GitHub - thepapanoob/PHPOTP: One-Time Passwords per RFC 4226 (HOTP) and RFC 6238 (TOTP) implemented in PHP.

thepapanoob / PHPOTP Public

Notifications You must be signed in to change notification settings
Fork 0
Star 3

One-Time Passwords per RFC 4226 (HOTP) and RFC 6238 (TOTP) implemented in PHP.

LGPL-3.0, GPL-3.0 licenses found

Licenses found

3 stars 0 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
AUTHORS		AUTHORS
Base32.php		Base32.php
COPYING		COPYING
COPYING.LESSER		COPYING.LESSER
PHPOTP.php		PHPOTP.php
README		README
Test.php		Test.php
VERSION		VERSION
demo.php		demo.php

Repository files navigation

** Warning **

While the code provided appears to work in limited cases, it
probably contains bugs.  See COPYING and COPYING.LESSER for
disclaimers and such.

If this concerns you, you are encouraged to read the code yourself.
It is a surprisingly small amount of code, and much of it is
rather straightforward.

As always, patches are welcome.  Patches must be provided as
public domain (or whatever your local equivalent is) to prevent
license entanglement issues.

** Introduction **

Two-factor authentication is becoming an increasingly popular way of
increasing security.  As an example, Google now supports it's use
for their user accounts, as well as provides a Google Authenticator
mobile app.

The term "Two-factor" normally refers to authentication based on a
password (the first factor) as well as something else (in this
case a mobile app acting as a security token).  Authentication that
combines "something you know" and "something you have" brings
additional security.

** Compatability **

Any standards complient HOTP/TOTP application should work.

RedHat's FreeOTP works well and is Apache 2.0 licensed.
https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

Google's Google Authenticator works well and is nicely polished, but
supports only SHA1 with 6 digits and a 30-second window.
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

** Usage **

On the server:

	$OTP=new PHPOTP();
	$Seed=$OTP->GenSeed();
	StoreSeedSomewhereSafe($Seed);

	$URI=$OTP->TOTPAsURI('Issuer Name','A Label',Base32::Encode($Seed));
	echo QREncode($URI);

The StoreSeedSomewhereSafe() and QREncode() functions are left to the reader.

The client would then use the QR code to set up their token, typically a
mobile app.

To authenticate, the user would provide the value currently provided by
their token.  The server would:

	$OTP=new PHPOTP();
	$Seed=GetSeedFromSomewhereSafe();
	$CurrValue=$OTP->TOTP($Seed);
	$Success=($CurrValue==$_REQUEST['value']);

The Seed=GetSeedFromSomewhereSafe() function is left to the reader.