Easy Two Factor Authentication (2FA) with Google Authenticator & PHP
Implementing two factor authentication with PHP is easier than you think and is hugely beneficial for the security of your application.
In this article I show you how you can quickly implement 2FA with Google Authenticator (but is also compatible with other 2FA apps).
What is Two Factor Authentication?
2FA is nothing new. In fact it’s already been widely adopted by most major platforms (Facebook, Apple, Google etc) as a means of making account logins more secure.
Two Factor Authentication, also known as 2FA, two step verification or TFA (as an acronym), is an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand — such as a physical token.
So how does the user get the code?
- Historically this required the user to carry a widget or card reader device (in the case of bank accounts) on their person, to generate a unique code.
- Recently a popular method has been sending the user an SMS with a one time use code.
However there are other options…
How Google Authenticator works
Google Authenticator is a free app for your smart phone that generates a new code every 30 seconds. It works like this:
- When enabling 2FA, the application you’re securing generates a QR code that user’s scan with their phone camera to add the profile to their Google Authenticator app.
- Your user’s smart phone then generates a new code every 30 seconds to use for the second part of authentication to the application.
Implementing Google Authenticator on your website using PHP
The easiest way to do this is to use an open source composer package to do the tricky stuff for you:
https://packagist.org/packages/pragmarx/google2fa
You’ll use the library to:
- Generate a secret key for each user
- Generate the QR code for your user to scan when they enable 2FA.
- Verify that the code entered is valid at login.
Generating the Secret Key
Each user needs to have a “secret key” stored against their account (for example, a column in the database table where you store your user account information).
This key is used to generate the QR code that they scan, then subsequently to verify that the code they enter at login is correct.
Here’s the PHP that you need:
$google2fa = new \PragmaRX\Google2FA\Google2FA();
$secret = $google2fa->generateSecretKey();// Now store the key in your database
Note: although the secret key appears to be just a text string, to be compatible with Google Authenticator it has to be a Base32 string. That’s why the most reliable route to generate the key is to use the library because it takes care of all of that for you.
Generating the QR Code
Using the same library, we can generate the text string that makes up the QR code. Then we can use a public API to generate a QR code image.
$google2fa = new \PragmaRX\Google2FA\Google2FA();
$text = $google2fa->getQRCodeUrl(
'example.com',
$username,
$secret_key
);
$image_url = 'https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl='.$text;echo '<img src="'.$image_url.'" />';
Verifying entered codes
When the user logs in, you can then verify the code they’ve entered is valid by using their secret key and the code they entered into your UI.
$google2fa = new \PragmaRX\Google2FA\Google2FA();if ($google2fa->verifyKey($secret_key, $user_provided_code)) {
// Code is valid} else { // Code is NOT valid}
While Google Authenticator might not be the most desirable 2FA method for your customers, there’s no reason you can’t implement it for staff or administrators when it’s this easy.
