pragmarx/google2fa
Google2FA adds HOTP/TOTP two-factor authentication to PHP, compatible with Google Authenticator and RFC 4226/6238. Generate secrets and QR code data, verify one-time codes, and tune validation windows and time drift—ideal for Laravel or standalone apps.
Version 9.0.0 introduces a breaking change: The default secret key length has been increased from 16 to 32 characters for enhanced security.
generateSecretKey() now generates 32-character secrets by default (previously 16)If you want to keep the previous behavior (16-character secrets):
// Old default behavior (v8.x and below)
$secret = $google2fa->generateSecretKey();
// New way to get 16-character secrets (v9.0+)
$secret = $google2fa->generateSecretKey(16);
If you want to use the new default (32-character secrets):
// This now generates 32-character secrets by default
$secret = $google2fa->generateSecretKey();
Potential Impact Areas
- Database schemas: Check if your google2fa_secret columns can handle 32 characters
- Validation rules: Update any length validations that expect exactly 16 characters
- Tests: Update test assertions expecting 16-character secrets
- UI components: Ensure QR code displays and secret key fields accommodate longer secrets
Important: Existing 16-character secrets remain fully functional. Database updates are only needed if you want to use the new 32-character default behavior.
Why This Change?
While 16-character secrets meet RFC 6238 minimum requirements, 32-character secrets provide significantly better security:
- 16 chars: 80 bits of entropy (adequate but minimal)
- 32 chars: 160 bits of entropy (much stronger against brute force)
This change aligns with modern security best practices for cryptographic applications.
How can I help you explore Laravel packages today?