One time password generator, validator, and qrcode generator that has no web dependencies (self-contained) in PHP

This started out as a straight drop-in class which you can still download from here, however it has been developed into a full admin/usercp system using the gentelella theme converted to smarty 3.

• The license for the gentelella theme is located inside /templates/gentelella/LICENSE.TXT and can be viewed here
• The method otp::GenerateQRCode() inside otp.class.php is based off code written in QR code class library for PHP4 / 5 ver. 0.50beta14 (C)2002-2013,Y.Swetake , and has been modified to output base64 encoded image as well as load data from the included sqlite database.
• Smarty is Licensed under LGPL

All other 3rd party libraries (jquery, jquery extensions, etc) and languages (javascript/ecma, css, etc) are under their respective licenses having attribution included in the respective file(s), or in the directory containing the file(s). Absense of said license does not mean that no license applies, but it is assumed the strongest license in this project would then apply where no other license is available. If a license file/attribution was not included and you believe this to be an error, please submit it as a bug report or pull request with any license details that may have been omitted.

Download the application, and set the appropriate values in config.inc.php, then run /app/install . If everything passes, the database will be installed if it doesn't exist, and a new user admin with the the password admin will be created using ACL 9999 which should give plenty of access levels to play with for lower level users or admins.

Once installed, all users and administrators have access to add an authenticator to their account, and edit the following basic settings for their own account : Name, Password, Email

This was tested and runs well on the following detailed lists of all modules and extensions loaded for Apache and PHP. Many of the modules or extensions come pre-loaded but since this varies between distributions, I have included a more comprehensive list which you can tweak.

• access_compat_module (shared)
• actions_module (shared)
• alias_module (shared)
• auth_basic_module (shared)
• authn_core_module (shared)
• authn_file_module (shared)
• authz_core_module (shared)
• authz_host_module (shared)
• authz_user_module (shared)
• autoindex_module (shared)
• core_module (static)
• deflate_module (shared)
• dir_module (shared)
• env_module (shared)
• fastcgi_module (shared)
• filter_module (shared)
• headers_module (shared)
• http_module (static)

Loaded Modules:

• log_config_module (static)
• logio_module (static)
• mime_module (shared)
• mpm_event_module (shared)
• negotiation_module (shared)
• rewrite_module (shared)
• setenvif_module (shared)
• socache_shmcb_module (shared)
• so_module (static)
• ssl_module (shared)
• status_module (shared)
• unixd_module (static)
• version_module (static)
• watchdog_module (static)

[PHP Modules]

• bcmath
• bz2
• calendar
• Core
• ctype
• date
• dba
• dom
• ereg
• exif
• fileinfo
• filter
• ftp
• gd
• gettext
• hash
• iconv
• json
• libxml
• mbstring
• mhash
• mysql
• mysqli
• mysqlnd
• openssl
• pcntl
• pcre
• PDO
• pdo_mysql
• pdo_sqlite
• Phar
• posix
• readline
• Reflection
• session
• shmop
• SimpleXML
• soap
• sockets
• SPL
• sqlite3
• standard
• sysvmsg
• sysvsem
• sysvshm
• tokenizer
• wddx
• xml
• xmlreader
• xmlwriter
• Zend OPcache
• zip
• zlib

[Zend Modules]

• Zend OPcache

This should not matter too much which database platform you choose either MariaDB or MySQL, however you will need it compiled with mysqlnd (native driver) support as well as compiled into PHP.

If an authenticator is not on the users account, the authenticator code field is disregarded. If any part of the credentials fail including if the authenticator code is invalid or not a valid scratch code, a generic message is displayed stating 'Invalid Credentials' so that no clue is given making it more difficult for an attacker to guess which part of the credential system was correct by messages such as 'Invalid Password'.

If no authenticator is on the users account

If an authenticator exists on the users account:

410 Gone instead of 404 for pages that do not have a valid modal. This script only checks for the physical existence of resource files (jpg, png, js, etc.) and denies any direct access to physical php/html/etc files. As you can see in the screenshot, if the physical resource file is missing, it will also trigger a 410 gone, showing the missing element and virtual path in the address bar.

400 error message for resources that the user does not have permission to access.