This package is abandoned and no longer maintained. No replacement package was suggested.

Brute Force authentication protection.

dev-master 2019-03-19 13:33 UTC

This package is not auto-updated.

Last update: 2022-04-30 05:09:59 UTC


This is a sample implementation of Google multi-factor authentication (MFA) for Zend Framework 2.

Implementation by Team CODIFIC • We code terrific.

MIT License


This plugin implements the Google multi-factor authentication using a one-time token that is valid for maximum 8 minutes (configurable). Even if a username/password combination is leaked, brute forced or dictionary attacked the MFA will make sure the attacker will still not be able to login as Google MGA


Add the plugin to your composer.json by using the following line:

"codific/zf2-multi-factor-authentication": "dev-master"

and run

php composer.phar update


The authenticated users should have 2 additional attributes in the database.

`secretKey` varchar(100) NOT NULL default ''
`mfaEnabled` tinyint(1) NOT NULL default 0

Upon a successful login redirect the authenticated user to the mfa screen. Here is a sample action for the MFA. Note that we save the authenticated user in a cache variable and we clear the authentication storage before redirecting. After a successful MFA we restore the storage from the cache.

     * Check multi-factor authentication after a successful login.
     * @return \Zend\View\Model\ViewModel
    public function checkmfaAction()
        $data = $this->cache->authenticatedUser;
        $request = $this->getRequest();
        if($request->isPost()) {
            $postData = $request->getPost();
            $googleAuth = new \Codific\Authenticator($data->secretKey);
            if($googleAuth->verifyCode($postData->pin, 4)) //the second parameter specifies the validity of the MFA token in minutes
                $this->cache->authenticatedUser->verifyMFA = 1;
                $auth = new AuthenticationService();
                return $this->redirect()->toUrl("/admin/index/index");
                $this->cache->error = "Your code is invalid. Please try again.";
        return $this->view;

Here is a sample of the view code.

    <span class="widget-icon"><i class="fa fa-list"></i></span>
    <h2>2-step verification</h2>
  <div class='well'>
    <form action="/admin/login/checkmfa" method="POST" name="login" class="form-horizontal" id="login">
      <fieldset class="form-horizontal">
        <div class="form-group ">
          <label>Enter verification code</label>
          <input type="tel" pattern="[0-9 ]*" id="totpPin" name="pin" dir="ltr" autocomplete="off" placeholder="Enter 6-digit code" autofocus class="form-control">
        <div class="form-group ">
          <button type="submit" name="done" id="submitbutton" class="button-fix btn-primary form-control btn" value="">Submit</button>