Google authenticator github

Google authenticator github DEFAULT

Google2FA

Google Two-Factor Authentication for PHP

Google2FA is a PHP implementation of the Google Two-Factor Authentication Module, supporting the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.


Latest Stable VersionLicenseCode QualityBuildDownloads

Monthly DownloadsCoveragePHP


Menu

Version Compatibility

PHPGoogle2FA
5.47.x LTS
5.57.x LTS
5.67.x LTS
7.18.x
7.28.x
7.38.x
7.48.x
8.0 (β)8.x

Laravel bridge

This package is agnostic, but there's a Laravel bridge.

About QRCode generation

This package does not generate QRCodes for 2FA.

If you are looking for Google Two-Factor Authentication, but also need to generate QRCode for it, you can use the Google2FA QRCode package, which integrates this package and also generates QRCodes using the BaconQRCode library, or check options on how to do it yourself here in the docs.

Demos, Example & Playground

Please check the Google2FA Package Playground.

playground

Here's an demo app showing how to use Google2FA: google2fa-example.

You can scan the QR code on this (old) demo page with a Google Authenticator app and view the code changing (almost) in real time.

Requirements

Installing

Use Composer to install it:

To generate inline QRCodes, you'll need to install a QR code generator, e.g. BaconQrCode:

Usage

Instantiate it directly

usePragmaRX\Google2FA\Google2FA; $google2fa = newGoogle2FA(); return$google2fa->generateSecretKey();

How To Generate And Use Two Factor Authentication

Generate a secret key for your user and save it:

$user->google2fa_secret = $google2fa->generateSecretKey();

Generating QRCodes

The securer way of creating QRCode is to do it yourself or using a library. First you have to install a QR code generator e.g. BaconQrCode, as stated above, then you just have to generate the QR code url using:

$qrCodeUrl = $google2fa->getQRCodeUrl( $companyName, $companyEmail, $secretKey );

Once you have the QR code url, you can feed it to your preferred QR code generator.

// Use your own QR Code generator to generate a data URL:$google2fa_url = custom_generate_qrcode_url($qrCodeUrl); /// and in your view: <img src="{{ $google2fa_url }}" alt="">

And to verify, you just have to:

$secret = $request->input('secret'); $valid = $google2fa->verifyKey($user->google2fa_secret, $secret);

QR Code Packages

This package suggests the use of Bacon/QRCode because it is known as a good QR Code package, but you can use it with any other package, for instance Google2FA QRCode, Simple QrCode or Endroid QR Code, all of them use Bacon/QRCode to produce QR Codes.

Usually you'll need a 2FA URL, so you just have to use the URL generator:

$google2fa->getQRCodeUrl($companyName, $companyEmail, $secretKey)

Examples of Usage

Google2FA QRCode

Get a QRCode to be used inline:

$google2fa = (new \PragmaRX\Google2FAQRCode\Google2FA()); $inlineUrl = $google2fa->getQRCodeInline( 'Company Name', '[email protected]', $google2fa->generateSecretKey() );

And use in your template:

<img src="{{ $inlineUrl }}">

Simple QrCode

<div class="visible-print text-center"> {!! QrCode::size(100)->generate($google2fa->getQRCodeUrl($companyName, $companyEmail, $secretKey)); !!} <p>Scan me to return to the original page.</p> </div>

Endroid QR Code Generator

Generate the data URL

$qrCode = new \Endroid\QrCode\QrCode($value); $qrCode->setSize(100); $google2fa_url = $qrCode->writeDataUri();

And in your view

<div class="visible-print text-center"> {!! $google2fa_url !!} <p>Scan me to return to the original page.</p> </div>

Bacon/QRCode

<?phpusePragmaRX\Google2FA\Google2FA; useBaconQrCode\Renderer\ImageRenderer; useBaconQrCode\Renderer\Image\ImagickImageBackEnd; useBaconQrCode\Renderer\RendererStyle\RendererStyle; useBaconQrCode\Writer; $google2fa = app(Google2FA::class); $g2faUrl = $google2fa->getQRCodeUrl( 'pragmarx', '[email protected]', $google2fa->generateSecretKey() ); $writer = newWriter( newImageRenderer( newRendererStyle(400), newImagickImageBackEnd() ) ); $qrcode_image = base64_encode($writer->writeString($g2faUrl));

And show it as an image:

<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>

HMAC Algorithms

To comply with RFC6238, this package supports SHA1, SHA256 and SHA512. It defaults to SHA1, so to use a different algorithm you just have to use the method :

$google2fa->setAlgorithm(Constants::SHA512);

Server Time

It's really important that you keep your server time in sync with some NTP server, on Ubuntu you can add this to the crontab:

sudo service ntp stop sudo ntpd -gq sudo service ntp start

Validation Window

To avoid problems with clocks that are slightly out of sync, we do not check against the current key only but also consider keys each from the past and future. You can pass as optional third parameter to , it defaults to . A new key is generated every 30 seconds, so this window includes keys from the previous two and next two minutes.

