authenticatron.eustasy.org
Open in
urlscan Pro
2606:4700:3031::ac43:a50b
Public Scan
URL:
https://authenticatron.eustasy.org/
Submission: On July 08 via automatic, source certstream-suspicious — Scanned from DE
Submission: On July 08 via automatic, source certstream-suspicious — Scanned from DE
Form analysis 1 forms found in the DOM
POST #example
<form action="#example" method="POST">
<!-- WARNING: You should never reveal real secrets like this. -->
<input name="secondfactor_secret" type="hidden" value="PHEFUDB7L7RZT47R">
<label for="secondfactor_code">2fa Code</label>
<input name="secondfactor_code" id="secondfactor_code" type="text" maxlength="6">
<input type="submit" value="Check">
</form>Text Content
AUTHENTICATRON
A simple PHP script to create TOTP secrets and corresponding QR codes,
then verify the entered response over a given time variance.
homepage documentation glossary server source
INSTALLATION
Install
composer require eustasy/authenticatron
Require
//// Import eustasy\Authenticatron with Composer
require_once __DIR__ . '/vendor/autoload.php';
use eustasy\Authenticatron;
QUICK IMPLEMENTATION
STEP 1.
Authenticatron::new to create a new secret for a member, and fetch a secure
image for scanning.
Code
Authenticatron::new($accountName, $issuer)
Input
$accountName is a string containing your members username or nice-name,
perferably something unique and quickly identifiable.
$issuer is a string containing the name of your app or site.
Output
Outputs an array, where Secret is the Secret for the member, URL is an OTPAuth
URL, and QR is the Data64 URI for the QR code.
array(3) {
["Secret"]=>
string(16) "PHEFUDB7L7RZT47R"
["URL"]=>
string(113) "otpauth://totp/Authenticatron Example Page: John Smith?secret=PHEFUDB7L7RZT47R&issuer=Authenticatron+Example+Page"
["QR"]=>
string(722) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALQAAAC0AQMAAAAHA5RxAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABq0lEQVRYhdWX7RGDQAhE6YD+u6QDwj6IYwGbH1HH6DtnLtzydRH/fnR3VXRkdUbNKWDkxZVV3dHFR2Hl85RzzpTzmK27nTdwfrPiF5yhWbk10Mt1VaaWTesW7/U0cHR/H29/MHB8NKVHzD0e5uKN5HFrxdvaZeKZMXL3TC23nccZcXKUx6EY4684+UybeNRon2g0o1aOPXppnR1ejtPKFKzbj8rIx6MmFpCmCIo+3W08chOqnKvmsb2csNBaFQkwVnsb72Re7FLkMWbl1B1FBMrk+a2Ln+7nY5OV0ssJ580XTWQQJD6uQOjVJ1Ud7tXHVQtCkhQJUGnEybGiSB6bonLX0MXJFlve8KgLax/HIoU3cyeF2cjHlwhmsquiI25WExfhIi/JrfL6DQ+XKxFssomk+uQrC1dSpV0pYlyhcXK5uHwptzHSnJe3bZxS/3R09KdWXg2lOCD82WXi+NDmugyWr6uMnDZRm46qrQrXFrk4bRzVEnG2t3Py3lb3tk/d21pbORNLkSQG083jtgNbc27f5+JqKLZjlz5JJTXy3n4Leahv37Jg4v99fACjewZOPV7MygAAAABJRU5ErkJggg=="
}
Handling
You'll want to store ['Secret'] with the member, but make sure you get them to
confirm a code before enforcing it, or it might not have worked and they would
be locked out of their account. Make sure that this is as protected as a
password hash.
['QR'] is the Data64 URI for the QR code. You can simply echo it into an img
element like this:
<img src="<?php echo $secondAuth['QR']; ?>" alt="Second Factor Authentication Code">
Example
Try scanning this into an app like Google Authenticator. You should see a code
and a countdown clock until it changes.
STEP 2.
Use Authenticatron::checkCode to confirm the setup and check time-unique codes
at every login.
Code
Authenticatron::checkCode($code, $secret)
Input
$code is the user input, the code that is generated on their device for
authentication. Should be numeric-only in most cases, alpha-numeric if you
change some settings.
$secret is the secret the member scanned that you securely stored for later.
$variance is an optional integer indicating the adjustment of codes with a 30
second value. Defaults to 2 either side, or 1 minute.
Output
Outputs a boolean value, true if the entered code is within allowed range, false
if not.
bool(true)
Handling
You only need to check an input is alpha-numeric, and maybe 6 characters long
before checking it against a retreieved secret.
$secret = ...;
if (
strlen($_POST['secondfactor_code']) == 6 &&
ctype_alnum($_POST['secondfactor_code'])
) {
if ( Authenticatron::checkCode($_POST['secondfactor_code'], $secret) ) {
// Authenticated, log in...
} else {
// Incorrect code
}
} else {
// Invalid entry
}
Example
Enter the code that your device generates after scanning the image to from Step
1.
2fa Code
--------------------------------------------------------------------------------
FURTHER READING
Visit our documentation for a more thorough description of the options and
functions available to you.
Take a look at the glossary if there are any terms you don't understand.
The server page can be used if this script is installed on your server to check
for requirements.
This work is predominantly MIT licensed. See the LICENSE.md file for more
information.
If you're ready to rock, check out the source!