Download the PHP package coding-libs/laravel-mfa without Composer
On this page you can find all versions of the php package coding-libs/laravel-mfa. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Table of contents
Download coding-libs/laravel-mfa
More information about coding-libs/laravel-mfa
Files in coding-libs/laravel-mfa
Download coding-libs/laravel-mfa
More information about coding-libs/laravel-mfa
Files in coding-libs/laravel-mfa
Vendor coding-libs
Package laravel-mfa
Short Description Laravel Multi-Factor Authentication package (Email, SMS, Google Authenticator TOTP)
License MIT
Package laravel-mfa
Short Description Laravel Multi-Factor Authentication package (Email, SMS, Google Authenticator TOTP)
License MIT
FAQ
After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.
Example:
Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories.
In this case some credentials are needed to access such packages.
Please use the auth.json textarea to insert credentials, if a package is coming from a private repository.
You can look here for more information.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?
Informations about the package laravel-mfa
mfa
Multi Factor Authentication CodingLibs Laravel MFA
Installation
-
Install via Composer from Packagist:
- The service provider auto-registers. Publish config and migrations:
Features
- Email and SMS one-time code challenges with pluggable channels
- Configurable channel classes - extend Email and SMS channels via configuration
- Challenge generation without sending - generate codes without automatic delivery
- Google Authenticator compatible TOTP (RFC 6238) setup and verification
- Built-in QR code generation to display TOTP provisioning URI (uses bacon/bacon-qr-code)
- Remember device support via secure, hashed tokens stored in
mfa_remembered_devices - Recovery Codes: generate, verify, and manage one-time backup codes
- Simple API via
MFAfacade/service for issuing and verifying codes - Publishable config and migrations; encrypted storage of TOTP secret
- Extendable channel system to add providers like WhatsApp, Twilio, etc.
MFA Channels
- Email: delivers a one-time code via Laravel Mail
- SMS: delivers a one-time code via the configured SMS driver (defaults to
log) - TOTP: time-based one-time password compatible with Google Authenticator and similar apps
Compatibility
- Laravel 11 and 12
- PHP >= 8.2
Usage
Remember Devices (Optional)
- Enable or configure in
config/mfa.phpunderremember(or via env: see below) - On successful MFA, call
MFA::rememberDevice(...)and attach the returned cookie to the response - On subsequent requests, use
MFA::shouldSkipVerification($user, MFA::getRememberTokenFromRequest($request)) - To revoke a remembered device, call
MFA::forgetRememberedDevice($user, $token)
Recovery Codes
- What they are: single‑use backup codes that let users complete MFA when they cannot access their primary factor (e.g., lost phone or no network).
- Storage and security:
- Plaintext codes are returned only once at generation time; only their hashes are stored in
mfa_recovery_codes. - Hashing algorithm is configurable via
mfa.recovery.hash_algo(defaultsha256). - Codes are marked as used at first successful verification and cannot be reused.
- Plaintext codes are returned only once at generation time; only their hashes are stored in
-
Generating and displaying to the user:
-
Verifying a code and optional regeneration-on-use:
- Pool size maintenance: set
mfa.recovery.regenerate_on_use = trueto automatically replace a consumed code with a new one so the remaining count stays steady. -
Managing codes:
- UX recommendations:
- Require the user to confirm they’ve saved the codes before leaving the setup screen.
- Offer copy, download (txt), and print actions. Avoid storing plaintext on your servers.
- Warn that each code is one-time and will be invalid after use.
