The lib work well on Android app but IOS.

Whatever I tried to change the keylength when I scan with my IPhone the error always appear: Invalid token barcode.

I have use package
composer require pragmarx/google2fa-laravel
composer require bacon/bacon-qr-code
and my reference url is - https://www.5balloons.info/two-factor-authentication-google2fa-laravel-5/

Is the "google2fa_secret" attribute the only one, I need to add to my user model?
-Regarding the middleware, is there some included already? I already read about middleware in the issue section.

Please use the paragonie/constant_time_encoding Composer package for doing Base32 encoding. It helps to prevent cache-timing attacks.

feature request: using qrcodejs to remove dependency simplesoftwareio/simple-qrcode

show QRCode is a front-end need, so it is reasonable to achieve it in Client Side with javascript.
qrcodejs is a perfect solution for this.
(leave the show QRCode task to the front-end guy 🎃 )
ext-gd and simplesoftwareio/simple-qrcode are heavy dependency for 2fa server side package

Google2FA.php, line 276 calls the function random_int(), a PHP 7 function...

http://php.net/manual/en/function.random-int.php

But the project is flagged as PHP 5.4+ compliant

The https://packagist.org/packages/symfony/polyfill-php56 package provides hash_equals function (when it's missing only) and therefore:

• the hash_equals(...) can be used instead of Str::equals(...)
• the whole Str class can be dropped, because it's only consists of that equals function

Dear contributors,

To allow this package to be adopted by other projects, I'm trying to move the license of this package from the original GPLv3 to something more permissive, like MIT, but I need you and the original developer (Phil), to approve it.

So, I'm listing all of you (up to today) and ask for a YAY/NAY comment in this thread, from each one of you.

If you have any questions or something to say about this change, please do.

If you have a really good understanding of licensing (which I do not), please jump in and help us.

• Phil - phil [at] xqi [dot] cc
• @antonioribeiro
• @barryvdh
• @GrahamCampbell
• @SebastianS90
• @aik099
• @medinae
• @taichunmin
• @jbrooksuk
• @drbyte
• @mikerockett
• @zhiyi7
• @PixellUp
• @bram1028
• @proshanto
• @cnanney
• @ashnewmanjones
• @kalfheim
• @it-can
• @tshafer
• @adeelx
• @ngyikp
• @domodwyer
• @leandro-lugaresi

It is a good practice to check if a generated secret key is unique in the User DB table, that is not yet assigned to another user (statistically is improbable, but not sure).

Software versions

PHP 7.2.8 (cli) (built: Jul 19 2018 12:15:24) ( NTS )
Composer version 1.7.2 2018-08-16 16:57:12

After composer require
get this

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: don't install pragmarx/google2fa v3.0.2
    - Conclusion: don't install pragmarx/google2fa v3.0.1
    - Conclusion: remove paragonie/random_compat v9.99.99
    - Installation request for pragmarx/google2fa ^3.0 -> satisfiable by pragmarx/google2fa[v3.0.0, v3.0.1, v3.0.2].
    - Conclusion: don't install paragonie/random_compat v9.99.99
    - pragmarx/google2fa v3.0.0 requires paragonie/random_compat ~1.4|~2.0 -> satisfiable by paragonie/random_compat[v1.4.0, v1.4.1, v1.4.2, v1.4.3, v2.0.0, v2.0.1, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, v2.0.15, v2.0.16, v2.0.17, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, v2.0.8, v2.0.9].
    - Can only install one of: paragonie/random_compat[v1.4.0, v9.99.99].
    - Can only install one of: paragonie/random_compat[v1.4.1, v9.99.99].
    - Can only install one of: paragonie/random_compat[v1.4.2, v9.99.99].
    - Can only install one of: paragonie/random_compat[v1.4.3, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.0, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.1, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.10, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.11, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.12, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.13, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.14, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.15, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.16, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.17, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.2, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.3, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.4, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.5, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.6, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.7, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.8, v9.99.99].
    - Can only install one of: paragonie/random_compat[v2.0.9, v9.99.99].
    - Installation request for paragonie/random_compat (locked at v9.99.99) -> satisfiable by paragonie/random_compat[v9.99.99].

First of all, thank you so much for merging and improving my PR (#50)!

