How to use Google Two Factor Authentication in your project?

At our end we treat security as a priority; implementing different ways to secure a website should be a priority for every developer.

Today we are going to discuss how to implement two-factor authentication using Google Authenticator.

What is Two Factor Authentication?

2FA is nothing new. In fact it has already been widely adopted by most major platforms (Facebook, Apple, Google etc.) as a means of making account logins more secure.

Two Factor Authentication, also known as 2FA, two-step verification or TFA, is an extra layer of security (a form of “multi-factor authentication”) that requires not only a username and password but also something that only that user has: a piece of information only they should know, or an item only they have immediately to hand, such as a physical token.

So how does the user get the code?

  • Historically this required the user to carry a widget or card reader device (in the case of bank accounts) on their person, to generate a unique code.
  • Recently a popular method has been sending the user an SMS with a one time use code.

However there are other options…

How Google Authenticator works

Google Authenticator is a free app for your smartphone that generates a new code every 30 seconds. It works like this:

  1. When enabling 2FA, the application you’re securing generates a QR code that users scan with their phone camera to add the profile to their Google Authenticator app.
  2. Your user’s smartphone then generates a new code every 30 seconds to use for the second part of authentication to the application.

Implementing Google Authenticator on your website using PHP

The easiest way to do this is to use an open source Composer package to do the tricky stuff for you: sonata-project/google-authenticator on Packagist (packagist.org), a library to integrate Google Authenticator into a PHP project.

You’ll use the library to:

  • Generate the QR code for your users to scan when they enable 2FA.
  • Verify that the code entered is valid at login.

Generating the QR Code

$g = new \Google\Authenticator\GoogleAuthenticator();
$salt = '7WAO342QFANY6IKBF7L7SWEUU79WL3VMT920VB5NQMW';
// The shared secret the phone will use; it must be reproduced exactly at login.
// (Deriving it from the username and a fixed salt means one leaked salt exposes
// every user's secret; the library's generateSecret() gives a random per-user value.)
$secret = $username.$salt;
// The library builds the otpauth:// URL and wraps it in a QR-code image URL.
echo '<img src="'.$g->getURL($username, 'example.com', $secret).'" />';


Verifying entered codes

You need to use the same secret you used to generate the barcode in order to validate the user’s input.

$g = new \Google\Authenticator\GoogleAuthenticator();
$salt = '7WAO342QFANY6IKBF7L7SWEUU79WL3VMT920VB5NQMW';
$secret = $username.$salt;   // must be the same secret used for the QR code
$check_this_code = $_POST['code'] ?? '';   // avoid an undefined index when no code was posted
// checkCode() accepts the code for the current 30-second window (with a small drift allowance).
if ($g->checkCode($secret, $check_this_code)) {
    echo 'Success!';
} else {
    echo 'Invalid login';
}
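The two snippets above hide what the phone and checkCode() actually compute. The following is an added example, not code from this post or from sonata-project/google-authenticator: a plain-PHP TOTP (RFC 6238 over HOTP, RFC 4226) with base32 handling, enrolment with a random per-user secret, and a verification routine that adds the one thing the library call above does not do for you, refusing a code whose time step has already been accepted so a code captured in transit cannot be replayed within its 30-second window. All function names are our own, 'example.com' and 'alice' are placeholders, and the self-check uses the published RFC 6238 SHA-1 test vectors.

```php
<?php
// Added example (not the post's or the sonata library's code): minimal TOTP in plain PHP.
// Helper names (base32Encode, base32Decode, hotp, totp, verifyTotp, newSecret, otpauthUrl) are ours.

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Google Authenticator expects the shared secret in RFC 4648 base32.
function base32Encode(string $raw): string
{
    $bits = '';
    foreach (str_split($raw) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32Decode(string $b32): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $char) {
        $v = strpos(BASE32_ALPHABET, $char);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $char");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop the trailing partial byte
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
function hotp(string $key, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(string $secretB32, int $unixTime, int $period = 30): string
{
    return hotp(base32Decode($secretB32), intdiv($unixTime, $period));
}

// Verify a submitted code: accept +/- $window steps for clock drift, compare in
// constant time, and refuse any step at or before the last accepted one (replay).
// Returns the accepted step, which the caller persists per user, or null.
function verifyTotp(string $secretB32, string $code, int $unixTime, int $lastUsedStep, int $window = 1): ?int
{
    $key = base32Decode($secretB32);
    $step = intdiv($unixTime, 30);
    for ($d = -$window; $d <= $window; $d++) {
        $candidate = $step + $d;
        if ($candidate <= $lastUsedStep) {
            continue;
        }
        if (hash_equals(hotp($key, $candidate), $code)) {
            return $candidate;
        }
    }
    return null;
}

// Enrolment: a fresh random secret per user (stored server-side, never derived
// from the username) and the otpauth:// URL that the QR code encodes.
function newSecret(): string
{
    return base32Encode(random_bytes(20));
}

function otpauthUrl(string $issuer, string $account, string $secretB32): string
{
    return 'otpauth://totp/' . rawurlencode($issuer . ':' . $account)
        . '?secret=' . $secretB32 . '&issuer=' . rawurlencode($issuer);
}

// Self-check against the RFC 6238 SHA-1 test vectors (key "12345678901234567890";
// the RFC lists 8-digit codes, of which the 6-digit code is the last six digits).
$secret = base32Encode('12345678901234567890');
$checks = [
    $secret === 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
    totp($secret, 59) === '287082',
    totp($secret, 1111111109) === '081804',
    verifyTotp($secret, '287082', 59, 0) === 1,
    verifyTotp($secret, '287082', 70, 1) === null,   // same step presented again: refused
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('TOTP self-check failed');
}
echo otpauthUrl('example.com', 'alice', newSecret()), "\n";
```

The step returned by verifyTotp() is the value to store next to the user's secret; passing it back on the next login is what turns a 30-second code into a genuinely one-time code. The secret itself should be treated like a password hash: generated once with newSecret(), stored server-side, and shown to the user only through the enrolment QR code.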

While Google Authenticator might not be the most desirable 2FA method for your customers, there’s no reason you can’t implement it for staff or administrators when it’s this easy.

Do like and share the post, and write your comments below if you liked it.

Website Security – PHP: Implementing Security To Your Website

Security is one of the major concerns today, and when it comes to coding it is worth rethinking what the best possible ways are to implement security on a website.

We have jotted down some basic concepts of web security (in PHP) which can be used to keep your code from being misused and which can protect you from some basic attacks.

Use of Nonce

A nonce is used to check whether the user is sending a request from a valid location. Location here means a webpage that has been served by the genuine server.

How it works

As the name suggests, a nonce is a value generated for one occasion and used only once.

When a user sends the initial request to a website, the server generates a unique session for the user, which is used to identify the user on every request.

But it is hard to verify whether the webpage submitting the request belongs to the same website. E.g. if I have a form on my website with the following code:

<form method="post" action="login.php">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit"/>
</form>

It simply means that the data under the keys “username” and “password” will be sent to the page named “login.php”.

The same form can be reproduced with an automation tool on any other machine and used to send requests to the website, which can lead to a security breach.

To verify that the form was submitted from a page served by the website itself, a nonce is used.

<?php
session_start();
// Generate the nonce and keep a copy in the user's session for later comparison.
// (rand() is not a cryptographic source and this range gives fewer than 100,000
// possible values; random_bytes() is the stronger choice.)
$_SESSION['nonce'] = md5(rand(1111,99999));
$nonce = $_SESSION['nonce'];
?>
<form method="post" action="login.php">
<input type="text" name="nonce" value="<?php echo $nonce; ?>" readonly/>
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit"/>
</form>

In the above code, we have generated a random number, hashed it with md5(), and stored the result in the nonce variable.

The same value is stored in the session too. Once someone opens the website, the nonce is generated and stored in that user's unique session. When the user submits the form, the nonce is sent back to the server, which checks whether it matches the original. If it matches, the request is coming from a valid source; if not, it is not from a valid location.

<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['nonce'])) {
    // Compare with hash_equals() rather than ==: loose comparison treats two
    // numeric-looking strings (e.g. md5 hashes that both start with "0e") as equal.
    // Also require a string, since a submitted nonce[]=... arrives as an array.
    if (isset($_SESSION['nonce']) && is_string($_POST['nonce'])
        && hash_equals($_SESSION['nonce'], $_POST['nonce'])) {
        echo "Submitted from a valid source";
    } else {
        echo "Submitted from an invalid source";
    }
}
// Issue a fresh nonce for the next submission.
$_SESSION['nonce'] = md5(rand(1111,99999));
$nonce = $_SESSION['nonce'];
?>
<form method="post" action="login.php">
<input type="text" name="nonce" value="<?php echo $nonce; ?>" readonly/>
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit"/>
</form>
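The pattern above works, but md5(rand(1111,99999)) gives an attacker fewer than 100,000 values to try, == is the wrong comparison for hashes, and nothing stops a captured nonce from being submitted twice. The following is an added example, not the post's code, that keeps the same idea and closes those three gaps: a CSPRNG token, a constant-time comparison, and single use. The functions take the session and POST arrays as parameters (instead of touching $_SESSION and $_POST directly) so the whole flow can be exercised here with constructed arrays; the names issueNonce, nonceField and validateNonce are our own.

```php
<?php
// Added example (not the post's code): a hardened version of the nonce check.
// Session and POST data are passed in as arrays so this runs from the CLI.

// Issue a fresh token (128 bits from the CSPRNG) and remember it in the session.
function issueNonce(array &$session): string
{
    $session['nonce'] = bin2hex(random_bytes(16));
    return $session['nonce'];
}

// Render it as a hidden field rather than a visible readonly input.
function nonceField(string $nonce): string
{
    return '<input type="hidden" name="nonce" value="'
        . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Validate the submitted token. Every failure path is a rejection, and the token
// is discarded the moment it has been checked, so it cannot be replayed.
function validateNonce(array &$session, array $post): bool
{
    $expected  = $session['nonce'] ?? null;
    $submitted = $post['nonce'] ?? null;
    unset($session['nonce']);                        // single use, success or not
    if (!is_string($expected) || !is_string($submitted)) {
        return false;                                // missing, or nonce[]=... sent as an array
    }
    // hash_equals() compares in constant time; == would compare numeric-looking
    // strings as numbers, and an md5 hex digest can be such a string.
    return hash_equals($expected, $submitted);
}

// Walk through the flow with a constructed session and constructed POST bodies.
$session = [];
$nonce   = issueNonce($session);
$results = [];
$results['genuine form']   = validateNonce($session, ['username' => 'alice', 'password' => 'x', 'nonce' => $nonce]);
$results['replayed token'] = validateNonce($session, ['nonce' => $nonce]);       // already consumed
issueNonce($session);
$results['forged token']   = validateNonce($session, ['nonce' => str_repeat('a', 32)]);
issueNonce($session);
$results['array not string'] = validateNonce($session, ['nonce' => ['x']]);
$results['loose == pitfall'] = ('0e1' == '0e2');   // why == must not be used on hashes

$expected = [
    'genuine form' => true, 'replayed token' => false, 'forged token' => false,
    'array not string' => false, 'loose == pitfall' => true,
];
if ($results !== $expected) {
    throw new RuntimeException('nonce self-check failed');
}
echo nonceField(issueNonce($session)), "\n";
```

In a real login.php the two calls map directly onto the post's structure: validateNonce($_SESSION, $_POST) where the original compares $_SESSION['nonce'] to $_POST['nonce'], and issueNonce($_SESSION) where the original assigns md5(rand(...)). Because the token is consumed on every check, a page with several forms needs one token per form (or a token that is only consumed on success), otherwise a failed submission in one form invalidates the others.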

Securing files from being required/included by a file outside the website.

It is general practice to write generic code once and require or include it in the files where it is needed.

This is a great way to implement the concept of Don’t Repeat Yourself (DRY), but a security hole can appear here too.

Look at the following code:

connection.php

<?php
 $connection = mysqli_connect('hostname', 'user','password','database');
?>

save.php

<?php
 require('connection.php');
 //some mysql transaction code goes here
?>

In the above two files, connection.php and save.php, you can see that the file name just needs to be passed to the require() function and the file will be included.

The file connection.php can be required from any other source and used to expose all the connection information from another machine.
For example, anyone can use the full URL of the file to require it in their own code, as below:

hackerFile.php

<?php
 require('https://abc.com/connection.php');
 print_r($connection);
?>

The above code will show all the connection information.

To secure it, we can define a constant that acts as a token to check whether the file is being required from a valid location. For example:

connection.php

<?php
if (!defined('uniquenamevariable')) {
    die('Nothing Found');
}
$connection = mysqli_connect('hostname', 'user','password','database');
?>

save.php

<?php
define('uniquenamevariable', true);
require('connection.php');
//some mysql transaction code goes here
?>

So if anyone requires it using an absolute path, they will not know the unique constant name defined in the PHP code, which will stop them from digging into the code.
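To see the guard behave both ways without a web server, here is an added example, not the post's code: it writes a throwaway connection.php and save.php to a temporary directory and runs each through the PHP CLI, so the reader can watch the guarded file refuse to do anything when it is run on its own and work normally when the application's entry script defines the constant first. APP_ENTRY, the temporary file names and the placeholder credentials are our own choices.

```php
<?php
// Added example (not the post's code): exercising the define()-based include guard.
// The constant name APP_ENTRY and the temp-file layout are assumptions of this example.

$dir = sys_get_temp_dir() . '/include-guard-' . bin2hex(random_bytes(4));
mkdir($dir);

// connection.php: refuses to run unless the entry script defined the constant.
$connectionPhp = <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {
    http_response_code(404);      // respond like any other missing page
    exit('Nothing Found');
}
// placeholder values; a real file would call mysqli_connect() here
$config = ['host' => 'db-host-placeholder', 'user' => 'db-user-placeholder'];
echo "connection established for {$config['user']}\n";
PHP;
file_put_contents($dir . '/connection.php', $connectionPhp);

// save.php: the legitimate entry point defines the constant before requiring.
$savePhp = <<<'PHP'
<?php
define('APP_ENTRY', true);
require __DIR__ . '/connection.php';
PHP;
file_put_contents($dir . '/save.php', $savePhp);

// Run a script in a fresh interpreter and return what it printed.
function runScript(string $path): string
{
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path));
}

$direct = runScript($dir . '/connection.php');   // the file executed on its own
$viaApp = runScript($dir . '/save.php');         // the file included by the application

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);

if (trim($direct) !== 'Nothing Found' || strpos($viaApp, 'connection established') === false) {
    throw new RuntimeException('include-guard self-check failed');
}
echo "run directly:  {$direct}\n";
echo "via save.php:  {$viaApp}";
```

The guard is a second line of defence. The stronger first line is to keep files like connection.php outside the document root altogether (for example `require __DIR__ . '/../config/connection.php'`), so that no URL maps to them and the question of who can request them never arises.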

There are many other security measures; stay tuned to our blog to learn more...