Blog Detail


A Google Two-Factor Authentication Package for PHP & Laravel cover image

A Google Two-Factor Authentication Package for PHP & Laravel

Google2FA is a PHP implementation of the Google Two-Factor Authentication Module, supporting the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.


Now you can install this package via Composer:

composer require pragmarx/google2fa

To generate inline QRCodes, you'll need to install a QR code generator, e.g. BaconQrCode:

composer require bacon/bacon-qr-code


Instantiate it directly

use PragmaRX\Google2FA\Google2FA;

$google2fa = new Google2FA();

return $google2fa->generateSecretKey();

How To Generate And Use Two Factor Authentication

Generate a secret key for your user and save it:

$user->google2fa_secret = $google2fa->generateSecretKey();

Generating QRCodes

The securer way of creating QRCode is to do it yourself or use a library. First, you have to install a QR code generator e.g. BaconQrCode, as stated above, then you just have to generate the QR code URL using:

$qrCodeUrl = $google2fa->getQRCodeUrl(

Once you have the QR code URL, you can feed it to your preferred QR code generator.

// Use your own QR Code generator to generate a data URL:
$google2fa_url = custom_generate_qrcode_url($qrCodeUrl);

/// and in your view:

<img src="{{ $google2fa_url }}" alt="">

And to verify, you just have to:

$secret = $request->input('secret');

$valid = $google2fa->verifyKey($user->google2fa_secret, $secret);

This package suggests the use of Bacon/QRCode because it is known as a good QR Code package, but you can use it with any other package.

Using Bacon/QRCode


use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = app(Google2FA::class);

$g2faUrl = $google2fa->getQRCodeUrl(

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()

$qrcode_image = base64_encode($writer->writeString($g2faUrl));

And show it as an image:

<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>

HMAC Algorithms

To comply with RFC6238, this package supports SHA1, SHA256, and SHA512. It defaults to SHA1, so to use a different algorithm you just have to use the method setAlgorith():


Google Authenticator secret key compatibility

To be compatible with Google Authenticator, your (converted to base 32) secret key length must be at least 8 chars and be a power of 2: 8, 16, 32, 64...

So, to prevent errors, you can do something like this while generating it:

$secretKey = '123456789';

$secretKey = str_pad($secretKey, pow(2,ceil(log(strlen($secretKey),2))), 'X');

And it will generate


By default, this package will enforce compatibility, but, if Google Authenticator is not a target, you can disable it by doing


This package has a lot more in it. If you want to dig more, then you can visit its complete documentation on github.

Published at : 03-01-2022

Author : Rizwan Aslam
Rizwan Aslam

I am a highly results-driven professional with 12+ years of collective experience in the grounds of web application development especially in laravel, native android application development in java, and desktop application development in the dot net framework. Now managing a team of expert developers at Codebrisk.

Launch project