moh4mmad/php-otp-without-database

OTP verification using cryptography without database

Maintainers

Details

github.com/moh4mmad/php-otp-without-database

Source

Issues

Installs: 22

Dependents: 0

Suggesters: 0

Security: 0

Stars: 15

Watchers: 3

Forks: 3

Open Issues: 0

1.0.0 2019-10-15 15:27 UTC

MIT cf07c82cf09e7624cfe6e01992592c54ba5dbb11

  • Sakib <sakib.woop@sakib.info>

This package is auto-updated.

Last update: 2025-06-17 00:28:01 UTC

README

What is it?

This is a simple script written in php to verify One Time Password (OTP) without any database. You can read the blog post here to understand the technique and motivation.

How to install

git clone https://github.com/moh4mmad/php-otp-without-database.git

or

composer require moh4mmad/php-otp-without-database

Usage

You need additional tool to send SMS. This module only takes care of the verification part.

Verification process

OTP verification is done in the following steps:

  • A hash is created with the phone number/email address and then sent to the user.
  • The user also receives the OTP via SMS, email or any other method.
  • The user sends back the hash, OTP and phone/email used in the first request.
  • The server verifies the information and returns true if they match.

Generating OTP Hash

$otp = new Sakib\OTP;
$email = "test@abc.com";
$code = $otp->generateRandomString(6);
$hash = $otp->CreateOTP($email, $code);

You can then send this hash to the user as response.

CreateOTP($email, $otp, $key = "verysecret", $min = 5, $algo = "sha256");

Verifying OTP hash

The user should get the hash from the HTTP request and should get the real OTP via SMS or email. Then when the user sends back the information, they can be verified with the following code:

VerifyTOP($email, $otp, $hash, $key="verysecret", $algo = "sha256");

This method returns a Boolean. If the verification is successful, it will return true.

Issues

If you come across any issues please report them here