christian-riesen/otp

One Time Passwords, hotp and totp according to RFC4226 and RFC6238

Maintainers

Details

github.com/ChristianRiesen/otp

Homepage

Source

Issues

Installs: 2 870 573

Dependents: 6

Suggesters: 0

Security: 0

Stars: 87

Watchers: 4

Forks: 27

Open Issues: 8

2.7.0 2021-02-23 20:13 UTC

Requires

Requires (Dev)

MIT aab865ae6d356993ad9d51f8a7e8f32b8a54730a

otphotptotpgoogleauthenticatorrfc4226rfc6238

This package is auto-updated.

Last update: 2024-04-24 02:49:00 UTC

README

Build Status

Did you like this? Flattr it:

Flattr otp

Installation

Use composer and require the library in your composer.json

{
    "require": {
        "christian-riesen/otp": "^2.0",
    }
}

Usage

<?php

use Otp\Otp;
use Otp\GoogleAuthenticator;
use ParagonIE\ConstantTime\Encoding;

// Get a Pseudo Secret
// Defaults to 16 characters
$secret = GoogleAuthenticator::generateRandom();

// Url for the QR code
// Using totp method
$url = GoogleAuthenticator::getQrCodeUrl('totp', 'Label like user@host.com', $secret);

// Save the secret with the users account
// Display QR Code to the user

// Now how to check
$otp = new Otp();

// $key is a 6 digit number, coming from the User
// Assuming this is present and sanitized
// Allows for a 1 code time drift by default
// Third parameter can alter that behavior
if ($otp->checkTotp(Encoding::base32DecodeUpper($secret), $key)) {
    // Correct key
    // IMPORTANT! Note this key as being used
    // so nobody could launch a replay attack.
    // Cache that for the next minutes and you
    // should be good.
} else {
    // Wrong key
}

// Just to create a key for display (testing)
$key = $otp->totp(Encoding::base32DecodeUpper($secret));

Sample script in example folder. Requires sessions to work (for secret storage).

Class Otp

Implements hotp according to RFC4226 and totp according to RFC6238 (only sha1, sha256 and sha512 algorithms). Once you have a secret, you can use it directly in this class to create the passwords themselves (mainly for debugging use) or use the check functions to safely check the validity of the keys. The checkTotp function also includes a helper to battle timedrift.

Class GoogleAuthenticator

Static function class to generate a correct url for the QR code, so you can easily scan it with your device. Google Authenticator is available as an application for iPhone and Android. This removes the burden to create such an app from the developers of websites by using this set of classes.

There are also older open source versions of the Google Authenticator app for both iPhone and Android.

About

Requirements

PHP >= 5.4.0

Uses paragonie/random_compat and paragonie/constant_time_encoding.

If you want to run the tests, PHPUnit >= 4.8.35 is required.

Author

Christian Riesen chris.riesen@gmail.com http://christianriesen.com

Acknowledgements

The classes have been inspired by many different places that were talking about otp and Google Authenticator. Thank you all for your help.

Project setup ideas blatantly taken from https://github.com/Seldaek/monolog