Padlock Icon


A simple, procedural PHP script to create Google Authenticator secrets and corresponding QR codes,
then verify the entered response over a given time variance.

Step 1.

Use Authenticatron_New to create a new secret for a member, and fetch a secure image for scanning.




$Member_Name is a string containing your members username or nice-name, perferably something unique and quickly identifiable.


Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth URL, and QR is the Data64 URI for the QR code.

array(3) {
  string(16) "SAO2OVNLHKJI65IK"
  string(83) "otpauth://totp/Example Site: John Smith?secret=SAO2OVNLHKJI65IK&issuer=Example+Site"
  string(626) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJQAAACUAQMAAABP8pKXAAAABlBMVEUAAAD///+l2Z/dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAABZElEQVRIia2WUQ7DMAhDfQPuf0tuwGyTdfuO22lV+yKFFOwQAChUD7r4H5zrmtVMNQExyfA1ZKji3N0FxeBrzjQzg/D3EmtlgQP9AvP0XLIepp683DKV5O966nbLRhfvXDZaEfmUsJJ09FIaVyoQsXGByCxLDnfIuFJYjzgZDlmr1AyksjNAKy8BoxBLKpIgx9+AiPGj18kMt8IMmRzTLlNLQbolTIYuz9vSzzizAYP2GRwdCnTGlALL3NU6EkiYkzgOoJ3ReYmYRbQ7mb6gM1b2i7xcdTayiNEjXmvZgBpHxlyZsjLHis9YeXOV+eA9Fp0x7KSzGmqvOWG2sspkoixkTLsrU+rFt2ufsdl5KUo3qd663TPoxCCz9IZaUd4z+U+t3alkHNk6YVul2e3s10av2bb20wjwbYABgwxjDdnTdc5cCTt93il5g8l8/te2l4jN9hTXqvfEmTCH0ZstA5/hAvYBetEgGHu1w5AAAAAASUVORK5CYII="


You'll want to store ['Secret'] with the member, but make sure you get them to confirm a code before enforcing it, or it might not have worked and they would be locked out of their account. Make sure that this is as protected as a password hash.

['QR'] is the Data64 URI for the QR code. You can simply echo it into an img element like this:

<img src="<?php echo $SecondAuth['QR']; ?>" alt="Second Factor Authentication Code">


Google Camera Icon

Try scanning this into an app like Google Authenticator. You should see a code and a countdown clock until it changes.

Second Factor Authentication Code

Step 2.

Use Authenticatron_Check to confirm the setup and check time-unique codes at every login.


Authenticatron_Check($Code, $Secret)


$Code is the user input, the code that is generated on their device for authentication. Should be numeric-only in most cases, alpha-numeric if you change some settings.

$Secret is the secret the member scanned that you securely stored for later.

$Variance is an optional integer indicating the adjustment of codes with a 30 second value. Defaults to 2 either side, or 1 minute.


Outputs a boolean value, true if the entered code is within allowed range, false if not.



You only need to check an input is alpha-numeric, and maybe 6 characters long before checking it against a retreieved secret.

$Secret = ...;
if (
	strlen($_POST['secondfactor_code']) == 6 &&
) {
	if ( Authenticatron_Check($_POST['secondfactor_code'], $Secret) ) {
		// Authenticated, log in...
	} else {
		// Incorrect code
} else {
	// Invalid entry


Google Authenticator Icon

Enter the code that your device generates after scanning the image to from Step 1.


Further Reading

Visit our documentation for a more thorough description of the options and functions available to you.

Take a look at the glossary if there are any terms you don't understand.

The server page can be used if this script is installed on your server to check for requirements.

If you're ready to rock, check out the source!

Open Source Initiative Keyhole

This work is predominantly MIT licensed. See the file for more information.