$secret = $request->input('secret'); $window = 8; // 8 keys (respectively 4 minutes) past and future$valid = $google2fa->verifyKey($user->google2fa_secret, $secret, $window);

An attacker might be able to watch the user entering his credentials and one time key. Without further precautions, the key remains valid until it is no longer within the window of the server time. In order to prevent usage of a one time key that has already been used, you can utilize the function.

$secret = $request->input('secret'); $timestamp = $google2fa->verifyKeyNewer($user->google2fa_secret, $secret, $user->google2fa_ts); if ($timestamp !== false) { $user->update(['google2fa_ts' => $timestamp]); // successful } else { // failed }

Note that either (if the key is invalid or has been used before) or the provided key's unix timestamp divided by the key regeneration period of 30 seconds.

Using a Bigger and Prefixing the Secret Key

Although the probability of collision of a 16 bytes (128 bits) random string is very low, you can harden it by:

Use a bigger key

$secretKey = $google2fa->generateSecretKey(32); // defaults to 16 bytes

You can prefix your secret keys

You may prefix your secret keys, but you have to understand that, as your secret key must have length in power of 2, your prefix will have to have a complementary size. So if your key is 16 bytes long, if you add a prefix it must be also 16 bytes long, but as your prefixes will be converted to base 32, the max length of your prefix is 10 bytes. So, those are the sizes you can use in your prefixes:

And it can be used like so:

$prefix = strpad($userId, 10, 'X'); $secretKey = $google2fa->generateSecretKey(16, $prefix);

Window

The Window property defines how long a OTP will work, or how many cycles it will last. A key has a 30 seconds cycle, setting the window to 0 will make the key lasts for those 30 seconds, setting it to 2 will make it last for 120 seconds. This is how you set the window:

$secretKey = $google2fa->setWindow(4);

But you can also set the window while checking the key. If you need to set a window of 4 during key verification, this is how you do:

$isValid = $google2fa->verifyKey($seed, $key, 4);

Key Regeneration Interval

You can change key regeneration interval, which defaults to 30 seconds, but remember that this is a default value on most authentication apps, like Google Authenticator, which will, basically, make your app out of sync with them.

$google2fa->setKeyRegeneration(40);

Google Authenticator secret key compatibility

To be compatible with Google Authenticator, your (converted to base 32) secret key length must be at least 8 chars and be a power of 2: 8, 16, 32, 64...

So, to prevent errors, you can do something like this while generating it:

$secretKey = '123456789'; $secretKey = str_pad($secretKey, pow(2,ceil(log(strlen($secretKey),2))), 'X');

And it will generate

By default, this package will enforce compatibility, but, if Google Authenticator is not a target, you can disable it by doing

$google2fa->setEnforceGoogleAuthenticatorCompatibility(false);

Google Authenticator Apps:

To use the two factor authentication, your user will have to install a Google Authenticator compatible app, those are some of the currently available:

  • Authy for iOS, Android, Chrome, OS X
  • FreeOTP for iOS, Android and Pebble
  • Google Authenticator for iOS
  • Google Authenticator for Android
  • Google Authenticator (port) on Windows Store
  • Microsoft Authenticator for Windows Phone
  • LastPass Authenticator for iOS, Android, OS X, Windows
  • 1Password for iOS, Android, OS X, Windows

Deprecation Warning

Google API for QR generator is turned off. All version of that package prior to 5.0.0 are deprecated. Please upgrade and check documentation regarding QRCode generation.

Testing

The package tests were written with PHPUnit. There are some Composer scripts to help you run tests and analysis:

PHPUnit:

PHPStan analysis:

Authors

License

Google2FA is licensed under the MIT License - see the LICENSE file for details.

Contributing

Pull requests and issues are more than welcome.

