 0000000..8fd388d
--- /dev/null
+++ b/src/Http/Middleware/RequireTwoFactorEnabled.php
@@ -0,0 +1,66 @@
+<?php
+
+namespace DarkGhostHunter\Laraguard\Http\Middleware;
+
+use Closure;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Routing\ResponseFactory;
+use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;
+
+class RequireTwoFactorEnabled
+{
+    /**
+     * Current User authenticated.
+     *
+     * @var \Illuminate\Contracts\Auth\Authenticatable|\DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable|null
+     */
+    protected $user;
+
+    /**
+     * Response Factory.
+     *
+     * @var \Illuminate\Contracts\Routing\ResponseFactory
+     */
+    protected $response;
+
+    /**
+     * Create a new middleware instance.
+     *
+     * @param  \Illuminate\Contracts\Auth\Authenticatable|null  $user
+     * @param  \Illuminate\Contracts\Routing\ResponseFactory  $response
+     */
+    public function __construct(ResponseFactory $response, Authenticatable $user = null)
+    {
+        $this->response = $response;
+        $this->user = $user;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  string  $redirectToRoute
+     * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\RedirectResponse|mixed
+     */
+    public function handle($request, Closure $next, $redirectToRoute = '2fa.notice')
+    {
+        if ($this->hasTwoFactorAuthDisabled()) {
+            return $request->expectsJson()
+                ? $this->response->json(['message' => trans('laraguard::messages.enable')], 403)
+                : $this->response->redirectToRoute($redirectToRoute);
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Check if the user has Two Factor Authentication enabled.
+     *
+     * @return bool
+     */
+    protected function hasTwoFactorAuthDisabled()
+    {
+        return $this->user instanceof TwoFactorAuthenticatable && ! $this->user->hasTwoFactorEnabled();
+    }
+}
diff --git a/src/LaraguardServiceProvider.php b/src/LaraguardServiceProvider.php
index a82a1bb..617318a 100644
--- a/src/LaraguardServiceProvider.php
+++ b/src/LaraguardServiceProvider.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\ServiceProvider;
 use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\Validation\Factory;
 
 class LaraguardServiceProvider extends ServiceProvider
 {
@@ -27,36 +28,32 @@ public function register()
      * @param  \Illuminate\Contracts\Config\Repository  $config
      * @param  \Illuminate\Routing\Router  $router
      * @param  \Illuminate\Contracts\Events\Dispatcher  $dispatcher
+     * @param  \Illuminate\Contracts\Validation\Factory  $validator
      * @return void
      */
-    public function boot(Repository $config, Router $router, Dispatcher $dispatcher)
+    public function boot(Repository $config, Router $router, Dispatcher $dispatcher, Factory $validator)
     {
-        $this->registerListener($config, $dispatcher);
-        $this->registerMiddleware($router);
-
         $this->loadViewsFrom(__DIR__ . '/../resources/views', 'laraguard');
         $this->loadFactoriesFrom(__DIR__ . '/../database/factories');
+        $this->loadTranslationsFrom(__DIR__ . '/../resources/lang', 'laraguard');
+        $this->loadMigrationsFrom(__DIR__ . '/../database/migrations');
+
+        $this->registerListener($config, $dispatcher);
+        $this->registerMiddleware($router);
+        $this->registerRules($validator);
+        $this->registerRoutes($config, $router);
 
         if ($this->app->runningInConsole()) {
             $this->publishFiles();
         }
     }
 
-    /**
-     * Register the middleware.
-     *
-     * @param  \Illuminate\Routing\Router  $router
-     */
-    protected function registerMiddleware(Router $router)
-    {
-        $router->aliasMiddleware('2fa', Http\Middleware\EnsureTwoFactorEnabled::class);
-    }
-
     /**
      * Register a listeners to tackle authentication.
      *
      * @param  \Illuminate\Contracts\Config\Repository  $config
      * @param  \Illuminate\Contracts\Events\Dispatcher  $dispatcher
+     * @return void
      */
     protected function registerListener(Repository $config, Dispatcher $dispatcher)
     {
@@ -72,6 +69,50 @@ protected function registerListener(Repository $config, Dispatcher $dispatcher)
         $dispatcher->listen(Validated::class, Contracts\TwoFactorListener::class . '@checkTwoFactor');
     }
 
