Skip to content

One-Time Passwords per RFC 4226 (HOTP) and RFC 6238 (TOTP) implemented in PHP.

License

LGPL-3.0, GPL-3.0 licenses found

Licenses found

LGPL-3.0
COPYING.LESSER
GPL-3.0
COPYING
Notifications You must be signed in to change notification settings

thepapanoob/PHPOTP

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

** Warning **

While the code provided appears to work in limited cases, it
probably contains bugs.  See COPYING and COPYING.LESSER for
disclaimers and such.

If this concerns you, you are encouraged to read the code yourself.
It is a surprisingly small amount of code, and much of it is
rather straightforward.

As always, patches are welcome.  Patches must be provided as
public domain (or whatever your local equivalent is) to prevent
license entanglement issues.

** Introduction **

Two-factor authentication is becoming an increasingly popular way of
increasing security.  As an example, Google now supports it's use
for their user accounts, as well as provides a Google Authenticator
mobile app.

The term "Two-factor" normally refers to authentication based on a
password (the first factor) as well as something else (in this
case a mobile app acting as a security token).  Authentication that
combines "something you know" and "something you have" brings
additional security.

** Compatability **

Any standards complient HOTP/TOTP application should work.

RedHat's FreeOTP works well and is Apache 2.0 licensed.
https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

Google's Google Authenticator works well and is nicely polished, but
supports only SHA1 with 6 digits and a 30-second window.
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

** Usage **

On the server:

	$OTP=new PHPOTP();
	$Seed=$OTP->GenSeed();
	StoreSeedSomewhereSafe($Seed);

	$URI=$OTP->TOTPAsURI('Issuer Name','A Label',Base32::Encode($Seed));
	echo QREncode($URI);

The StoreSeedSomewhereSafe() and QREncode() functions are left to the reader.

The client would then use the QR code to set up their token, typically a
mobile app.

To authenticate, the user would provide the value currently provided by
their token.  The server would:

	$OTP=new PHPOTP();
	$Seed=GetSeedFromSomewhereSafe();
	$CurrValue=$OTP->TOTP($Seed);
	$Success=($CurrValue==$_REQUEST['value']);

The Seed=GetSeedFromSomewhereSafe() function is left to the reader.

About

One-Time Passwords per RFC 4226 (HOTP) and RFC 6238 (TOTP) implemented in PHP.

Resources

License

LGPL-3.0, GPL-3.0 licenses found

Licenses found

LGPL-3.0
COPYING.LESSER
GPL-3.0
COPYING

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published