PHP implementation of the OATH one-time password standards

Language: PHP

v1.1.1 2015-06-30 03:38 UTC



This library provides HMAC-based (HOTP) and time-based (TOTP) one-time password functionality as defined by RFC 4226 and RFC 6238 for PHP 5.3+.


Via Composer

$ composer require rych/otp


The library makes generating and sharing secret keys easy.


use Rych\OTP\Seed;

// Generates a 20-byte (160-bit) secret key
$otpSeed = Seed::generate();

// -OR- use a pre-generated string
$otpSeed = new Seed('ThisIsMySecretSeed');

// Display secret key details
printf("Secret (HEX): %s\n", $otpSeed->getValue(Seed::FORMAT_HEX));
printf("Secret (BASE32): %s\n", $otpSeed->getValue(Seed::FORMAT_BASE32));

When a user attempts to log in, they should be prompted to provide the OTP displayed on their device. The library can then validate the provided OTP using the user's shared secret key.


use Rych\OTP\HOTP;

$otpSeed = $userObject->getOTPSeed();
$otpCounter = $userObject->getOTPCounter();
$providedOTP = $requestObject->getPost('otp');

// The constructor will accept a Seed object or a string
$otplib = new HOTP($otpSeed);
if ($otplib->validate($providedOTP, $otpCounter)) {
    // Advance the application's stored counter
    // This bit is important for HOTP but not done for TOTP
    $userObject->incrementOTPCounter($otplib->getLastValidCounterOffset() + 1);

    // Now the user is authenticated
}

Time-based OTPs are handled the same way, except you don't have a counter value to track or increment.
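
Why the counter update in the HOTP example matters, shown with a standalone RFC 4226 implementation. This is an added example, not code from rych/otp: the function names `hotp()` and `hotpValidate()`, the look-ahead window of 2 and the PHP 7.1+ syntax are assumptions, and the secret is the RFC 4226 Appendix D test key.

```php
<?php
// Added example: standalone RFC 4226 HOTP, not the rych/otp source.

/** HOTP value for a raw binary secret and a counter (RFC 4226, section 5.3). */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    // The counter is hashed as an 8-byte big-endian integer.
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);

    // Dynamic truncation: the low nibble of the last byte picks 4 bytes.
    $offset = ord($hash[19]) & 0x0f;
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;

    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Check $otp against counters $counter .. $counter + $window.
 * Returns the offset that matched, or null if none did.
 */
function hotpValidate(string $secret, string $otp, int $counter, int $window = 2): ?int
{
    for ($i = 0; $i <= $window; $i++) {
        // hash_equals() compares the two codes in constant time.
        if (hash_equals(hotp($secret, $counter + $i), $otp)) {
            return $i;
        }
    }
    return null;
}

// Constructed scenario using the RFC 4226 Appendix D test secret.
$secret = '12345678901234567890';
$stored = 3;          // counter the server has on record
$otp    = '254676';   // RFC 4226 test value for counter 5: the token is 2 ahead

$offset = hotpValidate($secret, $otp, $stored);
if ($offset !== null) {
    // Move past the counter that was just used, as in the HOTP example above.
    $stored += $offset + 1;
}
printf("first attempt:  %s, stored counter now %d\n", $offset === null ? 'rejected' : 'accepted', $stored);

// The same code is submitted again after the stored counter has moved on.
$replay = hotpValidate($secret, $otp, $stored);
printf("replay attempt: %s\n", $replay === null ? 'rejected' : 'accepted');
```

If the stored counter is not advanced past the matched value, the same code stays inside the look-ahead window and can be accepted a second time.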

Change log

Please see CHANGELOG for more information on what has changed recently.


$ vendor/bin/phpunit -c phpunit.dist.xml


If you discover any security-related issues, please email rchouinard@gmail.com instead of using the issue tracker.


The MIT License (MIT). Please see License File for more information.