Padlock Icon

Authenticatron

A simple, procedural PHP script to create Google Authenticator secrets and corresponding QR codes,
then verify the entered response over a given time variance.
homepagedocumentationglossaryserversource

Authenticatron New

Information

Create a new Secret and get the QR Code all in one.

Code

Authenticatron_New($Member_Name)

Input

$Member_Name is a string containing the data your member will identify with.

Output

Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth URL, and QR is the Data64 URI for the QR code.

array(3) {
  ["Secret"]=>
  string(16) "NWMNS5Y7EEQZ5ASU"
  ["URL"]=>
  string(84) "otpauth://totp/Example Site: Member Name?secret=NWMNS5Y7EEQZ5ASU&issuer=Example+Site"
  ["QR"]=>
  string(622) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJQAAACUAQMAAABP8pKXAAAABlBMVEUAAAD///+l2Z/dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAABYUlEQVRIia2WyxHEIAxD1YH679IdeC2ZZPaMwm7I8A58LGEHANjFZqFYxGnXjN0kUYO60DMMGcgB6EGzxgw/YE205p/fF2z+E4Ou6g/YvGdQz56fuNwySfLXXt1uWavBk09TXxHTxKP3wNmyvZQxSSOGYbJTKQYBKx26HIna6IbMakMun9ag3R4wLSH/6KXQnnVvmbfatng5Gp0xSBZaelloLRkwHmXovU8wOmOiTjfON/JkyBTOFZuSKmbUNnX8k3qQsbLSkl36b46N2Lz5nF1+tCfvmUzE9/65GERMYk+eaV+dk8QSJj/OU4qp+66I6bLAuV8JbIbac8Lm9CrFDuv4iSGjOzjRyJRExjSrrmLVSTvW/Z6x3tOvwxsRc4kitsi7NmcMWLE3sm9hvWau8XR9r/0MCZmraJ/beOISsv38qL2MzNks0V4Jrn4ZU6LmJm3XPteBe4ZHmHLlq0fzS/YDbFn06Wnu11MAAAAASUVORK5CYII="
}

Authenticatron Check

Information

This returns a simple boolean value to prevent data-leakage and zero-equivalent values from codes or keys.

Code

Authenticatron_Check($Code, $Secret)

Authenticatron_Check($Code, $Secret, $Variance = false)

Input

$Code is what the user enters to authenticate. A 6 digit string, usually numeric, but not necessarily an integer.

$Secret is the first result from Authenticatron_Check, that you securely stored for later.

$Variance is an integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.

Output

Outputs a boolean value, true or false.

bool(true)

lifefloat

Warning: The functions below are for advanced users only.

You should only need the two functions above this point to implement two-factor authentication.

Functions listed below this point should not need to be used in most production-ready environments.


Authenticatron Secret

Information

Generates a 16-digit secret, never to be shared with anyone except via internal non-cachable QR code.

Generated using MCrypt if it is available, falling back to OpenSSL if it is secure.

MCrypt is not installed.

OpenSSL is installed, and secure.

Your installation will use OpenSSL.

Code

Authenticatron_Secret()

Authenticatron_Secret($Length = 16)

Input

$Length should be an integer, longer than 16. Usually left to default.

Output

Returns a $Length long string with 32bit only Characters, or false on failure (usually due to a lack of security).

Click the link to keep the secret the same when you refresh the page.

EGTS2ZZNBKYHD2EF

Authenticatron URL

Information

Generates the URL for launching and adding the Secret we made earlier.

This link won't do anything unless you have a Authentication program on your computer.

Code

Authenticatron_URL($Member_Name, $Secret)

Authenticatron_URL($Member_Name, $Secret, $Issuer = DEFAULT)

Input

All parameters should be strings, with the optional issuer defaulting to the configured value if not passed.

Output

Outputs an OTPAuth URL that gives people their Secret along with a passed Member Name and an optional Issuer.

otpauth://totp/Example Site: Member Name?secret=EGTS2ZZNBKYHD2EF&issuer=Example+Site

Authenticatron QR

Information

Outputs a QR Code in Data64 for direct embedding from a given URL.

The GD functions are loaded.

Code

Authenticatron_QR($URL)

Authenticatron_QR($URL, $Size = 4)

Authenticatron_QR($URL, $Size = 4, $Margin = 0)

Authenticatron_QR($URL, $Size = 4, $Margin = 0, $Level = 'M')

Input

$URL is a valid OTPAuth URL in string form.

$Size is a non-zero integer, defaults to 4.

$Margin is an integer, defaults to 0.

$Level is a string, defaults to 'M'. It defines the error correction level.

Output

Google Camera Icon

Outputs a QR Code image in 64bit data-URI form.

Try scanning this QR code with your phone.

This should open an app like Google Authenticator.

Base32 Decode

Information

You shouldn't need to be using this function, it's just part of the hashing.

It also isn't decoding, at least not in any real sense.

Code

Base32_Decode($Secret)

Input

The lone parameter is a string value that expects a valid Base32 secret.

Output

Outputs a string of the numeric representation of the Secret as ASCII text.

string(10) "!-g-
q"

Authenticatron Code

Information

This is the current authentication code.

Check the Acceptable list to see the two either side.

Code

Authenticatron_Code($Secret)

Authenticatron_Code($Secret, $Timestamp = false)

Authenticatron_Code($Secret, $Timestamp = false, $CodeLength = 6)

Input

$Secret is a valid Base32 Secret in string form.

$Timestamp is a unix timestamp, defaults to false to use the current timestamp.

$CodeLength is a non-zero integer, the desired length of the generated code. Defaults to 6.

Output

Outputs the calculated code for the current or provided timestamp.

string(6) "614990"

Authenticatron Acceptable

Information

This is the array Authenticatron_Check uses to check for valid codes.

Code

Authenticatron_Acceptable($Secret)

Authenticatron_Acceptable($Secret, $Variance = 2)

Input

$Secret is a valid Base32 Secret in string form.

$Variance is an integer indicating the adjustment of codes with a 30 second value. Defaults to 2, or 1 minute.

Output

Google Authenticator Icon

Outputs the calculated code for the current or provided timestamp.

Note the indexes, which can be used to determine the time difference, and perhaps warn users on the outer bounds.

Code generation is expensive, so avoid generating any you don't want to check against later.

array(5) {
  [-2]=>
  string(6) "598155"
  [-1]=>
  string(6) "755270"
  [0]=>
  string(6) "614990"
  [1]=>
  string(6) "811824"
  [2]=>
  string(6) "612275"
}

Your phone should produce one of these from the QR code above.

These are only valid for 30 seconds, so click the Secret link to get a new list.


lifefloat

Glossary

Base32 is an encoding, effectively an alphabet, that computers use made up of 32 characters.

Base32 Characters are A to Z (upper-case only), and 2 to 7.

HOTP is HMAC-based one-time password algorithm. HOTP Algorithms generate passwords from a given secret that do not expose the secret over time.

OATH is the short name for the Initiative for Open Authentication, an organisation dedicated to keeping secure authentication free.

OTP Auth stands for one-time password authentication.

QR Code (Quick Response Code) is a type of 2D matrix barcodes with built in redundancy, commonly used to scan links into mobile phones through cameras.

TOTP abbreviates Time-based One-time Password Algorithm. TOTP Algorithms generate passwords from a given secret that are only valid over a very specific time period.