+    /**
+     * Register the middleware.
+     *
+     * @param  \Illuminate\Routing\Router  $router
+     * @return void
+     */
+    protected function registerMiddleware(Router $router)
+    {
+        $router->aliasMiddleware('2fa.require', Http\Middleware\RequireTwoFactorEnabled::class);
+        $router->aliasMiddleware('2fa.confirm', Http\Middleware\ConfirmTwoFactorCode::class);
+    }
+
+    /**
+     * Register custom validation rules.
+     *
+     * @param  \Illuminate\Contracts\Validation\Factory  $validator
+     * @return void
+     */
+    protected function registerRules(Factory $validator)
+    {
+        $validator->extendImplicit('totp_code', Rules\TotpCodeRule::class, trans('laraguard::validation.totp_code'));
+    }
+
+    /**
+     * Register the routes for 2FA Code confirmation.
+     *
+     * @param  \Illuminate\Contracts\Config\Repository  $config
+     * @param  \Illuminate\Routing\Router  $router
+     * @return void
+     */
+    protected function registerRoutes(Repository $config, Router $router)
+    {
+        if ($view = $config->get('laraguard.confirm.view')) {
+            $router->get('2fa/confirm', $view)
+                ->middleware('web')
+                ->name('2fa.confirm');
+        }
+
+        if ($action = $config->get('laraguard.confirm.action')) {
+            $router->post('2fa/confirm', $action)
+                ->middleware('web');
+        }
+    }
+
     /**
      * Publish config, view and migrations files.
      *
@@ -87,15 +128,16 @@ protected function publishFiles()
             __DIR__ . '/../resources/views' => resource_path('views/vendor/laraguard'),
         ], 'views');
 
+        $this->publishes([
+            __DIR__ . '/../resources/lang' => resource_path('lang/vendor/laraguard'),
+        ], 'translations');
+
         // We will allow the publishing for the Two Factor Authentication migration that
         // holds the TOTP data, only if it wasn't published before, avoiding multiple
         // copies for the same migration, which can throw errors when re-migrating.
         if (! class_exists('CreateTwoFactorAuthenticationsTable')) {
-            $timestamp = now()->format('Y_m_d_His');
-
             $this->publishes([
-                __DIR__ .
-                '/../database/migrations/2020_04_02_000000_create_two_factor_authentications_table.php' => database_path("/migrations/{$timestamp}_create_two_factor_authentications_table.php"),
+                __DIR__ . '/../database/migrations/2020_04_02_000000_create_two_factor_authentications_table.php' => database_path('migrations/' . now()->format('Y_m_d_His') . '_create_two_factor_authentications_table.php'),
             ], 'migrations');
         }
     }
diff --git a/src/Listeners/EnforceTwoFactorAuth.php b/src/Listeners/EnforceTwoFactorAuth.php
index 4e66777..cb6a2c0 100644
--- a/src/Listeners/EnforceTwoFactorAuth.php
+++ b/src/Listeners/EnforceTwoFactorAuth.php
@@ -69,8 +69,8 @@ public function __construct(Repository $config, Request $request)
      */
     public function saveCredentials(Attempting $event)
     {
-        $this->credentials = $event->credentials;
-        $this->remember = $event->remember;
+        $this->credentials = (array) $event->credentials;
+        $this->remember = (bool) $event->remember;
     }
 
     /**
@@ -106,6 +106,7 @@ protected function throwResponse(TwoFactorAuthenticatable $user, bool $error = f
             'user'        => $user,
             'error'       => $error,
             'remember'    => $this->remember,
+            'input'       => $this->input
         ]);
 
