
hiqdev/yii2-mfa
===============

Multi-factor authentication for Yii2 projects


Yii2 MFA
========

**Multi-factor authentication for Yii2 projects**

This package provides:

- [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) - Time-based One-time Password Algorithm used for two factor authentication
- checking for user allowed IPs
- generation and checking recovery codes (PLANNED)

Uses:

- [robthree/twofactorauth](https://github.com/robthree/twofactorauth) for TOTP
- [hiqdev/php-confirmator](https://github.com/hiqdev/php-confirmator) for confirmation tokens

Can be plugged into any existing Yii2 project. See how it is used in [hiqdev/hiam](https://github.com/hiqdev/hiam).

Installation
------------

The preferred way to install this yii2-extension is through [composer](http://getcomposer.org/download/).

Either run

```
php composer.phar require "hiqdev/yii2-mfa"
```

or add

```
"hiqdev/yii2-mfa": "*"
```

to the require section of your composer.json.

Configuration
-------------

This extension provides pluggable configuration to be used with [composer-config-plugin](https://github.com/hiqdev/composer-config-plugin).

You can also use it the usual way, by copy-pasting the config. See [src/config/web.php](src/config/web.php) for a configuration example.

Available configuration parameters:

- `organization.name`

For more details please see [src/config/params.php](src/config/params.php).

Usage
-----

This plugin provides a behavior, and its configuration attaches that behavior to the user component on the `beforeLogin` event. The behavior then validates IPs and TOTP on every login.

To use this plugin, your `\Yii::$app->user->identity` class has to implement `hiqdev\yii2\mfa\base\MfaIdentityInterface` with all of its methods, which return or set the MFA properties. For example:

```
use hiqdev\yii2\mfa\base\MfaIdentityInterface;

class Identity implements MfaIdentityInterface
{
    // ...

    /**
     * @inheritDoc
     */
    public function getUsername(): string
    {
        return $this->username;
    }

    /**
     * @inheritDoc
     */
    public function getTotpSecret(): string
    {
        // An empty string is returned when no TOTP secret is stored.
        return $this->totp_secret ?? '';
    }

    // ...
}
```

The IP and TOTP functions are independent: you can provide just one of the properties to get only the corresponding functionality.

Usage with OAuth2
-----------------

There is also a configuration that provides MFA for OAuth2.

- Require the suggested `"bshaffer/oauth2-server-php": "~1.7"` package.
- Use `hiqdev\yii2\mfa\GrantType\UserCredentials` to configure the `/oauth/token` command to work via a TOTP code. For example:

  ```
  'modules' => [
      'oauth2' => [
          'grantTypes' => [
              'user_credentials' => [
                  'class' => \hiqdev\yii2\mfa\GrantType\UserCredentials::class,
              ],
          ],
      ],
  ]
  ```
- Extend your `Identity` class from `ApiMfaIdentityInterface`.
- Use the actions:

  ```
  POST /mfa/totp/api-temporary-secret - Provides temporary secret to generate QR-code
  POST /mfa/totp/api-enable - Enables totp
  POST /mfa/totp/api-disable - Disables totp
  ```

Back redirection
----------------

For any MFA route, you can add a GET param `?back=https://some.site.com`. After a successful operation, the user is redirected to that site. To avoid an open redirect vulnerability, you need to validate the `back` param.

This should be done with `\hiqdev\yii2\mfa\validator\BackUrlValidatorInterface`, which has a default implementation. You have to create your own implementation and register it in place of the default through the container definition:

config/web.php:

```
'container' => [
    'singletons' => [
        \hiqdev\yii2\mfa\validator\BackUrlValidatorInterface::class => \your\own\validator::class,
    ],
],
```
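
The check such a validator needs to make can be sketched as follows. This is an added example, not code from hiqdev/yii2-mfa: the class name, the `isAllowed()` method and the host list are hypothetical, and because the methods required by `BackUrlValidatorInterface` are not shown here, the logic has to be adapted to the interface's real signature.

```php
<?php
declare(strict_types=1);

/**
 * Added example: exact-host allowlist for the `back` GET parameter.
 * Hypothetical class and method names; requires PHP 8.0+.
 */
final class AllowlistBackUrlCheck
{
    /** @param string[] $allowedHosts exact, lower-case host names */
    public function __construct(private array $allowedHosts)
    {
    }

    public function isAllowed(string $url): bool
    {
        // Control characters, whitespace and backslashes can be normalised
        // differently by browsers and by parse_url(), so refuse them outright.
        if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
            return false;
        }
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false; // relative, scheme-relative ("//host") or malformed
        }
        if (strtolower($parts['scheme']) !== 'https') {
            return false; // javascript:, data:, plain http: and so on
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return false; // userinfo can disguise the real host
        }
        // Exact comparison only: no prefix, suffix or substring matching.
        return in_array(strtolower($parts['host']), $this->allowedHosts, true);
    }
}

// Constructed sample inputs; only the first one is accepted.
$check = new AllowlistBackUrlCheck(['some.site.com']);
foreach ([
    'https://some.site.com/profile',
    'https://some.site.com.other.example/',
    'https://some.site.com@other.example/',
    '//other.example/',
    'javascript:alert(1)',
    'http://some.site.com/',
] as $candidate) {
    printf("%-42s %s\n", $candidate, $check->isAllowed($candidate) ? 'allow' : 'reject');
}
```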

License
-------

This project is released under the terms of the BSD-3-Clause [license](LICENSE). Read more [here](http://choosealicense.com/licenses/bsd-3-clause).

Copyright © 2016-2018, HiQDev

