Google Authenticator using PHP


Google Authenticator is a free app for your smartphone that generates a new code every 30 seconds. It works like this:

When enabling 2FA, the application you're securing generates a QR code that users scan with their phone camera to add the profile to their Google Authenticator app.

The user's smartphone then generates a new code every 30 seconds to use for the second part of authentication to the application.

It is useful for verifying a user's identity before giving them access to a website or application, and it helps protect accounts against password theft.

How does it work?

The image below shows how Google Authenticator works in two-factor authentication. At login, it provides an extra layer of authentication on top of the user's credentials: the user is asked to enter the Google Authenticator code, which is generated by the mobile app after scanning the QR code or manually entering the setup key. The user is granted access to the application only after successful verification.

The user of the app or system needs to associate their account with the Google Authenticator application installed on their smartphone. This association is made by reading a QR code or entering the code manually (in both cases, the code must be generated by the system itself).

Below, you can view the main interface of the Google Authenticator app. Each set of 6 digits refers to a specific system.


We'll use the PHPGangsta GoogleAuthenticator library to:

1. Generate a secret key for each user.
2. Generate the QR code for your user to scan when they enable 2FA.
3. Verify that the code entered is valid at login.

Generating the Secret Key:

Each user needs to have a “secret key” stored against their account (for example, a column in the database table where you store your user account information).

This key is used to generate the QR code that they scan, then subsequently to verify that the code they enter at login is correct.

Here’s the PHP that you need:


require_once 'PHPGangsta/GoogleAuthenticator.php';

$ga = new PHPGangsta_GoogleAuthenticator();

// Generate a random Base32 secret; store it against the user's account
$secret = $ga->createSecret();

echo "Secret is: ".$secret."\n\n";



Note: although the secret key appears to be just a text string, to be compatible with Google Authenticator it has to be a Base32 string.

Generating the QR Code:

Using the same library, we can generate the text string that makes up the QR code. Then we can use a public API to generate a QR code image.


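require_once 'PHPGangsta/GoogleAuthenticator.php';

$ga = new PHPGangsta_GoogleAuthenticator();

// $secret is the user's secret key generated in the previous step.
// The returned URL carries the otpauth:// string, including the secret, as a query parameter.
$qrCodeUrl = $ga->getQRCodeGoogleUrl('Blog', $secret);

echo "Google Charts URL for the QR-Code: ".$qrCodeUrl."\n\n";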


Verifying entered codes:

When the user logs in, you can then verify the code they’ve entered is valid by using their secret key and the code they entered into your UI.


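require_once 'PHPGangsta/GoogleAuthenticator.php';

$ga = new PHPGangsta_GoogleAuthenticator();

// $secret: the secret key stored for this user
// $otp: the 6-digit code the user entered at login
// 2: clock tolerance, in 30-second steps either side of the current time
$checkResult = $ga->verifyCode($secret, $otp, 2);

if ($checkResult) {

   echo 'OK';

} else {

   echo 'FAILED';

}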
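
What a check like verifyCode() with a tolerance of 2 amounts to, written out as an added example (not the library's code and not from the original post): the RFC 6238 computation over the Base32 secret, a window of 2 steps either side, and rejection of a code whose time step was already accepted. The function names and the stored `$lastStep` value are assumptions made for this sketch.

```php
<?php
// Added example, not PHPGangsta code. Helper names and $lastStep are assumptions.

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('secret is not Base32');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {   // drop a trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP value (RFC 4226) for one 30-second step, as a zero-padded 6-digit string.
function totpAt(string $key, int $step): string {
    $hash = hash_hmac('sha1', pack('N2', 0, $step), $key, true);
    $offset = ord($hash[19]) & 0x0F;
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 1000000), 6, '0', STR_PAD_LEFT);
}

// Returns the matched step (persist it as the user's new $lastStep) or null.
function verifyTotp(string $secretB32, string $code, int $window, int $lastStep, int $now): ?int {
    $key = base32Decode($secretB32);
    $current = intdiv($now, 30);
    $matched = null;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totpAt($key, $current + $i), $code)) {
            $matched = $current + $i;
        }
    }
    // Reject codes from a step that was already accepted (replay).
    return ($matched !== null && $matched > $lastStep) ? $matched : null;
}

// Constructed input: RFC 6238 SHA-1 test key; its 8-digit vector at T=59 ends in 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$step = verifyTotp($secret, '287082', 2, 0, 59);
var_dump($step);
var_dump(verifyTotp($secret, '287082', 2, $step, 59)); // same code again, now with stored step
```

In an application, `$now` would be `time()` and the returned step would be saved with the user record after each successful login.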


