PHPackages                             eloquent/otis - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. eloquent/otis

AbandonedArchivedLibrary[Authentication &amp; Authorization](/categories/authentication)

eloquent/otis
=============

One-time password / multi-factor authentication library for PHP.

0.3.0(12y ago)39582MITPHPPHP &gt;=5.3

Since Aug 26Pushed 11y ago1 watchersCompare

[ Source](https://github.com/eloquent/otis)[ Packagist](https://packagist.org/packages/eloquent/otis)[ Docs](https://github.com/eloquent/otis)[ RSS](/packages/eloquent-otis/feed)WikiDiscussions develop Synced 2w ago

READMEChangelog (3)Dependencies (7)Versions (5)Used By (0)

Otis
====

[](#otis)

*One-time password / multi-factor authentication library for PHP.*

[![The most recent stable version is 0.3.0](https://camo.githubusercontent.com/a95a4aa26a983eb94202d4fd9e327fbe3f3ea062c643634dc853465aca68b563/687474703a2f2f696d672e736869656c64732e696f2f3a73656d7665722d302e332e302d79656c6c6f772e737667 "This project uses semantic versioning")](http://semver.org/)[![Current build status image](https://camo.githubusercontent.com/1d71e93330f1961fcf0ae9617a8c826568113844cc9c0a0af96b37d0d9bcd90d/687474703a2f2f696d672e736869656c64732e696f2f7472617669732f656c6f7175656e742f6f7469732f646576656c6f702e737667 "Current build status for the develop branch")](https://travis-ci.org/eloquent/otis)[![Current coverage status image](https://camo.githubusercontent.com/9e3a45ed49b51468c2154de2b771fe9a3529396fbc807211acf00d2a849b74ed/687474703a2f2f696d672e736869656c64732e696f2f636f766572616c6c732f656c6f7175656e742f6f7469732f646576656c6f702e737667 "Current test coverage for the develop branch")](https://coveralls.io/r/eloquent/otis)

Installation and documentation
------------------------------

[](#installation-and-documentation)

- Available as [Composer](http://getcomposer.org/) package [eloquent/otis](https://packagist.org/packages/eloquent/otis).
- [API documentation](http://lqnt.co/otis/artifacts/documentation/api/) available.

What is *Otis*?
---------------

[](#what-is-otis)

*Otis* is a PHP library for implementing [one-time password](http://en.wikipedia.org/wiki/One-time_password) / [multi-factor authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication) systems. *Otis* provides generators and validators for both [TOTP](http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) (time-based passwords as defined in [RFC 6238](http://tools.ietf.org/html/rfc6238)) and [HOTP](http://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm)(counter-based passwords as covered in [RFC 4226](http://tools.ietf.org/html/rfc4226)). *Otis* supports all hashing algorithms (SHA-1, SHA-256, SHA-512).

In addition, *Otis* provides tools for generating the [URI format](https://code.google.com/p/google-authenticator/wiki/KeyUriFormat) understood by [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and other compatible OTP apps, as well as URIs for QR code generation services to further ease integration.

Usage
-----

[](#usage)

### Validating a TOTP password

[](#validating-a-totp-password)

```
use Eloquent\Otis\Totp\TotpValidator;

$validator = new TotpValidator;

$password = ''; // the password to validate
$secret = '';     // the shared secret

$result = $validator->validate($password, $secret);
```

### Validating an HOTP password

[](#validating-an-hotp-password)

```
use Eloquent\Otis\Hotp\HotpValidator;

$validator = new HotpValidator;

$password = ''; // the password to validate
$secret = '';     // the shared secret
$counter = 0;                 // current counter value

$result = $validator->validate($password, $secret, $counter, $newCounter);
if ($result) {
    $counter = $newCounter;
}
```

### Generating a Google Authenticator URI

[](#generating-a-google-authenticator-uri)

```
use Eloquent\Otis\GoogleAuthenticator\GoogleAuthenticatorUriFactory;

$uriFactory = new GoogleAuthenticatorUriFactory;

$uri = $uriFactory->createTotpUri('12345678901234567890', 'test.ease@example.org');
echo $uri; // outputs 'otpauth://totp/test.ease%40example.org?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
```

