pedrosancao / php-otp

One-time password PHP implementation of HMAC-based algorithm according to RFC 4226 and RFC 6238 compatible with Google Authenticator.
https://packagist.org/packages/pedrosancao/php-otp
MIT License
15 stars 2 forks source link
google-authenticator hotp one-time-password otp rfc-4226 rfc-6238 totp two-steps-authentication

A PHP One-Time Password implementation

project license code size PHP version packagist version packagist downloads test coverage tests status

This small library implements the HMAC-based one-time password algorithms used mostly on two steps authentication: time based TOTP (RFC 6238) and HOTP (RFC 4226).

Easily and quick allows to configure and use mobile apps like Google Authenticator.

Requirements

Although it should work even on PHP 5.4. We strongly recommend using PHP >= 7.3 as lower versions have reached end of life.

Installation

Preferable use composer

composer require pedrosancao/php-otp

Usage

Syncing time-based one-time password with client

Create a new token

$totp = PedroSancao\OTP\TOTP::create();

Present URI to user as a QR-Code or show base 32 encoded secret

// example using Google API, it's recommended to use a local library
$uri = $totp->getUri('user@domain.com', 'Issuer Name');
$src = 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . urlencode($uri);
printf('<img src="https://github.com/pedrosancao/php-otp/raw/main/%s"/>', $src);
// OR
echo $totp->getSecretReadable();

Store the shared secret

$secret = $totp->getRawSecret();

Verifying passwords

$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret);
$totp->verify($inputPassword);

Using as client

$totp = PedroSancao\OTP\TOTP::create($base32encodedSecret);
// or
$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret);
// or
$totp = PedroSancao\OTP\TOTP::createFromURI($uriFromQrCode);
echo $totp->getPassword();

Change hashing algorithm

SHA1 is the default method. If you want to use another after create a new instance with one of create* methods call useSha256 or useSha512:

$totp = PedroSancao\OTP\TOTP::createRaw($storedSecret)->useSha256();

To do list

Licence

This library is release under the MIT licence.