Two Factor Authentication using Google Authenticator in PHP

Introduction

This tutorial will guide you through implementing Two Factor Authentication (2FA) using Google Authenticator in PHP. 2FA adds an extra layer of security to your applications by requiring a second form of verification beyond just a password. This method is widely used and enhances the security of user accounts.

Step 1: Set Up Your Project

• Create a new PHP project or open an existing one.
• Ensure you have a web server running (like XAMPP, WAMP, or MAMP).
• Install the Google Authenticator library to handle the 2FA functionality. You can use the following command if you're using Composer:

composer require "sonata-project/google-authenticator"

• Include the library in your PHP file:

require 'vendor/autoload.php';
use Sonata\GoogleAuthenticator\GoogleAuthenticator;

Step 2: Generate a Secret Key

• When a user registers or opts into 2FA, generate a secret key. This key will be unique for each user and will be used to generate time-based codes.

$g = new GoogleAuthenticator();
$secret = $g->generateSecret();

• Store this secret key securely in your database associated with the user's account.

Step 3: Create a QR Code for the User

• To make it easy for users to set up Google Authenticator, generate a QR code that they can scan.

$qrCodeUrl = $g->getURL('username@example.com', 'YourAppName', $secret);

• Use an image library or an API to create and display the QR code to the user. A common choice is the endroid/qr-code library.

use Endroid\QrCode\QrCode;

// Generate QrCode
$qrcode = new QrCode($qrCodeUrl);
header('Content-Type: '.$qrcode->getContentType());
echo $qrcode->writeString();

Step 4: Verify the Code Entered by the User

• After the user has scanned the QR code and is prompted to enter a verification code, capture their input.

$code = $_POST['code']; // User input from a form

• Use the Google Authenticator library to verify the code against the stored secret key.

$isCodeValid = $g->checkCode($secret, $code);
if ($isCodeValid) {
    // Success: Code is valid
} else {
    // Failure: Code is invalid
}

Step 5: Implement Additional Security Measures

• Encourage users to enable backup codes for account recovery.
• Implement session management to log users out after a certain period of inactivity.
• Regularly review your security practices and update your code to ensure compliance with best practices.

Conclusion

By following these steps, you have successfully implemented Two Factor Authentication using Google Authenticator in PHP. This approach not only secures user accounts but also enhances trust in your application. Next steps could involve testing this implementation thoroughly and considering additional security features such as email notifications for login attempts.