theriftlab/laravel-mfa
======================

Bare-bones email-based 2FA using signed links.

v0.1.3-beta (3y ago) · PHP ^8.0 · Since Oct 19 · Pushed 3y ago

[Source](https://github.com/theriftlab/laravel-mfa) · [Packagist](https://packagist.org/packages/theriftlab/laravel-mfa)

Basic Laravel MFA
=================

Overview
--------

This is a bare-bones email-based 2FA package which can be configured to send out an email containing a signed link upon successful authentication. Any routes you place under the provided `mfa` middleware will be inaccessible until the link is clicked.

Installation
------------

```
composer require theriftlab/laravel-mfa
```

Optionally, publish the migration:

```
php artisan vendor:publish --tag=mfa-migrations
```

Then:

```
php artisan migrate
```

Setup
-----

### Add to User Model

First, you will need to mark your `User` model (or whatever model you are using for Auth) as ready for MFA:

```
+use Mfa\Contracts\MfaUser;
+use Mfa\Concerns\Mfa;
...

-class User extends Authenticatable
+class User extends Authenticatable implements MfaUser
{
    use HasApiTokens;
    use HasFactory;
+   use Mfa;
    use Notifiable;
    ...
}
```

### Add to Auth Flow

Due to the non-standard nature of Laravel's auth/login flow, it is up to you to decide where and when to trigger and end the MFA session using the `MfaAuth` facade, which expects an authenticated user to be present in order to work.

For example, in a [Breeze](https://github.com/laravel/breeze) setup, you might add these lines into `app/Http/Controllers/Auth/AuthenticatedSessionController`:

```
use Mfa\Facades\MfaAuth;

...

    public function store(LoginRequest $request)
    {
        $request->authenticate();
        $request->session()->regenerate();

+       if (MfaAuth::isActive()) {
+           MfaAuth::trigger();
+           return redirect()->route('mfa.sent');
+       }

        ...
    }

...

    public function destroy(Request $request)
    {
+       if (MfaAuth::isActive()) {
+           MfaAuth::logout();
+       }

        Auth::guard('web')->logout();
        ...
    }
```

### Configure & Add Views

The email containing the signed link is a very simple template, and can be published:

```
php artisan vendor:publish --tag=mfa-views
```

There are also two view files which you will need to implement: `resources/views/auth/mfa-sent.blade.php` and `resources/views/auth/mfa-invalid.blade.php`.

- `mfa-sent.blade.php` is shown when the user is first authorized by Laravel's default auth process and is waiting for the MFA signed link email. This template can optionally contain a link / button to POST to named route `mfa.resend`, which will resend the signed link email. The `$errors` session data will contain an error message if an invalid link is clicked, and `session('status')` will contain a message if the link email is resent. A logout link is also a good idea on this page to restart the whole process, in case the wrong account is logged in.
- `mfa-invalid.blade.php` is shown when the user is *not* authorized and an invalid link is clicked, and therefore any resend / logout options are not available.

**Note:** when the user is *not* authorized and a *valid* link is clicked from an email (e.g. the initial default auth session might have timed out), the user will be automatically logged in.

### Configuring Your Routes

Finally, on whichever routes you wish to protect with MFA, you can add the `mfa` middleware after `auth` - for example:

```
Route::get('/dashboard', function () {
    return view('dashboard');
})->middleware(['auth', 'mfa'])->name('dashboard');
```

This will redirect any user who has passed `auth` but has not yet completed MFA back to your `auth.mfa-sent` view.

Configuration
-------------

The default config is fairly self-explanatory and looks like this:

```
// Whether MFA is active
'active' => env('MFA_ACTIVE', true),

// How many minutes the signed link lasts before timing out
'link_timeout' => env('MFA_LINK_TIMEOUT', 60),

// How many chars long the generated code should be
'code_length' => env('MFA_CODE_LENGTH', 32),

// URL to redirect to when link has been authorized
'redirect_url' => env('MFA_REDIRECT_URL', '/'),

// Which model will be adopting the MfaUser functionality
'model' => env('MFA_MODEL', 'App\Models\User'),
```

You may publish the config file if you wish to change the defaults:

```
php artisan vendor:publish --tag=mfa-config
```
