Php Authenticator Laravel Package

chillerlan/php-authenticator

PHP 8.4+ library to generate and validate HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords—Google Authenticator compatible. Includes Steam Guard server time sync (cURL) and constant-time encoding/hex helpers (Sodium or fallback).


A generator for counter- and time-based 2-factor authentication codes (Google Authenticator). PHP 8.2+

Frequently asked questions about Php Authenticator
How do I integrate this package into Laravel’s authentication system?
Use Laravel’s service container to bind the `Authenticator` class in your `AuthServiceProvider`. Configure options like digits (6) and period (30 seconds) in `config/auth.php`, then inject the authenticator into controllers or middleware. For example, bind it as a singleton with custom options for TOTP or HOTP modes.
Does this package support Laravel 10+ and PHP 8.4+?
Yes, the package requires PHP 8.4+ and is fully compatible with Laravel 10+. Ensure your Laravel version supports PHP 8.4, as older versions (e.g., Laravel 9) may not meet the PHP requirement. Test thoroughly in your environment to confirm compatibility with other dependencies.
How should I store user secrets securely in the database?
Store secrets as Base32-encoded strings in a column like `otp_secret` in your `users` table. For extra security, encrypt the column using Laravel’s encryption or a dedicated secrets manager like Hashicorp Vault. Avoid plaintext storage to mitigate risks of database breaches.
Can I use this for Steam Guard or Battle.net authentication?
Yes, the package supports Steam Guard mode via the `SteamGuardAuthenticator` class, which requires `ext-curl` for server time synchronization. Configure it with `AuthenticatorOptions` and set the `mode` to `SteamGuard`. This is ideal for game-related or high-security applications requiring counter-based OTPs.
What happens if a user loses their 2FA device? How do I implement backup codes?
Backup codes should be generated once during setup and stored securely (e.g., encrypted JSON in the database). Implement a manual verification flow where users can input backup codes if their primary 2FA method fails. Use Laravel’s encryption to protect these codes and log their usage for audit purposes.
How do I generate QR codes for Google Authenticator setup?
Use a QR code library such as `endroid/qr-code` or `chillerlan/php-qrcode` to generate the QR code from the otpauth URI, which carries the Base32 secret together with the user's email/username as the label and your application as the issuer. In Laravel, render it in a Blade view. Example with `chillerlan/php-qrcode`: `$svg = (new QRCode)->render($authenticator->getUri($user->email, config('app.name')));`
Is there a way to cache OTPs for better performance?
Yes, cache OTPs using Laravel’s cache system (e.g., Redis or file cache) to reduce database load. Store the OTP with a short TTL (e.g., 30 seconds for TOTP) using `cache()->put('user:123:otp', $code, now()->addSeconds(30))`. This is especially useful for high-traffic applications where OTP generation is frequent.
What are the alternatives to this package for Laravel 2FA?
Alternatives include `pragmarx/google2fa` (older but widely used) and `egulias/email-validator` for email-based 2FA. However, `chillerlan/php-authenticator` stands out for its RFC compliance, Steam Guard support, and modern PHP 8.4+ features. Evaluate based on your need for HOTP/TOTP, performance, and Laravel integration.
How do I handle rate limiting for failed OTP attempts?
Use Laravel’s throttle middleware to limit failed OTP attempts. For example, apply `ThrottlesLogins` to your OTP verification endpoint with a max of 5 attempts per minute. Log failed attempts and optionally notify users via email to prevent brute-force attacks.
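The container binding from the integration answer and the throttled verification endpoint from this answer, as one added example that is not the package's or this page's own code. It assumes chillerlan/php-authenticator's `Authenticator`, `AuthenticatorInterface` and `AuthenticatorOptions` classes with `setSecret()`/`verify()` methods, a Base32 `otp_secret` column on `users`, and a `TwoFactorController` name; the service-provider, validation and `throttle` calls are standard Laravel.

```php
<?php
// Added example, not package code. Assumes the chillerlan classes below expose
// setSecret()/verify() and the option properties digits/period/mode.
// --- app/Providers/AuthServiceProvider.php (excerpt) ---
namespace App\Providers;

use chillerlan\Authenticator\{Authenticator, AuthenticatorInterface, AuthenticatorOptions};
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        $this->app->singleton(Authenticator::class, function (): Authenticator {
            $options = new AuthenticatorOptions;
            $options->mode   = AuthenticatorInterface::TOTP; // time-based codes
            $options->digits = 6;                            // must match what users enrolled with
            $options->period = 30;                           // seconds per code

            return new Authenticator($options);
        });
    }
}

// --- app/Http/Controllers/TwoFactorController.php (excerpt) ---
namespace App\Http\Controllers;

use chillerlan\Authenticator\Authenticator;
use Illuminate\Http\Request;

class TwoFactorController extends Controller
{
    // Route: Route::post('/2fa', [self::class, 'verify'])->middleware(['auth', 'throttle:5,1']);
    public function verify(Request $request, Authenticator $authenticator)
    {
        $request->validate(['code' => ['required', 'digits:6']]);

        // Load this user's secret (assumed column, encrypted at rest) into the shared instance.
        $authenticator->setSecret($request->user()->otp_secret);

        if (!$authenticator->verify($request->input('code'))) {
            // Each failed attempt counts toward the route's throttle:5,1 limit.
            return back()->withErrors(['code' => 'Invalid code.']);
        }

        $request->session()->put('two_factor_passed', true);

        return redirect()->intended('/dashboard');
    }
}
```

Because the binding is a singleton, `setSecret()` must be called with the current user's secret on every request before `verify()`.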
Does this package support testing with fake OTPs in Laravel?
Yes, mock the `Authenticator` class in your tests using Laravel’s testing helpers. For example, use `Mockery` to return predefined OTPs during testing: `$this->mock(Authenticator::class)->shouldReceive('getCode')->andReturn('123456');`. This ensures your authentication logic works without relying on real-time OTP generation.