Sours: https://github.com/antonioribeiro/google2fa

scheb/2fa-google-authenticator

Build StatusScrutinizer Code QualityCode CoverageLatest Stable VersionMonthly DownloadsTotal DownloadsLicense

This package extends scheb/2fa-bundle with two-factor authentication using Google Authenticator.


This repository is a sub-repository of scheb/2fa and is READ ONLY.

Please do not submit any Pull Request here. Use the main repository instead.

Installation

Please follow the bundle's installation instructions.

Documentation

Documentation can be found on the Symfony Bundles Documentation website.

License

This software is available under the MIT license.

Sours: https://github.com/scheb/2fa-google-authenticator
  1. Youtube the lightning thief
  2. Mike zachary state farm
  3. Pavlov vr quest

Authenticator Build StatusCrowdin

Authenticator generates 2-Step Verification codes in your browser.

Available for Chrome and Firefox

Build Setup

# install development dependencies npm install # compile npm run [chrome, firefox]

Development (Chrome)

# install development dependencies npm install # compiles the Chrome extension to the `./test/chrome` directory npm run dev:chrome # load the unpacked extension from the `./test/chrome/ directory in Chrome

Note that Windows users should download a tool like Git Bash or Cygwin to build.

Sours: https://github.com/Authenticator-Extension/Authenticator

Google Authenticator PAM module

Example PAM module demonstrating two-factor authentication for logging into servers via SSH, OpenVPN, etc…

This project is not about logging in to Google, Facebook, or other TOTP/HOTP second factor systems, even if they recommend using the Google Authenticator apps.

Build Status

Build & install

./bootstrap.sh ./configure make sudo make install

If you don't have access to "sudo", you have to manually become "root" prior to calling "make install".

Setting up the PAM module for your system

For highest security, make sure that both password and OTP are being requested even if password and/or OTP are incorrect. This means that at least the first of (or whatever other module is used to verify passwords) and should be set as , not . It probably can't hurt to have both be , but it could depend on the rest of your PAM config.

If you use HOTP (counter based as opposed to time based) then add the option to make sure the counter isn't incremented for failed attempts.

Add this line to your PAM configuration file:

Setting up a user

Run the binary to create a new secret key in your home directory. These settings will be stored in .

If your system supports the "libqrencode" library, you will be shown a QRCode that you can scan using the Android "Google Authenticator" application.

If your system does not have this library, you can either follow the URL that outputs, or you have to manually enter the alphanumeric secret key into the Android "Google Authenticator" application.

In either case, after you have added the key, click-and-hold until the context menu shows. Then check that the key's verification value matches (this feature might not be available in all builds of the Android application).

Each time you log into your system, you will now be prompted for your TOTP code (time based one-time-password) or HOTP (counter-based), depending on options given to , after having entered your normal user id and your normal UNIX account password.

During the initial roll-out process, you might find that not all users have created a secret key yet. If you would still like them to be able to log in, you can pass the "nullok" option on the module's command line:

Encrypted home directories

If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:

would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.

In addition to "${USER}", the option also recognizes both "~" and as short-hands for the user's home directory.

When using the option, you might want to also set the option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the option, you must not include "~" or "${HOME}" in the filename.

The option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.

Module options

secret=/path/to/secret/file

See "encrypted home directories", above.

authtok_prompt=prompt

Overrides default token prompt. If you want to include spaces in the prompt, wrap the whole argument in square brackets:

user=some-user

Force the PAM module to switch to a hard-coded user id prior to doing any file operations. Commonly used with .

no_strict_owner

DANGEROUS OPTION!

By default the PAM module requires that the secrets file must be owned the user logging in (or if is specified, owned by that user). This option disables that check.

This option can be used to allow daemons not running as root to still handle configuration files not owned by that user, for example owned by the users themselves.

allowed_perm=0nnn

DANGEROUS OPTION!

By default, the PAM module requires the secrets file to be readable only by the owner of the file (mode 0600 by default). In situations where the module is used in a non-default configuration, an administrator may need more lenient file permissions, or a specific setting for their use case.

debug

Enable more verbose log messages in syslog.

try_first_pass / use_first_pass / forward_pass

Some PAM clients cannot prompt the user for more than just the password. To work around this problem, this PAM module supports stacking. If you pass the option, the module queries the user for both the system password and the verification code in a single prompt. It then forwards the system password to the next PAM module, which will have to be configured with the option.

