A One Time Password Authentication package, compatible with Google Authenticator.

v1.3.3 2020-04-05 17:39 UTC


Latest Stable Version License Code Quality Build

Downloads Coverage StyleCI PHP

Google Two-Factor Authentication Package for Laravel

Google2FA is a PHP implementation of the Google Two-Factor Authentication Module, supporting the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

This package is a Laravel bridge to Google2FA's PHP package.

The intent of this package is to create QRCodes for Google2FA and check user typed codes. If you need to create backup/recovery codes, please check below.

Recovery/Backup codes

if you need to create recovery or backup codes to provide a way for your users to recover a lost account, you can use the Recovery Package.

Demos, Example & Playground

Please check the Google2FA Package Playground.


Here's an demo app showing how to use Google2FA: google2fa-example.

You can scan the QR code on this (old) demo page with a Google Authenticator app and view the code changing (almost) in real time.


Laravel Google2FA Google2FA-Laravel
4.2 <= 1.0.1
5.0-5.1 <= 1.0.1
5.2-6.x >= 2.0.0 >= 0.2.0

Before Google2FA 2.0 (Laravel 5.1) you have to install pragmarx/google2fa:~1.0, because this package was both a Laravel package and a PHP (agnostic).


Click here to see the middleware demo:



Use Composer to install it:

composer require pragmarx/google2fa-laravel

Installing on Laravel

Laravel 5.5 and above

You don't have to do anything else, this package autoloads the Service Provider and create the Alias, using the new Auto-Discovery feature.

Laravel 5.4 and below

Add the Service Provider and Facade alias to your app/config/app.php (Laravel 4.x) or config/app.php (Laravel 5.x):


'Google2FA' => PragmaRX\Google2FALaravel\Facade::class,

Publish the config file

php artisan vendor:publish --provider="PragmaRX\Google2FALaravel\ServiceProvider"

Using It

Use the Facade

use Google2FA;

return Google2FA::generateSecretKey();

In Laravel you can use the IoC Container

$google2fa = app('pragmarx.google2fa');

return $google2fa->generateSecretKey();


This package has a middleware which will help you code 2FA on your app. To use it, you just have to:

Add the middleware to your Kernel.php:

protected $routeMiddleware = [
    '2fa' => \PragmaRX\Google2FALaravel\Middleware::class,

Using it in one or more routes:

Route::get('/admin', function () {
    return view('admin.index');
})->middleware(['auth', '2fa']);

QRCode Backend

There are three available: imagemagick (default), svg and eps.

You can change it via config:

 * Which image backend to use for generating QR codes?
 * Supports imagemagick, svg and eps
'qrcode_image_backend' => \PragmaRX\Google2FALaravel\Support\Constants::QRCODE_IMAGE_BACKEND_IMAGEMAGICK,

Or runtime:


Configuring the view

You can set your 'ask for a one time password' view in the config file (config/google2fa.php):

 * One Time Password View
'view' => 'google2fa.index',

And in the view you just have to provide a form containing the input, which is also configurable:

 * One Time Password request input name
'otp_input' => 'one_time_password',

Here's a form example:

    <form action="/google2fa/authenticate" method="POST">
        <input name="one_time_password" type="text">

        <button type="submit">Authenticate</button>

One Time Password Lifetime

Usually an OTP lasts forever, until the user logs off your app, but, to improve application safety, you may want to re-ask, only for the Google OTP, from time to time. So you can set a number of minutes here:

* Lifetime in minutes.
* In case you need your users to be asked for a new one time passwords from time to time.

'lifetime' => 0, // 0 = eternal

And you can decide whether your OTP will be kept alive while your users are browsing the site or not:

 * Renew lifetime at every new request.

'keep_alive' => true,

Manually logging out from 2Fa

This command wil logout your user and redirect he/she to the 2FA form on the next request:


If you don't want to use the Facade, you may:

use PragmaRX\Google2FALaravel\Support\Authenticator;

(new Authenticator(request()))->logout();

Throttling / Lockout after X attempts

Unless you need something really fancy, you can probably use Laravel's route throttle middleware for that:

Route::get('/admin', function () {
    return view('admin.index');
})->middleware(['auth', '2fa', 'throttle']);

Stateless usage

$authenticator = app(Authenticator::class)->bootStateless($request);

if ($authenticator->isAuthenticated()) {
    // otp auth success!

You can also use a stateless middleware:

protected $routeMiddleware = [
    '2fa' => \PragmaRX\Google2FALaravel\MiddlewareStateless::class,


The following events are fired:

  • EmptyOneTimePasswordReceived
  • LoggedOut
  • LoginFailed
  • LoginSucceeded
  • OneTimePasswordExpired
  • OneTimePasswordRequested


Check the ReadMe file in the main Google2FA repository.


The package tests were written with phpspec.


Antonio Carlos Ribeiro


Google2FA is licensed under the MIT License - see the LICENSE file for details


Pull requests and issues are more than welcome.