
2-step verification with Google Authenticator and PHP

Many large web services nowadays support 2-step verification to enhance security for their users. With 2-step verification you have to supply a one-time token in addition to your usual username and password, so if someone steals your password it won't help them much, because they (hopefully) don't have the device that generates that one-time token for you. You may know this from your bank, or you may already have enabled it on Google Apps, Facebook or Amazon.

The main point of 2-step verification is that something other than your computer provides that token. If the token is generated on the same computer and that computer gets stolen (or broken into), the additional factor adds little security. That's why you need a second device for those tokens. Some banks do that with SMS/text messages (Facebook, too), others give you dedicated hardware tokens (e.g. RSA tokens), and the last group does it with your smartphone.

Google provides an app called Google Authenticator which does exactly that: it implements the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238), is available for Android, iPhone and BlackBerry, and is open source. The ideal candidate for an implementation in PHP.

We had a request from a client for a backend system that is reachable from everywhere (so they can ditch their VPN for it) but is still reasonably secure. I was playing with Google Apps' 2-step verification at the time and thought this must be doable in PHP as well. So I reverse engineered the Android code and came up with this little GoogleAuthenticator.php library.

If you integrate this library into your application, you can tell your clients to just download the Google Authenticator app and scan the QR code you show them on their first login. Depending on your security requirements, you can then ask them for that token on every login, every other day, or whatever you need, and of course any time they use another computer or browser.
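To make the flow above concrete, here is an added, self-contained example of the algorithm Google Authenticator runs (TOTP per RFC 6238, built on HOTP per RFC 4226). It is not the GoogleAuthenticator.php library from this post, and the function names (`totp_create_secret`, `totp_verify`, `totp_provisioning_uri`, etc.) are my own; the library's actual API is not shown on this page. It covers the three steps an application needs: create a secret and turn it into the `otpauth://` URI the QR code encodes, compute the current code, and verify a user-supplied code with a small drift window and a constant-time comparison. The final lines check the implementation against the RFC 4226 test vector.

```php
<?php
// Added example, not the post's library: minimal TOTP/HOTP as used by Google Authenticator.
// Defaults: HMAC-SHA1, 30-second time step, 6 digits, base32-encoded secret.
declare(strict_types=1);

const TOTP_STEP       = 30;
const TOTP_DIGITS     = 6;
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

/** New per-user secret: 20 random bytes (160 bits), base32-encoded for the QR code. */
function totp_create_secret(int $bytes = 20): string {
    return base32_encode(random_bytes($bytes));
}

function base32_encode(string $raw): string {
    $bits = '';
    foreach (str_split($raw) as $c) {
        $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out; // unpadded; the Authenticator app accepts unpadded secrets
}

function base32_decode(string $b32): string {
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $pos = strpos(BASE32_ALPHABET, $c);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing partial bits
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $secretRaw, int $counter, int $digits = TOTP_DIGITS): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secretRaw, true); // 20 raw bytes
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). */
function totp(string $secretB32, ?int $now = null): string {
    $now ??= time();
    return hotp(base32_decode($secretB32), intdiv($now, TOTP_STEP));
}

/**
 * Verify a user-supplied code. $window = 1 also accepts the previous and the
 * next 30-second step, which absorbs small clock drift between server and phone.
 * No early return and hash_equals(), so timing does not leak which step matched.
 * The caller must still rate-limit attempts: 6 digits is only 10^6 possibilities.
 */
function totp_verify(string $secretB32, string $code, int $window = 1, ?int $now = null): bool {
    if (!preg_match('/^\d{' . TOTP_DIGITS . '}\z/', $code)) {
        return false;
    }
    $now ??= time();
    $raw  = base32_decode($secretB32);
    $step = intdiv($now, TOTP_STEP);
    $ok   = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($raw, $step + $i), $code)) {
            $ok = true;
        }
    }
    return $ok;
}

/** otpauth:// URI to encode in the QR code shown at first login. */
function totp_provisioning_uri(string $issuer, string $account, string $secretB32): string {
    return 'otpauth://totp/' . rawurlencode($issuer) . ':' . rawurlencode($account)
         . '?secret=' . $secretB32 . '&issuer=' . rawurlencode($issuer);
}

// Self-check against the RFC 4226 / RFC 6238 test vectors (secret "12345678901234567890").
$rfcSecret = '12345678901234567890';
$rfcB32    = base32_encode($rfcSecret);                       // GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
$checks = [
    base32_decode($rfcB32) === $rfcSecret,
    hotp($rfcSecret, 1) === '287082',                          // RFC 4226, counter 1
    hotp($rfcSecret, 1, 8) === '94287082',                     // RFC 6238, T=59 (step 1), 8 digits
    totp_verify($rfcB32, '287082', 1, 59) === true,
    totp_verify($rfcB32, '287082', 0, 59 + TOTP_STEP) === false, // next step, no window: rejected
];
echo in_array(false, $checks, true) ? "SELF-CHECK FAILED\n" : "ok\n";
echo totp_provisioning_uri('Example App', 'alice@example.com', $rfcB32), "\n";
```

Two practical notes. First, if the server and the phone show different codes, the cause is almost always clock drift: TOTP is purely a function of the shared secret and the current Unix time, so the server should run NTP and the window above should stay small (a window of 1 already tolerates about a minute of skew). Second, the secret in the QR code is the long-term key; store it server-side as you would a password-equivalent credential, and never log the `otpauth://` URI.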

We haven't actually used the library in a real-life project yet (that will come), but for now I've made a little, quick-and-dirty, framework-less example available here. Please read the code and the comments to understand how it's supposed to work. It would be great if someone implemented it as a Symfony 2 bundle (or integrated it into the whole security framework of Symfony 2).

A not-to-be-named ex-Liiper also suggested porting it to JavaScript as a Chrome extension, so that one could automatically fill in the mandatory token field. That would of course totally defeat the purpose of the whole thing, but it is technically possible ;)

If you have any questions about the library, don't hesitate to ask in the comments.


Comments [6]

Phill, 19.08.2012 17:20 CET

Good to know about 2-step verification, though I haven't found many people actually using it.

Ravindra Kumar, 09.10.2012 16:33 CET

Hi,

I am Ravindra Kumar. I want to implement 2-step verification with Google Authenticator using PHP. I have downloaded your code and it is working. First I log in using the Gmail username and password, then it comes to the OTP; that is fine. Please tell me how I can use this OTP via SMS: when we log in, we receive an SMS, then I enter it and it logs in.

Please tell me if this is possible.

Chregu, 09.10.2012 19:28 CET

This module doesn't work with SMS. That's provided by Google. It only works with the Google Authenticator app.

Ravindra Kumar, 10.10.2012 18:49 CET

Hi Chregu,

It is using the users.dat file to store the username, password and secret key. Please tell me whether we can use the Gmail account authenticator like Facebook Connect, so that it first checks against the Gmail account. Please suggest how I can implement this process.

I want to use the Gmail authenticator, then generate the OTP.

Thanks

rene, 07.06.2013 21:51 CET

Hi, very interesting.
My question is the following: I have a Windows server where I installed the PHP scripts. How can I do the synchronization, since it does not show the same code?

Best regards

Stephen, 09.10.2014 23:08 CET

How do you tie it together with a login system?
