Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a security mechanism that requires a user to provide two or more independent verification factors before access is granted. The three classical factors are:

  • Something you know: a password or PIN.

  • Something you have: a hardware token, authenticator app (TOTP/HOTP), or SMS code.

  • Something you are: a biometric such as a fingerprint or face recognition.

Requiring at least two factors dramatically reduces the risk of account compromise: stealing a password alone is no longer enough.

In the PHP ecosystem, MFA is relevant both at the application level (protecting user accounts) and at the infrastructure level. Packagist, for example, has introduced mandatory MFA for package publishers to harden the supply chain against account takeover.

PHP itself does not ship MFA libraries, but the ecosystem offers several: scheb/2fa-bundle (Symfony), pragmarx/google2fa (Laravel), and generic TOTP/HOTP packages such as spomky-labs/otphp, which the snippet below uses.

<?php

// Requires spomky-labs/otphp (composer require spomky-labs/otphp)
use OTPHP\TOTP;

// Enrolment: generate a random TOTP secret and store it on the user record
// (encrypt it at rest; it is as sensitive as a password hash is not).
$totp   = TOTP::generate();
$secret = $totp->getSecret(); // Base32 string, also shown once to the user as a QR code

// Login (a later request): rebuild the TOTP object from the stored secret
// and verify the code the user typed.
$storedSecret = $secret; // in practice, loaded from the user record
$totp = TOTP::createFromSecret($storedSecret);

$userCode = (string) ($_POST['totp_code'] ?? '');
if (!$totp->verify($userCode)) {
    throw new RuntimeException('Invalid MFA code');
}

?>
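To make the "something you have" factor concrete, and to show what the library call above does under the hood, here is an added example (not code from the page or from any of the packages it lists) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with PHP built-ins only, checks itself against the published RFC test vectors, and then walks through enrolment (secret generation and the otpauth:// URI that becomes the QR code) and verification with a bounded clock-drift window. The issuer name and account label are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the page or from any package it lists.
// A from-scratch HOTP (RFC 4226) / TOTP (RFC 6238) implementation on PHP
// built-ins, showing what the authenticator-app factor actually computes and
// how a server verifies it with a bounded clock-drift window.

function hotp(string $secret, int $counter, int $digits = 6, string $algo = 'sha1'): string
{
    // The moving factor is an 8-byte big-endian counter (RFC 4226 section 5.1).
    $message = pack('J', $counter);
    $hmac    = hash_hmac($algo, $message, $secret, true);

    // Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    // whose top bit is masked so the result is a non-negative 31-bit integer.
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0F;
    $code   = ((ord($hmac[$offset])     & 0x7F) << 24)
            |  (ord($hmac[$offset + 1]) << 16)
            |  (ord($hmac[$offset + 2]) << 8)
            |   ord($hmac[$offset + 3]);

    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unixTime, int $period = 30, int $digits = 6, string $algo = 'sha1'): string
{
    // TOTP is HOTP with the counter replaced by the number of elapsed time steps.
    return hotp($secret, intdiv($unixTime, $period), $digits, $algo);
}

function verifyTotp(string $secret, string $userCode, int $now, int $window = 1, int $period = 30): bool
{
    // Accept the current step and $window steps either side to tolerate clock drift.
    // Compare in constant time and do not return early, so timing does not reveal
    // which step matched. Callers must also rate-limit attempts and refuse to accept
    // a code that has already been used (RFC 6238 section 5.2).
    $valid = false;
    for ($step = -$window; $step <= $window; $step++) {
        $expected = totp($secret, $now + $step * $period, $period);
        if (hash_equals($expected, $userCode)) {
            $valid = true;
        }
    }
    return $valid;
}

function base32Encode(string $bytes): string
{
    // Unpadded RFC 4648 Base32, the form authenticator apps expect in otpauth:// URIs.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

// Self-check against the published test vectors (ASCII secret "12345678901234567890").
$rfcSecret = '12345678901234567890';
$vectorsOk = hotp($rfcSecret, 0) === '755224'            // RFC 4226 appendix D, counter 0
          && hotp($rfcSecret, 1) === '287082'            // counter 1
          && totp($rfcSecret, 59, 30, 8) === '94287082'; // RFC 6238 appendix B, T=59, SHA-1
echo $vectorsOk ? "RFC vectors: OK\n" : "RFC vectors: FAILED\n";

// Enrolment: a fresh 160-bit secret, stored server-side and shown once to the user
// as an otpauth:// URI (usually rendered as a QR code). Issuer and account are placeholders.
$secret = random_bytes(20);
$uri = sprintf(
    'otpauth://totp/%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30',
    rawurlencode('ExampleApp:alice@example.com'),
    base32Encode($secret),
    rawurlencode('ExampleApp')
);
echo $uri, "\n";

// Login: the user types the code from the app; verify it against the stored secret.
$submitted = totp($secret, time()); // stands in for $_POST['totp_code'] in this demo
echo verifyTotp($secret, $submitted, time()) ? "MFA code accepted\n" : "MFA code rejected\n";
```

The self-check passes only if the truncation and counter encoding are exactly right, which is why the RFC vectors are worth keeping in any real implementation's test suite. The same window-and-replay logic is what a library such as spomky-labs/otphp performs inside `verify()`; rolling your own is only justified where no maintained package is available, and the shared secret must be protected at least as carefully as the password database.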

Documentation

See also The Quiet Shift Reshaping PHP Security and NIST SP 800-63B: MFA guidelines.

Related: Authentication, One-Time Password (OTP), Single Sign On (SSO), OAuth, Password, Security, Supply Chain Attack, Packagist

Related packages: scheb/2fa-bundle, pragmarx/google2fa, spomky-labs/otphp