### Generating a Google Authenticator QR code URI

[](#generating-a-google-authenticator-qr-code-uri)

```
use Eloquent\Otis\GoogleAuthenticator\GoogleAuthenticatorUriFactory;
use Eloquent\Otis\QrCode\GoogleChartsQrCodeUriFactory;

$uriFactory = new GoogleAuthenticatorUriFactory;
$qrCodeUriFactory = new GoogleChartsQrCodeUriFactory;

$qrCodeUri = $qrCodeUriFactory->createUri(
    $uriFactory->createTotpUri('12345678901234567890', 'test.ease@example.org')
);
echo $qrCodeUri; // outputs 'https://chart.googleapis.com/chart?cht=qr&chs=250x250&chld=%7C0&chl=otpauth%3A%2F%2Ftotp%2Ftest.ease%2540example.org%3Fsecret%3DGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
```

### Validating a sequence of HOTP passwords

[](#validating-a-sequence-of-hotp-passwords)

```
use Eloquent\Otis\Hotp\HotpValidator;

$validator = new HotpValidator;

// the password sequence to validate
$passwords = array('', '', '');
$secret = '';      // the shared secret
$counter = 0;                  // current counter value

$result = $validator->validateSequence($passwords, $secret, $counter, $newCounter);
if ($result) {
    $counter = $newCounter;
}
```

Security considerations
-----------------------

[](#security-considerations)

When implementing an OTP system, the following points should be considered with care:

- Each password should only be considered valid once. This helps to avoid replay attacks. This is especially important for time-based passwords that may otherwise be considered valid for an entire time period. Keeping track of which one-time passwords have already been used in a successful validation is the only way to ensure a password is not re-used.
- The shared secret should be treated as sensitive information. When storing the secret on the server side, strong two-way encryption should be used. A solution such as [Lockbox](http://lqnt.co/lockbox) would be ideal.
- In order for time-based OTP systems to work well, there should be minimal differences in the system time of the server, and the OTP device in use. *Otis* defaults allow -1 to +1 time windows (a window is usually 30 seconds), but the validator can be configured to accept passwords from larger time windows.

Try *Otis*
----------

[](#try-otis)

*Otis* has a simple demonstration system. In order to run the demos, these instructions must be followed:

- [Install Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en) or a compatible OTP app.
- Clone the *Otis* repository.
- Install [Composer](http://getcomposer.org/) dependencies, including dev dependencies.
- Run `test/bin/totp` or `test/bin/hotp` depending on which type of OTP system is preferred.
- A link to a QR code image will be launched in the default browser.
- Scan this QR code with the OTP app.
- Return to the console and enter the passwords provided by the OTP app.

In addition, there is a test suite for determining the capabilities of OTP apps. In order to run the test suite follow these steps:

- Install [Composer](http://getcomposer.org/) dependencies as above.
- Run `test/bin/otp-test-suite`.
- The test suite will be launched in the default browser.

OTP app capabilities
--------------------

[](#otp-app-capabilities)

Not all OTP apps support the same features. Even [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) does not support all the features that its [URI format](https://code.google.com/p/google-authenticator/wiki/KeyUriFormat) is capable of expressing (and support varies across platforms).

For a table of OTP apps and their capabilities, see [OTP app capabilities](https://github.com/eloquent/otis/wiki/otp-app-capabilities) in the wiki.

###  Health Score

28

—

LowBetter than 52% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity23

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity51

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~75 days

Total

3

Last Release

4541d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/100152?v=4)[Erin](/maintainers/ezzatron)[@ezzatron](https://github.com/ezzatron)

---

Top Contributors

[![ezzatron](https://avatars.githubusercontent.com/u/100152?v=4)](https://github.com/ezzatron "ezzatron (52 commits)")

---

Tags

googleotpauthAuthenticationpassword2fatimemultiauthenticatoroathonetwofactor

### Embed Badge

![Health badge](/badges/eloquent-otis/health.svg)

```
[![Health](https://phpackages.com/badges/eloquent-otis/health.svg)](https://phpackages.com/packages/eloquent-otis)
```

###  Alternatives

[ellaisys/aws-cognito

AWS Cognito package that allows Auth and other related features using the AWS SDK for PHP

121242.9k1](/packages/ellaisys-aws-cognito)[remotemerge/totp-php

Lightweight, fast, and secure TOTP (2FA) authentication library for PHP — battle tested, dependency free, and ready for enterprise integration.

2115.4k](/packages/remotemerge-totp-php)[lorenzoferrarajr/lfj-opauth

LfjOpauth is a Zend Framework 2 module that enables support for many authentication providers through the Opauth framework.

2915.4k](/packages/lorenzoferrarajr-lfj-opauth)[kelunik/two-factor

Two factor authentication.

371.9k2](/packages/kelunik-two-factor)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