In turn, module also supports both the standard and options. But most users would not need to set those on the .

noskewadj

If you discover that your TOTP code never works, this is most commonly the result of the clock on your server being different from the one on your Android device. The PAM module makes an attempt to compensate for time skew. You can teach it about the amount of skew that you are experiencing, by trying to log it three times in a row. Make sure you always wait 30s (but not longer), so that you get three distinct TOTP codes.

Some administrators prefer that time skew isn't adjusted automatically, as doing so results in a slightly less secure system configuration. If you want to disable it, you can do so on the module command line:

no_increment_hotp

Don't increment the counter for failed HOTP attempts. Normally you should set this so failed password attempts by an attacker without a token don't lock out the authorized user.

nullok

Allow users to log in without OTP, if they haven't set up OTP yet.

PAM requires at least one answer from a module, and causes this module to say . This means that if this option is used at least one other module must have said . One way to do this is to add to the end of the PAM config.

echo_verification_code

By default, the PAM module does not echo the verification code when it is entered by the user. In some situations, the administrator might prefer a different behavior. Pass the option to the module in order to enable echoing.

If you would like verification codes that are counter based instead of timebased, use the binary to generate a secret key in your home directory with the proper option. In this mode, clock skew is irrelevant and the window size option now applies to how many codes beyond the current one that would be accepted, to reduce synchronization problems.

grace_period=seconds

If present and non-zero, provide a grace period during which a second verification code will not be requested. Try setting seconds to 86400 to allow a full-day between requesting codes; or 3600 for an hour.

This works by adding an (IP address, timestamp) pair to the security file after a successful one-time-password login; only the last ten distinct IP addresses are tracked.

allow_readonly

DANGEROUS OPTION!

With this option an attacker with ability to fill up the filesystem (flood server with web requests, or if they have an account just fill the disk up) can force a situation where one-time-passwords can be reused, defeating the purpose of "one time".

By default, if the option is defined the PAM module requires some free space to store the IP address and timestamp of the last login. It could prevent access if a server has no free space or in case of an update config file error. With the option you can ignore any errors which could occur during config file update.

Sours: https://github.com/google/google-authenticator-libpam

Authenticator github google

Authenticator

Two-Factor Authentication Client for iOS.

Build StatusCodecovLatest ReleaseMIT License

Authenticator is a simple, free, and open source two-factor authentication app. It helps keep your online accounts secure by generating unique one-time passwords, which you use in combination with your other passwords to log into supporting websites. The simple combination of the password in your head and the rotating passwords generated by the app make it much harder for anyone but you to access your accounts.

  • Easy: Simple setup via QR code, "otpauth://" URL, or manual entry
  • Secure: All data is stored in encrypted form on the iOS keychain
  • Compatible: Full support for time-based and counter-based one-time passwords as standardized in RFC 4226 and 6238
  • Off the Grid: The app never connects to the internet, and your secret keys never leave your device.

Screenshot of the Authenticator token listScreenshot of the Authenticator QR Code scannerScreenshot of the Authenticator token entry form

Getting Started

  1. Check out the latest version of the project:
  1. In the Authenticator directory, check out the project's dependencies:
  1. Open the file.

If you open the instead, the project will not be able to find its dependencies.

  1. Build and run the "Authenticator" scheme.

Managing Dependencies

Authenticator uses Carthage to manage its dependencies, but it does not currently use Carthage to build those dependencies. The dependency projects are checked out as submodules, are included in , and are built by Xcode as target dependencies of the Authenticator app.

To check out the dependencies, simply follow the "Getting Started" instructions above.

To update the dependencies, modify the Cartfile and run:

License

This project is made available under the terms of the MIT License.

The modern Authenticator grew out of the abandoned source for Google Authenticator for iOS. The original Google code on which this project was based is licensed under the Apache License, Version 2.0.

Sours: https://github.com/mattrubin/Authenticator
How to setup 2FA with GitHub

Configuring two-factor authentication

You can configure two-factor authentication using a mobile app or via text message. You can also add a security key.

We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA. TOTP applications are more reliable than SMS, especially for locations outside the United States. TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.

Warning:

  • If you're a member, billing manager, or outside collaborator to a private repository of an organization that requires two-factor authentication, you must leave the organization before you can disable 2FA on GitHub.
  • If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable two-factor authentication and contact an organization owner.

If you're a member of an enterprise with managed users, you cannot configure 2FA for your managed user account. 2FA should be configured through your identity provider.

