sFire PHP Framework

One Time Password

One Time Passwords (OTP) can help you create secure websites and applications. An OTP is more secure than a static password, especially a user-created password, which can be weak and/or reused across multiple accounts. OTPs may replace authentication login information or may be used in addition to it to add another layer of security. sFire has a built-in OTP driver which gives you the tools to easily create and verify One Time Passwords.

In this section we will handle:

  • Setting the Time-based One Time password driver
  • Setting the HMAC One Time password driver
  • Generating secret key

Setting the Time-based One Time password driver

Time-based OTP (TOTP for short) is based on HOTP, but the moving factor is time instead of a counter. TOTP uses time in increments called the timestep, which is usually 30 or 60 seconds. This means that each OTP is valid for the duration of the timestep.

Time-based password
use sFire\OTP\OTP;

$totp = new OTP();
$totp -> setDriver('totp');

Click here to view more information about the usage of the TOTP driver.

Setting the HMAC One Time password driver

Event-based OTP (also called HOTP, meaning HMAC-based One-Time Password) is the original One-Time Password algorithm and relies on two pieces of information. The first is the secret key, called the "seed", which is known only by the token and the server that validates submitted OTP codes. The second piece of information is the moving factor which, in event-based OTP, is a counter. The counter is stored in the token and on the server. The counter in the token increments when the button on the token is pressed, while the counter on the server is incremented only when an OTP is successfully validated.

HMAC-based password
use sFire\OTP\OTP;

$hotp = new OTP();
$hotp -> setDriver('hotp');

Click here to view more information about the usage of the HOTP driver.
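
The HOTP and TOTP mechanisms described in the two sections above, written out as stand-alone PHP following RFC 4226 and RFC 6238. This is an added example, not sFire's own code or driver API; the function names hotp, totp, verifyHotp and check, the look-ahead window of 3, and the raw-byte secret (the RFCs' published test key) are assumptions made for illustration.

```php
<?php
// Added illustration of RFC 4226 (HOTP) and RFC 6238 (TOTP); not sFire's implementation.

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f; // low nibble of the last byte selects 4 bytes
    $code   = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;

    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the same computation; the counter is the number of timesteps since the Unix epoch.
function totp(string $secret, int $time, int $timestep = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($time, $timestep), $digits);
}

// Server-side HOTP check. The token's counter can run ahead of the server's
// (button pressed without logging in), so a small look-ahead window is tried.
// Returns the counter value to store after a success, or null on failure;
// the stored counter only moves forward, so an accepted code cannot be replayed.
function verifyHotp(string $secret, int $serverCounter, string $submitted, int $window = 3): ?int
{
    for ($i = 0; $i <= $window; $i++) {
        // hash_equals compares in constant time
        if (hash_equals(hotp($secret, $serverCounter + $i), $submitted)) {
            return $serverCounter + $i + 1;
        }
    }
    return null;
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

$secret = '12345678901234567890'; // test key published in RFC 4226 / RFC 6238
check(hotp($secret, 0) === '755224', 'RFC 4226 vector, counter 0');
check(hotp($secret, 1) === '287082', 'RFC 4226 vector, counter 1');
check(totp($secret, 59, 30, 8) === '94287082', 'RFC 6238 vector, T = 59 s');

$next = verifyHotp($secret, 0, '287082');  // token is one press ahead of the server
check($next === 2, 'server counter resynchronises past the accepted code');
check(verifyHotp($secret, $next, '287082') === null, 'replayed code is rejected');
echo "all checks passed\n";
```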

Generating secret key

Not all characters are allowed in an OTP secret key. sFire provides an easy way to generate a secret key with the generateSecret method. By default, it generates a 16-character key made up of numbers, lowercase letters and capital letters.

Parameters
$otp -> generateSecret([integer $length, boolean $numbers, boolean $letters, boolean $capitals]);
Examples
use sFire\OTP\OTP;

$otp = new OTP();
$otp -> generateSecret(); //Output similar to: QAfQ6nhYkhOHlN6W

//Key with a length of 32 characters
$otp -> generateSecret(32); //Output similar to: CM3o64thy75COQPXwCW7Ws4ojUsgYh5r

//Only numbers
$otp -> generateSecret(16, true, false, false);  //Output similar to: 4744373477442653

//Only numbers and lowercase characters
$otp -> generateSecret(16, true, true, false);  //Output similar to: wy26xisbx7abkzcw