Download the PHP package asubodh/filament-two-factor-auth without Composer

On this page you can find all versions of the php package asubodh/filament-two-factor-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Composer is sometimes complicated to use, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on simple web hosting.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package filament-two-factor-auth

Filament Multi-Factor Auth (MFA)


A robust, production-ready Multi-Factor Authentication (MFA) plugin designed specifically for Filament v5 admin panels.

Created by Subodh Aryal (@asubodh), this package provides a seamless and highly secure integration of TOTP-based authentication compatible with Google Authenticator, Authy, Microsoft Authenticator, and any standard TOTP application.


✨ Features


📋 Requirements


🚀 Installation & Setup

1. Install the Package

Pull the package into your project using Composer:

2. Publish and Run Migrations

Publish the necessary database migrations and run them. This will add the required columns to your users table and create a new two_factor_recovery_codes table.

3. Publish Configuration (Optional)

You can publish the configuration file to customize the default behavior:

4. Prepare Your User Model

Update your User model to implement the TwoFactorAuthenticatable interface and use the HasTwoFactorAuth trait.

5. Register the Plugin in Your Panel

Add the TwoFactorPlugin to your Filament panel configuration (e.g., app/Providers/Filament/AdminPanelProvider.php).

That's it! Your admin panel now has full 2FA support.


โš™๏ธ Configuration & Options

Plugin Fluent API

The plugin provides a fluent API for easy configuration directly within your Panel Provider:

Configuration File (config/two-factor-auth.php)

If you published the config file, you can modify deeper system settings:

| Option | Default | Description |
| --- | --- | --- |
| issuer | config('app.name') | Name shown in authenticator apps. |
| window | 1 | TOTP verification window (±30s per unit). Handles slight clock drift. |
| encrypt_secret | true | Encrypt TOTP secrets at rest. |
| recovery_codes.count | 8 | Number of recovery codes generated for the user. |
| recovery_codes.length | 10 | Character length of each recovery code. |
| rate_limit.max_attempts | 5 | Maximum OTP attempts allowed before temporary lockout. |
| rate_limit.decay_minutes | 1 | Lockout duration in minutes after exceeding max attempts. |
| remember_device.enabled | false | Enable trusted device cookies. |
| remember_device.days | 30 | Lifetime of the trusted device cookie in days. |
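
What the window option means in practice, as an added example that is not the package's own code: a plain-PHP RFC 6238 verifier with 30-second steps, exercised with the RFC's published test secret. The function names and the last-used-counter replay check are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the package's code. RFC 6238 TOTP with HMAC-SHA1,
// 30-second steps and 6 digits.

/** Code for one time-step counter (RFC 4226 dynamic truncation). */
function totp_code(string $rawSecret, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $rawSecret, true);
    $offset = ord($hmac[19]) & 0x0F;
    $binary = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Accept $code if it matches any step within $window of the current one.
 * Returns the matched counter, or null. Passing the last accepted counter
 * (hypothetical per-user value) rejects a code that was already used.
 */
function totp_verify(string $rawSecret, string $code, int $now, int $window = 1, ?int $lastUsed = null): ?int
{
    $current = intdiv($now, 30);
    $matched = null;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals() is constant-time; every step is checked, with no early exit.
        if (hash_equals(totp_code($rawSecret, $current + $i), $code)) {
            $matched = $current + $i;
        }
    }
    if ($matched !== null && $lastUsed !== null && $matched <= $lastUsed) {
        return null; // replay of an already accepted step
    }
    return $matched;
}

$secret = '12345678901234567890';   // RFC 6238 Appendix B test secret (raw bytes, not Base32)
$code = totp_code($secret, 1);      // the code an app shows during seconds 30..59

// [time, window]: in step, one step late, one step late with window 0, two steps late
foreach ([[59, 1], [89, 1], [89, 0], [119, 1]] as [$now, $window]) {
    var_dump(totp_verify($secret, $code, $now, $window));
}
var_dump(totp_verify($secret, $code, 89, 1, 1)); // same code presented a second time
```

Each extra unit of window adds 60 seconds to the period during which a captured code is still accepted, which is why the replay check matters more as the window grows.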

๐Ÿ› ๏ธ How It Works

Enabling 2FA

  1. The user navigates to Two-Factor Auth via the sidebar or profile menu.
  2. They click Enable Two-Factor Authentication.
  3. A QR code is generated. The user scans it with their authenticator app.
  4. The user verifies the setup by entering the current 6-digit code.
  5. The system generates and displays one-time recovery codes for the user to securely store.

Login Flow (The Challenge)

  1. The user logs in with their standard email and password.
  2. The EnsureTwoFactorAuthenticated middleware detects that 2FA is active.
  3. The user is securely redirected to the Two-Factor Challenge page.
  4. The user enters their 6-digit TOTP code (or opts to use a recovery code).
  5. Upon success, the session is marked as verified, and the user gains full access.

Enforcing 2FA (enforceForAllUsers)

If enforceForAllUsers() is enabled on the plugin, any user who successfully logs in but hasn't configured 2FA will be immediately locked to the Two-Factor Auth settings page. A prominent warning will instruct them that setup is required by the administrator. They cannot navigate to any other page until setup is complete.

Trusted Devices (Remember Device)

When rememberDevice() is enabled, a secure, HMAC-signed, HTTP-only cookie is created on the user's browser after they successfully pass the 2FA challenge. For the duration of this cookie (default: 30 days), the user will not be prompted for a 2FA code again on that specific device, even if their session expires and they log back in with their password. This dramatically improves user experience without heavily compromising security.
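
One way such a cookie can be built and checked, as an added example rather than the package's own code. The payload layout, the function names and the per-user epoch (bumped on password change or 2FA reset so outstanding cookies stop validating) are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; not the package's cookie format.

/** Cookie value binding user, expiry and a per-user epoch under an HMAC. */
function trusted_device_issue(string $key, int $userId, int $epoch, int $now, int $days = 30): string
{
    $payload = json_encode(['uid' => $userId, 'epoch' => $epoch, 'exp' => $now + $days * 86400]);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

/** True only if signature, user, epoch and expiry all check out. */
function trusted_device_valid(string $key, string $cookie, int $userId, int $epoch, int $now): bool
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return false;
    }
    [$body, $mac] = $parts;
    // Check the MAC in constant time before parsing anything from the body.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return false;
    }
    $claims = json_decode(base64_decode($body, true) ?: '', true);
    return is_array($claims)
        && ($claims['uid'] ?? null) === $userId     // not replayable for another account
        && ($claims['epoch'] ?? null) === $epoch    // server-side revocation
        && ($claims['exp'] ?? 0) > $now;            // expiry is signed, not just the cookie's max-age
}

$key = random_bytes(32);   // constructed demo key
$now = 1_700_000_000;      // constructed timestamp
$cookie = trusted_device_issue($key, 42, 1, $now);

var_dump(trusted_device_valid($key, $cookie, 42, 1, $now + 86400));       // same user, same epoch
var_dump(trusted_device_valid($key, $cookie, 43, 1, $now + 86400));       // presented for another account
var_dump(trusted_device_valid($key, $cookie, 42, 2, $now + 86400));       // epoch bumped after a reset
var_dump(trusted_device_valid($key, $cookie, 42, 1, $now + 31 * 86400));  // past the signed expiry
var_dump(trusted_device_valid($key, $cookie . '0', 42, 1, $now + 86400)); // altered signature
```

The cookie stands in for the second factor for its whole lifetime, so it should also be sent with the Secure and SameSite attributes alongside HttpOnly.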


📡 Events

The package fires various events that you can listen to in your application (e.g., for logging audit trails or sending notifications).

| Event | Payload | Description |
| --- | --- | --- |
| TwoFactorEnabled | $user | Fired when a user successfully enables 2FA. |
| TwoFactorDisabled | $user | Fired when a user disables 2FA. |
| TwoFactorVerified | $user | Fired when a user successfully passes the 2FA login challenge. |
| TwoFactorFailed | $user, $reason | Fired when a user enters an invalid TOTP or recovery code. |

Example Event Subscriber

Instead of creating separate listeners for each event, you can use an Event Subscriber to handle all 2FA events cleanly in one file.

Because Laravel 11+ has automatic event discovery enabled by default, you just need to create this class in app/Listeners/TwoFactorEventSubscriber.php. Laravel will automatically detect the methods starting with handle and register them!


๐Ÿ›ก๏ธ Security Measures

Security is the primary focus of this package:


💾 Database Changes

When you run the migrations, the following happens:

  1. users Table Additions:

    • two_factor_secret (text, nullable): The encrypted TOTP secret.
    • two_factor_enabled (boolean): Status flag.
    • two_factor_confirmed_at (timestamp, nullable): When setup was finalized.
  2. two_factor_recovery_codes Table:
    • Tracks the hashed recovery codes, which user they belong to, and timestamps for creation and usage.
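
How hashed, single-use recovery codes behave, as an added example that is not the package's own code. It uses the documented defaults of 8 codes of 10 characters; the alphabet, the use of password_hash() and the row layout are assumptions, and the array stands in for the two_factor_recovery_codes table.

```php
<?php
declare(strict_types=1);

// Added illustration; column names and hashing scheme are assumptions.

/** Returns [plaintext codes to show the user once, rows to persist]. */
function recovery_codes_generate(int $count = 8, int $length = 10): array
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // 32 symbols, look-alikes removed
    $plain = [];
    $rows = [];
    for ($i = 0; $i < $count; $i++) {
        $code = '';
        for ($j = 0; $j < $length; $j++) {
            $code .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG
        }
        $plain[] = $code;
        // Only a slow, salted hash is stored; the plaintext is never persisted.
        $rows[] = ['code_hash' => password_hash($code, PASSWORD_DEFAULT), 'used_at' => null];
    }
    return [$plain, $rows];
}

/**
 * Accept a code at most once. Against a real table the "mark used" step
 * should be a single conditional UPDATE (WHERE used_at IS NULL) so two
 * concurrent requests cannot both spend the same code.
 */
function recovery_code_consume(array &$rows, string $input, int $now): bool
{
    $input = strtoupper(trim($input));
    foreach ($rows as $i => $row) {
        if ($row['used_at'] === null && password_verify($input, $row['code_hash'])) {
            $rows[$i]['used_at'] = $now; // burn it
            return true;
        }
    }
    return false;
}

[$codes, $rows] = recovery_codes_generate();
var_dump(recovery_code_consume($rows, $codes[0], time()));    // first use
var_dump(recovery_code_consume($rows, $codes[0], time()));    // replay of a burned code
var_dump(recovery_code_consume($rows, '0000000000', time())); // guess outside the alphabet
```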

🧪 Testing


๐Ÿค Contributing

Contributions are always welcome! Please see CONTRIBUTING for details.


👤 Credits


📄 License

The MIT License (MIT). Please see the License File for more information.


All versions of filament-two-factor-auth with dependencies

Requires:

  • php ^8.2
  • bacon/bacon-qr-code ^3.0
  • filament/filament ^5.0
  • illuminate/contracts ^11.0|^12.0
  • illuminate/support ^11.0|^12.0
  • pragmarx/google2fa ^8.0|^9.0
  • spatie/laravel-package-tools ^1.16
