
elgibor-solution/laravel-2fa
============================

Two-Factor Authentication package for Laravel supporting Google Authenticator (TOTP) and self-generated codes via SMS/WhatsApp/Email.

1.0.0 (10mo ago) · Apache-2.0 · PHP >=8.1

[Source](https://github.com/elgiborsolution/laravel-2fa) · [Packagist](https://packagist.org/packages/elgibor-solution/laravel-2fa)

Two-Factor Authentication package for Laravel that supports:

- **Google Authenticator (TOTP)**
- **Self-generated one-time codes** with configurable expiry
- **Delivery via Email (built-in), SMS, or WhatsApp** (user-provided callbacks)
- Built-in **fraud protection**: attempt limits, cooldowns, per-user lock

Requirements
------------

- PHP 8.1+
- Laravel 10 or 11

Installation
------------

```
composer require elgibor-solution/laravel-2fa
```

Publish config and (optionally) migrations:

```
php artisan vendor:publish --provider="ESolution\Laravel2FA\Laravel2FAServiceProvider" --tag=2fa-config
php artisan vendor:publish --provider="ESolution\Laravel2FA\Laravel2FAServiceProvider" --tag=2fa-migrations
php artisan migrate
```

Configuration
-------------

`config/2fa.php`

- `channels.email/sms/whatsapp` — enable built-in email sender; provide SMS/WhatsApp callbacks.
- `self_generated_ttl` — expiry (seconds) for self-generated codes.
- `code_length` — digits for self-generated codes.
- `max_attempts`, `lock_minutes_after_max` — fraud control.
- `cooldown_seconds_between_requests` — min time between code requests.
- `totp_drift` — allowed time drift for TOTP.
- `issuer` — shown in Google Authenticator.
- `tables` — override table names if needed.
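
To show what a drift setting such as `totp_drift` changes at verification time, here is an added RFC 6238 check that is not the package's code. It assumes drift is counted in 30-second steps (the page does not state the unit), and all function names are hypothetical.

```php
<?php
// Added illustration, not the package's code; function names are hypothetical.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = rtrim(strtoupper($b32), '=');
    if ($clean === '' || strspn($clean, $alphabet) !== strlen($clean)) {
        throw new InvalidArgumentException('invalid base32 secret');
    }
    $bits = '';
    foreach (str_split($clean) as $ch) {
        $bits .= str_pad(decbin(strpos($alphabet, $ch)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

function hotp(string $key, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true); // 8-byte big-endian counter
    $off  = ord($hash[19]) & 0x0F;                              // dynamic truncation, RFC 4226
    $bin  = unpack('N', substr($hash, $off, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step, or null. Passing the last accepted step rejects replays.
function verifyTotp(string $b32, string $code, int $drift, int $now, int $lastStep = -1): ?int
{
    $key  = base32Decode($b32);
    $step = intdiv($now, 30);
    for ($c = max(0, $step - $drift); $c <= $step + $drift; $c++) {
        if ($c > $lastStep && hash_equals(hotp($key, $c), $code)) {
            return $c;
        }
    }
    return null;
}

// RFC 6238 test secret "12345678901234567890" in base32; its 6-digit code at t=59 is 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verifyTotp($secret, '287082', 1, 59));     // code used within its own step
var_dump(verifyTotp($secret, '287082', 1, 119));    // two steps late, drift of 1
var_dump(verifyTotp($secret, '287082', 2, 119));    // two steps late, drift of 2
var_dump(verifyTotp($secret, '287082', 1, 59, 1));  // replay of an already accepted step
```

Each extra step of drift widens the window in which a captured code is still accepted, so keep the value as small as your users' clock skew allows.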

### Binding SMS / WhatsApp senders

In `AppServiceProvider@boot()` or any service provider:

```
use Illuminate\Support\Facades\App;

// SMS
App::singleton('2fa.sender.sms', function () {
    return function (string $to, string $message, array $context = []) {
        // Integrate your SMS gateway here
        // Example: Sms::to($to)->send($message);
    };
});

// WhatsApp
App::singleton('2fa.sender.whatsapp', function () {
    return function (string $to, string $message, array $context = []) {
        // Integrate your WhatsApp provider here
        // Example: WhatsApp::sendText($to, $message);
    };
});
```

Email is supported out of the box via `Mail::raw()`.

Routes
------

These routes are auto-registered under `/2fa` with `web,auth` middleware.

- `POST /2fa/init-totp` → Start TOTP setup. Returns `{ secret, otpauth_uri }`.
- `POST /2fa/confirm-totp` → Enable TOTP (body: `code`).
- `POST /2fa/disable` → Disable 2FA for the authenticated user.
- `POST /2fa/create` → Generate self code and send (body: `channel, destination, purpose?`).
- `POST /2fa/validate` → Validate any code (body: `code, purpose?`).

Using the Facade
----------------

```
use TwoFA;

// Start TOTP enrollment
$resp = TwoFA::initTotp($user->id); // ['secret' => '...', 'otpauth_uri' => '...']

// Confirm and enable TOTP
$ok = TwoFA::confirmTotp($user->id, $request->code);

// Disable 2FA
TwoFA::disable($user->id);

// Create a self-generated code and deliver it
$res = TwoFA::createSelfGenerated($user->id, 'sms', $user->phone, 'login');

// Validate a code (works for TOTP or self-generated depending on user settings)
$isValid = TwoFA::validate($user->id, $request->code, 'login');
```

### Generating a QR Code for Google Authenticator

`initTotp()` returns an `otpauth://` URI. Render it as a QR code on your frontend with any QR library (e.g., a JavaScript QR library); users then scan the QR code with Google Authenticator. The URI embeds the shared secret, so generate the QR code locally rather than passing the URI to a third-party QR service.

Fraud & Security
----------------

- **Hashed codes** at rest (HMAC-SHA256 with `APP_KEY`). Set `hash_codes=false` to store plaintext (not recommended).
- **Per-code attempt limit** (config `max_attempts`).
- **Cooldown** between requests (`cooldown_seconds_between_requests`).
- **Temporary account lock** after too many failures (`lock_minutes_after_max`). Lock status is tracked in `two_fa_settings.locked_until`.
- **IP & User-Agent logging** for every action in `two_fa_logs`.

> Tip: Add additional monitoring or alerts by listening to model events or querying `two_fa_logs`.
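
The controls listed above (keyed hash at rest, expiry, attempt limit, single use) fit together as in the following sketch, which is added here as an illustration and is not taken from the package's source. The function names, row layout and constant values are assumptions.

```php
<?php
// Added illustration, not the package's code; names and values are hypothetical.
const MAX_ATTEMPTS = 5;    // stands in for the `max_attempts` setting (constructed value)
const TTL_SECONDS  = 300;  // stands in for `self_generated_ttl` (constructed value)

function hashCode(string $code, string $appKey): string
{
    // Keyed hash: short numeric codes cannot be brute-forced from a leaked table alone.
    return hash_hmac('sha256', $code, $appKey);
}

function issueCode(string $appKey, int $length = 6, ?int $now = null): array
{
    $now ??= time();
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= (string) random_int(0, 9);   // CSPRNG, not rand()/mt_rand()
    }
    $row = [
        'hash'       => hashCode($code, $appKey),
        'expires_at' => $now + TTL_SECONDS,
        'attempts'   => 0,
        'used'       => false,
    ];
    return [$code, $row];   // plaintext goes to the sender callback; only $row is stored
}

function verifyCode(array &$row, string $input, string $appKey, ?int $now = null): string
{
    $now ??= time();
    if ($row['used'])                     { return 'used'; }
    if ($now > $row['expires_at'])        { return 'expired'; }
    if ($row['attempts'] >= MAX_ATTEMPTS) { return 'locked'; }
    $row['attempts']++;                   // count the attempt before comparing
    if (!hash_equals($row['hash'], hashCode($input, $appKey))) {
        return 'invalid';
    }
    $row['used'] = true;                  // a code is accepted once only
    return 'ok';
}

// Constructed walk-through: wrong guess, correct code, then reuse of the same code.
$key = 'constructed-app-key';
[$code, $row] = issueCode($key, 6, 1000);
$wrong = $code === '000000' ? '000001' : '000000';
var_dump(verifyCode($row, $wrong, $key, 1010));
var_dump(verifyCode($row, $code, $key, 1020));
var_dump(verifyCode($row, $code, $key, 1030));
```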

Middleware
----------

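An optional middleware `ESolution\Laravel2FA\Http\Middleware\Enforce2FA` is included. It blocks requests while the account is locked. Register it in `app/Http/Kernel.php` and apply it where needed. New Laravel 11 applications ship without `app/Http/Kernel.php`; there, middleware aliases are registered in `bootstrap/app.php` instead.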

```
protected $routeMiddleware = [
    // ...
    'enforce2fa' => \ESolution\Laravel2FA\Http\Middleware\Enforce2FA::class,
];
```

Database
--------

- `two_fa_settings`: per-user status, method (`totp` or `self`), secret, lock.
- `two_fa_codes`: self-generated codes, expiry, attempts, delivery channel.
- `two_fa_logs`: audit log of events.

Testing Locally
---------------

- Enable mail logging (e.g., `MAIL_MAILER=log`) to see email messages in logs.
- For SMS/WhatsApp, just bind callbacks that `Log::info()` the outbound text.

---

Support & Hiring
----------------

Need professional help or want to move faster? **Hire the E-Solution / Elgibor team** for integration, audits, or custom features.

---

Donations
---------

If this package saves you time, consider supporting development ❤️

- **Ko‑fi**: [ko-fi.com/U7U21L7D5J](https://ko-fi.com/U7U21L7D5J)

---

License
-------

Apache-2.0

