Padlock Icon

Authenticatron

A simple PHP script to create TOTP secrets and corresponding QR codes,
then verify the entered response over a given time variance.
homepagedocumentationglossaryserversource

Step 1.

Use $auth = new Authenticatron() to initialize an instance and $auth->new to create a new secret for a member, and fetch a secure image for scanning.

Code

$auth = new Authenticatron()
$auth->new($accountName)

Input

$accountName is a string containing your members username or nice-name, perferably something unique and quickly identifiable.

Output

Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth URL, and QR is the Data64 URI for the QR code.

array(3) {
  ["Secret"]=>
  string(16) "CZS3QIWZAAYPJVRE"
  ["URL"]=>
  string(113) "otpauth://totp/Authenticatron Example Page: John Smith?secret=CZS3QIWZAAYPJVRE&issuer=Authenticatron+Example+Page"
  ["QR"]=>
  string(806) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALQAAAC0AQMAAAAHA5RxAAAABlBMVEUAAAD///+l2Z/dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAB6klEQVRYha2XgZXjQAhD1QH9d0kHLPpMfFeAnPXG+c57ZAYksCSVuqeneg9pSu+I8JqpJfKr9l7tF2aCXFU17dA+Z89FWd6argKMr9LccffPVzUK890379i+7Wtvz7/9THBduP+Prx4SfHxszokLNOgY30X52Bteo+lVboq7auVqdWaq+A2u4xRfJYiKdd5dXaIEctyqcyV5+1xXxRJz3PGEHPwLNjG7zJeXBD/LGEvjt4coMcUHjW2kIjG2j7q8Z7gctMztG40tkZgQH5sEat70tNc1h0LcBWtu//CS5swqx912SPmICnMDUpBTSBiql2bT8HWOX5Czu7qPCvJxt3RltSP7gqgx7pgnQIdG4q9sM9w9R+iMd0t76k0BCY5fP6+D9fl3jMuio6honI2Hd4wPNsTmeUHuaX3rzPCiWGkLjjh4eJKTEPzo1yao3hSnJWB6zKX1deoY//yJ+332muOk26oj568IFONPDRYdt2lx0zFuG3UyhqXx7+b4EB9U/JraaYQvpTgiaAxJp4m69hbiheTOKp7h8SHFb+xlsLiW6dFLOX7d5s3u1gjTdce4+707/+i6aP9af4pTsjdskZHPy3NcPBEPMyTPgJ3l93xWpzk7h4LcEx0nzYfpTkFOaKbSfkOe7jrD/wCYWROqVKhnhQAAAABJRU5ErkJggg=="
}

Handling

You'll want to store ['Secret'] with the member, but make sure you get them to confirm a code before enforcing it, or it might not have worked and they would be locked out of their account. Make sure that this is as protected as a password hash.


['QR'] is the Data64 URI for the QR code. You can simply echo it into an img element like this:

<img src="<?php echo $secondAuth['QR']; ?>" alt="Second Factor Authentication Code">

Example

Google Camera Icon

Try scanning this into an app like Google Authenticator. You should see a code and a countdown clock until it changes.

Second Factor Authentication Code

Step 2.

Use $auth->checkCode to confirm the setup and check time-unique codes at every login.

Code

$auth->checkCode($Code, $secret)

Input

$Code is the user input, the code that is generated on their device for authentication. Should be numeric-only in most cases, alpha-numeric if you change some settings.

$secret is the secret the member scanned that you securely stored for later.

$Variance is an optional integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.

Output

Outputs a boolean value, true if the entered code is within allowed range, false if not.

bool(true)

Handling

You only need to check an input is alpha-numeric, and maybe 6 characters long before checking it against a retreieved secret.

$secret = ...;
if (
	strlen($_POST['secondfactor_code']) == 6 &&
	ctype_alnum($_POST['secondfactor_code'])
) {
	if ( $auth->checkCode($_POST['secondfactor_code'], $secret) ) {
		// Authenticated, log in...
	} else {
		// Incorrect code
	}
} else {
	// Invalid entry
}

Example

Google Authenticator Icon

Enter the code that your device generates after scanning the image to from Step 1.


lifefloat

Further Reading

Visit our documentation for a more thorough description of the options and functions available to you.

Take a look at the glossary if there are any terms you don't understand.

The server page can be used if this script is installed on your server to check for requirements.

If you're ready to rock, check out the source!

Open Source Initiative Keyhole

This work is predominantly MIT licensed. See the LICENSE.md file for more information.