How to generate backup codes for google authenticator in php

Question

I'm using two step verification in my website using Google Authenticator . I'm using this php library for Google Authenticator . Its working fine but now I want to generate backup codes for later use, but there is no function in that library to generate backup codes .

I want to know the algorithm of backup codes and how to implement it in php.

Answer 1

Duplicating the algorithms is not possible

This is currently not supported on purpose, to reduce the attack surface. At the moment, Google has no plans to add this feature.

Actually, it's not just a matter of duplicating the algorithms (it's pretty easy). You will also need to obtain the secret key from which the codes are generated by the algorithm. At the moment, Google Authenticator does not provide a way to obtain this secret key, nor is such a feature planned.

More information at Issue 235: Is there an api to get the current TOTP from another app

Solution 1: the PAM module

The PAM module can add a two-factor authentication step to any PAM-enabled application. There is a support for emergency scratch codes in this module. You will have to do some shell scripts and call them with you php code.

Solution 2: use another php API that does the work for you

If you are using Apache server, download the free LGPL PHP library implementing HOTP and TOTP , called multiOTP. This library includes a command line version that can be integrated in FreeRadius.

• Install FreeRadius on your server
• Integrate multiOTP in FreeRadius following the instructions provided with multiOTP
• Use the mod_auth_radius in Apache to have a radius authentication

MultiOTP is fully compatible with Google Authenticator which supports TOTP and HOTP. It supports emergency scratch passwords with 10 codes.