How To Do This PHP

PHP The Guardian of Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA)

Implementing Two-Factor Authentication (2FA) adds an extra layer of security to your login system. Below is a simple example of how you can incorporate 2FA using time-based one-time passwords (TOTP) in PHP. This example uses the PHPGangsta/GoogleAuthenticator library, which you can install via Composer:

composer require phpgangsta/googleauthenticator

Now, here’s a basic implementation:

<?php
require 'vendor/autoload.php';

// PHPGangsta_GoogleAuthenticator is a global (non-namespaced) class that the
// Composer autoloader loads on first use, so no `use` statement is needed.

// Function to generate a secret key for a user
function generateSecretKey() {
    $ga = new PHPGangsta_GoogleAuthenticator();
    return $ga->createSecret();
}

// Function to generate a QR code URL for the user's 2FA app
function generateQRCodeUrl($username, $secret) {
    $ga = new PHPGangsta_GoogleAuthenticator();
    return $ga->getQRCodeGoogleUrl($username, $secret, 'Your App Name');
}

// Function to verify a 2FA code
function verifyTwoFactorCode($secret, $code) {
    $ga = new PHPGangsta_GoogleAuthenticator();
    // 2 = accept codes up to 2 * 30 s before or after the current time slice
    return $ga->verifyCode($secret, $code, 2);
}

// Example: User registration (generate secret key)
$username = "example_user";
$secretKey = generateSecretKey();

// Save $username and $secretKey in your database; the secret is as sensitive
// as a password, so protect it accordingly at rest.

// Example: Display QR code for user to scan with 2FA app
$qrCodeUrl = generateQRCodeUrl($username, $secretKey);
echo "Scan the following QR code with your 2FA app:\n";
echo '<img src="' . $qrCodeUrl . '" alt="QR Code" />';

// Example: User login
$enteredCode = $_POST['2fa_code'] ?? ''; // Replace with the actual input variable from your form

// Retrieve $secretKey from the database based on $username
// In a real application, you would perform proper database queries to get the user's secret key

if (verifyTwoFactorCode($secretKey, $enteredCode)) {
    echo "Two-Factor Authentication successful. Proceed with login.";
} else {
    echo "Invalid Two-Factor Authentication code. Login denied.";
}
?>

In this example:

  1. The generateSecretKey function generates a secret key for a user using the PHPGangsta GoogleAuthenticator library.
  2. The generateQRCodeUrl function generates a QR code URL that the user can scan with their 2FA app.
  3. The verifyTwoFactorCode function verifies the entered 2FA code against the user’s secret key.
  4. During user registration, you would generate a secret key and save it along with the username in your database.
  5. During the login process, you retrieve the user’s secret key from the database and verify the entered 2FA code.

Make sure to integrate this example into your existing authentication flow, and adapt it to your specific needs and database structure.
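As an added example (not part of the original post or of the PHPGangsta library), here is the RFC 6238 computation that verifyCode() performs, written out in plain PHP together with a replay check that the library leaves to the calling application. The names base32Decode, totpCode and verifyTotp are chosen here, and the secret is the RFC 6238 Appendix B test key, so the T = 59 output can be compared with the RFC's table.

```php
<?php
// Added example, not the original post's code: RFC 6238 TOTP done by hand
// to show what verifyCode() does, plus a replay check the library leaves
// to the application. Secret is the RFC 6238 Appendix B test key in base32.

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $ch) {
        $idx = strpos($alphabet, $ch);
        if ($idx === false) { throw new InvalidArgumentException('bad base32'); }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// HOTP (RFC 4226) dynamic truncation over a 30-second time step (RFC 6238).
function totpCode(string $secretB32, int $timeStep, int $digits = 6): string {
    $counter = pack('J', $timeStep);                       // 8-byte big-endian
    $hmac = hash_hmac('sha1', $counter, base32Decode($secretB32), true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step (persist it as the user's "last used" step)
// or null. $window = 1 also accepts the previous and next 30-second step,
// like verifyCode()'s discrepancy argument; a step at or before
// $lastUsedStep is refused so a captured code cannot be submitted twice.
function verifyTotp(string $secretB32, string $code, int $now,
                    int $lastUsedStep = -1, int $window = 1): ?int {
    $current = intdiv($now, 30);
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        if ($step <= $lastUsedStep) { continue; }
        if (hash_equals(totpCode($secretB32, $step), $code)) { return $step; }
    }
    return null;
}

$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';   // base32 of "12345678901234567890"
$code = totpCode($secret, intdiv(59, 30));      // compare with RFC 6238 table, T = 59
var_dump(verifyTotp($secret, $code, 59));       // first use: returns the matched step
var_dump(verifyTotp($secret, $code, 59, 1));    // same step already consumed: refused as a replay
```

Store the returned step next to the user's secret and pass it back as $lastUsedStep on the next login; that single integer is what turns a window-tolerant check into a one-time check.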