README

This library provides HMAC and time-based one-time password functionality as defined by RFC 4226 and RFC 6238 for PHP 5.3+.

Install

Via Composer

$ composer require rych/otp

Usage

The library makes generating and sharing secret keys easy.

<?php

use Rych\OTP\Seed;

// Generates a 20-byte (160-bit) secret key
$otpSeed = Seed::generate();

// -OR- use a pre-generated string
$otpSeed = new Seed('ThisIsMySecretSeed');

// Display secret key details
printf("Secret (HEX): %s\n", $otpSeed->getValue(Seed::FORMAT_HEX));
printf("Secret (BASE32): %s\n", $otpSeed->getValue(Seed::FORMAT_BASE32));

When a user attempts to login, they should be prompted to provide the OTP displayed on their device. The library can then validate the provided OTP using the user's shared secret key.

<?php

use Rych\OTP\HOTP;

$otpSeed = $userObject->getOTPSeed();
$otpCounter = $userObject->getOTPCounter();
$providedOTP = $requestObject->getPost('otp');

// The constructor will accept a Seed object or a string
$otplib = new HOTP($otpSeed);
if ($otplib->validate($providedOTP, $otpCounter)) {
    // Advance the application's stored counter
    // This bit is important for HOTP but not done for TOTP
    $userObject->incrementOTPCounter($otplib->getLastValidCounterOffset() + 1);

    // Now the user is authenticated
}

Time-based OTPs are handled the same way, except you don't have a counter value to track or increment.

Change log

Please see CHANGELOG for more information what has changed recently.

Testing

$ vendor/bin/phpunit -c phpunit.dist.xml

Security

If you discover any security related issues, please email rchouinard@gmail.com instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.