The OTP plugin for Devise I help to maintain goes 2.0 this week. Here is what’s new and how to upgrade.

What’s new

We tried to address a couple of things in this release, mainly support for lockable strategy, improving locale files, and fixing Hotwire and Remember me support. On top we refactored some code, cleaned up ERB views, and added Rubocop and linting.

Most of these things are self-descriptive but it might be important to note that the devise-otp shares failed login counter with lockable for now. In a way, a login failure is a login failure at the end of the day.

We also have some breaking changes that warrant the big version bump. Laney Stroup refactored browser persistance to be a dedicated controller and while standardizing browser persistance routes moved actions to be HTML buttons.

Upgrading

1. Regenerate the controller and views if you use custom ones:

    rails g devise_otp:controllers
    rails g devise_otp:views
   

   Note that the browser persistence controls now use button_to, rather than link_to.

2. Update locales file

   Move any *_persistence keys from devise.otp.otp_tokens to devise.otp.otp_persistence

And that should be it! Please file an issue if you found one.

Check out my book

Interested in Ruby on Rails default testing stack? Take Minitest and fixtures for a spin with my latest book.

Get Test Driving Rails and make your tests faster and easier to maintain.

Published on 21 Oct 2025

p.s. I recently released the first ever Kamal course.