Google Authenticator 2-factor authentication

v3.0 2021-04-20 19:40 UTC

This package is auto-updated.

Last update: 2023-11-21 01:55:08 UTC


Build Status

This is a fork of with the following changes:

  • Uses to generate QR code data URIs
  • No longer generates Google's Chart API to make QR code links
  • Uses namespacing
  • Augmented test coverage to 100%
  • Bumped minimum PHP version to 7.3

Original License:


This PHP class can be used to interact with the Google Authenticator mobile app for 2-factor-authentication. This class can generate secrets, generate codes, validate codes and present a QR-Code for scanning the secret. It implements TOTP according to RFC6238

For a secure installation you have to make sure that used codes cannot be reused (replay-attack). You also need to limit the number of verifications, to fight against brute-force attacks. For example you could limit the amount of verifications to 10 tries within 10 minutes for one IP address (or IPv6 block). It depends on your environment.


See following example:

require_once 'vendor/autoload.php';

use Vectorface\GoogleAuthenticator;

$ga = new GoogleAuthenticator();
$secret = $ga->createSecret();
echo "Secret is: {$secret}\n\n";

$qrCodeUrl = $ga->getQRCodeUrl('Blog', $secret);
echo "PNG Data URI for the QR-Code: {$qrCodeUrl}\n\n";

$oneCode = $ga->getCode($secret);
echo "Checking Code '$oneCode' and Secret '$secret':\n";

// 2 = 2*30sec clock tolerance
$checkResult = $ga->verifyCode($secret, $oneCode, 2);
if ($checkResult) {
    echo 'OK';
} else {
    echo 'FAILED';

Running the script provides output similar to:


PNG Data URI for the QR-Code: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARgAAAEYCAIAAAAI[snipped]

Checking Code '848634' and Secret 'OQB6ZZGYHCPSX4AK':


composer require vectorface/googleauthenticator

Run Tests:

  • All tests are inside tests folder.
  • Execute composer install to prepare your environment.
  • Run composer test from the project root directory.