Provides two-factor authentication for Symfony applications

Installs: 1 025 512

Dependents: 16

Suggesters: 1

Security: 2

Stars: 331

Watchers: 16

Forks: 106

Open Issues: 5


v4.12.0 2020-01-12 14:01 UTC


Build Status Scrutinizer Code Quality Code Coverage Latest Stable Version Total Downloads License

This bundle provides two-factor authentication for your Symfony application.

It comes with the following two-factor authentication methods:

Additional features you will like:

  • Interface for custom two-factor authentication methods
  • Trusted IPs
  • Trusted devices (once passed, no more two-factor authentication on that device)
  • Single-use backup codes for when you don't have access to the second factor device
  • Multi-factor authentication (more than 2 steps)
  • CSRF protection
  • Whitelisted routes (accessible during two-factor authentication)


composer require scheb/two-factor-bundle

... and follow the installation instructions.


Detailed documentation of all features can be found in the Resources/doc directory.


  • Recommended version: Bundle version 4.x is compatible with Symfony 3.4, 4.x and 5.x.
  • Bundle version 3.x is compatible with Symfony 3.4, 4.x and 5.x.

Previous versions are no longer maintained, please consider upgrading.

Security Issues

If you think that you have found a security issue in the bundle, don't use the bug tracker and don't publish it publicly. Instead, please report via email to

Known security issues:

  • Before version 3.7 the bundle is vulnerable to a security issue in JWT, which can be exploited by an attacker to generate trusted device cookies on their own, effectively by-passing two-factor authentication. (#143)

  • Before versions 3.26.0 / 4.11.0 it was possible to bypass two-factor authentication when the remember-me option is available on the login form. (#253)


You're welcome to contribute to this bundle by creating a pull requests or feature request in the issues section. For pull requests, please follow these guidelines:

  • Symfony code style (use php_cs.xml to configure the code style in your IDE)
  • PHP7.1 type hints for everything (including: return types, void, nullable types)
  • declare(strict_types=1) must be used
  • Please add/update test cases
  • Test methods should be named [method]_[scenario]_[expected result]

Besides new features, translations are highly welcome.

To run the test suite install the dependencies with composer install and then execute bin/phpunit.


This bundle is available under the MIT license.