PHP Class: x_class_2fa

The x_class_2fa class enables secure two-factor authentication (2FA) using time-based one-time passwords (TOTPs). It relies on a Base32-encoded secret key (RFC 4648, no padding) to generate and verify short-lived codes, typically valid for 30 seconds. The default code length is 6 digits but can be customized via the $codeLength parameter. Accurate server time is crucial for successful code validation.

Use the class by including /_framework/classes/x_class_2fa.php.

Dependencies

  • PHP 7.1–7.4
  • PHP 8.0–8.4

PHP Modules

  • session: Required if you intend to associate 2FA codes with session data. Typically bundled in PHP by default.
  • hashing: Required for HMAC-SHA1 operations used in generating and verifying codes. Included by default in standard PHP installations.

Methods


__construct

Initializes the 2FA class with a Base32-encoded secret key and an optional code length.

| Parameter | Type | Description | Default |
| --- | --- | --- | --- |
| $secretKey | string | The Base32-encoded secret key used for generating and verifying 2FA codes. | None |
| $codeLength | int | The length of the 2FA code to be generated. | 6 |

| Return Value | When does this return value occur? |
| --- | --- |
| void | Always. This is a constructor and returns nothing. |

generateSecretKey

Generates a cryptographically secure Base32-encoded secret key for 2FA.

| Parameter | Type | Description | Default |
| --- | --- | --- | --- |
| $length | int | Number of random bytes to generate before encoding. | 16 |

| Return Value | When does this return value occur? |
| --- | --- |
| string (Base32-encoded) | Always returns a Base32-encoded string representing the key. |

generateCode

Generates a time-based one-time password (TOTP) using the secret key.

| Parameter | Type | Description | Default |
| --- | --- | --- | --- |
| $forTime | int | Optional Unix timestamp to generate the code for (for testing/debugging). | null |

| Return Value | When does this return value occur? |
| --- | --- |
| string | Returns a numeric code that is valid for a 30-second time window. |

verifyCode

Verifies whether the provided code is valid for the current or nearby time windows.

| Parameter | Type | Description | Default |
| --- | --- | --- | --- |
| $code | string | The 2FA code to verify. | None |
| $window | int | Number of 30-second intervals to allow as drift (e.g. 1 = ±30s). | 1 |

| Return Value | When does this return value occur? |
| --- | --- |
| true | If the provided code is valid within the allowed time window. |
| false | If the code does not match or is outside the acceptable time drift. |

Example

<?php
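// Example: Using the x_class_2fa class for generating and verifying 2FA codes

// Include the class file (path as given above; adjust it to your installation)
require_once "/_framework/classes/x_class_2fa.php";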

// Step 1: Generate a new Base32 secret key
$secretKey = x_class_2fa::generateSecretKey();

// Step 2: Initialize the 2FA class
$twofa = new x_class_2fa($secretKey);

// Step 3: Generate a 2FA code
$generatedCode = $twofa->generateCode();
echo "Generated 2FA Code: " . $generatedCode . "\n";

// Step 4: Verify the 2FA code
$isCodeValid = $twofa->verifyCode($generatedCode);
if ($isCodeValid) {
    echo "The 2FA code is valid.\n";
} else {
    echo "The 2FA code is invalid.\n";
}

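// Step 5: Wait for the next 30-second window, in which a different code is generated.
// With the default $window of 1 (±30s), verifyCode() still accepts the previous code for one more interval.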
sleep(30);
$newCode = $twofa->generateCode();
echo "New 2FA Code after 30 seconds: " . $newCode . "\n";
?>
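
For reference, an independent sketch of the computation the method descriptions above outline (unpadded Base32 key, HMAC-SHA1, 30-second steps, ± $window drift), added here and not taken from the x_class_2fa source. The function names and the $lastStep replay guard are assumptions for illustration; a caller would store the last accepted step per user, for example in session data.

```php
<?php
// Added example: independent RFC 6238 sketch, not the x_class_2fa source.
// b32decode(), totp() and totpVerify() are hypothetical names.
// Decode unpadded RFC 4648 Base32 into raw key bytes.
function b32decode(string $b32): string {
    $bits = '';
    foreach (str_split(strtoupper($b32)) as $ch) {
        $pos = strpos('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid Base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { // leftover bits are encoding padding
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HMAC-SHA1 over the 30-second step counter, then dynamic truncation.
function totp(string $key, int $step, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('N2', 0, $step), $key, true);
    $offset = ord($hash[19]) & 0x0F;
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the accepted step or null. Steps <= $lastStep are refused (replay).
function totpVerify(string $key, string $code, int $now, int $window = 1, int $lastStep = -1): ?int {
    $current = intdiv($now, 30);
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        if ($step > $lastStep && hash_equals(totp($key, $step), $code)) {
            return $step;
        }
    }
    return null;
}

// RFC 6238 Appendix B test key (ASCII "12345678901234567890"), SHA-1 vector.
$key = b32decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
if (totp($key, intdiv(59, 30), 8) !== '94287082') {
    throw new RuntimeException('RFC 6238 vector mismatch');
}
$code = totp($key, 1);               // code for step 1 (t = 30..59)
$step = totpVerify($key, $code, 75); // presented one step late, inside the window
var_dump($step, totpVerify($key, $code, 75, 1, $step)); // accepted step, then replay result
```

The comparison uses hash_equals() so the check does not leak how many leading digits matched, and the expected code length is fixed by the server rather than taken from the submitted value.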