Configuring two-factor authentication using a TOTP mobile app

A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as:

Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure 2FA from your security settings.

  1. Download a TOTP app.
  2. In the upper-right corner of any page, click your profile photo, then click Settings. Settings icon in the user bar
  3. In the left sidebar, click Account security. User account security settings
  4. Under "Two-factor authentication", click Enable two-factor authentication. Enable two-factor authentication option
  5. Under "Two-factor authentication", select Set up using an app and click Continue.
  6. Under "Authentication verification", do one of the following:
    • Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on GitHub.
    • If you can't scan the QR code, click enter this text code to see a code that you can manually enter in your TOTP app instead. Click enter this code
  7. The TOTP mobile application saves your GitHub account and generates a new authentication code every few seconds. On GitHub, type the code into the field under "Enter the six-digit code from the application". If your recovery codes are not automatically displayed, click Continue. TOTP enter code field
  8. Under "Save your recovery codes", click Download to download your recovery codes to your device. Save them to a secure location because your recovery codes can help you get back into your account if you lose access. List of recovery codes to download
  9. After saving your two-factor recovery codes, click I have saved my recovery codes to enable two-factor authentication for your account.
  10. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Configuring two-factor authentication using text messages

If you're unable to authenticate using a TOTP mobile app, you can authenticate using SMS messages. You can also provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back in to your account.

Before using this method, be sure that you can receive text messages. Carrier rates may apply.

Warning: We strongly recommend using a TOTP application for two-factor authentication instead of SMS. GitHub doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where GitHub supports authentication via SMS. For more information, see "Countries where SMS authentication is supported".

  1. In the upper-right corner of any page, click your profile photo, then click Settings. Settings icon in the user bar

  2. In the left sidebar, click Account security. User account security settings

  3. Under "Two-factor authentication", click Enable two-factor authentication. Enable two-factor authentication option

  4. Under "Two-factor authentication", select Set up using SMS and click Continue.

  5. Under "Authentication verification", select your country code and type your mobile phone number, including the area code. When your information is correct, click Send authentication code.

    2FA SMS screen

  6. You'll receive a text message with a security code. On GitHub, type the code into the field under "Enter the six-digit code sent to your phone" and click Continue.

    2FA SMS continue field

  7. Under "Save your recovery codes", click Download to download your recovery codes to your device. Save them to a secure location because your recovery codes can help you get back into your account if you lose access. List of recovery codes to download

  8. After saving your two-factor recovery codes, click I have saved my recovery codes to enable two-factor authentication for your account.

  9. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Configuring two-factor authentication using a security key

After you configure 2FA using a mobile app or via text message, you can add a security key, like a fingerprint reader or Windows Hello. The technology that enables authentication with a security key is called WebAuthn. WebAuthn is the successor to U2F and works in all modern browsers. For more information, see "WebAuthn" and "Can I Use."

On most devices and browsers, you can use a physical security key over USB or NFC. Some browsers can use the fingerprint reader, facial recognition, or password/PIN on your device as a security key.

Authentication with a security key is secondary to authentication with a TOTP application or a text message. If you lose your security key, you'll still be able to use your phone's code to sign in.

  1. You must have already configured 2FA via a TOTP mobile app or via SMS.
  2. Ensure that you have a WebAuthn compatible security key inserted into your computer.
  3. In the upper-right corner of any page, click your profile photo, then click Settings. Settings icon in the user bar
  4. In the left sidebar, click Account security. User account security settings
  5. Next to "Security keys", click Add. Add security keys option
  6. Under "Security keys", click Register new security key. Registering a new security key
  7. Type a nickname for the security key, then click Add. Providing a nickname for a security key
  8. Activate your security key, following your security key's documentation. Prompt for a security key
  9. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. If you lose access to your account, you can use your recovery codes to get back into your account. For more information, see "Recovering your account if you lose your 2FA credentials." Download recovery codes button
  10. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Further reading

Sours: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

Now discussing:

Google Authenticator OpenSource

The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms. One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).

This GitHub project is specifically for the Google Authenticator apps which target the Blackberry and iOS mobile platforms.

Other related Google Authenticator opensource projects can be found as noted below:

There are no account backups in any of the apps by design.

These apps are not on the app stores, and their code has diverged from what's in the app stores, so patches here won't necessarily show up in those versions.

These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

Further documentation is available in the Wiki.

Sours: https://github.com/google/google-authenticator


27282 27283 27284 27285 27286