
Google Authenticator with PHP

Gone are the days of SecureID OTP tokens costing an arm and a leg, and being just for Enterprise.

My own WP site here is protected with Google Authenticator, and there is no excuse for not doing the same on yours.  Just grab the awesome WP Google Authenticator plugin and you will be good to go.

My favourite iOS app for this is the awesome Authy, but there are plenty out there.

But the world doesn’t run on WordPress. Suppose you want to do it yourself on a LAMP site…

Grab a copy of the PHPGangsta GoogleAuthenticator class.

Creating users:

<?php
require_once 'PHPGangsta/GoogleAuthenticator.php';

$ga = new PHPGangsta_GoogleAuthenticator();
$secret = $ga->createSecret();
echo "Your OTP Secret is: " . $secret . "\n\nIt is probably a good idea to take a note of this";
echo "\nPlease scan in the QR code to setup your OTP ";
$qrCodeUrl = $ga->getQRCodeGoogleUrl('MyApp', $secret);
?>

<IMG SRC='<?php echo htmlspecialchars($qrCodeUrl); ?>'>
<BR>

<?php
// Demo only: the server generates the current code itself here, so the check
// always passes. In a real enrolment the code should come from the user's app
// (e.g. $_POST['code']) so you know they scanned the QR code correctly.
$oneCode = $ga->getCode($secret);
$checkResult = $ga->verifyCode($secret, $oneCode, 2);    // 2 = 2*30sec clock tolerance
if ($checkResult) {
    echo 'OK';
    // Store the secret against the user; a prepared statement keeps the SQL safe
    $stmt = mysqli_prepare($link, "UPDATE localusers SET GASecret=? WHERE id=?");
    mysqli_stmt_bind_param($stmt, 'si', $secret, $userRow['id']);
    mysqli_stmt_execute($stmt);
} else {
    echo 'FAILED';
}

Authenticating users:

<?php
require_once 'PHPGangsta/GoogleAuthenticator.php';
// $userRow is the logged-in user's row (including GASecret); 'e' is the code they typed in

if (!isset($userRow['GASecret']) || !isset($_REQUEST['e'])) { // Impossible to authenticate
    header('HTTP/1.1 401 Authentication Impossible');
    header('Content-Type: application/json; charset=UTF-8');
    die(json_encode(array('message' => 'ERROR', 'code' => 1337)));
} else { // Try to authenticate
    $ga = new PHPGangsta_GoogleAuthenticator();
    $checkResult = $ga->verifyCode($userRow['GASecret'], $_REQUEST['e'], 2);    // 2 = 2*30sec clock tolerance
    if ($checkResult) {
        // Mark this session as OTP-verified
        session_write_close();
        session_start();
        $_SESSION['OTP'] = 1;
        session_write_close();
        $result = "Authenticated";
        header('Content-Type: application/json');
        die(json_encode($result));
    } else {
        header('HTTP/1.1 401 Authentication Failed');
        header('Content-Type: application/json; charset=UTF-8');
        die(json_encode(array('message' => 'ERROR', 'code' => 1337)));
    }
}

Obviously these are just snippets, which will never actually run for you, but you get the general idea.
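To show what the verifyCode() call above actually does with that "2 = 2*30sec" tolerance, here is the same TOTP check written out in plain Python (an added example, not code from the post or the PHPGangsta library). It assumes Google Authenticator's defaults (HMAC-SHA1, 30-second slices, 6 digits) and adds one thing the snippets above do not: a `last_slice` value, assumed to be stored next to GASecret, so a code that has already been accepted cannot be replayed inside the tolerance window.

```python
# Added example: RFC 6238 TOTP verification with clock tolerance and a replay
# guard. Standard library only; the secret is base32, as createSecret() emits.
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30   # seconds per time slice
DIGITS = 6    # Google Authenticator shows 6 digits


def totp(secret_b32: str, timeslice: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for one 30-second time slice."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", timeslice), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret_b32, code, discrepancy=2, now=None, last_slice=None):
    """Return the time slice the code matched, or None if it is rejected.

    discrepancy slices either side of 'now' are accepted (2 => +/-60 s, as in
    the post). last_slice is the slice of this user's last accepted code
    (assumed to be persisted with GASecret); anything at or before it is
    refused so a sniffed code cannot be replayed within the window.
    """
    if len(code) != DIGITS or not code.isdigit():
        return None
    current = int((time.time() if now is None else now) // PERIOD)
    for candidate in range(max(0, current - discrepancy), current + discrepancy + 1):
        if last_slice is not None and candidate <= last_slice:
            continue                                          # replay guard
        if hmac.compare_digest(totp(secret_b32, candidate), code):
            return candidate
    return None
```

On success, store the returned slice as the user's new `last_slice` before marking the session as OTP-verified.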


It is so easy, it is just rude not to.
