omniauth-oauth2 VS rotp

It depends on what you mean by OAuth 2.0. If you want your app to be an OAuth 2.0 provider, then you'd use rodauth-oauth. If you want to enable your users to login through external apps that implement the OAuth 2.0 protocol, then OmniAuth is what you'd use. Not all external apps implement login via the OAuth 2.0 protocol, those that do will have their OmniAuth strategies inherit from omniauth-oauth2.

OmniAuth OAuth2 is a gem that contains a generic OAuth2 strategy for OmniAuth. It is meant to serve as a building block strategy for other strategies and not to be used independently (since it has no inherent way to gather uid and user info). 404 stars by now

Omniauth-OAuth checks for a state value sent in with the request that should be available within the session when the callback is performed (source here)

Your authentication mechanism should include multiple factors, something the user knows and something the user has. If you are using Devise, you can use the devise-two-factor gem. If you have custom authentication, you can use the rotp gem to generate OTP codes and verify those during login.

Aside from SMS scams, SMS is the least secure type of 2FA. I recommend implementing OTP via authenticator apps like Authenticator and 1Password. You can use the rotp gem for this: https://github.com/mdp/rotp

What you're describing sounds a lot like OTP https://github.com/mdp/rotp. It's a well known and standard way of issuing one time passwords (typically 6 digits that a user confirms by entering it in).

rotp: https://github.com/mdp/rotp and

Use https://github.com/mdp/rotp/ -- it's super simple to get TOTP 2FA set up. Friends don't let friends use SMS 2FA.

ROTP (The Ruby One Time Password Library) is a Ruby library for generating and validating one time passwords (HOTP & TOTP) according to RFC 4226 and RFC 6238. It is compatible with Google Authenticator available for Android and iPhone and any other TOTP based implementations. 1,217 stars by now