PHPBuilder - Implementing Two-Factor Authentication in PHP




Implementing Two-Factor Authentication in PHP

by: Voja Janjic | July 15, 2015

What is it?

Two-factor authentication is a type of authentication that "provides unambiguous identification of users by means of the combination of two different components." These authentication components could be something that the user knows, something that the user possesses or something that is inseparable from the user.

 

This method is a type of multi-factor authentication and provides an additional layer of security, because an attacker is unlikely to be able to supply both factors required for access. Many websites support two-factor authentication nowadays, including PayPal, Facebook, eBay, Yahoo and many others.

In this tutorial, you will learn how to implement two-factor authentication in PHP. The user will have to provide the correct username and password (something that the user knows), as well as a PIN from his/her mobile phone (something that the user possesses); both must be entered correctly in order to be authenticated.

 

Implementation in PHP

The easiest and fastest way to enable two-factor authentication on your website is to use Google Authenticator, which provides two-factor authentication for Google account logins as well as for other websites. The Google Authenticator app is available for Android, iPhone and BlackBerry and can generate codes according to either of two standards: Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP). For the PHP part, the Google2FA PHP package will be used.

Each user who wants to enable two-factor authentication will have to install the Google Authenticator mobile app. After that, the app needs to be linked to your website, which is done either by entering a secret code or by scanning a QR code. In other words, the website has to generate a different secret code for each user and store it in the database. First, we will use Composer to install the PHP package that will be used to generate the secret codes.

 

composer require pragmarx/google2fa

 

After that, let's instantiate the package:

 

use PragmaRX\Google2FA\Google2FA;
$google2fa = new Google2FA();

 

Now that the object is created, we can generate the secret key:

 

$secret = $google2fa->generateSecretKey();

 

The secret key should be generated once the user account has been created, stored in the database, and shown to the user on the settings page. A QR code can also be shown below the secret code:

// Builds a URL to Google's chart service that renders the otpauth:// QR code.
// The user's secret is part of that URL, so it is sent to a third party.
$qrcode_url = $google2fa->getQRCodeGoogleUrl(
    'My website',
    $user->email,
    $user->google2fa_secret
);

 

The $user variable is an object containing information about the user. To display the QR code, just do the following:

 

<img src="<?php echo htmlspecialchars($qrcode_url, ENT_QUOTES, 'UTF-8'); ?>" alt="Two-factor authentication QR code" />

To link the app with the website, the user either enters the secret code into the Google Authenticator app or scans the QR code. The app then shows a 6-digit PIN that is valid for 30 seconds and must be entered in the login form in order to be authenticated.

 

An example login form would look like this:

 

<form id="frm_login" name="frm_login" action="" method="post">
    <fieldset>
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" />
    </fieldset>
    <fieldset>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" />
    </fieldset>
    <fieldset>
        <label for="secret">PIN:</label>
        <input type="text" id="secret" name="secret" />
    </fieldset>
    <fieldset>
        <button type="submit" name="submit_btn">Login</button>
    </fieldset>
</form>

 

The PHP file that would receive the form data would validate the PIN the following way:

 

// Only reached after the username and password have already been verified.
$secret = isset($_POST['secret']) ? trim($_POST['secret']) : '';
// verifyKey() recomputes the current TOTP from the user's stored secret and compares it with the submitted PIN.
$valid = $google2fa->verifyKey($user->google2fa_secret, $secret);
if ($valid) {
    // PIN code is valid. Authenticate user
} else {
    // PIN code is invalid
}
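To see what verifyKey() does under the hood, here is an added example (it is not from the article or the google2fa package) of an RFC 6238 TOTP verifier in plain PHP 7: it decodes the base32 secret as stored in google2fa_secret, derives the 30-second HMAC-SHA1 code, and compares it in constant time over a small clock-drift window. The function names are my own, and the secret and timestamp at the bottom are the RFC 6238 Appendix B test vector.

```php
<?php
// Added example: minimal RFC 6238 TOTP verifier; secret is base32 (as in google2fa_secret), 6 digits per 30 s.
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing partial bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}
function totp_code(string $b32secret, int $timestamp, int $period = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($timestamp, $period)); // 8-byte big-endian step count
    $hmac = hash_hmac('sha1', $counter, base32_decode_rfc4648($b32secret), true);
    $offset = ord($hmac[19]) & 0x0f;                     // RFC 4226 dynamic truncation
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}
function totp_verify(string $b32secret, string $submitted, int $now, int $window = 1): bool
{
    // Accept the current step plus/minus $window steps to absorb clock drift; compare in
    // constant time so timing does not reveal how many digits matched.
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($b32secret, $now + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}
// RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" (base32 below), T = 59.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
if (totp_code($secret, 59) !== '287082') { throw new RuntimeException('mismatch with RFC test vector'); }
echo totp_verify($secret, '287082', 59) ? "PIN accepted\n" : "PIN rejected\n";
```

A verifier like this still needs the application to reject a code that has already been used within its window, which the library call above does not do for you either.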

 

And that's it. You can now enjoy the security benefits of two-factor authentication.

 
