Padlock Icon


A simple PHP script to create TOTP secrets and corresponding QR codes,
then verify the entered response over a given time variance.



composer require eustasy/authenticatron


////    Import eustasy\Authenticatron with Composer
require_once __DIR__ . '/vendor/autoload.php';
use eustasy\Authenticatron;

Quick Implementation

Step 1.

Authenticatron::new to create a new secret for a member, and fetch a secure image for scanning.


Authenticatron::new($accountName, $issuer)


$accountName is a string containing your members username or nice-name, perferably something unique and quickly identifiable.

$issuer is a string containing the name of your app or site.


Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth URL, and QR is the Data64 URI for the QR code.

array(3) {
  string(16) "UYJNVXRZJS63SEHT"
  string(113) "otpauth://totp/Authenticatron Example Page: John Smith?secret=UYJNVXRZJS63SEHT&issuer=Authenticatron+Example+Page"
  string(722) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALQAAAC0AQMAAAAHA5RxAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABrElEQVRYhdWXS47DUAgEuQH3vyU3YKgGW5l9ZxE7caJ6lvCj+Tni14/urq6MrM6oOQFGPt/KzKrumDu6SszH51/28CjsN1c7H/ysxzc4BvFcRJab8xmDuA2/xYc/HRyZ/x0f8eDgitFEj5hrvMzFkVy6aI8KgN2Xjac2Nz/jtnGg5DFyJQMBpTWZdPLc/Wz2SSMexMepFgnDHrEVZ9zEA4chN7nBYl1cmTgxFaXEKCXFSm/jKqdUJc5xGhcnb+JIboNSwN+88PDBY1r7IvO05uQkgvym6if9y8hX9SeGR/R88sLEt90gdiszeAwjRxWETm6h8F1eGznBFFv7SsDKYWRfilFj08nnh06p8QJyZm2cnklTVtSmWsTVEw+vbTZoTlB1x/VrF1c36KtLhFVWOPntA5BqQJ1WrkrR7C/UNrPLyUkLFMmdS7fOOnlfq9+JDpnMvLYZp2b2fKYuF7/c7toSiN13xcE1JuaNX2i0bc3Ga8eWbW7oH09dMvHWrLtvNCTGjtZWrlkoFQGKXDeP3NcBzQC40Mljq0ZovTTeOfnz3nHTaeSatfHfPv4AdfdKRq1b9QMAAAAASUVORK5CYII="


You'll want to store ['Secret'] with the member, but make sure you get them to confirm a code before enforcing it, or it might not have worked and they would be locked out of their account. Make sure that this is as protected as a password hash.

['QR'] is the Data64 URI for the QR code. You can simply echo it into an img element like this:

<img src="<?php echo $secondAuth['QR']; ?>" alt="Second Factor Authentication Code">


Google Camera Icon

Try scanning this into an app like Google Authenticator. You should see a code and a countdown clock until it changes.

QR Code for 2nd factor authentication

Step 2.

Use Authenticatron::checkCode to confirm the setup and check time-unique codes at every login.


Authenticatron::checkCode($code, $secret)


$code is the user input, the code that is generated on their device for authentication. Should be numeric-only in most cases, alpha-numeric if you change some settings.

$secret is the secret the member scanned that you securely stored for later.

$variance is an optional integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.


Outputs a boolean value, true if the entered code is within allowed range, false if not.



You only need to check an input is alpha-numeric, and maybe 6 characters long before checking it against a retreieved secret.

$secret = ...;
if (
	strlen($_POST['secondfactor_code']) == 6 &&
) {
	if ( Authenticatron::checkCode($_POST['secondfactor_code'], $secret) ) {
		// Authenticated, log in...
	} else {
		// Incorrect code
} else {
	// Invalid entry


Google Authenticator Icon

Enter the code that your device generates after scanning the image to from Step 1.

Google Help Lifeboat Ring Icon

Further Reading

Visit our documentation for a more thorough description of the options and functions available to you.

Take a look at the glossary if there are any terms you don't understand.

The server page can be used if this script is installed on your server to check for requirements.

This work is predominantly MIT licensed. See the file for more information.

If you're ready to rock, check out the source!