1. First create a secret and associate it with a user:
   <?php /* $tfa is assumed to be a RobThree\Auth\TwoFactorAuth instance */ $secret = $tfa->createSecret(); ?>
2. Next create a QR code and let the user scan it:

   ...or display the secret to the user for manual entry:
   <?php $code = $tfa->getCode($secret); ?>
3. Next, have the user verify the code; at this time the code displayed by a 2FA-app would be: (but that changes periodically)
4. When the code checks out, 2FA can be / is enabled; store the (encrypted?) secret with the user and have the user verify a code each time a new session is started.
5. When the aforementioned code () was entered, the result would be:
   <?php if ($tfa->verifyCode($secret, $code) === true) { ?> OK <?php } else { ?> FAIL <?php } ?>

Note: Make sure your server time is NTP-synced! Depending on the $discrepancy allowed, your time cannot drift too much from the users' time!

<?php
// $tfa is assumed to be a RobThree\Auth\TwoFactorAuth instance
try {
    $tfa->ensureCorrectTime();
    echo 'Your hosts time seems to be correct / within margin';
} catch (RobThree\Auth\TwoFactorAuthException $ex) {
    echo 'Warning: Your hosts time seems to be off: ' . $ex->getMessage();
}
?>
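
The following is an added example, not the library's own code: a standalone RFC 6238 TOTP check that shows how the allowed $discrepancy interacts with server clock drift. The function names, the sample secret and the timestamps are constructed; HMAC-SHA1, 6 digits and a 30-second period are assumed. With a discrepancy of 1, a server clock that is 90 seconds off falls outside the accepted window.

```php
<?php
// Added example: minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s period assumed).
// Function names, the secret and the timestamps are constructed for illustration.

function base32Decode(string $b32): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {              // drop trailing padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

function totpAt(string $secret, int $time, int $period = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($time, $period));            // 64-bit big-endian time step
    $hash = hash_hmac('sha1', $counter, base32Decode($secret), true);
    $offset = ord($hash[19]) & 0x0F;                         // dynamic truncation (RFC 4226)
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept a code from up to $discrepancy periods before or after the server's time step.
function verifyAt(string $secret, string $code, int $serverTime, int $discrepancy = 1): bool
{
    $ok = false;
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        // hash_equals compares in constant time; every window is always checked
        $ok = hash_equals(totpAt($secret, $serverTime + $i * 30), $code) || $ok;
    }
    return $ok;
}

$secret = 'JBSWY3DPEHPK3PXP';     // constructed sample secret
$userTime = 1700000000;           // constructed: clock on the user's device
$code = totpAt($secret, $userTime);
foreach ([0, 25, 90] as $drift) { // server clock ahead of the user by $drift seconds
    $result = verifyAt($secret, $code, $userTime + $drift) ? 'OK' : 'FAIL';
    printf("server drift %2ds, discrepancy 1: %s\n", $drift, $result);
}
```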