But are you sure that this change in the specification is correct?

 public function it_verifies_keys_newer()
 {
   $this->verifyKeyNewer($this->secret, '512396', 26213401, 2, 26213400)->shouldBe(false);    // 26213400
-  $this->verifyKeyNewer($this->secret, '410272', 26213401, 2, 26213400)->shouldBe(false);    // 26213401
+  $this->verifyKeyNewer($this->secret, '410272', 26213401, 2, 26213400)->shouldBe(26213401);    // 26213401
   $this->verifyKeyNewer($this->secret, '239815', 26213401, 2, 26213400)->shouldBe(26213402); // 26213402
   $this->verifyKeyNewer($this->secret, '313366', 26213401, 2, 26213400)->shouldBe(false);    // 26213403
 }

For me it looks wrong, especially when looking at the example from the readme file:

$secret = $request->input('secret');

$timestamp = $google2fa->verifyKeyNewer($user->google2fa_secret, $secret, $user->google2fa_ts);

if ($timestamp !== false) {
    $user->update(['google2fa_ts' => $timestamp]);
    // successful
} else {
    // failed
}

There we store the returned timestamp into the user model, and take it from there for the next verifyKeyNewer call. The comparison therefore must be "strictly newer" and not "newer or equal".
With your change, the situation is as follows (assuming that timestamp 26213401 is in the window):

• The user provides the token 410272 which is for the timestamp 26213401. Assume that this timestamp is new, i.e. the check will pass.
• The verifyKeyNewer call returns 26213401, we store that timestamp into the user model.
• An attacker has witnessed the user entering credentials and otp token. He therefore knows the token. While still being in the window, he tries to login with correct credentials and the same token 410272.
• We check: $google2fa->verifyKeyNewer($user->google2fa_secret, 410272, 26213401), which returns 26213401 as specified by your changed test.
• The attacker therefore can login, reusing the already used token.

To resolve this, we either can:

• change the test to ->shouldBe(false) again and make sure that the implementation passes this test, or
• change the readme and instruct to increment the timestamp at some point, e.g.
  $user->update(['google2fa_ts' => $timestamp + 1]); (but this sounds less convenient)

I might be wrong, as I haven't yet found the time to thoroughly test your new version, but the changed test feels wrong for me.

Anyways, thanks a lot for the effort you put into maintaining this package and further improving it for Laravel 5.5.

I've been using this package in many projects now, and it's really strange that in the current one I'm on, when I push to production, the tokens are invalidated, though the secret and token are being sent properly.

Is there any known "tip" or something we should know of?

Thanks!

I have a new user which does not have an old timestamp, so when validation happens it returns true, should it not return the timestamp instead?

Here is what im doing :

        $valid = $this->google2FA->verifyKeyNewer(
            $request->user()->second_auth_secret,
            $request->get('token'),
            $request->user()->second_auth_updated_at ? $request->user()->second_auth_updated_at->timestamp : null
        );

// since valid is a true / false 
        if ($valid !== false) {

            $request->user()->update([
                'second_auth_active' => true,
                // this is a true or false currently 
                'second_auth_updated_at' =>$valid,
            ]);
        }

See: https://developers.google.com/chart/infographics/docs/qr_codes

Hi there! Yesterday I played a bit with G2FA and now have a question. (I don't know another place to ask and I know that the original code was made by a Phil …)

Background of my understanding

G2FA generates (default) every 30 secs (= keyRegeneration) a new OTP with a valid. time/period from now (= timeStamp) up to now + 4x30 secs (now is rounded down to the last 30st second).

Example one

now: 11:03:54
valid from: 11:03:30
valid up to: 11:05:30

Example two

now: 11:03:15
valid from: 11:03:00
valid up to: 11:05:00

Questions

Examples

With the above examples my expected valid up to-time is not true. My OTPs always are 30 secs longer valid.

example one = up to 11:06:00
example two = up to 11:05:30

→ So I'm missing something or is my understanding wrong?

My scenario

Is a scenario where OTPs are generated every second and are valid for 20 secs realisable/feasible. And if yes, how can I do it?

Tanks a lot for your help and best regards!

Thanks for the awesome work on this! I've implemented this package into Laravel and it works great!

I'm now trying to generate recover codes or back up codes. Like this page: https://support.google.com/accounts/answer/1187538?hl=en
How are you generating recovery codes (backup codes) incase a user doesn't have their phone?

I've looked through the code and have been thinking of different ways I can implement a recovery code list, but coming up empty handed.

Can the one time password method oathHotp be used in a loop to generate those codes?

you mention it is compatible with php 5.4 but the function random_int in base32 trait is only available in php7 and will return an error message

Class 'BaconQrCode\Renderer\Image\Png' not found

due to changes in BaconQrCode 2.0

Have an way to create a Backup list of codes, like if my user don't have the cellphone next, he/her can use one code of the list.

I have use package
composer require pragmarx/google2fa-laravel
composer require bacon/bacon-qr-code
and my reference url is - https://www.5balloons.info/two-factor-authentication-google2fa-laravel-5/

In the documentation it suggests using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    $user->email,
    $user->google2fa_secret
);

This generates a URL to Google Charts.
Using this URL creates a GET request which allows all of the information to sniffed.