         return response($view, $error ? 422 : 403)->throwResponse();
diff --git a/src/Rules/TotpCodeRule.php b/src/Rules/TotpCodeRule.php
new file mode 100644
index 0000000..445767d
--- /dev/null
+++ b/src/Rules/TotpCodeRule.php
@@ -0,0 +1,53 @@
+<?php
+
+namespace DarkGhostHunter\Laraguard\Rules;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Translation\Translator;
+use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;
+
+class TotpCodeRule
+{
+    /**
+     * The auth user.
+     *
+     * @var \Illuminate\Contracts\Auth\Authenticatable|\DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable
+     */
+    protected $user;
+
+    /**
+     * Translator instance.
+     *
+     * @var \Illuminate\Contracts\Translation\Translator
+     */
+    protected $translator;
+
+    /**
+     * Create a new "totp code" rule instance.
+     *
+     * @param  \Illuminate\Contracts\Translation\Translator  $translator
+     * @param  \Illuminate\Contracts\Auth\Authenticatable|null  $user
+     */
+    public function __construct(Translator $translator, Authenticatable $user = null)
+    {
+        $this->user = $user;
+        $this->translator = $translator;
+    }
+
+    /**
+     * Validate that an attribute is a valid Two Factor Authentication TOTP code.
+     *
+     * @param  string  $attribute
+     * @param  mixed  $value
+     * @return bool
+     */
+    public function validate($attribute, $value)
+    {
+        if (is_numeric($value) && $this->user instanceof TwoFactorAuthenticatable) {
+            return $this->user->validateTwoFactorCode($value);
+        }
+
+        return false;
+    }
+
+}
\ No newline at end of file
diff --git a/tests/Http/Middleware/ConfirmTwoFactorEnabledTest.php b/tests/Http/Middleware/ConfirmTwoFactorEnabledTest.php
new file mode 100644
index 0000000..cf83a52
--- /dev/null
+++ b/tests/Http/Middleware/ConfirmTwoFactorEnabledTest.php
@@ -0,0 +1,171 @@
+<?php
+
+namespace Tests\Http\Middleware;
+
+use Tests\Stubs\UserStub;
+use Tests\RegistersPackage;
+use Illuminate\Http\Request;
+use Tests\CreatesTwoFactorUser;
+use Orchestra\Testbench\TestCase;
+use Tests\RunsPublishableMigrations;
+use Illuminate\Support\Facades\Date;
+use Illuminate\Foundation\Testing\DatabaseMigrations;
+
+class ConfirmTwoFactorEnabledTest extends TestCase
+{
+    use RegistersPackage;
+    use DatabaseMigrations;
+    use RunsPublishableMigrations;
+    use CreatesTwoFactorUser;
+
+    protected function setUp() : void
+    {
+        $this->afterApplicationCreated([$this, 'loadLaravelMigrations']);
+        $this->afterApplicationCreated([$this, 'runPublishableMigration']);
+        $this->afterApplicationCreated([$this, 'createTwoFactorUser']);
+
+        $this->afterApplicationCreated(function () {
+            $this->app['router']->get('intended', function () {
+                return 'ok';
+            })->name('intended')->middleware('web', 'auth', '2fa.confirm');
+        });
+
+        parent::setUp();
+    }
+
+    public function test_continues_if_user_is_not_2fa_instance()
+    {
+        $this->actingAs(UserStub::create([
+            'name'     => 'test',
+            'email'    => 'bar@test.com',
+            'password' => '$2y$10$K0WnjWfbVBYcCvoSAh0yRurrgXgWVgQE2JHBJ.zdQdGHXgJofgGKC',
+        ]));
+
+        $this->followingRedirects()->get('intended')->assertSee('ok');
+        $this->getJson('intended')->assertSee('ok');
+    }
+
+    public function test_continues_if_user_is_2fa_but_not_activated()
+    {
+        $this->actingAs(tap($this->user)->disableTwoFactorAuth());
+
+        $this->followingRedirects()->get('intended')->assertSee('ok');
+        $this->getJson('intended')->assertSee('ok');
+    }
+
+    public function test_asks_for_confirmation()
+    {
+        $this->actingAs($this->user);
+
+        $this->followingRedirects()->get('intended')->assertViewIs('laraguard::confirm');
+
