Generate and verify a Time-Based One-Time Password (TOTP) using PHP.
Generate a secret - used as cryptographic key to generate the tokens
Configure the length of the generated secret (default: 40)
Generate token - generate the numeric code that also shows up in the 2fa app
Configure which hashing algorithm to use: SHA1, SHA256, or SHA512 (default: SHA1)
Configure whether to use 6 or 8 digits in the token (default: 6)
Configure for how long a token is valid: 15, 30, or 60 seconds (default: 30)
Option to generate historic (older) tokens (used by the verify script)
Create URI for QR code - use this otpauth:// URI as the source to generate a QR code
Configure issuer (required) and account name (optional) that show up in the 2fa app
🔵 Issuer: account.name
123 456
❗ QR code image generator not included
Verify user tokens - compare the user's token with the token the system generates from the stored secret
Configurable to validate 1 or more older tokens in chronological order (default: 0)
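The token generation and verification options listed above (hash algorithm, digit count, validity period, older tokens), shown as an added example that is not this project's code. The function names totp_token() and totp_verify() are hypothetical, and the key is assumed to be raw bytes rather than an encoded secret.

```php
<?php
declare(strict_types=1);

// Added example; function names and the raw-key input are assumptions.

// RFC 6238 token for a raw (not Base32-encoded) key at Unix time $time.
function totp_token(string $key, int $time, int $period = 30,
                    int $digits = 6, string $algo = 'sha1'): string
{
    // Time step as an 8-byte big-endian counter ('J' needs 64-bit PHP).
    $counter = pack('J', intdiv($time, $period));
    $hmac = hash_hmac($algo, $counter, $key, true);
    // Dynamic truncation: low nibble of the last byte picks a 4-byte window.
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0F;
    $code = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current token and up to $older previous time steps.
function totp_verify(string $key, string $userToken, int $time, int $older = 0,
                     int $period = 30, int $digits = 6, string $algo = 'sha1'): bool
{
    $ok = false;
    for ($i = 0; $i <= $older; $i++) {
        $expected = totp_token($key, $time - $i * $period, $period, $digits, $algo);
        // hash_equals() is constant-time; every step is checked, no early exit.
        $ok = hash_equals($expected, $userToken) || $ok;
    }
    return $ok;
}

// Self-check against the RFC 6238 Appendix B vector (SHA1, time 59, 8 digits).
$key = '12345678901234567890';
if (totp_token($key, 59, 30, 8) !== '94287082') {
    throw new RuntimeException('RFC 6238 test vector mismatch');
}

// Constructed scenario: a token read at t=59 is submitted one time step later.
$token = totp_token($key, 59);
var_dump(totp_verify($key, $token, 89));     // no older tokens allowed
var_dump(totp_verify($key, $token, 89, 1));  // one older token allowed
```

Each older token allowed lengthens the time a captured code stays valid. RFC 6238 also requires that a token is not accepted a second time after a successful validation, which needs server-side state not shown here.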
Uses PHP's random_bytes(), which returns cryptographically secure random bytes, to generate the TOTP secret.
Works with TOTP-compatible 2fa apps like Google Authenticator and Authy, available for Android, iOS (iPhone), Linux, macOS, and Windows, although not all RFC 6238 TOTP features are supported by these apps.
Code released under the MIT license.