Download the PHP package webmonks/laravel-2fa without Composer

Laravel 2FA

The definitive Laravel 2FA package with true plug-and-play architecture. Zero configuration required - works instantly with Laravel Mail, then scales to enterprise needs with WhatsApp, Voice, Push Notifications, and custom delivery providers.

Transform your Laravel authentication from basic to bulletproof in 30 seconds. Unlike other 2FA packages that force you into rigid patterns, Laravel 2FA v1.1 gives you the freedom to start simple and customize everything as your requirements evolve - now with global reach through WhatsApp, Voice calls, Push notifications, and intelligent fallback systems.

Why Laravel 2FA?

🚀 30-Second Setup: Install, migrate, protect routes - done. Email OTP works immediately with your existing Laravel Mail configuration.

🔌 True Plug & Play: Start with zero configuration, then customize anything. No vendor lock-in, no forced dependencies, no architectural constraints.

🎯 Production Battle-Tested: 96 comprehensive tests, 227 assertions, extensive security features, and real-world deployment experience.

🏗️ Enterprise-Ready Architecture: Multi-auth support, device trust management, comprehensive rate limiting, audit logging, and extensible provider system.

Key Features

🔐 Complete 2FA Methods

• Email OTP (zero-config) - Works instantly with Laravel Mail
• SMS OTP - Twilio, Vonage/Nexmo, AWS SNS with fallback chains
• WhatsApp OTP - Twilio WhatsApp & WhatsApp Business API
• Voice Call OTP - Multi-language voice calls with customizable voices
• Push Notifications - FCM (Android/iOS/Web) & APNS (iOS) with approval workflows
• TOTP/Google Authenticator - Time-based codes with QR generation
• Recovery Codes - Secure backup authentication system

🛡️ Enterprise Security

• Multi-Auth Guards: Native support for web, admin, api, customer - any authentication guard
• Advanced Fallback System: Multi-provider chains with intelligent failover
• Device Trust Management: Remember trusted devices with configurable expiration
• Rate Limiting: Brute force protection with configurable thresholds
• End-to-End Encryption: All sensitive data encrypted at rest
• Comprehensive Audit Logging: Track all 2FA events and security incidents

🔧 Developer Experience

• True Plug & Play: Works in 30 seconds with zero configuration
• 100% Customizable: Override providers, templates, logic, UI - or use sensible defaults
• Custom Delivery Providers: Slack, Discord, Telegram integration examples
• Extensible Architecture: Create custom providers for any delivery method
• 95%+ Test Coverage: Production-ready with PestPHP testing framework
• Laravel 10, 11, 12+ Ready: Modern Laravel compatibility with future-proof architecture

Requirements

• PHP: 8.1+ minimum
• Laravel: 10.0+ (supports 11.x, 12.x)
• Optional Providers: Twilio SDK, Vonage, AWS SNS, FCM, APNS for enhanced 2FA methods

Quick Start (30 Seconds)

1. Install & Setup

2. Prepare Your User Model

3. Protect Routes & Enable 2FA

That's it! Your routes are now protected with email-based 2FA using Laravel's built-in mail system.

Zero Configuration Philosophy

Laravel 2FA works instantly with your existing setup, then grows with your needs:

Complete Installation Guide

Basic Installation

Optional: Publish Configuration

Optional: SMS Provider Setup

For Twilio (Recommended)

For Vonage/Nexmo

For AWS SNS

Usage Examples

Email OTP (Zero Configuration)

SMS OTP (Once Provider Configured)

TOTP/Google Authenticator

Recovery Codes

Device Trust Management

New in v1.1: Advanced 2FA Methods

Laravel 2FA v1.1 introduces powerful new authentication methods for enhanced security and global reach.

WhatsApp OTP

Send verification codes via WhatsApp using Twilio WhatsApp or WhatsApp Business API.

Configuration

For Twilio WhatsApp:

For WhatsApp Business API:

Usage

Voice Call OTP

Deliver verification codes via voice calls with multi-language support and customizable voices.

Configuration

Usage

Additional SMS Providers

Enhanced SMS support with Vonage (formerly Nexmo) and AWS SNS, plus intelligent fallback chains.

Vonage/Nexmo Configuration

AWS SNS Configuration

SMS Provider Fallback

Configure fallback chains for maximum reliability:

Push Notifications

Implement push notification-based 2FA with approval workflows for mobile applications.

FCM (Firebase Cloud Messaging) Configuration

APNS (Apple Push Notification) Configuration

Push Notification Usage

Custom Delivery Providers

Extend Laravel 2FA with custom delivery methods like Slack, Discord, or Telegram.

Slack Integration Example

Discord Integration Example

Telegram Bot Integration

Advanced Fallback Configuration

Configure sophisticated fallback chains for maximum delivery reliability.

