- Can scheb/2fa-google-authenticator work directly with Laravel without Symfony?
- No. `scheb/2fa-google-authenticator` is one of the scheb/2fa packages: it depends on `scheb/2fa-bundle` and Symfony's security components, and it plugs into Symfony's firewall rather than Laravel's guards. Composer will install its classes into a Laravel project, but you have to supply the bridge yourself: a service provider that constructs the authenticator, middleware that enforces the second step, and a user model that implements the package's `TwoFactorInterface`. For a Laravel-native solution consider `laravel/fortify`, which ships TOTP two-factor support, or `pragmarx/google2fa-laravel`.
- What Laravel versions does this package support?
- None natively. The package's supported versions are Symfony versions (each scheb/2fa major targets a specific Symfony range, stated in its `composer.json`). On the Laravel side the bridge only needs the service container and the middleware pipeline, so Laravel 5.5 or later works in principle; the practical limit is the PHP version constraint of the scheb/2fa release you install. Whatever combination you pick, test the full enrollment and login flow end to end before relying on it.
- How do I generate QR codes for Google Authenticator setup?
- The Google Authenticator provider in scheb/2fa does not render images. Its `GoogleAuthenticatorInterface::getQRContent()` returns the `otpauth://totp/...` provisioning URI for a user (label, secret, issuer), and turning that URI into a QR image is left to a library such as `endroid/qr-code` or `bacon/bacon-qr-code` (older releases also shipped an optional `scheb/2fa-qr-code` helper package for this). In Laravel you do the same: build or obtain the otpauth URI, render it with one of those libraries, and serve the image only to the authenticated user during enrollment, over HTTPS and with caching disabled. The issuer and label in the URI are what the authenticator app displays next to the code, so set them deliberately.
- Does this package support backup codes or recovery options?
- `scheb/2fa-google-authenticator` only validates TOTP codes. Backup (recovery) codes live in a sibling package, `scheb/2fa-backup-code`, and even that only checks and invalidates codes that you generate and store yourself. In Laravel you implement the whole mechanism: generate a short list of random codes, show them to the user exactly once, store only hashes (as you would passwords), mark each code used after a single successful login, and let the user regenerate the set, which invalidates the old one.
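One way to implement the recovery-code mechanism described above, as an added example in plain PHP (it is not code from scheb/2fa-backup-code or from Laravel): codes are shown once, stored only as password hashes, and removed from the stored set when consumed. The `BackupCodes` class, its code format and the JSON-column suggestion are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not part of scheb/2fa-backup-code or Laravel: generate, store and
// consume single-use recovery codes. Plain PHP so it runs stand-alone; in Laravel swap
// password_hash()/password_verify() for Hash::make()/Hash::check() and keep the array
// of hashes in a JSON column on the user (column name is your choice).
final class BackupCodes
{
    public const COUNT = 8;

    /** Returns [codes to show the user exactly once, hashes to persist]. */
    public static function generate(int $count = self::COUNT): array
    {
        $plain = $hashes = [];
        for ($i = 0; $i < $count; $i++) {
            $hex = bin2hex(random_bytes(5));                 // 40 bits of entropy per code
            $code = substr($hex, 0, 5) . '-' . substr($hex, 5, 5);
            $plain[]  = $code;
            $hashes[] = password_hash(self::normalize($code), PASSWORD_DEFAULT);
        }
        return [$plain, $hashes];
    }

    /**
     * Tries $input against the stored hashes. Returns the remaining hashes with the
     * matched one removed (persist them; that is what makes the code single-use),
     * or null when nothing matched.
     */
    public static function consume(string $input, array $hashes): ?array
    {
        $needle = self::normalize($input);
        $matched = null;
        foreach ($hashes as $i => $hash) {                  // verify every slot: no early exit
            if (password_verify($needle, $hash) && $matched === null) {
                $matched = $i;
            }
        }
        if ($matched === null) {
            return null;
        }
        unset($hashes[$matched]);
        return array_values($hashes);
    }

    /** Accept "ABCDE-12345", "abcde12345", input with spaces, and so on. */
    private static function normalize(string $code): string
    {
        return strtolower(preg_replace('/[^0-9a-z]/i', '', $code));
    }
}

// Constructed walk-through: one code works once, then never again.
[$show, $store] = BackupCodes::generate();
$remaining = BackupCodes::consume(strtoupper($show[2]), $store);   // 7 hashes left
$replay    = BackupCodes::consume($show[2], $remaining);           // null: already spent
printf("remaining=%d replay=%s\n", count($remaining), var_export($replay, true));
```

Every attempt costs one `password_verify()` per stored code, so rate-limit the recovery endpoint exactly as you rate-limit TOTP attempts, and prompt the user to regenerate the set when only one or two codes remain.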
- How do I validate TOTP codes in Laravel’s login flow?
- Add the code check as a second step after password authentication rather than mixing it into the password check. After `Auth::attempt()` succeeds, send users who have TOTP enabled to a challenge page, and set a session flag only once a valid code has been submitted; a middleware (for example a `TwoFactorMiddleware`) denies access to protected routes while the flag is missing. If you use the Symfony package's validator, bind it in a service provider and call `checkCode()` from the challenge controller, translating its boolean result into a Laravel response (a validation error and redirect back on failure). Rate-limit code submissions per account and regenerate the session ID on success.
- Are there performance concerns with TOTP validation for large user bases?
- TOTP validation is one HMAC-SHA1 per time step checked, so it is not a bottleneck even for large user bases, and the overhead of a Symfony bridge in Laravel is negligible by comparison. Do not cache validation results: a code is valid for a whole 30-second step, and replaying a cached "valid" result lets anyone who observed the code reuse it. Instead, store per user the time step of the last accepted code and reject any code at or before that step, and rate-limit attempts per account and per IP. Caching the secret buys nothing either, since reading it is one row lookup per login.
- What’s the best way to store TOTP secrets securely in Laravel?
- Never store secrets in plaintext, and note that they cannot be hashed either: the server needs the raw secret to compute the HMAC, so encryption at rest is the strongest option available. Use Laravel's encryption (the `APP_KEY`, used by `Crypt::encryptString()` and by the Eloquent `encrypted` cast) or envelope encryption with a secrets manager such as AWS KMS or HashiCorp Vault. Store the ciphertext in a `totp_secret` column on the `users` table; the migration only creates the column, while transparent encryption and decryption belongs on the model (the `encrypted` cast), not in the migration. Keep the column out of the model's serialized output and out of logs, and plan for key rotation.
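The storage pattern from the answer above, as an added example (it is not code from scheb/2fa or from Laravel's application skeleton): the Eloquent cast does the encryption, the migration only creates columns, and the secret is hidden from serialization. The column names `totp_secret` and `totp_last_step` and the helper method are this example's choices.

```php
<?php
// Added example, not from scheb/2fa or Laravel's skeleton: the secret is encrypted at rest
// with APP_KEY by the Eloquent 'encrypted' cast; the migration only creates columns.
// Column names totp_secret / totp_last_step are this example's choice. Each braced
// namespace belongs in its own file in a real application.

namespace App\Models {
    use Illuminate\Foundation\Auth\User as Authenticatable;

    class User extends Authenticatable
    {
        protected $casts = [
            'totp_secret'    => 'encrypted',   // ciphertext in the DB, plaintext on the model
            'totp_last_step' => 'integer',     // last accepted TOTP step, for replay checks
        ];
        // Keep the secret out of toArray()/toJson(): API responses, debug dumps, logs.
        protected $hidden = ['password', 'remember_token', 'totp_secret'];

        public function hasTwoFactorEnabled(): bool
        {
            return $this->totp_secret !== null;
        }
    }
}

namespace {
    use Illuminate\Database\Migrations\Migration;
    use Illuminate\Database\Schema\Blueprint;
    use Illuminate\Support\Facades\Schema;

    // database/migrations/xxxx_add_totp_columns_to_users_table.php
    class AddTotpColumnsToUsersTable extends Migration
    {
        public function up(): void
        {
            Schema::table('users', function (Blueprint $table) {
                // text, not string(32): the encrypted payload (IV, ciphertext, MAC, base64)
                // is several times longer than the base32 secret it wraps.
                $table->text('totp_secret')->nullable();
                $table->unsignedBigInteger('totp_last_step')->nullable();
            });
        }

        public function down(): void
        {
            Schema::table('users', function (Blueprint $table) {
                $table->dropColumn(['totp_secret', 'totp_last_step']);
            });
        }
    }
}
```

Because the cast ties every stored secret to `APP_KEY`, rotating that key means re-encrypting the column; recent Laravel versions support `APP_PREVIOUS_KEYS` so old ciphertexts keep decrypting during the rotation, and a KMS-backed envelope scheme lets you rotate without touching rows at all.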
- Can I use this package with Laravel’s built-in authentication (e.g., `Auth::attempt`)?
- Yes. `Auth::attempt()` verifies the password; leave it alone and add the second factor on top of it rather than patching `AuthManager`. After a successful attempt, redirect users who have TOTP enabled to a challenge route and treat the session as fully authenticated only once a code has been accepted: a middleware enforces this on protected routes and a session flag records completion (Laravel Fortify uses the same challenge-then-flag pattern). A listener on the `Illuminate\Auth\Events\Login` event is the place to clear that flag, so that every new password login requires a fresh code.
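The challenge flow described in the two answers above on validating codes in the login flow and on layering over `Auth::attempt()`, as one added example (it is not code from scheb/2fa or from Laravel). It assumes the columns `users.totp_secret` (decrypted by an Eloquent cast) and `users.totp_last_step`, and a hypothetical `App\Security\Totp::verify()` helper that returns the matched RFC 6238 time step or `null`; any TOTP library, including the scheb authenticator wrapped in a service provider, can stand in for it.

```php
<?php
// Added example, not code from scheb/2fa or Laravel: a second-step TOTP challenge on top of
// Auth::attempt(). Each braced namespace belongs in its own file in a real app. Assumes the
// columns users.totp_secret (decrypted by an Eloquent cast) and users.totp_last_step, and a
// hypothetical App\Security\Totp::verify($secret, $code, $lastStep, $window) that returns
// the matched RFC 6238 time step or null (any TOTP library can stand in for it).

namespace App\Http\Middleware {
    use Closure;
    use Illuminate\Http\Request;

    final class TwoFactorMiddleware
    {
        public const SESSION_KEY = 'two_factor.passed';

        public function handle(Request $request, Closure $next)
        {
            $user = $request->user();
            // Enrolled users must have passed the challenge in this session; others pass through.
            if ($user !== null && $user->totp_secret !== null
                && !$request->session()->get(self::SESSION_KEY, false)) {
                return redirect()->route('two-factor.challenge');
            }
            return $next($request);
        }
    }
}

namespace App\Http\Controllers {
    use App\Http\Middleware\TwoFactorMiddleware;
    use App\Security\Totp;                      // hypothetical helper, see the comment above
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\RateLimiter;
    use Illuminate\Validation\ValidationException;

    final class TwoFactorChallengeController extends Controller
    {
        public function verify(Request $request)
        {
            $user = $request->user();
            $data = $request->validate(['code' => ['required', 'string', 'max:16']]);
            $key = 'totp:' . $user->getAuthIdentifier();
            if (RateLimiter::tooManyAttempts($key, 5)) {    // per account, independent of IP
                throw ValidationException::withMessages(
                    ['code' => 'Too many attempts, retry in ' . RateLimiter::availableIn($key) . ' s.']);
            }
            // Window of 1 step either side; totp_last_step makes an already-accepted code unusable.
            $step = Totp::verify($user->totp_secret, $data['code'], $user->totp_last_step, 1);
            if ($step === null) {
                RateLimiter::hit($key, 300);                 // 5 failures per 5 minutes
                throw ValidationException::withMessages(['code' => 'Invalid code.']);
            }
            RateLimiter::clear($key);
            $user->forceFill(['totp_last_step' => $step])->save();
            $request->session()->regenerate();               // fresh session id once fully authenticated
            $request->session()->put(TwoFactorMiddleware::SESSION_KEY, true);
            return redirect()->intended('/dashboard');
        }
    }
}

namespace App\Listeners {
    use App\Http\Middleware\TwoFactorMiddleware;
    use Illuminate\Auth\Events\Login;

    // Register for Illuminate\Auth\Events\Login: every password login starts a new second
    // step, so a flag left from an earlier login in the same session cannot carry over.
    final class ResetTwoFactorOnLogin
    {
        public function handle(Login $event): void
        {
            session()->forget(TwoFactorMiddleware::SESSION_KEY);
        }
    }
}

namespace {
    use App\Http\Controllers\TwoFactorChallengeController;
    use App\Http\Middleware\TwoFactorMiddleware;
    use Illuminate\Support\Facades\Route;

    // routes/web.php: the challenge itself needs only 'auth'; sensitive routes add the middleware.
    Route::middleware('auth')->group(function () {
        Route::view('/two-factor', 'auth.two-factor')->name('two-factor.challenge');
        Route::post('/two-factor', [TwoFactorChallengeController::class, 'verify']);
    });
    Route::middleware(['auth', TwoFactorMiddleware::class])->group(function () {
        Route::view('/dashboard', 'dashboard')->name('dashboard');
    });
}
```

The ordering in `verify()` matters: the rate limit is checked before any cryptography, the last-accepted step is written before the session is marked as passed, and the session ID is regenerated so a pre-authentication session fixation does not survive the second step.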
- What alternatives exist for Laravel 2FA with Google Authenticator?
- Prefer Laravel-native options: `laravel/fortify` (first-party; includes TOTP two-factor with QR provisioning and recovery codes), `pragmarx/google2fa-laravel` (built on the `pragmarx/google2fa` library), or a framework-agnostic TOTP library such as `spomky-labs/otphp` wired into your own middleware. All of these avoid the Symfony security dependency and give you secret generation, otpauth/QR provisioning and Laravel-side middleware or helpers with far less glue code.
- How do I handle time synchronization issues with TOTP codes?
- TOTP codes are derived from the current Unix time divided into 30-second steps, so the tolerance is measured in steps, not seconds. Accept the code for the current step plus the step before and after (a ±30-second window, the maximum RFC 6238 recommends); a "1–2 second" window would reject almost every code typed by hand. Keep the server's clock accurate with NTP; you cannot control the user's device, and the window exists precisely to absorb its drift. Track the last accepted step per user so the widened window does not admit a replayed code, and if a particular device drifts further than one step, re-enrollment is simpler and safer than widening the window for everyone.
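The three answers above on the otpauth provisioning URI, on replay protection instead of cached results, and on the time window, as one added example in plain PHP (it is not code from scheb/2fa or from Laravel): an RFC 6238 implementation with base32 secrets, a window measured in steps, a last-accepted-step replay guard, and the otpauth URI that a QR library would render. The `Totp` class and its method names are this example's own; the self-check uses the reference key from RFC 6238 and a constructed timestamp.

```php
<?php
declare(strict_types=1);

// Added example, not from scheb/2fa or Laravel: RFC 6238 TOTP in plain PHP.
// Class and method names are this example's own.
final class Totp
{
    private const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    public const PERIOD = 30;  // seconds per time step (authenticator-app default)
    public const DIGITS = 6;

    public static function generateSecret(): string
    {
        return self::base32Encode(random_bytes(20));   // 160 bits, as RFC 4226 suggests
    }

    public static function base32Encode(string $bytes): string
    {
        $bits = '';
        foreach (str_split($bytes) as $b) {
            $bits .= str_pad(decbin(ord($b)), 8, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 5) as $chunk) {
            $out .= self::ALPHABET[bindec(str_pad($chunk, 5, '0'))];
        }
        return $out;   // unpadded; authenticator apps accept this
    }

    public static function base32Decode(string $b32): string
    {
        $bits = '';
        foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
            $pos = strpos(self::ALPHABET, $c);
            if ($pos === false) {
                throw new InvalidArgumentException('not base32');
            }
            $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 8) as $chunk) {
            if (strlen($chunk) === 8) {
                $out .= chr(bindec($chunk));
            }
        }
        return $out;
    }

    /** RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation. */
    public static function hotp(string $key, int $counter, int $digits = self::DIGITS): string
    {
        $h = hash_hmac('sha1', pack('J', $counter), $key, true);
        $o = ord($h[19]) & 0x0f;
        $bin = ((ord($h[$o]) & 0x7f) << 24) | (ord($h[$o + 1]) << 16)
             | (ord($h[$o + 2]) << 8) | ord($h[$o + 3]);
        return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
    }

    /**
     * Returns the time step that matched, or null. $window is in steps (1 = 30 s each side).
     * Pass the step of the last accepted code as $lastUsedStep to block replays.
     */
    public static function verify(string $secretB32, string $code, ?int $lastUsedStep = null,
                                  int $window = 1, ?int $now = null): ?int
    {
        $code = preg_replace('/\s+/', '', $code);          // users type "123 456"
        if (!preg_match('/^\d{' . self::DIGITS . '}$/', $code)) {
            return null;
        }
        $key = self::base32Decode($secretB32);
        $current = intdiv($now ?? time(), self::PERIOD);
        $matched = null;
        for ($step = $current - $window; $step <= $current + $window; $step++) {
            if ($lastUsedStep !== null && $step <= $lastUsedStep) {
                continue;                                   // already used, or older than that
            }
            if (hash_equals(self::hotp($key, $step), $code) && $matched === null) {
                $matched = $step;                           // keep looping: uniform timing
            }
        }
        return $matched;
    }

    /** otpauth URI for the QR code; issuer and account label are what the app displays. */
    public static function provisioningUri(string $issuer, string $account, string $secretB32): string
    {
        $query = http_build_query(['secret' => $secretB32, 'issuer' => $issuer, 'algorithm' => 'SHA1',
            'digits' => self::DIGITS, 'period' => self::PERIOD], '', '&', PHP_QUERY_RFC3986);
        return 'otpauth://totp/' . rawurlencode($issuer) . ':' . rawurlencode($account) . '?' . $query;
    }
}

// Self-check with the RFC 6238 reference key (ASCII "12345678901234567890"), then a
// constructed login: the code is accepted once at step 33333 and refused as a replay.
$rfcKey = '12345678901234567890';
if (Totp::hotp($rfcKey, 1, 8) !== '94287082') {            // RFC 6238 Appendix B, T=59
    throw new RuntimeException('HOTP self-check failed');
}
$secret = Totp::base32Encode($rfcKey);                        // GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
$now = 1_000_000;                                             // step 33333
$code = Totp::hotp($rfcKey, intdiv($now, Totp::PERIOD));
var_dump(Totp::verify($secret, $code, null, 1, $now));        // int(33333): accepted
var_dump(Totp::verify($secret, $code, 33333, 1, $now + 30));  // NULL: replay inside the window
echo Totp::provisioningUri('Example App', 'alice@example.com', $secret), PHP_EOL;
```

Note what the replay guard does in the second `verify()` call: at step 33334 the window still covers step 33333, so without `$lastUsedStep` the old code would be accepted again; storing the returned step after every successful login is what closes that gap.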