library php-authenticator

A generator for counter- and time based authentication codes. PHP 7+

chillerlan/php-authenticator

  • Tuesday, January 23, 2018
  • by codemasher
  • Repository
  • 1 Watchers
  • 5 Stars
  • 1,549 Installations
  • PHP
  • 2 Dependents
  • 0 Suggesters
  • 1 Forks
  • 1 Open issues
  • 9 Versions
  • 22 % Grown

The README.md

chillerlan/php-authenticator

A generator for counter based (RFC 4226) and time based (RFC 6238) one time passwords (OTP). (a.k.a. Yet Another Google Authenticator Implementation!)

Documentation

Requirements

Installation

Requires composer.

via terminal: composer require chillerlan/php-authenticator

composer.json:

{
    "require": {
        "php": "^8.2",
        "chillerlan/php-authenticator": "dev-main"
    }
}

Note: replace dev-main with a version constraint, e.g. ^5.0 (see releases for valid versions).

Profit!

Usage

Create a secret

The secret is usually created once during the activation process in a user control panel. All you need to do there is display it to the user in a convenient way, for example as a text string and a QR code, and save it with the user data.

use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};

$options = new AuthenticatorOptions;
$options->secret_length = 32;

$authenticator = new Authenticator($options);
// create a secret (stored somewhere in a *safe* place on the server. safe... hahaha jk)
$secret = $authenticator->createSecret();
// you can also specify the length of the secret key, which overrides the options setting
$secret = $authenticator->createSecret(20);
// set an existing secret
$authenticator->setSecret($secret);

A secret created with Authenticator::createSecret() will also be stored internally, so that you don't need to provide the secret you just created on follow-up operations with the current instance.

Verify a one time code

Now during the login process, after the user has successfully entered their credentials, you would ask them for a one time code to check it against the secret from your user database.

// verify the code
if($authenticator->verify($otp)){
    // that's it - 2FA has never been easier! :D
}

time based (TOTP)

Verify adjacent codes

// try the first adjacent
$authenticator->verify($otp, time() - $options->period); // -> true
// try the second adjacent, default is 1
$authenticator->verify($otp, time() + 2 * $options->period); // -> false
// allow 2 adjacent codes
$options->adjacent = 2;
$authenticator->verify($otp, time() + 2 * $options->period); // -> true
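
What the adjacent window means for verification, as an added example built only on PHP built-ins (it is not the library's code): the function names hotp() and verifyTotp(), the raw binary secret argument and the $lastStep parameter are assumptions made for this illustration. The same hotp() core is what a counter based check computes for a stored counter value.

```php
<?php
// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $rawSecret, int $counter, int $digits = 6, string $algo = 'sha1'): string {
    $hmac   = hash_hmac($algo, pack('J', $counter), $rawSecret, true);
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0f;
    $code   = unpack('N', substr($hmac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string)($code % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238) check with an "adjacent" window. Returns the matched time step,
// or null on failure. $lastStep (hypothetical, kept per user) is the step of the
// last accepted code, so a code cannot be accepted a second time.
function verifyTotp(string $rawSecret, string $otp, int $now, int $period = 30,
                    int $adjacent = 1, ?int $lastStep = null, int $digits = 6): ?int {
    $current = intdiv($now, $period);
    $matched = null;
    for ($i = -$adjacent; $i <= $adjacent; $i++) {
        $step = $current + $i;
        // hash_equals() compares in constant time; the loop never exits early,
        // so timing does not reveal which step matched
        if (hash_equals(hotp($rawSecret, $step, $digits), $otp)) {
            $matched = $step;
        }
    }
    // no match in the window, or a code from a step that was already used
    if ($matched === null || ($lastStep !== null && $matched <= $lastStep)) {
        return null;
    }
    return $matched;
}

// constructed sample input: the RFC 4226 Appendix D test secret and a fixed clock
$secret = '12345678901234567890';
$now    = 1700000000;
$otp    = hotp($secret, intdiv($now, 30));

var_dump(verifyTotp($secret, $otp, $now));                   // same time step
var_dump(verifyTotp($secret, $otp, $now + 30));              // one period later, adjacent = 1
var_dump(verifyTotp($secret, $otp, $now + 60));              // two periods later, adjacent = 1
var_dump(verifyTotp($secret, $otp, $now + 60, 30, 2));       // two periods later, adjacent = 2
$used = verifyTotp($secret, $otp, $now);
var_dump(verifyTotp($secret, $otp, $now + 5, 30, 1, $used)); // same code again after acceptance
```

Each increment of adjacent adds two more accepted codes (one earlier, one later), so the window trades clock tolerance against the number of codes valid at any moment.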

counter based (HOTP)

// switch mode to HOTP
$options->mode = AuthenticatorInterface::HOTP;
// user sends the OTP for code #42, which is equivalent to
$otp = $authenticator->code(42); // -> 123456
// verify [123456, 42]
$authenticator->verify($otp, $counterValueFromUserDatabase); // -> true

URI creation

In order to display a QR code for a mobile authenticator you'll need an otpauth:// URI, which can be created using the following method.

  • $label should be something that identifies the account to which the secret belongs
  • $issuer is the name of your website or company for example, so that the user is able to identify multiple accounts

$uri = $authenticator->getUri($label, $issuer);

// -> otpauth://totp/my%20label?secret=NKSOQG7UKKID4IXW&issuer=chillerlan.net&digits=6&period=30&algorithm=SHA1

Notes

Keep in mind that several URI settings are not (yet) recognized by all authenticators. Check the Google Authenticator wiki for more info.

// code length, currently 6 or 8
$options->digits = 8;
// valid period between 15 and 60 seconds
$options->period = 45;
// set the HMAC hash algorithm
$options->algorithm = AuthenticatorInterface::ALGO_SHA512;
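
A check for otpauth:// URIs before they are turned into a QR code, as an added example that is not part of the library: inspectOtpauthUri() and the two constants are hypothetical names, and the allowed values and defaults are the ones listed in the AuthenticatorOptions table on this page. The second sample URI is constructed.

```php
<?php
// Defaults and allowed values as listed in the AuthenticatorOptions table.
const OTP_DEFAULTS   = ['digits' => '6', 'period' => '30', 'algorithm' => 'SHA1'];
const OTP_ALGORITHMS = ['SHA1', 'SHA256', 'SHA512'];

/** Returns a list of findings for an otpauth:// URI (empty list: nothing to report). */
function inspectOtpauthUri(string $uri): array {
    $parts = parse_url($uri);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'otpauth') {
        return ['not an otpauth:// URI'];
    }
    parse_str($parts['query'] ?? '', $q);
    // drop array-valued parameters; absent settings fall back to the defaults
    $q = array_filter($q, 'is_string') + OTP_DEFAULTS;
    $findings = [];

    if (!in_array($parts['host'] ?? '', ['totp', 'hotp'], true)) {
        $findings[] = 'mode is neither totp nor hotp';
    }
    $secret = rtrim($q['secret'] ?? '', '=');
    if (!preg_match('/^[A-Z2-7]+$/', $secret)) {
        $findings[] = 'secret is missing or not Base32';
    } elseif (intdiv(strlen($secret) * 5, 8) < 16) {
        $findings[] = 'secret is shorter than the 16-byte minimum for $secret_length';
    }
    if (!in_array($q['digits'], ['6', '8'], true)) {
        $findings[] = 'digits must be 6 or 8';
    }
    if (!ctype_digit($q['period']) || $q['period'] < 15 || $q['period'] > 60) {
        $findings[] = 'period must be between 15 and 60 seconds';
    }
    if (!in_array($q['algorithm'], OTP_ALGORITHMS, true)) {
        $findings[] = 'algorithm must be SHA1, SHA256 or SHA512';
    }
    foreach (OTP_DEFAULTS as $key => $default) {
        if ($q[$key] !== $default) {
            $findings[] = "non-default $key={$q[$key]}: not recognized by all authenticators";
        }
    }
    return $findings;
}

// the sample URI shown on this page, then a constructed URI using the settings from the notes
print_r(inspectOtpauthUri('otpauth://totp/my%20label?secret=NKSOQG7UKKID4IXW&issuer=chillerlan.net&digits=6&period=30&algorithm=SHA1'));
print_r(inspectOtpauthUri('otpauth://totp/my%20label?secret=' . str_repeat('A', 32)
    . '&issuer=example.test&digits=8&period=45&algorithm=SHA512'));
```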

API

Authenticator

| method | return | description |
|---|---|---|
| __construct(SettingsContainerInterface $options = null, string $secret = null) | - | |
| setOptions(SettingsContainerInterface $options) | Authenticator | called internally by __construct() |
| setSecret(string $secret) | Authenticator | called internally by __construct() |
| getSecret() | string | |
| createSecret(int $length = null) | string | $length overrides AuthenticatorOptions setting |
| code(int $data = null) | string | $data may be a UNIX timestamp (TOTP) or a counter value (HOTP) |
| verify(string $otp, int $data = null) | bool | for $data see Authenticator::code() |
| getUri(string $label, string $issuer, int $hotpCounter = null, bool $omitSettings = null) | string | |

AuthenticatorOptions

Properties

| property | type | default | allowed | description |
|---|---|---|---|---|
| $digits | int | 6 | 6 or 8 | auth code length |
| $period | int | 30 | 15 - 60 | validation period (seconds) |
| $secret_length | int | 20 | >= 16 | length of the secret phrase (bytes, unencoded binary) |
| $algorithm | string | SHA1 | SHA1, SHA256 or SHA512 | HMAC hash algorithm, see AuthenticatorInterface::HASH_ALGOS |
| $mode | string | totp | totp, hotp, battlenet or steam | authenticator mode: time- or counter based, see AuthenticatorInterface::MODES |
| $adjacent | int | 1 | >= 0 | number of allowed adjacent codes |
| $time_offset | int | 0 | * | fixed time offset that will be added to the current time value |
| $useLocalTime | bool | true | * | whether to use local time or request server time |
| $forceTimeRefresh | bool | false | * | whether to force refreshing server time on each call |

AuthenticatorInterface

Methods

| method | return | description |
|---|---|---|
| setOptions(SettingsContainerInterface $options) | AuthenticatorInterface | |
| setSecret(string $encodedSecret) | AuthenticatorInterface | |
| getSecret() | string | |
| createSecret(int $length = null) | string | |
| getServertime() | int | |
| getCounter(int $data = null) | int | internal |
| getHMAC(int $counter) | string | internal |
| getCode(string $hmac) | int | internal |
| getOTP(int $code) | string | internal |
| code(int $data = null) | string | |
| verify(string $otp, int $data = null) | bool | |

Constants

| constant | type | description |
|---|---|---|
| TOTP | string | |
| HOTP | string | |
| STEAM_GUARD | string | |
| ALGO_SHA1 | string | |
| ALGO_SHA256 | string | |
| ALGO_SHA512 | string | |
| MODES | array | map of mode -> classname |
| HASH_ALGOS | array | list of available hash algorithms |

2FA ALL THE THINGS!

The Versions

23/01 2018

dev-master

9999999-dev https://github.com/chillerlan/php-authenticator

A generator for counter- and time based authentication codes. PHP 7+

MIT

The Requires

  • php >=7.0.3

 

The Development Requires

2fa authenticator totp hotp rfc4226 rfc6238

23/01 2018

2.0.1

2.0.1.0 https://github.com/chillerlan/php-authenticator

A generator for counter- and time based authentication codes. PHP 7+

MIT

The Requires

  • php >=7.0.3

 

The Development Requires

2fa authenticator totp hotp rfc4226 rfc6238

23/12 2017

2.0.0

2.0.0.0 https://github.com/codemasher/php-authenticator

A generator for counter- and time based authentication codes. PHP 7+

MIT

The Requires

  • php >=7.0.3

 

The Development Requires

2fa authenticator totp hotp rfc4226 rfc6238

25/10 2017

1.1.0

1.1.0.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 7+

MIT

The Requires

  • php >=7.0.3

 

The Development Requires

2fa authenticator totp

29/02 2016

1.0.4

1.0.4.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 5.6+, PHP 7

MIT

The Requires

 

The Development Requires

2fa authenticator totp

23/02 2016

1.0.3

1.0.3.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 5.6+, PHP 7

MIT

The Requires

 

The Development Requires

2fa authenticator totp

04/02 2016

1.0.2

1.0.2.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 5.6+, PHP 7

MIT

The Requires

 

The Development Requires

2fa authenticator totp

13/12 2015

1.0.1

1.0.1.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 5.6+, PHP 7

MIT

The Requires

 

The Development Requires

2fa authenticator totp

07/12 2015

1.0.0

1.0.0.0 https://github.com/codemasher/php-googleauth

Time based authentication codes. PHP 5.6+, PHP 7

MIT

The Requires

 

The Development Requires

2fa authenticator totp