Download the PHP package eloquent/otis without Composer
On this page you can find all versions of the php package eloquent/otis. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download eloquent/otis
More information about eloquent/otis
Files in eloquent/otis
Package otis
Short Description One-time password / multi-factor authentication library for PHP.
License MIT
Homepage https://github.com/eloquent/otis
Informations about the package otis
Otis
One-time password / multi-factor authentication library for PHP.
Installation and documentation
- Available as Composer package eloquent/otis.
- API documentation available.
What is Otis?
Otis is a PHP library for implementing one-time password / [multi-factor authentication] systems. Otis provides generators and validators for both TOTP (time-based passwords as defined in RFC 6238) and HOTP (counter-based passwords as covered in RFC 4226). Otis supports all hashing algorithms (SHA-1, SHA-256, SHA-512).
In addition, Otis provides tools for generating the URI format understood by Google Authenticator and other compatible OTP apps, as well as URIs for QR code generation services to further ease integration.
Usage
Validating a TOTP password
Validating an HOTP password
Generating a Google Authenticator URI
Generating a Google Authenticator QR code URI
Validating a sequence of HOTP passwords
Security considerations
When implementing an OTP system, the following points should be considered with care:
- Each password should only be considered valid once. This helps to avoid replay attacks. This is especially important for time-based passwords that may otherwise be considered valid for an entire time period. Keeping track of which one-time passwords have already been used in a successful validation is the only way to ensure a password is not re-used.
- The shared secret should be treated as sensitive information. When storing the secret on the server side, strong two-way encryption should be used. A solution such as Lockbox would be ideal.
- In order for time-based OTP systems to work well, there should be minimal differences in the system time of the server, and the OTP device in use. Otis defaults allow -1 to +1 time windows (a window is usually 30 seconds), but the validator can be configured to accept passwords from larger time windows.
Try Otis
Otis has a simple demonstration system. In order to run the demos, these instructions must be followed:
- Install Google Authenticator or a compatible OTP app.
- Clone the Otis repository.
- Install Composer dependencies, including dev dependencies.
- Run
test/bin/totp
ortest/bin/hotp
depending on which type of OTP system is preferred. - A link to a QR code image will be launched in the default browser.
- Scan this QR code with the OTP app.
- Return to the console and enter the passwords provided by the OTP app.
In addition, there is a test suite for determining the capabilities of OTP apps. In order to run the test suite follow these steps:
- Install Composer dependencies as above.
- Run
test/bin/otp-test-suite
. - The test suite will be launched in the default browser.
OTP app capabilities
Not all OTP apps support the same features. Even Google Authenticator does not support all the features that its URI format is capable of expressing (and support varies across platforms).
For a table of OTP apps and their capabilities, see OTP app capabilities in the wiki.
All versions of otis with dependencies
christian-riesen/base32 Version ~1
eloquent/enumeration Version ~5
icecave/isolator Version ~2