Configuration
- See
config/mfa.phpfor all options. Key settings:- code_length: OTP digits for email/sms (default 6)
- code_ttl_seconds: Challenge expiry (default 300s)
- email:
- enabled (bool)
- from_address, from_name, subject
- channel: custom channel class (default: EmailChannel)
- sms:
- enabled (bool)
- driver:
log(default) or custom integration - from: optional sender id/number
- channel: custom channel class (default: SmsChannel)
- totp:
- issuer: defaults to
config('app.name') - digits: 6 by default
- period: 30s by default
- window: 1 slice tolerance by default
- remember:
- enabled (bool, default true)
- cookie: cookie name (default
mfa_rd) - lifetime_days: validity window (default 30)
- path, domain, secure, http_only, same_site
- recovery:
- enabled (bool, default true)
- codes_count: number of codes to generate (default 10)
- code_length: length of each code (default 10)
- regenerate_on_use: whether to auto-regenerate when consumed (default false)
- hash_algo: hashing algorithm for stored codes (default
sha256)
Environment variables (examples)
Database
- Publishing migrations creates tables:
mfa_methods: tracks enabled MFA methods per user; stores encrypted TOTPsecretmfa_challenges: stores pending OTP codes for email/sms with expiry and consumed_atmfa_remembered_devices: stores hashed tokens for device recognition with IP, UA, and expirymfa_recovery_codes: stores hashed recovery codes and usage timestamp
API Overview (Facade MFA)
- issueChallenge(Authenticatable $user, string $method, bool $send = true): ?MfaChallenge
- generateChallenge(Authenticatable $user, string $method): ?MfaChallenge - Generate without sending
- verifyChallenge(Authenticatable $user, string $method, string $code): bool
- setupTotp(Authenticatable $user, ?string $issuer = null, ?string $label = null): array returns
['secret','otpauth_url'] - verifyTotp(Authenticatable $user, string $code): bool
- generateTotpQrCodeBase64(Authenticatable $user, ?string $issuer = null, ?string $label = null, int $size = 200): ?string
- isEnabled(Authenticatable $user, string $method): bool
- enableMethod(Authenticatable $user, string $method, array $attributes = []): MfaMethod
- disableMethod(Authenticatable $user, string $method): bool
- Remember device helpers:
- isRememberEnabled(): bool
- rememberDevice(Authenticatable $user, ?int $lifetimeDays = null, ?string $deviceName = null): array returns
['token','cookie'] - getRememberCookieName(): string
- getRememberTokenFromRequest(Request $request): ?string
- shouldSkipVerification(Authenticatable $user, ?string $token): bool
- makeRememberCookie(string $token, ?int $lifetimeDays = null): Cookie
- forgetRememberedDevice(Authenticatable $user, string $token): int
- Recovery codes:
- generateRecoveryCodes(Authenticatable $user, ?int $count = null, ?int $length = null, bool $replaceExisting = true): array returns plaintext codes
- verifyRecoveryCode(Authenticatable $user, string $code): bool
- getRemainingRecoveryCodesCount(Authenticatable $user): int
- clearRecoveryCodes(Authenticatable $user): int
Custom Channel Classes
Configuration-Based Custom Channels
You can extend the built-in Email and SMS channels by configuring custom channel classes:
Programmatic Channel Registration
Challenge Generation Without Sending
Generate challenge codes without automatic delivery:
Creating a Custom MFA Channel
Steps
- Implement
CodingLibs\MFA\Contracts\MfaChannelwith a uniquegetName()and asend(...)method - Register your channel during app boot (e.g., in a service provider) via
MFA::registerChannel(...) - Issue a challenge using the new channel name:
MFA::issueChallenge($user, 'your-channel')
Notes
- SMS driver defaults to
log. Integrate your provider by implementing a custom channel or enhancingSmsChannelin your app via service container bindings. - TOTP
secretis stored encrypted by default via Eloquent cast. - QR code generation requires either Imagick or GD PHP extensions. If neither is available, generation will throw a runtime exception.
All versions of laravel-mfa with dependencies
PHP Build Version
Package Version
Requires
php Version
>=8.2
illuminate/support Version ^11.0|^12.0
illuminate/database Version ^11.0|^12.0
illuminate/mail Version ^11.0|^12.0
illuminate/config Version ^11.0|^12.0
illuminate/console Version ^11.0|^12.0
bacon/bacon-qr-code Version ^2.0|^3.0
illuminate/support Version ^11.0|^12.0
illuminate/database Version ^11.0|^12.0
illuminate/mail Version ^11.0|^12.0
illuminate/config Version ^11.0|^12.0
illuminate/console Version ^11.0|^12.0
bacon/bacon-qr-code Version ^2.0|^3.0
The package coding-libs/laravel-mfa contains the following files
Loading the files please wait ....