
eustasy/authenticatron
======================

HOTP / TOTP secrets with corresponding QR links and code verification from a simple PHP script.

Latest release v4.1.1, MIT licence, PHP >= 8.2, CI passing.

[Source](https://github.com/eustasy/authenticatron) | [Packagist](https://packagist.org/packages/eustasy/authenticatron) | [GitHub Sponsors](https://github.com/eustasy) | [Fund](https://issuehunt.io/r/eustasy)

Authenticatron
==============


[![Normal (PHP)](https://github.com/eustasy/authenticatron/actions/workflows/php.yml/badge.svg)](https://github.com/eustasy/authenticatron/actions/workflows/php.yml) [![Normal (Security)](https://github.com/eustasy/authenticatron/actions/workflows/security.yml/badge.svg)](https://github.com/eustasy/authenticatron/actions/workflows/security.yml) [![Test (PHP)](https://github.com/eustasy/authenticatron/actions/workflows/test-php.yml/badge.svg)](https://github.com/eustasy/authenticatron/actions/workflows/test-php.yml) [Maintainability](https://qlty.sh/gh/eustasy/projects/authenticatron) [Code Coverage](https://qlty.sh/gh/eustasy/projects/authenticatron)

A simple PHP script to create HOTP / TOTP / Google Authenticator secrets, corresponding QR links and code verification.

Based on the original BSD 2 Licensed work found at [PHPGangsta/GoogleAuthenticator](https://github.com/PHPGangsta/GoogleAuthenticator)

Heavily modified to improve security and suit our needs.

Requirements
------------


- PHP >= 8.2
- `ext-gd` (e.g. `php8.x-gd`) for QR Code generation.
- [`jysperu/php-qr-code`](https://packagist.org/packages/jysperu/php-qr-code) — installed automatically via Composer.

Installation
------------


If you already use Composer, the [eustasy/Authenticatron](https://packagist.org/packages/eustasy/authenticatron) package is installed with a single command:

```
composer require eustasy/authenticatron
```

Require the class in your PHP code:

```
////    Import eustasy\Authenticatron with Composer
require_once __DIR__ . '/vendor/autoload.php';
use eustasy\Authenticatron;
```

Quick Implementation
--------------------


```
////    Create a new account
// Returns a secret (to be stored against the user), an otpauth:// URL (to be
// clicked on from a phone) and a QR code data URI (to be embedded in an <img>
// tag and scanned). The secret must be kept server-side for every future login.
$accountName = 'John Smith';
$issuer      = 'Example Site';
$account = Authenticatron::new($accountName, $issuer);
var_dump($account);
//  array(3) {
//    ["Secret"]=>
//    string(16) "6MZYWOOFVAKL7LQB"
//    ["URL"]=>
//    string(83) "otpauth://totp/Example Site: John Smith?secret=6MZYWOOFVAKL7LQB&issuer=Example+Site"
//    ["QR"]=>
//    string(630) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJQAAACUAQMAAABP8pKXAAAABlBMVEUAAAD///+l2Z/dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAABZklEQVRIia2WUY7DQAhDuQH3vyU3YP1MN+p33EnVJC9ShgGbSVVV66iZ1W/rM16z3u1pjdWobXDEyvc6MUl7vpRpFv2Pjv0N003pUBJy5nid0lYKnry8ZZTkazx1e8sojYKdGiaiUhOxZvmKWuGWNEQWIqYx3LB8zaPrjA36Lr97WAFpiBiyRpaFiKzMiGEYHkF0LusgYT281AK/CUNGBkjlWN7OScIkH5YPx4vSecYkG6RNd5i5gmXMvRBrY2p8nbGiQdBcB+NQ8IxhExLb7j5oIGN0RAKn5aDOj6dfs7Vf3GAdsXUZMN4odZNMp7M7ZGuIa/DzukcEzD0VFTWTrGNOGBsx5rMc6badMVd4bO6yOEO2t+7d6z63LwSMy/NLnx5dqPeMt6LvfR5m7PbQ67Ff2+hrZp9Qa9qO++xkzDUaWo/101sxOzFeydB4yrx9OtTJGd+Yrrc3gfsGCdiJ3NvKv6sT9gdy9gHcop2cdQAAAABJRU5ErkJggg=="
//  }

// Serve the QR code inline rather than through a third-party image service.
echo '<img src="' . htmlspecialchars($account['QR']) . '" alt="Scan with your authenticator app">';
```

```
////    Check a code
// When a code is entered, retrieve that user's stored secret and check them both.
$code   = $_POST['code'] ?? '';   // the six digits typed by the user
$secret = '6MZYWOOFVAKL7LQB';     // loaded from your user store, never from the client; literal here
if (Authenticatron::checkCode($code, $secret)) {
    // bool(true) - successful auth
} else {
    // bool(false) - failed auth
}
```

How it Works
------------


Unlike SMS codes, which are expensive to send and lack global deliverability, Google Authenticator (or any other TOTP app) needs no network connection at all to generate its codes. The user scans the generated QR code with their phone camera, and the app then produces a fresh six-digit second factor every 30 seconds.

It works by generating a 16-character base32 secret (80 bits of entropy), also called the seed, and embedding it together with identifying information (the account name and the issuer) in an `otpauth://` URL, which is rendered as a QR code. The app reads the code, stores the secret, and derives each time-restricted code by running HMAC-SHA1 over the current 30-second time step, as specified in RFC 6238. The website holds the same secret and performs the same computation, so the two sides produce matching codes without ever communicating again; the only things they need to share are the secret and a reasonably accurate clock.
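To make that description concrete, here is an added example in plain PHP. It is not Authenticatron's own code (the `TotpDemo` class and its method names are illustrative), but it walks the same path: draw a secret from `random_bytes`, base32-encode it, build the `otpauth://` URL that the QR code carries, and derive a code with HMAC-SHA1 over the time step exactly as RFC 4226 and RFC 6238 specify. It checks itself against the RFCs' published test vectors, which is also how you confirm any TOTP implementation interoperates with the phone apps.

```php
<?php
declare(strict_types=1);

// Added example: a minimal RFC 4226/6238 HOTP/TOTP core. Not Authenticatron's
// code; class and method names are illustrative.
final class TotpDemo
{
    private const BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

    // Fresh secret from the CSPRNG, rendered as base32 for the app to store.
    // 10 random bytes give the 16-character (80-bit) secret the README describes;
    // RFC 4226 requires at least 128 bits, so 20 bytes (32 characters) is the safer default.
    public static function newSecret(int $bytes = 20): string
    {
        return self::base32Encode(random_bytes($bytes));
    }

    public static function base32Encode(string $raw): string
    {
        $bits = '';
        foreach (str_split($raw) as $byte) {
            $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 5) as $chunk) {
            $out .= self::BASE32[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
        }
        return $out; // no '=' padding: authenticator apps do not need it
    }

    public static function base32Decode(string $encoded): string
    {
        $bits = '';
        foreach (str_split(strtoupper(rtrim($encoded, '='))) as $char) {
            $index = strpos(self::BASE32, $char);
            if ($index === false) {
                throw new InvalidArgumentException("Invalid base32 character: $char");
            }
            $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
        }
        $raw = '';
        foreach (str_split($bits, 8) as $byte) {
            if (strlen($byte) === 8) {   // drop trailing partial bits
                $raw .= chr(bindec($byte));
            }
        }
        return $raw;
    }

    // RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    public static function hotp(string $secret, int $counter, int $digits = 6): string
    {
        $hmac   = hash_hmac('sha1', pack('J', $counter), self::base32Decode($secret), true);
        $offset = ord($hmac[19]) & 0x0f;
        $binary = unpack('N', substr($hmac, $offset, 4))[1] & 0x7fffffff;
        return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
    }

    // RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
    public static function totp(string $secret, ?int $now = null, int $period = 30): string
    {
        return self::hotp($secret, intdiv($now ?? time(), $period));
    }

    // otpauth:// URL for the QR code. Label and issuer are percent-encoded with
    // rawurlencode() so spaces become %20, which every authenticator app accepts.
    public static function provisioningUrl(string $secret, string $account, string $issuer): string
    {
        return sprintf(
            'otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30',
            rawurlencode($issuer), rawurlencode($account), $secret, rawurlencode($issuer)
        );
    }
}

// Self-check against the RFC 4226 test vectors: the ASCII secret "12345678901234567890"
// (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) gives 755224 at counter 0 and 287082 at counter 1.
$rfcSecret = TotpDemo::base32Encode('12345678901234567890');
assert($rfcSecret === 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
assert(TotpDemo::hotp($rfcSecret, 0) === '755224');
assert(TotpDemo::hotp($rfcSecret, 1) === '287082');
// RFC 6238: at Unix time 59 the step counter is 1, so TOTP equals HOTP(1).
assert(TotpDemo::totp($rfcSecret, 59) === '287082');

// Enrolment flow: the secret goes in the database, the URL into a locally rendered QR code.
$secret = TotpDemo::newSecret();
echo TotpDemo::provisioningUrl($secret, 'John Smith', 'Example Site'), PHP_EOL;
echo 'Current code: ', TotpDemo::totp($secret), PHP_EOL;
```

The `assert()` calls only fire when `zend.assertions=1` (the development default); run the file under that setting to see the vectors pass. Everything after the secret leaves the server, so the `random_bytes` call and the local QR rendering are the two points where confidentiality is decided.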

Potential Flaws & How to Avoid them
-----------------------------------


### Secret Capture


If you hand the secret to a third-party service such as Google Charts to render the QR code, as some demos do, that service (and anything on the path to it) sees the secret, and the second factor is compromised from the very start. To avoid this, never let the secret leave your server in any form other than the enrolment page itself, and never cache the QR code as an image. Generate the PNG locally, embed it directly as a base64 data URI, send the page with `Cache-Control: no-store`, and serve it over HTTPS. [letsencrypt.org](https://letsencrypt.org) issues TLS certificates for free.

### Replay Attacks


Quickly re-using an intercepted code to gain access, taking advantage of the plus/minus one minute tolerance that verifiers allow for clock drift between phone and server: a code that has just been used successfully is still accepted for a short while afterwards.

> If a token is not marked as invalid as soon as it has been used an attacker who has intercepted the token may be able to quickly replay it to obtain access.

[Google TOTP Two-factor Authentication for PHP - idontplaydarts.com](https://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/)

To fix this, record every code that has been accepted for an account and refuse it a second time, keeping the record for at least twice the verification window, so that a code cannot be replayed anywhere in the span in which it would still validate.

### Brute Force


> If there is no upper limit on the number of attempts a user can make at guessing a token it may be possible to brute-force the one-time token.
>
> If the seed is too small and an attacker can intercept a few tokens it may be possible to brute-force the seed value allowing the attacker to generate new one-time tokens. For this reason Google enforces a minimum seed length of 16 characters or 80-bits.

[Google TOTP Two-factor Authentication for PHP - idontplaydarts.com](https://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/)

Brute forcing of codes is handled the same way as brute forcing of passwords: rate-limit and cap failed attempts per account. A six-digit code gives an attacker a one-in-a-million chance per guess, and a plus/minus one step window roughly triples that, so an endpoint with no limit falls in hours. Brute forcing the secret, or seed, requires intercepted codes to test guesses against, which is one more reason to serve everything over HTTPS; an 80-bit seed is also beyond practical offline search, but RFC 4226 requires at least 128 bits and recommends 160, and a longer secret costs nothing.
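Both mitigations in this section, the used-code log from Replay Attacks and the attempt limit from Brute Force, as one added example. This is not the library's code: `OtpGate`, its method names and the in-memory arrays are illustrative, and the arrays stand in for a store shared between web workers (a database or cache). The gate wraps whatever code check you use, in practice `Authenticatron::checkCode($code, $secret)`; it refuses any code already accepted for an account for twice the verification window, and locks an account after a burst of failures. The demonstration passes a constructed verifier that accepts one constant code, and fixed timestamps, so the run is deterministic.

```php
<?php
declare(strict_types=1);

// Added example: replay log plus failed-attempt limit around a code check.
// Not Authenticatron's code; names and the in-memory store are illustrative.
final class OtpGate
{
    /** @var array<string, array<string, int>> account => [code => expiry timestamp] */
    private array $usedCodes = [];
    /** @var array<string, int[]> account => timestamps of recent failures */
    private array $failures = [];

    public function __construct(
        private readonly int $period = 30,         // TOTP step length in seconds
        private readonly int $window = 1,          // steps accepted either side of "now"
        private readonly int $maxFailures = 5,     // failures allowed per account ...
        private readonly int $lockoutSeconds = 300 // ... within this many seconds
    ) {}

    /**
     * @param callable(string): bool $verify  the real check, e.g.
     *        fn(string $c): bool => Authenticatron::checkCode($c, $storedSecret)
     */
    public function attempt(string $account, string $code, callable $verify, ?int $now = null): bool
    {
        $now = $now ?? time();
        $this->expire($account, $now);

        // Brute force: refuse outright once the account has exhausted its attempts.
        if (count($this->failures[$account] ?? []) >= $this->maxFailures) {
            return false;
        }

        // Replay: a code that already logged in is refused while it could still
        // validate, so it is remembered for 2 * (2*window + 1) * period seconds.
        if (isset($this->usedCodes[$account][$code])) {
            $this->failures[$account][] = $now;
            return false;
        }

        if (!$verify($code)) {
            $this->failures[$account][] = $now;
            return false;
        }

        $ttl = 2 * (2 * $this->window + 1) * $this->period;
        $this->usedCodes[$account][$code] = $now + $ttl;
        unset($this->failures[$account]);   // success resets the counter
        return true;
    }

    public function isLocked(string $account, ?int $now = null): bool
    {
        $this->expire($account, $now ?? time());
        return count($this->failures[$account] ?? []) >= $this->maxFailures;
    }

    // Drop expired replay entries and failures older than the lockout window.
    private function expire(string $account, int $now): void
    {
        $this->usedCodes[$account] = array_filter(
            $this->usedCodes[$account] ?? [],
            fn(int $expiry): bool => $expiry > $now
        );
        $this->failures[$account] = array_values(array_filter(
            $this->failures[$account] ?? [],
            fn(int $t): bool => $t > $now - $this->lockoutSeconds
        ));
    }
}

// Demonstration with a constructed verifier (one constant code, standing in for
// Authenticatron::checkCode) and fixed timestamps so the run is deterministic.
$gate   = new OtpGate();
$verify = fn(string $code): bool => hash_equals('287082', $code);
$t0     = 1_700_000_000;

var_dump($gate->attempt('alice', '287082', $verify, $t0));        // true: first use
var_dump($gate->attempt('alice', '287082', $verify, $t0 + 20));   // false: replayed
var_dump($gate->attempt('alice', '287082', $verify, $t0 + 181));  // true: 180 s TTL has passed

// Five wrong guesses lock the account; even the right code is then refused
// until the failures age out of the 300 s lockout window.
foreach (['000000', '111111', '222222', '333333', '444444'] as $guess) {
    $gate->attempt('bob', $guess, $verify, $t0);
}
var_dump($gate->isLocked('bob', $t0));                            // true
var_dump($gate->attempt('bob', '287082', $verify, $t0 + 10));     // false: locked out
var_dump($gate->attempt('bob', '287082', $verify, $t0 + 301));    // true: lockout over
```

Keep `$window` here in step with the tolerance your verifier actually applies, since the replay TTL is derived from it. In a real deployment the two arrays must live somewhere every worker can see, and the lockout should be paired with a per-source rate limit: a per-account lockout on its own lets an attacker lock legitimate users out at will.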

Improvements over [PHPGangsta/GoogleAuthenticator](https://github.com/PHPGangsta/GoogleAuthenticator)
-----------------------------------------------------------------------------------------------------


- Fixes time-matching bug for better code recognition.
- Encodes URL to work best with Google Authenticator.
- Removes `rand` in favour of `random_bytes` for improved security.
- Returns base64 PNG rather than Google Chart to better obscure secret from snoopers.

With thanks to [RebThree's bug report](https://github.com/PHPGangsta/GoogleAuthenticator/issues/11).

How to Implement
----------------


Beyond the earlier warnings (use HTTPS so nothing is intercepted, and limit attempts to stop brute force) there is very little else to get wrong. Don't send the secrets to third parties; store them yourself, protected like any other credential. You need the plaintext secret every time a user logs in, so it cannot be hashed the way a password is; encrypt it at rest under a key that does not live in the same database. And allow each code to be used only once.
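One way to store the secret so that it is still usable on every login but unreadable from a database dump, as an added example that is not part of the library. It uses libsodium's XChaCha20-Poly1305 AEAD (bundled with PHP since 7.2) under a server-side key; `SecretVault` and its method names are illustrative, and the user id is bound in as associated data so that a sealed secret copied onto another user's row fails to open rather than silently authenticating the wrong person.

```php
<?php
declare(strict_types=1);

// Added example: sealing the TOTP secret at rest. Not Authenticatron's code;
// class and method names are illustrative. Requires ext-sodium.
final class SecretVault
{
    private string $key;

    // The key comes from outside the database: an environment variable here,
    // a KMS or HSM in larger deployments.
    public function __construct(string $keyHex)
    {
        $this->key = sodium_hex2bin($keyHex);
        if (strlen($this->key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('Vault key must be 32 bytes');
        }
    }

    // Returns base64(nonce || ciphertext || tag) for a TEXT column. The user id is
    // associated data: the row only opens for the user it was sealed for.
    public function seal(string $totpSecret, string $userId): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $box   = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($totpSecret, $userId, $nonce, $this->key);
        return base64_encode($nonce . $box);
    }

    public function open(string $stored, string $userId): string
    {
        $raw = base64_decode($stored, true);
        $n   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if ($raw === false || strlen($raw) <= $n) {
            throw new RuntimeException('Malformed stored secret');
        }
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, $n), $userId, substr($raw, 0, $n), $this->key
        );
        if ($plain === false) {
            throw new RuntimeException('Stored secret failed authentication (wrong key, tampering, or moved between users)');
        }
        return $plain;
    }
}

// Demo with a freshly generated key; in production read it from getenv('TOTP_VAULT_KEY').
$vault  = new SecretVault(sodium_bin2hex(sodium_crypto_aead_xchacha20poly1305_ietf_keygen()));
$stored = $vault->seal('6MZYWOOFVAKL7LQB', 'user:42');   // what goes in the users table
$secret = $vault->open($stored, 'user:42');              // what Authenticatron::checkCode() needs
var_dump($secret === '6MZYWOOFVAKL7LQB');                // true

try {
    $vault->open($stored, 'user:43');   // the same row copied onto another account
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;     // refused, not silently accepted
}
```

Rotating the vault key means re-sealing every row under the new key; keep a key id alongside the ciphertext if you expect to do that more than once.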

Allow fallbacks. As with password resets, a user who loses their phone needs a way back in, normally through their email address: send a single-use code there, or use the Acceptable function to issue a code that is valid for the next two or three minutes. Bear in mind that the second factor is then only as strong as that mailbox. Do NOT allow the second factor to be turned off without a full login.

References
----------


- [About 2-Step Verification - Google](https://support.google.com/accounts/answer/180744)
- [Install Google Authenticator - Google](https://support.google.com/accounts/answer/1066447)
- [Install on Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)
- [Install on iOS](https://itunes.apple.com/us/app/google-authenticator/id388497605)
- [Install on Blackberry](https://m.google.com/authenticator)



### Community

Maintainer: [lewisgoddard](https://github.com/lewisgoddard). Top contributors: lewisgoddard (339 commits), dependabot[bot] (14 commits).

---

Tags: 2fa, authentication, composer-packages, hotp, passwords, php, secret, security, totp, two-factor-auth, webauthn
