Padlock Icon

Authenticatron

A simple PHP script to create TOTP secrets and corresponding QR codes,
then verify the entered response over a given time variance.
homepagedocumentationglossaryserversource

Installation

Install

composer require eustasy/authenticatron

Require

////    Import eustasy\Authenticatron with Composer
require_once __DIR__ . '/vendor/autoload.php';
use eustasy\Authenticatron;

Quick Implementation

Step 1.

Authenticatron::new to create a new secret for a member, and fetch a secure image for scanning.

Code

Authenticatron::new($accountName, $issuer)

Input

$accountName is a string containing your members username or nice-name, perferably something unique and quickly identifiable.

$issuer is a string containing the name of your app or site.

Output

Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth URL, and QR is the Data64 URI for the QR code.

array(3) {
  ["Secret"]=>
  string(16) "UQIJXFIXLAF7FCN3"
  ["URL"]=>
  string(113) "otpauth://totp/Authenticatron Example Page: John Smith?secret=UQIJXFIXLAF7FCN3&issuer=Authenticatron+Example+Page"
  ["QR"]=>
  string(726) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALQAAAC0AQMAAAAHA5RxAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABr0lEQVRYhdWXQY7DUAhDuYHvf0tuwGCbVB3Nsp5FI6VKXiL9gsH8VH37MTPdPdif3psWCPI9jWdqmi+J5fhoRZK5lzrNB4UBduX/4bUPGhsWkOd8BMbUDustnwlu3d+OX/XwOX+OTRsD/FO/n3JWk7JWEgh6Icgp+N5RczAkXFwpPpIBqwsLqykMKsjL/Qb9hdZ1JfmGpcboQrn74LoKcZYsm4PyzKmT5CxcBSRp9rR9BPlGRN3Z1BSdgQZ5M23uCyrE7EmYFN88bb5o3HDr9dVtiPNKsJg/VZbqNsWpwtmRy/d0SXFXLRuOgoxtJMiZN3AoKDCZ0iufCU6q2aChVs/MiXEuqK5WS9D9jFNcubqEcS7sDTrJR+JD7QdF2VFe7ohNIBetges2xTkUOHiK0m9NMcIOctcRc/Xy16ooZ0D8abvr048hrs2oOhrlIed9V4zTKl6+TYXgwRni3o/SPF7ujQ7ycm/P6S6DSnJtgziTeUkD9P40xu9TgE/x9HYl+RhrVU2H67sgh3amY9++fWmSMzgPffkqolyjmW7Kqe+1k1zfHboduuptIHP8u48fgzdyWiMaSEEAAAAASUVORK5CYII="
}

Handling

You'll want to store ['Secret'] with the member, but make sure you get them to confirm a code before enforcing it, or it might not have worked and they would be locked out of their account. Make sure that this is as protected as a password hash.


['QR'] is the Data64 URI for the QR code. You can simply echo it into an img element like this:

<img src="<?php echo $secondAuth['QR']; ?>" alt="Second Factor Authentication Code">

Example

Google Camera Icon

Try scanning this into an app like Google Authenticator. You should see a code and a countdown clock until it changes.

QR Code for 2nd factor authentication

Step 2.

Use Authenticatron::checkCode to confirm the setup and check time-unique codes at every login.

Code

Authenticatron::checkCode($code, $secret)

Input

$code is the user input, the code that is generated on their device for authentication. Should be numeric-only in most cases, alpha-numeric if you change some settings.

$secret is the secret the member scanned that you securely stored for later.

$variance is an optional integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.

Output

Outputs a boolean value, true if the entered code is within allowed range, false if not.

bool(true)

Handling

You only need to check an input is alpha-numeric, and maybe 6 characters long before checking it against a retreieved secret.

$secret = ...;
if (
	strlen($_POST['secondfactor_code']) == 6 &&
	ctype_alnum($_POST['secondfactor_code'])
) {
	if ( Authenticatron::checkCode($_POST['secondfactor_code'], $secret) ) {
		// Authenticated, log in...
	} else {
		// Incorrect code
	}
} else {
	// Invalid entry
}

Example

Google Authenticator Icon

Enter the code that your device generates after scanning the image to from Step 1.


Google Help Lifeboat Ring Icon

Further Reading

Visit our documentation for a more thorough description of the options and functions available to you.

Take a look at the glossary if there are any terms you don't understand.

The server page can be used if this script is installed on your server to check for requirements.

This work is predominantly MIT licensed. See the LICENSE.md file for more information.

If you're ready to rock, check out the source!