Download the PHP package krixon/multi-factor-auth without Composer
On this page you can find all versions of the php package krixon/multi-factor-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download krixon/multi-factor-auth
More information about krixon/multi-factor-auth
Files in krixon/multi-factor-auth
Package multi-factor-auth
Short Description Multi-factor authentication library for PHP7
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package multi-factor-auth
Multi Factor Authentication
A library for generating and verifying the codes used in multi-factor authentication systems.
Features:
- Time-based (TOTP) code generation and verification.
- Event-based (HOTP) code generation and verification.
- Barcode generation for easy client setup.
This library implements the following RFCs:
- RFC4226 - HOTP: An HMAC-Based One-Time Password Algorithm
- RFC6238 - TOTP: Time-Based One-Time Password Algorithm
It has been tested against the following multi-factor authentication tools:
- Google Authenticator (TOTP + HOTP)
- Authy (TOTP + HOTP)
Prerequisites
- PHP 7.1+
Installation
Install via composer
To install this library with Composer, run the following command:
You can see this library on Packagist.
Install from source
Quick Start
Let's say you have a server side application which you want to protect using multi-factor authentication.
There are three main steps involved:
- Generate a secret which is shared between the server and the user.
- Configure a client application (such as Google Authenticator) with the shared secret.
- Verify codes generated by the client application whenever the user needs to authenticate.
This library makes these steps easy.
The quickest way to get up and running is to create a new instance of the MultiFactorAuth class. This takes
various arguments to its constructor, but there is a static factory provided which creates an instance with sensible
and secure defaults. The only thing you need to provide is an "issuer" string. This is just a label which
identifies the provider or service managing a user's account - i.e. your application.
Next you need to generate the shared secret. By default the code below will generate a 160-bit, base32-encoded string:
In order for the user to configure their client application, they need to enter the secret that was just generated. Often the user's client application will be running on their mobile phone. Entering a 160-bit secret by hand is certainly possible, but we can make it easier by providing the user with a barcode to scan. This barcode contains all of the information required to configure the client.
When generating a barcode you must also provide an account identifier. This can be any string which allows the user to distinguish between multiple accounts in their client application. A good value for this is the user's email address.
The generateTimeBasedBarcode() method returns a Barcode instance. This can be used to ultimately render the
image, for example on a webpage:
Once the user has scanned the barcode, they should be prompted to enter a code which can be verified to determine that the configuration process was successful.
If the code is verified successfully, the secret can be securely persisted on the server, for example in a database.
From now on, when the user authenticates they should be prompted to enter a code along with their other credentials such as username and password. This code should be verified using the stored shared secret and authentication denied if verification fails.
Generating Backup Codes
If a user loses their device or otherwise cannot generate codes, you can allow them to login via a pre-generated backup code. Event-based (HOTP) codes are perfect for this.
The following example generates 10 backup codes which the user can write down or otherwise store.
Generating Secrets
By default, secrets are generated using the RandomBytesSecretGenerator. This generates cryptographically secure
secrets using PHP's random_bytes function. If a different method is required, simply implement the
SecretGenerator interface.
The RandomBytesSecretGenerator takes a Codec instance which determines how generated secrets are encoded. For
maximum compatibility with Google Authenticator and similar apps, secrets should be base32 encoded, so the
Base32Codec is used if no alternative is specified.
To generate a secret, either use a SecretGenerator directly, or use the MultiFactorAuth facade.
Sandbox
There is a simple sandbox script in the examples directory which can be used to generate secrets and barcodes and
to verify codes generated by a client application.
The sandbox can be run with the PHP built-in webserver. Make sure to specify the correct path to the examples
directory:
You can now visit http://localhost:8080/sandbox.php to use the sandbox.
TODO
- More automated tests.
- Expand documentation.
- Verify support for RFC6287 - OCRA: OATH Challenge-Response Algorithm.