Using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    'email',
    'OhHeyThe2faSecret'
);

Returns: https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany
If you decode the &chl= part you get: otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany

The QR code should be generated server side rather than being passed to a 3rd Party.

When I tried using no prefix:
$otp_secret = $google2fa->generateSecretKey(16);
It generates a usable secret, tested by Authy on iOS (manually key in the secret, or QR code scan)

When I tried using a blank prefix:
$otp_secret = $google2fa->generateSecretKey(16, '');
It generates a usable secret, tested by Authy on iOS (manually key in the secret, or QR code scan)

When I add a prefix prefix:
$otp_secret = $google2fa->generateSecretKey(16, 'm');
$otp_secret = $google2fa->generateSecretKey(16, 'mel');
$otp_secret = $google2fa->generateSecretKey(16, 'melvin');
All 3 lines yield an error, whether manually keying in the secret, or QR code scan.

Anybody else encounter this problem?

If you use a company new with a space it wil result in an invalid barcode.

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'My Company',
    $user->email,
    $user->google2fa_secret
);

There's a small error, where you register the facade, it points to ServiceProvider instead of Facade, so instead of:

'Google2FA' => 'PragmaRX\Google2FA\Vendor\Laravel\ServiceProvider',

It should be

'Google2FA' => 'PragmaRX\Google2FA\Vendor\Laravel\Facade',

Great package by the way, thanks.

Hello, can you add support for Laravel Catalyst Sentinel for the middleware

FYI: https://github.com/antonioribeiro/google2fa#use-a-bigger-key

Setting a 32-byte key (with prefix) results in an Invalid barcode error in the Google Authenticator app whereas 16-byte key seems to work fine.

use PragmaRX\Google2FA\Google2FA;

        $gFA = new Google2FA();

        $imageDataUri = $gFA->getQRCodeInline(
            $request->getHttpHost(),
            $user->email,
            $secret,
            200
        );

Class 'PragmaRX\Google2FA\Google2FA' not found
How to fix for Laravel 5.3 ?

I have sort of the same problem as what JordyKroeze had. Even if I have entered the TOTP from Authenticator Plus after I scanned the QR code, it only generate Uncaught Error: Call to a member function input() on null in .... Why?

Here's is my current code:

use PragmaRX\Google2FA\Google2FA;

$google2fa = new Google2FA();
$tfa_secretkey = $google2fa->generateSecretKey();
$input = $_POST['textfield-verify-code'];    # This is the input that the user enters theirs TOTP
$secret = $request->input($input);
$window = 8;
$valid = $google2fa->verifyKey($tfa_secretkey, $secret, $window);

echo $valid;

This is my code, i am unable to figure out why $vaild is returning false every time.

<?php

$user = array('email' =>'[email protected]','google2fa_secret'=>$google2fa->generateSecretKey(16));

$google2fa->setAllowInsecureCallToGoogleApis(true);

$google2fa_url = $google2fa->getQRCodeGoogleUrl(
    'Redipay.com',
    $user['email'],
    $user['google2fa_secret']
);

//print_r($user);
/// and in your view:

echo '<img src="'.$google2fa_url.'" alt="">';


//print_r($_POST);
if($_POST['Verify']){

echo 'secret Submitted by you' . $_POST['secret'];

$secret = $_POST['secret'];

$valid = $google2fa->verifyKey($user['google2fa_secret'], $secret, 8);

if($valid){
	
	echo 'code is valid';

}else{
	echo "Please provide Correct information.";
}

}


?>


<form action="" method="POST" >
	<input type="text" name="secret" class="form-control col-sm-6" placeholder="enter your secret code" />
	<button type="submit" name="Verify" value="Verify">Verify</button>
</form>

I keep getting invalid QR codes when using default settings on Laravel 5.4.
Here is my code:

/**
     * Generate a new 2FA key.
     *
     * @return void
     */
    public function setup2FA(Google2FA $google2fa)
    {
        $user = Auth::user();
        $google2fa_secret = $google2fa->generateSecretKey();
        $google2fa_url = $google2fa->getQRCodeGoogleUrl(
            config('app.name', 'Laravel'),
            $user->email,
            $user->google2fa_secret
        );

        return view('2fa.setup', ['google2fa_secret' => $google2fa_secret, 'google2fa_url' => $google2fa_url]);
    }

I should note that I am using the Microsoft Authenticator app on Windows 10 mobile, but my coworker is having the same issue using Google Authenticator on Android.
Also the Secrets themselves work just fine, if entered manually.
What gives?

You say at the bottom that the license is BSD-3, but the badge at the top of the README file says MIT. Guessing the MIT one is wrong at the top?

