Download the PHP package chillerlan/php-authenticator without Composer
On this page you can find all versions of the php package chillerlan/php-authenticator. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download chillerlan/php-authenticator
More information about chillerlan/php-authenticator
Files in chillerlan/php-authenticator
Package php-authenticator
Short Description A generator for counter- and time based 2-factor authentication codes (Google Authenticator). PHP 7.4+
License
Informations about the package php-authenticator
chillerlan/php-authenticator
A generator for counter based (RFC 4226) and time based (RFC 6238) one time passwords (OTP). (a.k.a. Yet Another Google Authenticator Implementation!)
Documentation
Requirements
- PHP 8.2+
ext-curl
for Steam Guard server time synchronizationext-sodium
for constant time implementations of base64 encode/decode and hex2bin/bin2hex (paragonie/constant_time_encoding
is used as fallback)
Installation
requires composer
via terminal: composer require chillerlan/php-authenticator
composer.json
Note: replace dev-main
with a version constraint, e.g. ^5.0
- see releases for valid versions
Profit!
Usage
Create a secret
The secret is usually being created once during the activation process in a user control panel. So all you need to do there is to display it to the user in a convenient way - as a text string and QR code for example - and save it somewhere with the user data.
A secret created with Authenticator::createSecret()
will also be stored internally,
so that you don't need to provide the secret you just created on follow-up operations with the current instance.
Verify a one time code
Now during the login process - after the user has successfully entered their credentials - you would ask them for a one time code to check it against the secret from your user database.
time based (TOTP)
Verify adjacent codes
counter based (HOTP)
URI creation
In order to display a QR code for a mobile authenticator you'll need an otpauth://
URI, which can be created using the following method.
$label
should be something that identifies the account to which the secret belongs$issuer
is the name of your website or company for example, so that the user is able to identify multiple accounts.
Notes
Keep in mind that several URI settings are not (yet) recognized by all authenticators. Check the Google Authenticator wiki for more info.
API
Authenticator
method | return | description |
---|---|---|
__construct(SettingsContainerInterface $options = null, string $secret = null) |
- | |
setOptions(SettingsContainerInterface $options) |
Authenticator |
called internally by __construct() |
setSecret(string $secret) |
Authenticator |
called internally by __construct() |
getSecret() |
string |
|
createSecret(int $length = null) |
string |
$length overrides AuthenticatorOptions setting |
code(int $data = null) |
string |
$data may be a UNIX timestamp (TOTP) or a counter value (HOTP) |
verify(string $otp, int $data = null) |
bool |
for $data see Authenticator::code() |
getUri(string $label, string $issuer, int $hotpCounter = null, bool $omitSettings = null) |
string |
AuthenticatorOptions
Properties
property | type | default | allowed | description |
---|---|---|---|---|
$digits |
int |
6 | 6 or 8 | auth code length |
$period |
int |
30 | 15 - 60 | validation period (seconds) |
$secret_length |
int |
20 | >= 16 | length of the secret phrase (bytes, unencoded binary) |
$algorithm |
string |
SHA1 |
SHA1 , SHA256 or SHA512 |
HMAC hash algorithm, see AuthenticatorInterface::HASH_ALGOS |
$mode |
string |
totp |
totp , hotp , battlenet or steam |
authenticator mode: time- or counter based, see AuthenticatorInterface::MODES |
$adjacent |
int |
1 | >= 0 | number of allowed adjacent codes |
$time_offset |
int |
0 | * | fixed time offset that will be added to the current time value |
$useLocalTime |
bool |
true | * | whether to use local time or request server time |
$forceTimeRefresh |
bool |
false | * | whether to force refreshing server time on each call |
AuthenticatorInterface
Methods
method | return | description |
---|---|---|
setOptions(SettingsContainerInterface $options) |
AuthenticatorInterface |
|
setSecret(string $encodedSecret) |
AuthenticatorInterface |
|
getSecret() |
string |
|
createSecret(int $length = null) |
string |
|
getServertime() |
int |
|
getCounter(int $data = null) |
int |
internal |
getHMAC(int $counter) |
string |
internal |
getCode(string $hmac) |
int |
internal |
getOTP(int $code) |
string |
internal |
code(int $data = null) |
string |
|
verify(string $otp, int $data = null) |
bool |
Constants
constant | type | description |
---|---|---|
TOTP |
string |
|
HOTP |
string |
|
STEAM_GUARD |
string |
|
ALGO_SHA1 |
string |
|
ALGO_SHA256 |
string |
|
ALGO_SHA512 |
string |
|
MODES |
array |
map of mode -> classname |
HASH_ALGOS |
array |
list of available hash algorithms |
All versions of php-authenticator with dependencies
chillerlan/php-settings-container Version ^2.1.6 || ^3.2.1
paragonie/constant_time_encoding Version ^2.6