Download the PHP package pragmarx/google2fa without Composer

On this page you can find all versions of the php package pragmarx/google2fa. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?
pragmarx/google2fa
Rate from 1 - 5
Rated 1.00 based on 2 reviews

Informations about the package google2fa

Google2FA

Google Two-Factor Authentication for PHP

Google2FA is a PHP implementation of the Google Two-Factor Authentication Module, supporting the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.


Latest Stable Version Code Quality Run tests Downloads

Monthly Downloads Coverage


Menu

Version Compatibility

PHP Google2FA
5.4 7.x LTS
5.5 7.x LTS
5.6 7.x LTS
7.1 8.x
7.2 8.x
7.3 8.x
7.4 8.x
8.0 (β) 8.x

Laravel bridge

This package is agnostic, but there's a Laravel bridge.

About QRCode generation

This package does not generate QRCodes for 2FA.

If you are looking for Google Two-Factor Authentication, but also need to generate QRCode for it, you can use the Google2FA QRCode package, which integrates this package and also generates QRCodes using the BaconQRCode library, or check options on how to do it yourself here in the docs.

Demos, Example & Playground

Please check the Google2FA Package Playground.

Here's a demo app showing how to use Google2FA: google2fa-example.

You can scan the QR code on this (old) demo page with a Google Authenticator app and view the code changing (almost) in real time.

Requirements

Installing

Use Composer to install it:

composer require pragmarx/google2fa

To generate inline QRCodes, you'll need to install a QR code generator, e.g. BaconQrCode:

composer require bacon/bacon-qr-code

Usage

Instantiate it directly

How To Generate And Use Two Factor Authentication

Generate a secret key for your user and save it:

Generating QRCodes

The more secure way of creating QRCode is to do it yourself or using a library. First you have to install a QR code generator e.g. BaconQrCode, as stated above, then you just have to generate the QR code url using:

Once you have the QR code url, you can feed it to your preferred QR code generator.

And to verify, you just have to:

QR Code Packages

This package suggests the use of Bacon/QRCode because it is known as a good QR Code package, but you can use it with any other package, for instance Google2FA QRCode, Simple QrCode or Endroid QR Code, all of them use Bacon/QRCode to produce QR Codes.

Usually you'll need a 2FA URL, so you just have to use the URL generator:

Examples of Usage

Google2FA QRCode

Get a QRCode to be used inline:

And use in your template:

Simple QrCode

Endroid QR Code Generator

Generate the data URL

And in your view

Bacon/QRCode

And show it as an image:

HMAC Algorithms

To comply with RFC6238, this package supports SHA1, SHA256 and SHA512. It defaults to SHA1, so to use a different algorithm you just have to use the method setAlgorithm():

Server Time

It's really important that you keep your server time in sync with some NTP server, on Ubuntu you can add this to the crontab:

Validation Window

To avoid problems with clocks that are slightly out of sync, we do not check against the current key only but also consider $window keys each from the past and future. You can pass $window as optional third parameter to verifyKey, it defaults to 1. When a new key is generated every 30 seconds, then with the default setting, keys from one previous, the current, and one next 30-seconds intervals will be considered. To the user with properly synchronized clock, it will look like the key is valid for 60 seconds instead of 30, as the system will accept it even when it is already expired for let's say 29 seconds.

Setting the $window parameter to 0 may also mean that the system will not accept a key that was valid when the user has seen it in their generator as it usually takes some time for the user to input the key to the particular form field.

An attacker might be able to watch the user entering his credentials and one time key. Without further precautions, the key remains valid until it is no longer within the window of the server time. In order to prevent usage of a one time key that has already been used, you can utilize the verifyKeyNewer function.

Note that $timestamp is either false (if the key is invalid or has been used before) or the provided key's unix timestamp divided by the key regeneration period of 30 seconds.

Using a Bigger and Prefixing the Secret Key

Although the probability of collision of a 16 bytes (128 bits) random string is very low, you can harden it by:

Use a bigger key

You can prefix your secret keys

You may prefix your secret keys, but you have to understand that, as your secret key must have length in power of 2, your prefix will have to have a complementary size. So if your key is 16 bytes long, if you add a prefix it must also be 16 bytes long, but as your prefixes will be converted to base 32, the max length of your prefix is 10 bytes. So, those are the sizes you can use in your prefixes:

And it can be used like so:

Window

The Window property defines how long a OTP will work, or how many cycles it will last. A key has a 30 seconds cycle, setting the window to 0 will make the key last for those 30 seconds, setting it to 2 will make it last for 120 seconds. This is how you set the window:

But you can also set the window while checking the key. If you need to set a window of 4 during key verification, this is how you do:

Key Regeneration Interval

You can change key regeneration interval, which defaults to 30 seconds, but remember that this is a default value on most authentication apps, like Google Authenticator, which will, basically, make your app out of sync with them.

Google Authenticator secret key compatibility

To be compatible with Google Authenticator, your (converted to base 32) secret key length must be at least 8 chars and be a power of 2: 8, 16, 32, 64...

So, to prevent errors, you can do something like this while generating it:

And it will generate

By default, this package will enforce compatibility, but, if Google Authenticator is not a target, you can disable it by doing

Google Authenticator Apps

To use the two factor authentication, your user will have to install a Google Authenticator compatible app, those are some of the currently available:

Deprecation Warning

Google API for QR generator is turned off. All versions of that package prior to 5.0.0 are deprecated. Please upgrade and check documentation regarding QRCode generation.

Testing

The package tests were written with PHPUnit. There are some Composer scripts to help you run tests and analysis:

PHPUnit:

`

PHPStan analysis:

`

Authors

License

Google2FA is licensed under the MIT License - see the LICENSE file for details.

Contributing

Pull requests and issues are more than welcome.

Sponsorships

Direct

None.

Indirect


All versions of google2fa with dependencies

PHP Build Version
Package Version
Requires php Version ^7.1|^8.0
paragonie/constant_time_encoding Version ^1.0|^2.0|^3.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package pragmarx/google2fa contains the following files

Loading the files please wait ....