I just added the package to my laravel application and the QR code is displaying correctly.
But when i scan the code it gives me url instead of OTP without any otp.
Infact when i scan the QR code on this page https://antoniocarlosribeiro.com/technology/google2fa it also gives me url without any otp.

Do we need any specific scan app to scan this QR??

Hello,

When i follow the readme i get a QRcode and everyting.

But i get this error if i try to check the code.

Notice: Undefined variable: request in FILENAME on line 30

Fatal error: Call to a member function input() on a non-object in FILENAME on line 30

Line 30 is this (Changed my secretkey)
$secret = $request->input('abcdef');

Where is this request variable coming from ?

While composer.json states "BSD-3-Clause" (as the LICENSE file), the file header states "GPLv3+"

Can you please clarify ?

The return type of getTimestamp is specified to be int.
But the value returned is the result from floor, and that is float (see documentation).

You even test that the value is a float.

Can we make that consistent, please?

• Return int
  • Insert a cast to int in getTimestamp
  • Adjust the test to check is_int
• Return float
  • Fix @return annotation in interface and class

I can do a pull request for either choice if you tell me which way to go. In my opinion, int is better here because the value is floored anyways and even a 32 bit signed integer for a unix timestamp divided by 30 will be enough for almost another 2000 years - and by that time everyone should have switched to a system aware of 64 bit integers 😄

Please help me, I have added provider 'PragmaRX\Google2FA\Vendor\Laravel\ServiceProvider' and 'Google2FA' => PragmaRX\Google2FA\Vendor\Laravel\Facade::class in alias, but I get this error. I have to tried with "composer update, composer install, php artisan vendor:publish" but it 's not fixed.

Laravel 5.4 Php 5.6

$user = User::first();
$google2fa = new Google2FA();
$code_from_app = "332117";

$valid = $google2fa->verifyKey($user->google2fa_secret, $code_from_app);

Throwing error : Default value for parameters with a class type hint can only be NULL

I had some search and found that php-cs-fixer issue it requires PHP 7.1 but i haven't used that and for this library min PHP version require is 5.4 So, please look into this issue.

Thanks

I'm getting this error with either 5.4 or 5.5 Laravel versions:

"Class pragmarx.google2fa does not exist"

Already tried composer update... Any ideia?

Hi have a bug when using spaces in company name or holder.

I seen that this issue is fixed but not yet released.

After analysing your fix, I can see that you made a rawurlencode on company but not holder name. Why is that? The holder name can also have spaces.

See: https://github.com/antonioribeiro/google2fa/blob/master/src/Google2FA.php#L311

Thanks

Verifying old tokens which has been used minutes ago get validated. Is there some way to disable old keys?

Hello,

regarding QRCode::getQRCodeGoogleUrl. I don't think it is a good idea to use an external service for showing the qr code containing the secret key. Shouldn't this secret key be only in the hands of the one to be authenticated? If you use this method, also an external service gets this secret information.

A major security flaw imho.

Kind Regards

If this package had middleware you could require 2fa for certain routes (like /admin & /settings) or all routes.

It would redirect to a screen to enter that info then redirect back to the intended resource just like login.

It would be nice if we could use the Laravel form validator to check whether the given token code is valid.

The Google2FA::generateSecretKey method internally uses Google2FA::getRandomNumber, which uses mt_rand function. According to its documentation (see http://php.net/mt_rand) it should not be used in security-related contexts.

Since current usage exactly qualifies as security related context I'm proposing to:

1. use https://packagist.org/packages/paragonie/random_compat package to get random_int function, that was added only in PHP 7
2. use random_int instead of mt_rand

If you're interested I can send a PR.

i change value from 30second such as 25,45 to reduce lifetime of generate code but it not work

help me please i am newbie for google2FA

Hello i don't want to use bacon/bacon-qr-code package for some reason
is there a way to replace it using this https://github.com/SimpleSoftwareIO/simple-qrcode package instead ?

I am experiencing an issue in Laravel 5.2 after registering this class.

I installed the package with composer, registered it in app.php. I also did a composer dumpautoload and cleared the cache with artisan, but I still get this error each time. I can see the files exist in vendor and all looks good there. I have also manually deleted the cache thinking that could have been the issue but no luck so far.

`# php artisan config:cache

[Symfony\Component\Debug\Exception\FatalThrowableError]
Class 'PragmaRX\Google2FA\Vendor\Laravel\ServiceProvider' not found`

Is this release planned. Anything I can help with?

The events files on google2fa-laravel/src/events not work for me on laravel 5.2.45, then i upgrade to 5.3 and still not work, i try to delete the Dispatchable and everything works fine, but i dont know how this affect other things... The event request example working for me are this

The .travis.yml says to use phpunit, but tests are written using PHPSpec and therefore vendor/bin/phpspec run command should be used instead.