This small library implements the HMAC-based one-time password algorithms used mostly on two steps authentication: time based TOTP (RFC 6238) and HOTP (RFC 4226).
Easily and quick allows to configure and use mobile apps like Google Authenticator.
Although it should work even on PHP 5.4. We strongly recommend using PHP >= 7.3 as lower versions have reached end of life.
Preferable use composer
composer require pedrosancao/php-otp
Create a new token
$totp = PedroSancao\OTP\TOTP::create();
Present URI to user as a QR-Code or show base 32 encoded secret
// example using Google API, it's recommended to use a local library
$uri = $totp->getUri('user@domain.com', 'Issuer Name');
$src = 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . urlencode($uri);
printf('<img src="https://github.com/pedrosancao/php-otp/raw/main/%s"/>', $src);
// OR
echo $totp->getSecretReadable();
Store the shared secret
$secret = $totp->getRawSecret();
$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret);
$totp->verify($inputPassword);
$totp = PedroSancao\OTP\TOTP::create($base32encodedSecret);
// or
$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret);
// or
$totp = PedroSancao\OTP\TOTP::createFromURI($uriFromQrCode);
echo $totp->getPassword();
SHA1 is the default method. If you want to use another after create a new instance
with one of create*
methods call useSha256
or useSha512
:
$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret)->useSha256();
This library is release under the MIT licence.