PHPackages                             mchuluq/laravel-mfa - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. mchuluq/laravel-mfa

ActiveLibrary

mchuluq/laravel-mfa
===================

Multi-Factor Authentication package for Laravel with TOTP, Email OTP, and WebAuthn support

04PHP

Since Feb 11Pushed 3mo agoCompare

[ Source](https://github.com/mchuluq/laravel-mfa)[ Packagist](https://packagist.org/packages/mchuluq/laravel-mfa)[ RSS](/packages/mchuluq-laravel-mfa/feed)WikiDiscussions master Synced 1mo ago

READMEChangelogDependenciesVersions (1)Used By (0)

Laravel MFA (Multi-Factor Authentication)
=========================================

[](#laravel-mfa-multi-factor-authentication)

Multi-Factor Authentication package for Laravel 8+ with support for TOTP, Email OTP, and WebAuthn/Passkey.

Features
--------

[](#features)

- 🔐 **Multiple MFA Methods**: TOTP (Authenticator Apps), Email OTP, WebAuthn/Passkey
- 🎨 **Driver Pattern**: Easy to extend with custom drivers
- 🛡️ **Security First**: Rate limiting, backup codes, device remembering
- 🎯 **Middleware Based**: Simple integration as authentication layer
- 📱 **User Friendly**: Multiple methods per user, fallback options
- 🔧 **Highly Configurable**: Extensive configuration options
- 🎭 **Laravel 8+ Compatible**: Built specifically for Laravel 8

Requirements
------------

[](#requirements)

- PHP ^7.4 or ^8.0
- Laravel ^8.0
- MySQL/PostgreSQL/SQLite

Installation
------------

[](#installation)

### 1. Install via Composer

[](#1-install-via-composer)

```
composer require mchuluq/laravel-mfa
```

### 2. Publish

[](#2-publish)

```
php artisan vendor:publish --tag=mfa-config
php artisan vendor:publish --tag=mfa-migrations
php artisan vendor:publish --tag=mfa-vue
php artisan vendor:publish --tag=mfa-blade
php artisan migrate
```

### 3. Add Trait to User Model

[](#3-add-trait-to-user-model)

```
use Mchuluq\LaravelMFA\Traits\HasMFA;

class User extends Authenticatable
{
    use HasMFA;

    // ...
}
```

Configuration
-------------

[](#configuration)

Edit `config/mfa.php`:

```
return [
    'enabled' => true,

    'drivers' => [
        'totp' => [
            'enabled' => true,
            // ...
        ],
        'email_otp' => [
            'enabled' => true,
            // ...
        ],
        'webauthn' => [
            'enabled' => true,
            // ...
        ],
    ],

    // ...
];
```

Usage
-----

[](#usage)

### Protect Routes with MFA

[](#protect-routes-with-mfa)

```
// routes/web.php
Route::middleware(['auth', 'mfa'])->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index']);
    Route::get('/profile', [ProfileController::class, 'show']);
});
```

### Setup MFA for User

[](#setup-mfa-for-user)

```
// In your controller
public function enableTotp(Request $request)
{
    $user = auth()->user();

    // Setup TOTP
    $setup = mfa('totp')->setup($user);

    return view('mfa.setup.totp', [
        'qrCode' => $setup['qr_code'],
        'secret' => $setup['secret'],
        'backupCodes' => $setup['backup_codes'],
    ]);
}

public function verifyTotp(Request $request)
{
    $user = auth()->user();
    $code = $request->input('code');

    if (mfa('totp')->verify($user, $code)) {
        return redirect()->route('dashboard')
            ->with('success', 'MFA enabled successfully!');
    }

    return back()->withErrors(['code' => 'Invalid code']);
}
```

### Check MFA Status

[](#check-mfa-status)

```
// Check if user has MFA enabled
if ($user->hasMFAEnabled()) {
    // ...
}

// Get enabled methods
$methods = $user->getMFAMethods();

// Get primary method
$primary = $user->getPrimaryMFAMethod();
```

### Using Helper Functions

[](#using-helper-functions)

```
// Get MFA manager
$manager = mfa();

// Get specific driver
$totp = mfa('totp');

// Check if MFA is verified in session
if (mfa_verified()) {
    // User has verified MFA
}

// Check if user requires MFA
if (mfa_required()) {
    // Redirect to challenge
}
```

Available Drivers
-----------------

[](#available-drivers)

### 1. TOTP (Time-based One-Time Password)

[](#1-totp-time-based-one-time-password)

Works with authenticator apps like:

- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password

```
// Setup
$setup = mfa('totp')->setup($user);

// Verify
$isValid = mfa('totp')->verify($user, $code);

// Disable
mfa('totp')->disable($user);
```

### 2. Email OTP

[](#2-email-otp)

Send verification codes via email.

```
// Send challenge
mfa('email_otp')->challenge($user);

// Verify
$isValid = mfa('email_otp')->verify($user, $code);
```

### 3. WebAuthn / Passkey

[](#3-webauthn--passkey)

Hardware security keys and biometric authentication.

```
// Setup
$options = mfa('webauthn')->setup($user);

// Verify
$isValid = mfa('webauthn')->verify($user, $credential);
```

Security Features
-----------------

[](#security-features)

- **Rate Limiting**: Configurable max attempts and lockout
- **Backup Codes**: Emergency access codes for TOTP
- **Remember Device**: Optional trusted device feature
- **Session Timeout**: Automatic MFA session expiration
- **Audit Logging**: Track all MFA events

Events
------

[](#events)

Listen to MFA events:

```
use Mchuluq\LaravelMFA\Events\MFAEnabled;
use Mchuluq\LaravelMFA\Events\MFAVerified;
use Mchuluq\LaravelMFA\Events\MFAFailed;

// In EventServiceProvider
protected $listen = [
    MFAEnabled::class => [
        SendMFAEnabledNotification::class,
    ],
    MFAVerified::class => [
        LogMFAVerification::class,
    ],
];
```

License
-------

[](#license)

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

Credits
-------

[](#credits)

- [mchuluq](https://github.com/mchuluq)

###  Health Score

19

—

LowBetter than 10% of packages

Maintenance55

Moderate activity, may be stable

Popularity4

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity12

Early-stage or recently created project

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Community

Maintainers

![](https://www.gravatar.com/avatar/fd90760a78da54cd0c335ffb7428b1187c6d440f05cdfcd7332a410833d85dfb?d=identicon)[mchuluq](/maintainers/mchuluq)

---

Top Contributors

[![mchuluq](https://avatars.githubusercontent.com/u/3388761?v=4)](https://github.com/mchuluq "mchuluq (4 commits)")

### Embed Badge

![Health badge](/badges/mchuluq-laravel-mfa/health.svg)

```
[![Health](https://phpackages.com/badges/mchuluq-laravel-mfa/health.svg)](https://phpackages.com/packages/mchuluq-laravel-mfa)
```

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)