+        $this->getJson('intended')->assertJson(['message' => trans('laraguard::messages.required')]);
+    }
+
+    public function test_redirects_to_intended_when_code_valid()
+    {
+        $this->actingAs($this->user);
+
+        $this->followingRedirects()
+            ->get('intended')
+            ->assertSessionMissing('2fa.totp_confirmed_at')
+            ->assertViewIs('laraguard::confirm');
+
+        $this->followingRedirects()
+            ->post('2fa/confirm', [
+                config('laraguard.input') => $this->user->makeTwoFactorCode()
+            ])
+            ->assertSessionHas('2fa.totp_confirmed_at')
+            ->assertSee('ok');
+
+        $this->followingRedirects()
+            ->get('intended')
+            ->assertSee('ok');
+    }
+
+    public function test_returns_ok_on_json_response()
+    {
+        $this->actingAs($this->user);
+
+        $this->getJson('intended')
+            ->assertSessionMissing('2fa.totp_confirmed_at')
+            ->assertJson(['message' => 'Two Factor Authentication is required.'])
+            ->assertStatus(403);
+
+        $this->postJson('2fa/confirm', [
+                config('laraguard.input') => $this->user->makeTwoFactorCode()
+            ])
+            ->assertSessionHas('2fa.totp_confirmed_at')
+            ->assertNoContent();
+    }
+
+    public function test_returns_validation_error_when_code_invalid()
+    {
+        $this->actingAs($this->user);
+
+        $this->followingRedirects()
+            ->get('intended')
+            ->assertViewIs('laraguard::confirm');
+
+        $this->post('2fa/confirm', [
+                config('laraguard.input') => 'invalid'
+            ])
+            ->assertSessionHasErrors();
+    }
+
+    public function test_bypasses_check_if_below_timeout()
+    {
+        Date::setTestNow($now = Date::create(2020, 04, 01, 20, 20));
+
+        $this->actingAs($this->user);
+
+        session()->put('2fa.totp_confirmed_at', $now->timestamp - config('laraguard.confirm.timeout') - 1);
+
+        $this->followingRedirects()
+            ->get('intended')
+            ->assertSee('ok');
+
+        session()->put('2fa.totp_confirmed_at', $now->timestamp - config('laraguard.confirm.timeout'));
+
+        $this->followingRedirects()
+            ->get('intended')
+            ->assertViewIs('laraguard::confirm');
+    }
+
+    public function test_routes_to_alternate_named_route()
+    {
+        $this->app['router']->get('intended_to_foo', function () {
+            return 'ok';
+        })->name('intended')->middleware('web', 'auth', '2fa.confirm:foo');
+
+        $this->app['router']->get('foo', function () {
+            return 'foo';
+        })->name('foo');
+
+        $this->actingAs($this->user);
+
+        $this->get('intended_to_foo')
+            ->assertRedirect('foo');
+    }
+
+    public function test_bypasses_check_if_not_forced_and_using_safe_devices()
+    {
+        Date::setTestNow($now = Date::create(2020, 04, 01, 20, 20));
+
+        $this->app['router']->get('intended_forced', function () {
+            return 'ok';
+        })->name('intended')->middleware('web', 'auth', '2fa.confirm:2fa.confirm,false');
+
+        $this->actingAs($this->user);
+
+        $this->followingRedirects()
+            ->get('intended_forced')
+            ->assertViewIs('laraguard::confirm');
+
+        $this->user->addSafeDevice(new Request());
+
+        $this->followingRedirects()
+            ->get('intended_forced')
+            ->assertSee('ok');
+    }
+}
\ No newline at end of file
diff --git a/tests/Http/Middleware/EnsureTwoFactorEnabledTest.php b/tests/Http/Middleware/RequireTwoFactorEnabledTest.php
similarity index 70%
rename from tests/Http/Middleware/EnsureTwoFactorEnabledTest.php
rename to tests/Http/Middleware/RequireTwoFactorEnabledTest.php
index fd13d20..e6fff8b 100644
--- a/tests/Http/Middleware/EnsureTwoFactorEnabledTest.php
+++ b/tests/Http/Middleware/RequireTwoFactorEnabledTest.php
@@ -2,14 +2,14 @@
 
