Caution! Uses functions not suitable for cryptographic purposes!

[oittaa]

1. https://www.php.net/manual/en/function.mt-rand.php

Caution This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.

https://github.com/alexandregz/twofactor_gauthenticator/blob/71fc85a3016e24f2fdd667ef8c6d3c983184b82e/twofactor_gauthenticator.php#L487

2. https://www.php.net/manual/en/function.array-rand.php

is not suitable for cryptographic purposes

https://github.com/alexandregz/twofactor_gauthenticator/blob/9d9e9bab91923a53d0f9c80fc6cb498a8112ec7e/PHPGangsta/GoogleAuthenticator.php#L30

[oittaa]

Now that I look more closely, doesn't this generate same IV every time? That's extremely dangerous.

https://github.com/alexandregz/twofactor_gauthenticator/blob/71fc85a3016e24f2fdd667ef8c6d3c983184b82e/twofactor_gauthenticator.php#L482

[maltejk]

In parts this is very likely fixed in upstream of "GoogleAuthenticator" library, as PHPGangsta/GoogleAuthenticator.php does not seem to include "mt_rand" anymore.