Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Php Authenticator

Php Authenticator Laravel Package

chillerlan/php-authenticator

PHP 8.4+ library to generate and verify HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords, compatible with Google Authenticator-style apps. Includes optional Steam Guard time sync plus constant-time encoding helpers for safer key handling.


Generate secure HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords in PHP—compatible with common authenticator apps (Google Authenticator style) and suitable for 2FA flows. Designed for modern runtimes (PHP 8.4+) with optional integrations for stronger timing safety and accurate clock sync.

  • Supports counter-based (HOTP) and time-based (TOTP) OTP generation
  • Optional Steam Guard server time synchronization via ext-curl
  • Constant-time helpers via ext-sodium (fallback to paragonie/constant_time_encoding)
  • Composer-installable, lightweight, and focused on RFC-aligned behavior
Frequently asked questions about Php Authenticator
How do I integrate this package into a Laravel application for Google Authenticator-style 2FA?
Require the package with Composer (`composer require chillerlan/php-authenticator`). Bind `chillerlan\Authenticator\Authenticator` in `AppServiceProvider` so the options (digits, period, hash algorithm, verification window) live in one place, and inject it into your controllers or services. Prefer `bind()` over `singleton()`: the instance holds the current secret once `setSecret()` has been called, and a shared instance would carry one user's secret into the next request under a long-running runtime such as Octane. Use `createSecret()` to generate a secret, `getUri()` to build the `otpauth://` URI that becomes the QR code, and `verify()` to check the code the user types.
Does this package support Laravel’s authentication middleware (e.g., enforcing 2FA on login)?
Yes. Write a middleware that checks whether the current session has completed the 2FA challenge (for example a session flag that is set only after `verify()` succeeds) and redirects to the challenge page otherwise. Note the distinction: a secret stored in the database means 2FA is enabled for the account, not that this session has passed it. Register the middleware after Laravel's built-in `auth` middleware on the routes that need it, or apply the same check to API endpoints.
What Laravel versions are compatible with this package, given it requires PHP 8.4+?
Any Laravel release whose PHP constraint admits PHP 8.4 can install it; Laravel 11.x and 12.x list PHP 8.4 as supported. Laravel 10.x's `^8.1` constraint lets the install succeed, but PHP 8.4 is outside its supported matrix, so if you are on 10.x or older plan to upgrade Laravel along with PHP rather than only the runtime. The package itself uses nothing Laravel-specific; the container binding is the only integration point.
How should I store the 2FA secrets in the database for Laravel users?
Store the secret in a nullable column on `users` (e.g. `two_factor_secret`) and encrypt it at rest with the `encrypted` Eloquent cast or the `encrypt()` helper. Do not store it as plaintext: the secret is a shared symmetric key, and anyone who reads it can mint valid codes. Encryption only protects against a copy of the database, since the value is recoverable with `APP_KEY`, so guard and rotate that key accordingly. Keep secrets out of logs, error messages and API responses, and add a `two_factor_confirmed_at` timestamp so a secret that was generated but never confirmed with a valid code does not enable 2FA; a `revoked_at` column (or simply nulling the secret) covers rotation and revocation.
Can I generate QR codes for users to scan with Google Authenticator using this package?
Yes. `getUri()` takes a label (usually the account identifier) and an issuer and returns an `otpauth://totp/...` URI; render it with a QR library such as `endroid/qr-code` or `bacon/bacon-qr-code` and show it in a Blade view, or return it as a data URI from your API during onboarding. Render it on your own server: the URI contains the secret, so it must never be sent to a third-party QR-code web service or reach analytics or request logs.
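Putting the integration, storage and QR-code answers above together, here is an added example of an enrollment flow as three file excerpts; it is not code from the package or from this site. It assumes the package's v5-style API (`AuthenticatorOptions`, `createSecret()`, `setSecret()`, `getUri()`, `verify()`), a nullable `two_factor_secret` text column and a `two_factor_confirmed_at` timestamp on `users`, and `endroid/qr-code` for rendering; the column, route and view names are illustrative.

```php
// --- app/Providers/AppServiceProvider.php (inside register()) ---
// bind(), not singleton(): the Authenticator holds the current secret after setSecret(),
// so a shared instance would carry one user's secret into the next request under Octane.
use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};
use chillerlan\Authenticator\Authenticators\AuthenticatorInterface;

$this->app->bind(Authenticator::class, function (): Authenticator {
    $options            = new AuthenticatorOptions;
    $options->mode      = AuthenticatorInterface::TOTP;
    $options->digits    = 6;
    $options->period    = 30;
    $options->algorithm = AuthenticatorInterface::ALGO_SHA1; // what Google Authenticator-style apps expect
    $options->adjacent  = 1;                                 // accept one 30 s step either side for drift

    return new Authenticator($options);
});

// --- app/Models/User.php (excerpt) ---
// The shared secret is a symmetric key: encrypt it at rest (assumed column names).
protected $casts = [
    'two_factor_secret'       => 'encrypted',
    'two_factor_confirmed_at' => 'datetime',
];

// --- app/Http/Controllers/TwoFactorController.php ---
namespace App\Http\Controllers;

use chillerlan\Authenticator\Authenticator;
use Endroid\QrCode\QrCode;
use Endroid\QrCode\Writer\PngWriter;
use Illuminate\Http\Request;

class TwoFactorController extends Controller
{
    public function __construct(private readonly Authenticator $auth) {}

    // Step 1: mint a secret and park it in the session until the user proves the app has it.
    public function setup(Request $request)
    {
        $secret = $this->auth->createSecret(); // Base32, also usable for manual entry
        $request->session()->put('2fa.pending_secret', $secret);
        $this->auth->setSecret($secret);

        // label = account identifier, issuer = service name, as displayed in the authenticator app
        $uri = $this->auth->getUri($request->user()->email, config('app.name'));

        // Render locally: the URI contains the secret and must never go to a third-party QR service.
        $qr = (new PngWriter())->write(new QrCode($uri));

        return view('two-factor.setup', [
            'qr'     => $qr->getDataUri(), // data:image/png;base64,...
            'secret' => $secret,           // shown for manual entry when scanning is not possible
        ]);
    }

    // Step 2: persist the secret only after one valid code proves enrollment succeeded.
    public function confirm(Request $request)
    {
        $request->validate(['code' => ['required', 'digits:6']]);

        $secret = $request->session()->get('2fa.pending_secret');
        abort_if($secret === null, 400, 'No enrollment in progress');

        $this->auth->setSecret($secret);

        if (!$this->auth->verify($request->input('code'))) {
            return back()->withErrors(['code' => 'That code is not valid; check the app and try again.']);
        }

        $request->user()->forceFill([
            'two_factor_secret'       => $secret, // encrypted by the model cast
            'two_factor_confirmed_at' => now(),
        ])->save();
        $request->session()->forget('2fa.pending_secret');

        return redirect()->route('profile.show')->with('status', 'Two-factor authentication enabled.');
    }
}
```

Keeping the unconfirmed secret in the session rather than on the user row means an abandoned setup never half-enables 2FA, and `two_factor_confirmed_at` is the single signal the rest of the application should check.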
What happens if a user’s server time is out of sync for TOTP verification?
TOTP derives each code from the current UNIX time in 30-second steps, so the server clock must be accurate: run NTP on every host that verifies codes and, in a distributed setup, point all nodes at the same time source rather than relying on a cached offset. The library's `adjacent` option accepts codes from neighbouring time steps (one step either side by default) to absorb small drift on the user's phone; widening it multiplies the number of codes an attacker can guess. Also refuse to accept a code that has already been used within its window, as RFC 6238 (section 5.2) requires, so a captured code cannot be replayed. The Steam Guard mode's server-time sync (via ext-curl) exists to generate Steam's alphanumeric codes and is not a general replacement for NTP.
Is there a way to rate-limit failed 2FA attempts in Laravel?
Yes. Laravel's `throttle` middleware or the `RateLimiter` facade does the job; key the limit by user ID rather than by IP so an attacker cannot spread guesses across addresses, and keep the budget small: a 6-digit code has only one million values, and with a verification window of three steps a few thousand guesses already give a non-trivial chance of success. Count only failed verifications, clear the counter on success, and consider locking the account or alerting after repeated lockouts.
Does this package support backup codes or manual entry for users who can’t scan QR codes?
The package covers TOTP/HOTP only; backup codes are yours to implement. Generate a short list of random codes with `random_bytes()`, show them to the user once, and store only their hashes (`Hash::make()`), checking with `Hash::check()` and deleting each code after a single use, exactly as you would treat passwords. For manual entry, `getSecret()` returns the Base32-encoded secret that authenticator apps accept as a typed key.
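An added example (not the package's or this site's code) that combines the middleware, rate-limiting and backup-code answers above: a gate middleware, a rate-limited challenge endpoint and single-use hashed backup codes, as two file excerpts. It assumes an encrypted `two_factor_secret` column, a `two_factor_confirmed_at` timestamp and a JSON `two_factor_backup_codes` column with an `array` cast on `users`, the package's `setSecret()`/`verify()` methods, and illustrative route names.

```php
// --- app/Http/Middleware/EnsureTwoFactorPassed.php ---
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureTwoFactorPassed
{
    // Runs after `auth`: a confirmed secret means 2FA is enabled, the session flag means it was passed.
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        if ($user->two_factor_confirmed_at !== null
            && $request->session()->get('2fa.passed_for') !== $user->getAuthIdentifier()) {
            return redirect()->route('two-factor.challenge');
        }

        return $next($request);
    }
}

// --- app/Http/Controllers/TwoFactorChallengeController.php ---
namespace App\Http\Controllers;

use chillerlan\Authenticator\Authenticator;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\RateLimiter;

class TwoFactorChallengeController extends Controller
{
    private const MAX_ATTEMPTS  = 5;
    private const DECAY_SECONDS = 600;

    public function __construct(private readonly Authenticator $auth) {}

    public function store(Request $request)
    {
        $user = $request->user();
        // Key by user, not IP: five guesses per ten minutes however many addresses are used.
        $key = '2fa-challenge:'.$user->getAuthIdentifier();

        if (RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)) {
            $wait = RateLimiter::availableIn($key);

            return back()->withErrors(['code' => "Too many attempts; try again in {$wait} seconds."]);
        }

        $code = trim((string) $request->input('code', ''));

        if ($this->verifyTotp($user, $code) || $this->consumeBackupCode($user, $code)) {
            RateLimiter::clear($key);
            $request->session()->regenerate(); // fresh session id once the second factor is proven
            $request->session()->put('2fa.passed_for', $user->getAuthIdentifier());

            return redirect()->intended(route('dashboard'));
        }

        RateLimiter::hit($key, self::DECAY_SECONDS); // only failures count against the budget

        return back()->withErrors(['code' => 'Invalid code.']);
    }

    private function verifyTotp($user, string $code): bool
    {
        if ($user->two_factor_secret === null || !preg_match('/^\d{6}\z/', $code)) {
            return false;
        }

        $this->auth->setSecret($user->two_factor_secret); // decrypted by the model cast

        return $this->auth->verify($code);
    }

    // Backup codes are stored only as bcrypt hashes, and each one works exactly once.
    private function consumeBackupCode($user, string $code): bool
    {
        $hashes = $user->two_factor_backup_codes ?? [];

        foreach ($hashes as $i => $hash) {
            if (Hash::check($code, $hash)) {
                unset($hashes[$i]);
                $user->forceFill(['two_factor_backup_codes' => array_values($hashes)])->save();

                return true;
            }
        }

        return false;
    }

    // Issue eight fresh codes: return the plaintext for one-time display, persist only the hashes.
    public static function issueBackupCodes($user): array
    {
        $plain = [];
        for ($i = 0; $i < 8; $i++) {
            $plain[] = bin2hex(random_bytes(5)); // 10 hex characters, 40 bits of entropy each
        }

        $user->forceFill([
            'two_factor_backup_codes' => array_map(fn (string $c) => Hash::make($c), $plain),
        ])->save();

        return $plain;
    }
}
```

Both the TOTP and backup-code paths share one failure counter, so falling back to backup codes does not buy an attacker extra guesses, and regenerating the session id on success prevents a fixated pre-challenge session from inheriting the elevated state.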
How do I test TOTP verification in Laravel, especially for time-based codes?
The library reads the system clock directly, so Laravel's `travel()` helper and `Carbon::setTestNow()` have no effect on the codes it generates or verifies (they still govern `now()` in your own code, such as a `two_factor_confirmed_at` stamp). Instead, use the optional second argument of `code()` and `verify()`, a UNIX timestamp for TOTP or a counter for HOTP: generate a code for one fixed time and verify it at another to cover the verification window, expired codes and wrong input deterministically. Mock the `Authenticator` class only in tests of code that merely calls it; test the verification logic itself against real codes.
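An added PHPUnit example, not from the package or this site, for the testing and clock-skew answers above. It assumes the package's v5-style API, in particular that `code()` and `verify()` take an optional UNIX timestamp for TOTP and that `adjacent` is the option that sets the verification window; the secret and timestamp are constructed test values.

```php
// tests/Unit/TotpWindowTest.php
namespace Tests\Unit;

use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};
use chillerlan\Authenticator\Authenticators\AuthenticatorInterface;
use PHPUnit\Framework\TestCase;

class TotpWindowTest extends TestCase
{
    private const PERIOD = 30;
    // 1699999980 is an exact multiple of 30, so it is the first second of a time step (constructed value).
    private const T = 1_699_999_980;

    private function makeAuthenticator(int $adjacent): Authenticator
    {
        $options           = new AuthenticatorOptions;
        $options->mode     = AuthenticatorInterface::TOTP;
        $options->period   = self::PERIOD;
        $options->adjacent = $adjacent;

        $auth = new Authenticator($options);
        $auth->setSecret('JBSWY3DPEHPK3PXP'); // constructed Base32 test secret, not a real user's

        return $auth;
    }

    public function testCodeFromNeighbouringStepIsAcceptedWithinWindow(): void
    {
        $auth = $this->makeAuthenticator(adjacent: 1);

        // The user's phone is 30 s behind the server: one step back, still inside adjacent=1.
        $this->assertTrue($auth->verify($auth->code(self::T - self::PERIOD), self::T));
        // 30 s ahead is accepted just the same.
        $this->assertTrue($auth->verify($auth->code(self::T + self::PERIOD), self::T));
        // Two steps of drift fall outside the window and must be rejected.
        $this->assertFalse($auth->verify($auth->code(self::T - 2 * self::PERIOD), self::T));
    }

    public function testCodeIsStableWithinItsOwnStep(): void
    {
        $auth = $this->makeAuthenticator(adjacent: 1);

        // Every second of the same 30 s step yields the same code.
        $this->assertSame($auth->code(self::T), $auth->code(self::T + 29));
    }

    public function testTamperedCodeIsRejected(): void
    {
        $auth = $this->makeAuthenticator(adjacent: 1);
        $good = $auth->code(self::T);

        // Change the last digit: still well-formed, but no longer the code for any step in the window.
        $bad = substr($good, 0, 5).(((int) $good[5] + 1) % 10);

        $this->assertFalse($auth->verify($bad, self::T));
    }
}
```

Because every assertion pins both the generation time and the verification time, the tests pass identically on a CI runner whose clock is wrong, which is exactly the situation the clock-skew answer warns about.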
Are there alternatives to this package for Laravel 2FA, and why should I choose this one?
Alternatives include `pragmarx/google2fa` and `spomky-labs/otphp`, both RFC 4226/6238 implementations that fill the same role (`bacon/bacon-qr-code` and `endroid/qr-code` are QR renderers, not 2FA libraries, and pair with any of them). This package is a focused, RFC-aligned TOTP/HOTP implementation with few dependencies that slots into Laravel through the container alone, so choose it when you want the OTP primitive without a framework-specific layer. Whichever library you pick, the work around it (encrypted storage, rate limiting, replay protection, backup codes) is the same.