Google2FA is a PHP implementation of the Google Two-Factor Authentication Module, supporting the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

Installation

Now you can install this package via Composer:

composer require pragmarx/google2fa

To generate inline QRCodes, you’ll need to install a QR code generator, e.g. BaconQrCode:

composer require bacon/bacon-qr-code

Usage

Instantiate it directly

use PragmaRX\Google2FA\Google2FA;
    
$google2fa = new Google2FA();
    
return $google2fa->generateSecretKey();

How To Generate And Use Two Factor Authentication

Generate a secret key for your user and save it:

$user->google2fa_secret = $google2fa->generateSecretKey();

Generating QRCodes

The securer way of creating QRCode is to do it yourself or use a library. First, you have to install a QR code generator e.g. BaconQrCode, as stated above, then you just have to generate the QR code URL using:

$qrCodeUrl = $google2fa->getQRCodeUrl(
    $companyName,
    $companyEmail,
    $secretKey
);

Once you have the QR code URL, you can feed it to your preferred QR code generator.

// Use your own QR Code generator to generate a data URL:
$google2fa_url = custom_generate_qrcode_url($qrCodeUrl);

/// and in your view:

<img src="{{ $google2fa_url }}" alt="">

And to verify, you just have to:

$secret = $request->input('secret');

$valid = $google2fa->verifyKey($user->google2fa_secret, $secret);

This package suggests the use of Bacon/QRCode because it is known as a good QR Code package, but you can use it with any other package.

Using Bacon/QRCode

<?php

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = app(Google2FA::class);

$g2faUrl = $google2fa->getQRCodeUrl(
    'pragmarx',
    'google2fa@pragmarx.com',
    $google2fa->generateSecretKey()
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);
	

$qrcode_image = base64_encode($writer->writeString($g2faUrl));

And show it as an image:

<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>

HMAC Algorithms

To comply with RFC6238, this package supports SHA1, SHA256, and SHA512. It defaults to SHA1, so to use a different algorithm you just have to use the method setAlgorith():

$google2fa->setAlgorithm(Constants::SHA512);

Google Authenticator secret key compatibility

To be compatible with Google Authenticator, your (converted to base 32) secret key length must be at least 8 chars and be a power of 2: 8, 16, 32, 64…

So, to prevent errors, you can do something like this while generating it:

$secretKey = '123456789';
  
$secretKey = str_pad($secretKey, pow(2,ceil(log(strlen($secretKey),2))), 'X');

And it will generate

123456789XXXXXXX

By default, this package will enforce compatibility, but, if Google Authenticator is not a target, you can disable it by doing

$google2fa->setEnforceGoogleAuthenticatorCompatibility(false);

This package has a lot more in it. If you want to dig more, then you can visit its complete documentation on github.