Environment Variables for v1.1 Features

Multi-Auth Guard Support

Laravel 2FA natively supports multiple authentication guards for complex applications:

Configuration

Usage with Guards

Advanced Features

Rate Limiting & Security

Audit Logging

Custom Email Templates

Custom SMS Provider

Register in your service provider:

API & JSON Responses

For API applications, Laravel 2FA provides structured JSON responses:

API Middleware

JSON Response Format

When 2FA is required, the middleware returns:

API Endpoints

Testing

Running Tests

Test Your Integration

Artisan Commands

Laravel 2FA includes helpful Artisan commands for management:

Configuration Reference

Core Configuration

Environment Variables

Performance & Optimization

Queue Configuration

Database Optimization

Caching

Security Considerations

Data Protection

• Encryption: All sensitive data (secrets, codes) encrypted at rest
• Secure Deletion: Used codes and expired data automatically purged
• No Plain Text: Codes never stored in plain text, always hashed
• Secure Transmission: HTTPS recommended for all 2FA operations

Rate Limiting

Best Practices

1. Use HTTPS: Always serve your application over HTTPS
2. Secure Sessions: Use secure session configuration
3. Monitor Logs: Enable audit logging and monitor for suspicious activity
4. Regular Updates: Keep the package and dependencies updated
5. Backup Recovery Codes: Ensure users safely store recovery codes
6. Test Thoroughly: Test 2FA flows in staging before production

Troubleshooting

Common Issues

Email OTP Not Sending

SMS Issues

TOTP Sync Issues

WhatsApp Issues

Common WhatsApp Issues:

• Sandbox not configured: Ensure WhatsApp sandbox is properly set up in Twilio Console
• Business API not approved: WhatsApp Business API requires Meta approval for production
• Invalid phone format: WhatsApp requires E.164 format (+1234567890)
• Template violations: Messages must follow WhatsApp template policies

Voice Call Issues

Common Voice Issues:

• Number not voice-enabled: Some numbers don't support voice calls
• Language not supported: Check available languages for your region
• Audio quality issues: Adjust speed and voice type settings
• International restrictions: Some countries have voice calling restrictions

Push Notification Issues

Common Push Issues:

• Invalid FCM server key: Ensure server key matches project
• APNS certificate expired: Check certificate validity
• Device token invalid: Tokens expire and need refresh
• Network issues: Push services require stable internet connection
• App not in foreground: Some systems require app to be active

SMS Provider Fallback Issues

Common Fallback Issues:

• All providers failing: Check network connectivity and credentials
• Infinite fallback loops: Ensure fallback_drivers doesn't include primary driver
• Quota exceeded: Monitor usage limits for each provider
• Configuration mismatch: Verify each provider's required settings

Custom Delivery Provider Issues

Common Custom Provider Issues:

• Webhook URL invalid: Verify webhook URLs are accessible
• Authentication failed: Check API keys and tokens
• Rate limiting: Custom providers may have rate limits
• Message formatting: Some providers require specific message formats

Debug Mode

Monitoring & Analytics

Support Channels

• Documentation: Complete documentation and examples
• Issues: Bug reports and feature requests
• Questions: GitHub Issues with "question" label
• Security: Report security vulnerabilities

Roadmap

✅ Version 1.1 (Released - January 2025)

• ✅ WhatsApp OTP: Twilio WhatsApp & WhatsApp Business API integration
• ✅ Voice Call OTP: Multi-language voice calls with Twilio
• ✅ Additional SMS Providers: Vonage/Nexmo & AWS SNS support
• ✅ Push Notifications: FCM (Android/iOS/Web) & APNS (iOS) support
• ✅ Custom Delivery Providers: Slack, Discord, Telegram integration examples
• ✅ Advanced Fallback System: Multi-provider fallback chains
• ✅ Enhanced Security: Improved rate limiting and monitoring

Version 1.2 (Q2 2025)

• Admin Dashboard: Web UI for 2FA management and analytics
• Enhanced Analytics: Usage statistics, success rates, and cost tracking
• Backup Authentication: Hardware security keys (WebAuthn/FIDO2)
• Mobile SDK: React Native and Flutter SDK for push notifications

Version 2.0 (Q3 2025)

• Biometric Support: Touch ID, Face ID integration
• Risk-Based Authentication: AI-powered adaptive authentication
• Multi-Tenant Support: SaaS application features
• Advanced Audit: Compliance reporting and forensic analysis

Contributing

We welcome contributions! Please see our Contributing Guide for details.

Development Setup

Code Standards

• PSR-12: Follow PSR-12 coding standards
• Tests: All features must include tests
• Documentation: Update docs for new features
• Backwards Compatibility: Maintain BC unless major version

Security Vulnerabilities

If you discover a security vulnerability, please send an email to [email protected]. All security vulnerabilities will be promptly addressed.

License

Laravel 2FA is open-sourced software licensed under the MIT License.

Credits

• WebMonks Team: Core maintainers
• Contributors: All amazing contributors
• Inspiration: Built on the shoulders of giants in the Laravel ecosystem

Ready to secure your Laravel application?

From zero to bulletproof authentication in 30 seconds. 🚀