 namespace Tests\Http\Middleware;
 
-use Tests\RunsPublishableMigrations;
 use Tests\Stubs\UserStub;
 use Tests\RegistersPackage;
 use Tests\CreatesTwoFactorUser;
 use Orchestra\Testbench\TestCase;
+use Tests\RunsPublishableMigrations;
 use Illuminate\Foundation\Testing\DatabaseMigrations;
 
-class EnsureTwoFactorEnabledTest extends TestCase
+class RequireTwoFactorEnabledTest extends TestCase
 {
     use RegistersPackage;
     use DatabaseMigrations;
@@ -23,15 +23,18 @@ protected function setUp() : void
         $this->afterApplicationCreated([$this, 'createTwoFactorUser']);
 
         $this->afterApplicationCreated(function () {
+            $this->app['router']->get('login', function () {
+                return 'login';
+            })->name('login');
             $this->app['router']->get('test', function () {
                 return 'ok';
-            })->middleware('2fa');
+            })->middleware('web', 'auth', '2fa.require');
             $this->app['router']->get('notice', function () {
                 return '2fa.notice';
-            })->name('2fa.notice');
+            })->middleware('web', 'auth')->name('2fa.notice');
             $this->app['router']->get('custom', function () {
                 return 'custom-notice';
-            })->name('custom-notice');
+            })->middleware('web', 'auth')->name('custom-notice');
         });
 
         parent::setUp();
@@ -39,12 +42,12 @@ protected function setUp() : void
 
     public function test_guest_cant_access()
     {
-        $this->followingRedirects()->get('test')->assertSee('2fa.notice');
+        $this->get('test')->assertRedirect('login');
 
-        $this->getJson('test')->assertSee(__('Two Factor Authentication is not enabled.'))->assertForbidden();
+        $this->getJson('test')->assertJson(['message' => 'Unauthenticated.'])->assertStatus(401);
     }
 
-    public function test_user_no_2fa_cant_access()
+    public function test_user_no_2fa_can_access()
     {
         $this->actingAs(UserStub::create([
             'name'     => 'test',
@@ -52,9 +55,9 @@ public function test_user_no_2fa_cant_access()
             'password' => '$2y$10$K0WnjWfbVBYcCvoSAh0yRurrgXgWVgQE2JHBJ.zdQdGHXgJofgGKC',
         ]));
 
-        $this->followingRedirects()->get('test')->assertSee('2fa.notice');
+        $this->get('test')->assertSee('ok');
 
-        $this->getJson('test')->assertSee(__('Two Factor Authentication is not enabled.'))->assertForbidden();
+        $this->getJson('test')->assertSee('ok')->assertOk();
     }
 
     public function test_user_2fa_not_enabled_cant_acesss()
@@ -63,7 +66,9 @@ public function test_user_2fa_not_enabled_cant_acesss()
 
         $this->followingRedirects()->get('test')->assertSee('2fa.notice');
 
-        $this->getJson('test')->assertSee(__('Two Factor Authentication is not enabled.'))->assertForbidden();
+        $this->getJson('test')
+            ->assertJson(['message' => 'You need to enable Two Factor Authentication.'])
+            ->assertForbidden();
     }
 
     public function test_user_2fa_enabled_access()
diff --git a/tests/Listeners/ForcesTwoFactorAuthTest.php b/tests/Listeners/ForcesTwoFactorAuthTest.php
index f513816..b7555c5 100644
--- a/tests/Listeners/ForcesTwoFactorAuthTest.php
+++ b/tests/Listeners/ForcesTwoFactorAuthTest.php
@@ -46,12 +46,14 @@ public function test_form_contains_action_credentials_remember_and_user()
             'credentials' => ['foo' => 'bar'],
             'remember'    => 'on',
             'error'       => true,
+            'input'       => 'bar'
         ])->render();
 
         $this->assertStringContainsString('action="qux"', $view);
         $this->assertStringContainsString('<input type="hidden" name="foo" value="bar">', $view);
         $this->assertStringContainsString('<input type="hidden" name="remember" value="on">', $view);
-        $this->assertStringContainsString(__('The Code is invalid or has expired.'), $view);
+        $this->assertStringNotContainsString('<input type="text" name="foo" id="bar"', $view);
+        $this->assertStringContainsString(trans('The Code is invalid or has expired.'), $view);
     }
 
     public function test_form_doesnt_contains_credentials()
@@ -62,12 +64,14 @@ public function test_form_doesnt_contains_credentials()
             'credentials' => null,
             'remember'    => 'on',
             'error'       => true,
+            'input'       => 'foo'
         ])->render();
 
