Totp

This class provides RFC 6238-compliant Time-based One-Time Passwords, compatible with Google Authenticator (with PassCodeLength = 6 and TimePeriod = 30).

since

4.0.0

Methods

__construct

Initialises an RFC6238-compatible TOTP generator. Please note that this class does not implement the constraint in the last paragraph of §5.2 of RFC6238. It's up to you to ensure that the same user/device does not retry validation within the same Time Step.

__construct(integer $timeStep = 30, integer $passCodeLength = 6, integer $secretLength = 10, Object $base32 = null) 

Arguments

$timeStep

integer: The Time Step (in seconds). Use 30 to be compatible with Google Authenticator.

$passCodeLength

integer: The generated passcode length. Default: 6 digits.

$secretLength

integer: The length of the secret key. Default: 10 bytes (80 bits).

$base32

Object: The Base32 encoder/decoder

checkCode

Checks if the given passcode $code is a valid TOTP generated using secret key $secret

checkCode(string $secret, string $code) : boolean

Arguments

$secret

string: The Base32-encoded secret key

$code

string: The passcode to check

Response

boolean: True if the code is valid

generateSecret

Generates a (semi-)random Secret Key for TOTP generation

generateSecret() : string
note

Since 3.9.25 we use the secure method "random_bytes" over the original insecure "rand" function. The random_bytes function has been backported to outdated PHP versions by the core-shipped library paragonie/random_compat.

Response

string

getCode

Gets the TOTP passcode for a given secret key $secret and a given UNIX timestamp $time

getCode(string $secret, integer $time = null) : string

Arguments

$secret

string: The Base32-encoded secret key

$time

integer: UNIX timestamp

Response

string

getPeriod

Get the time period based on the $time timestamp and the Time Step defined. If $time is skipped or set to null the current timestamp will be used.

getPeriod(integer|null $time = null) : integer

Arguments

$time

integer|null: Timestamp

Response

integer: The time period since the UNIX Epoch
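
The constructor note leaves the RFC 6238 §5.2 one-time-use constraint to the caller. The following wrapper is an added example, not Joomla code: it uses only the getPeriod() and getCode() methods documented on this page to accept each time step at most once per user. The function name checkCodeOnce, the $store array, the $userId key and the $window drift parameter are assumptions made for illustration.

```php
<?php
/**
 * Added example (not part of the Totp class): replay-safe passcode check.
 *
 * Assumptions: $totp is an instance of the Totp class documented here, built
 * with the same $timeStep that is passed in; $store stands in for a per-user
 * persistent record (database column, cache entry); $window is the number of
 * neighbouring time steps tolerated for clock drift.
 */
function checkCodeOnce(object $totp, array &$store, string $userId, string $secret,
                       string $code, int $timeStep = 30, int $window = 1): bool
{
    $current  = (int) $totp->getPeriod();   // time steps since the UNIX Epoch
    $lastUsed = $store[$userId] ?? -1;       // highest time step already consumed
    $matched  = null;

    // Visit every candidate step so response time does not show which one matched.
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        $expected = (string) $totp->getCode($secret, $step * $timeStep);

        if (hash_equals($expected, $code) && $matched === null) {
            $matched = $step;
        }
    }

    // Reject wrong codes, and any code from a step at or before the last accepted one.
    if ($matched === null || $matched <= $lastUsed) {
        return false;
    }

    // Record the consumed step before granting access.
    $store[$userId] = $matched;

    return true;
}
```

With a real backing store, the comparison against the last used step and the update should happen atomically (for example a conditional UPDATE), so two concurrent requests cannot both consume the same passcode.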

getUrl

Returns a QR code URL for easy setup of TOTP apps like Google Authenticator

getUrl(string $user, string $hostname, string $secret) : string

Arguments

$user

string: User

$hostname

string: Hostname

$secret

string: Secret string

Response

string

hashToInt

Extracts a part of a hash as an integer

hashToInt(string $bytes, string $start) : string

Arguments

$bytes

string: The hash

$start

string: The char to start from (0 = first char)

Response

string

Properties

_passCodeLength

Passcode length

Type(s)

integer

_pinModulo

Pin modulo

Type(s)

integer

_secretLength

The length of the secret in bytes.

RFC 4226: "The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits." The original value was 10 bytes (80 bits); this value has been increased to 20 (160 bits) with Joomla! 3.9.25.

Type(s)

integer

_timeStep

Timestep

Type(s)

integer

_base32

Base32

Type(s)

integer