chregu / googleauthenticator.php Goto Github PK

The PHP builtin method rand() is used to generate the secret in https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L78. The PHP docs state «This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.»

I have used this code in 2 different site which sits in 2 different server with a time difference of 1 hr and the code generated in my mobila app matches with one server (both are in same timezone) and 2nd one site doesnt match the code at all but matches after an hour. (Note i have generated 2 different secret keys and mobile app has 2 different accounts respectively).

How to work this out?

Issues Addressed:

1. Added Issuer parameter to match the spec, separate from user
2. Proper encoding to handle spaces in Issuer name
3. made width and height optional parameters

Note: this may not be backward compatible given the way $domain was specified, but it does follow the Google spec located here........

https://github.com/google/google-authenticator/wiki/Key-Uri-Format

public function getUrl($issuer, $user, $secret, $width = 200, $height = 200) {
    $url =  sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s", rawurlencode($issuer), $user, $secret, rawurlencode($issuer));
    $encoder = sprintf("https://www.google.com/chart?chs=%dx%d&chld=M|0&cht=qr&chl=",$width,$height);
    $encoderURL = sprintf( "%s%s",$encoder, rawurlencode($url));

    return $encoderURL;

}

http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

How can I add two step authentication to this login system

Hello.

How I can sync GA app timing at the mobile with PHP script?

In the example I see:

$secret = 'XVQ2UIGO75XRUKJO';
$time = floor(time() / 30);
$code = "846474";

But in the GA app another timing ... And when I put code from GA app its valid. But when time is over in the GA app code still valid.

Thanks.

It looks like both the QR code URL and some formatting changes are needed to get this to work correctly. Working function as of November 29, 2012:

public function getUrl($user, $hostname, $secret) {
        $url =  sprintf("otpauth://totp/%s@%s?secret=%s", $user, $hostname, $secret);
        $encoder = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=";
        $encoderURL = $encoder . urlencode( sprintf( "otpauth://totp/%s@%s?secret=%s", $user, $hostname, $secret) );
        
        return $encoderURL;
        
    }

Allow passing 0 in the $time argument of getCode() method.

Currently it uses a !$time condition but it should be $time === null. 0 is a perfectly valid timestamp/counter value.

after scanning my barcode with the authenticator app, there is no header or title or name or whatever you want to call it, so that i can tell one OTP code in my list from another.

https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L31

The checkCode generator currently uses == to compare the user-provided code to the system generating code. It should be switched to use PHP's hash_equals function, which is able to perform the comparison in a way that does not leak timing data.

http://php.net/manual/en/function.hash-equals.php

This is important because the 30 second TOTP window is likely enough to make many attempts to validate a code. Because the project isn't under active maintenance, I would suggest adding a line to the readme referring people to a different TOTP library, such as:

https://github.com/Spomky-Labs/otphp

I'm getting this error with PHP version 5.3.21

Its this code:

        // Unpack it again
        $value = unpack('N', $result)[1];

Is there something I can do as a work-around? It works fine with php 5.6.18

Thanks!