         $this->assertStringContainsString('action="qux"', $view);
         $this->assertStringNotContainsString('<input type="hidden" name="foo" value="bar">', $view);
         $this->assertStringContainsString('<input type="hidden" name="remember" value="on">', $view);
-        $this->assertStringContainsString(__('The Code is invalid or has expired.'), $view);
+        $this->assertStringNotContainsString('<input type="text" name="foo" id="bar"', $view);
+        $this->assertStringContainsString(trans('The Code is invalid or has expired.'), $view);
     }
 
     public function test_login_with_no_valid_credentials_no_2fa_fails()
diff --git a/tests/Rules/TotpRuleTest.php b/tests/Rules/TotpRuleTest.php
new file mode 100644
index 0000000..5c23685
--- /dev/null
+++ b/tests/Rules/TotpRuleTest.php
@@ -0,0 +1,132 @@
+<?php
+
+namespace Tests\Rules;
+
+use Tests\Stubs\UserStub;
+use Tests\RegistersPackage;
+use Tests\CreatesTwoFactorUser;
+use Orchestra\Testbench\TestCase;
+use Tests\RunsPublishableMigrations;
+use Illuminate\Support\Facades\Date;
+use Illuminate\Foundation\Testing\DatabaseMigrations;
+
+class TotpRuleTest extends TestCase
+{
+    use RegistersPackage;
+    use DatabaseMigrations;
+    use RunsPublishableMigrations;
+    use CreatesTwoFactorUser;
+
+    protected function setUp() : void
+    {
+        $this->afterApplicationCreated([$this, 'loadLaravelMigrations']);
+        $this->afterApplicationCreated([$this, 'runPublishableMigration']);
+        $this->afterApplicationCreated([$this, 'createTwoFactorUser']);
+
+        $this->afterApplicationCreated(function () {
+            $this->app['router']->get('intended', function () {
+                return 'ok';
+            })->name('intended')->middleware('web', 'auth', '2fa.confirm');
+        });
+
+        parent::setUp();
+    }
+
+    public function test_validation_fails_if_guest()
+    {
+        $fails = validator([
+            'totp_code' => '123456'
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertTrue($fails);
+    }
+
+    public function test_validation_fails_if_user_is_not_2fa()
+    {
+        $user = UserStub::create([
+            'name'     => 'test',
+            'email'    => 'bar@test.com',
+            'password' => '$2y$10$K0WnjWfbVBYcCvoSAh0yRurrgXgWVgQE2JHBJ.zdQdGHXgJofgGKC',
+        ]);
+
+        $this->app['auth']->guard()->setUser($user);
+
+        $fails = validator([
+            'totp_code' => '123456'
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertTrue($fails);
+    }
+
+    public function test_validator_fails_if_user_is_2fa_but_not_enabled()
+    {
+        $this->app['auth']->guard()->setUser(tap($this->user)->disableTwoFactorAuth());
+
+        $fails = validator([
+            'totp_code' => '123456'
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertTrue($fails);
+    }
+
+    public function test_validator_fails_if_user_is_2fa_but_code_is_invalid()
+    {
+        $this->app['auth']->guard()->setUser($this->user);
+
+        $fails = validator([
+            'totp_code' => '123456'
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertTrue($fails);
+    }
+
+    public function test_validator_fails_if_user_is_2fa_but_code_is_expired_over_window()
+    {
+        Date::setTestNow($now = Date::create(2020, 04, 01, 16, 30));
+
+        $this->app['auth']->guard()->setUser($this->user);
+
+        $fails = validator([
+            'totp_code' => $this->user->makeTwoFactorCode($now, -2)
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertTrue($fails);
+    }
+
+    public function test_validator_succeeds_if_code_valid()
+    {
+        Date::setTestNow($now = Date::create(2020, 04, 01, 16, 30));
+
+        $this->app['auth']->guard()->setUser($this->user);
+
+        $fails = validator([
+            'totp_code' => $this->user->makeTwoFactorCode($now)
+        ], [
+            'totp_code' => 'totp_code'
+        ])->fails();
+
+        $this->assertFalse($fails);
+    }
+
+    public function test_validator_rule_uses_translation()
+    {
+        $validator = validator([
+            'totp_code' => 'invalid'
+        ], [
+            'totp_code' => 'totp_code'
+        ]);
+
+        $this->assertSame('The Code is invalid or has expired.', $validator->errors()->get('totp_code')[0]);
+    }
+
+}
\ No newline at end of file