A simple PHP script to create TOTP secrets and corresponding QR codes,
then verify the entered response over a given time variance.
homepage
documentation
glossary
server
source
Information
Create a new Secret and get the QR Code all in one.
Code
Authenticatron::new(string $accountName, string $issuer): array
Input
$accountName
is a string containing the data your member will identify with.
$issuer
is a string containing the name of your app or site.
Output
Outputs an array, where Secret
is the Secret for the member, URL
is an OTPAuth URL, and QR
is the Data64 URI for the QR code.
array(3) { ["Secret"]=> string(16) "NQPWYNEFTNTKGCCI" ["URL"]=> string(102) "otpauth://totp/Documentation Example: Member Name?secret=NQPWYNEFTNTKGCCI&issuer=Documentation+Example" ["QR"]=> string(638) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKQAAACkAQMAAAAjexcCAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABbUlEQVRIidWWwXXDMAxDtQH23xIboARot+lZuMTPL3a+DrRAEuI533ZJojRPzA/zt0LpGySFg8P8rVCRABwXmHexRwdwYsHRunQ2MuqwSeeeMKBGnH+a3VGn7+P6yPEdTa3NXiYQ8YICHcFHcaZAfD+7uKa04HSBuLDnqdOhw5xSv1l7bLRriqRyMplszhJblM6nRTL6jXZLk7u09rOiU6FMkyghLfnjRtd01IHNzbL4eVpU8cxFeS9Rt7WVP9kFktMCXc9MmSAiPT10S/fzY/jTLdpGLFCXBtc8oz5K1LXsXGptaRr8VOhK4uIYlbSu1KA5QRzHpe1KVIem8azNZvJV55puZ8tNY/64Z4O6wZVFwwNWqPOozEA+nMjX7a9pTDNLQNq8Q1cLL+yJJ3Woj3uXnL//bwq6p3wEcmXHR1GiPpriosqsslsr0Z3YbHMCetQDi5cyYIgdehLm7MzmeulQbaP4VFLWTod+1/UDedRREz337HcAAAAASUVORK5CYII=" }
Information
This returns a simple boolean value to prevent data-leakage and zero-equivalent values from codes or keys.
Code
Authenticatron::checkCode(string $code, string $secret, int $variance = 2): bool
Input
$code
is what the user enters to authenticate. A 6 digit string, usually numeric, but not necessarily an integer.
$secret
is the first result from new
, that you securely stored for later.
$variance
is an integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.
Output
Outputs a boolean value, true or false.
bool(true)
You should only need the two functions above this point to implement two-factor authentication.
Functions listed below this point should not need to be used in most production-ready environments.
Information
Generates a 16-digit secret, never to be shared with anyone except via internal non-cachable QR code.
Generated using RandomBytes if it is available, falling back to OpenSSL if it is secure.
RandomBytes is available.
OpenSSL is installed, and secure.
Your installation will use RandomBytes.
Code
Authenticatron::makeSecret(int $length = 16): ?string
Input
$length
should be an integer, longer than 16. Usually left to default.
Output
Returns a $length
long string with 32bit only Characters, or null
on failure (usually due to a lack of security).
Click the link to keep the secret the same when you refresh the page.
Information
Generates the URL for launching and adding the Secret we made earlier.
This link won't do anything unless you have a Authentication program on your computer.
Code
Authenticatron::getUrl(string $accountName, string $secret, string $issuer): string
Input
All parameters should be strings.
Output
Outputs an OTPAuth URL that gives people their Secret along with a passed Member Name and an optional Issuer.
otpauth://totp/Documentation Example: Member Name?secret=COAOCGCYDINDFOID&issuer=Documentation+Example
Information
Outputs a QR Code in Data64 for direct embedding from a given URL.
The GD functions are loaded.
Code
generateQrCode(string $URL, int $Size = 4, int $Margin = 2): ?string
Input
$URL
is a valid OTPAuth URL in string form.
$Size
is a non-zero integer, defaults to 4.
$Margin
is an integer, defaults to 2.
Output
Outputs a QR Code image in 64bit data-URI form.
Try scanning this QR code with your phone.
This should open an app like Google Authenticator.
Information
This is the current authentication code.
Check the Acceptable list to see the two either side.
Code
getCode(string $secret, int $timestamp = null, int $codeLength = 6): string
Input
$secret
is a valid Base32 Secret in string form.
$timestamp
is a unix timestamp, defaults to false to use the current timestamp.
$codeLength
is a non-zero integer, the desired length of the generated code. Defaults to 6.
Output
Outputs the calculated code for the current or provided timestamp.
string(6) "411381"
Information
This is the array checkCode
uses to check for valid codes.
Code
Authenticatron::getCodesInRange(string $secret, int $variance = 2): array
Input
$secret
is a valid Base32 Secret in string form.
$variance
is an integer indicating the adjustment of codes with a 30 second value. Defaults to 2, or 1 minute.
Output
Outputs the calculated code for the current or provided timestamp.
Note the indexes, which can be used to determine the time difference, and perhaps warn users on the outer bounds.
Code generation is expensive, so avoid generating any you don't want to check against later.
array(5) { [-2]=> string(6) "592887" [-1]=> string(6) "117553" [0]=> string(6) "411381" [1]=> string(6) "132815" [2]=> string(6) "506520" }
Your phone should produce one of these from the QR code above.
These are only valid for 30 seconds, so click the Secret link to get a new list.
Base32 is an encoding, effectively an alphabet, that computers use made up of 32 characters.
Base32 Characters are A to Z (upper-case only), and 2 to 7.
HOTP is HMAC-based one-time password algorithm. HOTP Algorithms generate passwords from a given secret that do not expose the secret over time.
OATH is the short name for the Initiative for Open Authentication, an organisation dedicated to keeping secure authentication free.
OTP Auth stands for one-time password authentication.
QR Code (Quick Response Code) is a type of 2D matrix barcodes with built in redundancy, commonly used to scan links into mobile phones through cameras.
TOTP abbreviates Time-based One-time Password Algorithm. TOTP Algorithms generate passwords from a given secret that are only valid over a very specific time period.
Visit our documentation for a more thorough description of the options and functions available to you.
Take a look at the glossary if there are any terms you don't understand.
The server page can be used if this script is installed on your server to check for requirements.
This work is predominantly MIT licensed. See the LICENSE.md file for more information.
If you're ready to rock, check out the source!