chregu / googleauthenticator.php
Use the Google Authenticator App and check the code with this PHP script
License: MIT License
Ported from http://code.google.com/p/google-authenticator/

You can use the Google Authenticator app from http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=1066447 to generate One Time Passwords/Tokens and check them with this little PHP app (of course, you can also create them with this). There are many real-world applications for that, but no one has implemented it yet.

See example.php for how to use it.

There's a little web app showing how it works in web/. Please make users.dat writeable for the webserver; it doesn't really work otherwise (it can't save the secret). Try to log in with chregu/foobar.

What's missing in the example:

* Prevent replay attacks. One token should only be used once
* Show QR Code only when providing password again (or not at all)
* Regenerate secret
The PHP builtin method rand() is used to generate the secret in https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L78. The PHP docs state «This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.»
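As an added example (not the project's code, and not what the linked line does), this is how a secret can be generated from a cryptographically secure source instead of rand() and then base32-encoded into the 16-character form the Authenticator app expects. It assumes PHP 7.0+ for random_bytes() and falls back to openssl_random_pseudo_bytes() on older versions; the function names generateSecret and base32Encode are mine.

```php
<?php
// Added example, not part of GoogleAuthenticator.php: a CSPRNG-backed secret
// generator. 10 raw bytes become 16 base32 characters, the length the
// project's example secret uses.

function generateSecret($bytes = 10)
{
    if (function_exists('random_bytes')) {
        // PHP 7.0+: reads from the OS CSPRNG, throws if none is available.
        $raw = random_bytes($bytes);
    } else {
        // Pre-7.0 fallback suggested by the PHP docs; refuse to continue
        // unless OpenSSL reports the bytes as cryptographically strong.
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw === false || !$strong) {
            throw new RuntimeException('No cryptographically strong randomness available');
        }
    }
    return base32Encode($raw);
}

// RFC 4648 base32 without '=' padding (the Authenticator app accepts unpadded
// secrets). Each 5-bit group maps to one alphabet character.
function base32Encode($raw)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($raw) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        // The final chunk may be shorter than 5 bits; pad it on the right.
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

// Usage: each call prints a fresh 16-character secret such as 'XVQ2UIGO75XRUKJO'.
echo generateSecret(), "\n";
```

Storing the secret server-side is unchanged by this; only the entropy source differs. With rand(), an attacker who can estimate the seed state can narrow down the secret, which defeats the second factor entirely.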
I have used this code on 2 different sites which sit on 2 different servers with a time difference of 1 hr, and the code generated in my mobile app matches with one server (both are in the same timezone), but the 2nd site doesn't match the code at all and only matches after an hour. (Note: I have generated 2 different secret keys and the mobile app has 2 different accounts respectively.)
How to work this out?
Issues Addressed:
Note: this may not be backward compatible given the way $domain was specified, but it does follow the Google spec located here:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format

public function getUrl($issuer, $user, $secret, $width = 200, $height = 200)
{
    // Key URI format: otpauth://totp/ISSUER:USER?secret=...&issuer=ISSUER
    // Both parts of the label are percent-encoded so that spaces or ':' in
    // the issuer or user name cannot break the label.
    $url = sprintf(
        "otpauth://totp/%s:%s?secret=%s&issuer=%s",
        rawurlencode($issuer),
        rawurlencode($user),
        $secret,
        rawurlencode($issuer)
    );
    // Google Chart QR encoder; the whole otpauth URI goes into the chl parameter.
    $encoder = sprintf("https://www.google.com/chart?chs=%dx%d&chld=M|0&cht=qr&chl=", $width, $height);
    $encoderURL = $encoder . rawurlencode($url);
    return $encoderURL;
}
http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
How can I add two-step authentication to this login system?
Hello.
How can I sync the GA app timing on the mobile with the PHP script?
In the example I see:

    $secret = 'XVQ2UIGO75XRUKJO';
    $time = floor(time() / 30);
    $code = "846474";

But in the GA app there is another timing ... And when I put in the code from the GA app it's valid. But when the time is over in the GA app the code is still valid.
Thanks.
It looks like both the QR code URL and some formatting changes are needed to get this to work correctly. Working function as of November 29, 2012:
public function getUrl($user, $hostname, $secret)
{
    // Label is user@hostname; the secret is the base32 string shown to the user.
    $url = sprintf("otpauth://totp/%s@%s?secret=%s", $user, $hostname, $secret);
    // The chart API wants the complete otpauth URI URL-encoded in chl.
    $encoder = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=";
    $encoderURL = $encoder . urlencode($url);
    return $encoderURL;
}
Allow passing 0 in the $time argument of getCode() method.
Currently it uses a !$time condition but it should be $time === null. 0 is a perfectly valid timestamp/counter value.
After scanning my barcode with the authenticator app, there is no header or title or name or whatever you want to call it, so that I can tell one OTP code in my list from another.
https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L31
The checkCode function currently uses == to compare the user-provided code to the system-generated code. It should be switched to use PHP's hash_equals function, which is able to perform the comparison in a way that does not leak timing data.
http://php.net/manual/en/function.hash-equals.php
This is important because the 30 second TOTP window is likely enough to make many attempts to validate a code. Because the project isn't under active maintenance, I would suggest adding a line to the readme referring people to a different TOTP library, such as:
I'm getting this error with PHP version 5.3.21
It's this code:
// Unpack it again
$value = unpack('N', $result)[1];
Is there something I can do as a work-around? It works fine with php 5.6.18
Thanks!
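The issues above touch four parts of the same verification path: the clock-skew report (a server one hour off never matches), the `!$time` check that rejects counter 0, the `==` comparison that should be `hash_equals`, and the `unpack(...)[1]` syntax that fails on PHP 5.3. The README also lists replay protection as missing. The following is an added example, not the project's checkCode or getCode, that shows one self-contained TOTP verifier handling all of these. It assumes the project's conventions (base32 secret, 30-second step, 6 digits, HMAC-SHA1) and PHP 5.6+ for hash_equals; the names base32Decode, totpCode and verifyCode are mine, and the secret used at the bottom is the one from the example quoted in the timing issue above.

```php
<?php
// Added example, not the project's code: a TOTP verifier (RFC 6238 over
// RFC 4226) with a skew window, replay protection and a constant-time compare.

// Decode the base32 secret shown to the user into raw HMAC key bytes.
function base32Decode($b32)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $pos = strpos($alphabet, $c);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character: ' . $c);
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {        // drop the trailing partial byte
            $raw .= chr(bindec($chunk));
        }
    }
    return $raw;
}

// One 6-digit code for a given counter (counter = floor(unix time / 30)).
function totpCode($secret, $counter, $digits = 6)
{
    // 8-byte big-endian counter; the high word stays zero for any realistic time.
    $msg = pack('N', 0) . pack('N', (int) $counter);
    $hash = hash_hmac('sha1', $msg, base32Decode($secret), true);
    // RFC 4226 dynamic truncation: low nibble of the last byte picks the offset.
    $offset = ord($hash[19]) & 0x0f;
    // Two statements instead of unpack(...)[1]: indexing a function result
    // directly is a PHP 5.4 feature, which is the parse error seen on 5.3.
    $parts = unpack('N', substr($hash, $offset, 4));
    $value = $parts[1] & 0x7fffffff;     // clear the sign bit (matters on 32-bit PHP)
    return str_pad($value % pow(10, $digits), $digits, '0', STR_PAD_LEFT);
}

// Returns the accepted counter, or false. $window = 1 tolerates +/-30 s of
// skew; a server an hour off (120 steps) is outside any sane window, which is
// why the second site in the report above only matches an hour later.
function verifyCode($secret, $code, $time = null, $window = 1, $lastCounter = -1)
{
    // === null rather than !$time, so a caller passing counter 0 is honoured.
    if ($time === null) {
        $time = floor(time() / 30);
    }
    for ($delta = -$window; $delta <= $window; $delta++) {
        $counter = (int) $time + $delta;
        // Replay protection: never accept a counter at or before the last one
        // that was already used for this secret (the caller persists it).
        if ($counter <= $lastCounter) {
            continue;
        }
        // hash_equals compares in constant time; == would also treat "0846"
        // and 846 as equal through numeric coercion, so both sides are strings.
        if (hash_equals(totpCode($secret, $counter), (string) $code)) {
            return $counter;
        }
    }
    return false;
}

// Demo with the secret from the timing issue's example (a test value, not a real account).
$secret = 'XVQ2UIGO75XRUKJO';
$now = (int) floor(time() / 30);
$code = totpCode($secret, $now);
$used = verifyCode($secret, $code);                        // int: the current step
var_dump($used !== false);                                  // bool(true)
var_dump(verifyCode($secret, $code, $now + 120));           // bool(false): server 1 h ahead
var_dump(verifyCode($secret, $code, null, 1, $used));       // bool(false): replay refused
var_dump(verifyCode($secret, totpCode($secret, 0), 0));     // int(0): counter 0 is valid
```

The caller stores the returned counter alongside the secret and passes it back as $lastCounter on the next attempt; that is the "one token should only be used once" item from the README. The skew window does not make the check weaker in the way the one-hour mismatch suggests: a deployment whose clocks drift by more than a step should fix NTP rather than widen $window, because every extra step in the window multiplies the number of codes accepted at once.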