.menu
.search
CHECKING STATUS
I AM LISTENING TO
|
HOME / BLOG

Social Login Evolution: PHP Authentication Libraries That Outshine HybridAuth

21. May 2025
/ /
.SHARE

Table of Contents

Looking for a modern replacement for HybridAuth in your PHP projects? Whether you’ve outgrown it or found it too cumbersome, several excellent alternatives have emerged in recent years. Here’s a breakdown of your best options for handling social authentication in PHP applications.

League OAuth2 Client: The Community Favorite

The League’s OAuth 2.0 Client has become one of the most widely adopted solutions in the PHP ecosystem. It strikes an excellent balance between functionality and simplicity, handling the complex OAuth 2.0 flow without overwhelming your codebase.

What makes it stand out is its modular approach – the core package provides the foundation, while separate provider packages handle the specifics of each service. This means you only include what you need, keeping your dependencies lean.

Shell
1
2
3
 
composer require league/oauth2-client
 

Quick Example:

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
// Using the Google provider as an example
$provider = new \League\OAuth2\Client\Provider\Google([
    'clientId'     => 'your-client-id',
    'clientSecret' => 'your-client-secret',
    'redirectUri'  => 'https://example.com/callback',
    'scopes'       => ['email', 'profile'],
]);
 
// If we don't have an authorization code, get one
if (!isset($_GET['code'])) {
    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl);
    exit;
 
// Check state to prevent CSRF attacks
} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
    unset($_SESSION['oauth2state']);
    exit('Invalid state');
 
} else {
    // Get an access token using the authorization code
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code']
    ]);
    
    // Get the user's details
    $user = $provider->getResourceOwner($token);
    
    echo 'Hello, ' . $user->getFirstName() . '!';
}
 

The library is fully compliant with modern PHP standards (PSR-1, PSR-2, PSR-4, and PSR-7), and includes a GenericProvider class that works with any standard OAuth 2.0 provider right out of the box.

SocialConnect/auth: The Comprehensive Solution

If you need support for multiple authentication protocols beyond just OAuth2, SocialConnect/auth might be your best bet. This library handles OAuth1, OAuth2, OpenID, and OpenIDConnect standards with a unified API.

Shell
1
2
3
 
composer require socialconnect/auth
 

Quick Example:

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
// Create a HTTP client
$httpClient = new \SocialConnect\HttpClient\Curl();
 
// Create HTTP stack
$httpStack = new \SocialConnect\Provider\HttpStack(
    $httpClient,
    new \SocialConnect\HttpClient\RequestFactory(),
    new \SocialConnect\HttpClient\StreamFactory()
);
 
// Configure providers
$configureProviders = [
    'redirectUri' => 'https://example.com/callback.php',
    'provider' => [
        'facebook' => [
            'client_id' => 'your-app-id',
            'client_secret' => 'your-app-secret'
        ],
        'google' => [
            'client_id' => 'your-client-id',
            'client_secret' => 'your-client-secret'
        ]
    ]
];
 
// Create service
$service = new \SocialConnect\Auth\Service(
    $httpStack,
    new \SocialConnect\Provider\Session\Session(),
    $configureProviders
);
 
// Get provider instance
$provider = $service->getProvider('facebook');
 
// Get authorization URL
$redirectUrl = $provider->makeAuthUrl();
 
// Redirect to authorization URL
header('Location: ' . $redirectUrl);
 

And in your callback script:

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
 
// Get provider instance again
$provider = $service->getProvider('facebook');
 
// Get access token
$accessToken = $provider->getAccessTokenByRequestParameters($_GET);
 
// Get user profile
$user = $provider->getIdentity($accessToken);
 
// Print user information
echo 'ID: ' . $user->id . PHP_EOL;
echo 'Name: ' . $user->name . PHP_EOL;
echo 'Email: ' . $user->email . PHP_EOL;
 

SocialConnect boasts support for over 30 providers including all the major players like Facebook, Google, Twitter, and GitHub. Its modular architecture follows the PSR-7, PSR-17, and PSR-18 standards, making it a great fit for modern PHP applications.

Firebase PHP-JWT: For JWT Specialists

Sometimes you don’t need a full social authentication suite – you just need to handle JWT (JSON Web Tokens). Firebase PHP-JWT is a specialized library that does exactly that, making it perfect for custom authentication systems or when working with JWTs from various providers.

Shell
1
2
3
 
composer require firebase/php-jwt
 

Quick Example:

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
 
// Your secret key (keep this private!)
$key = 'your-secret-key';
 
// Create token payload
$payload = [
    'iss' => 'https://your-domain.com',     // Issuer
    'aud' => 'https://your-app.com',        // Audience
    'iat' => time(),                        // Issued at time
    'exp' => time() + (60 * 60),           // Expires in 1 hour
    'user_id' => 123,                       // Custom user data
    'email' => 'user@example.com'
];
 
// Generate JWT
$jwt = JWT::encode($payload, $key, 'HS256');
 
echo "Generated token: " . $jwt . PHP_EOL;
 
// Later, when you need to verify and decode the token:
try {
    $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
    
    // Access the claims
    echo "User ID: " . $decoded->user_id . PHP_EOL;
    echo "Email: " . $decoded->email . PHP_EOL;
} catch (Exception $e) {
    echo "Token verification failed: " . $e->getMessage();
}
 

It’s a lightweight package with minimal dependencies that complies with RFC 7519 (the JWT specification). If you’re building a custom authentication flow or need to integrate with a JWT-based system, this library provides just what you need without the overhead of a complete OAuth implementation.

OAuth2 Server PHP: When You Need to Be the Provider

For projects where you need to implement your own OAuth2 server rather than just connecting to external providers, Brent Shaffer’s OAuth2 Server PHP library is the go-to solution.

Shell
1
2
3
 
composer require bshaffer/oauth2-server-php
 

Quick Example:

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
// Database configuration
$dsn      = 'mysql:dbname=oauth2_server;host=localhost';
$username = 'root';
$password = '';
 
// Initialize OAuth storage and server
$storage = new OAuth2\Storage\Pdo(['dsn' => $dsn, 'username' => $username, 'password' => $password]);
$server = new OAuth2\Server($storage);
 
// Add the "Client Credentials" grant type
$server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
 
// Add the "Authorization Code" grant type
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
 
// Handle a token request
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_SERVER['REQUEST_URI'] == '/token') {
    $server->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
    exit;
}
 
// Handle an authorization request
if ($_SERVER['REQUEST_URI'] == '/authorize') {
    $request = OAuth2\Request::createFromGlobals();
    $response = new OAuth2\Response();
 
    // Validate the authorize request
    if (!$server->validateAuthorizeRequest($request, $response)) {
        $response->send();
        exit;
    }
    
    // Display an authorization form
    if (!isset($_POST['authorized'])) {
        exit('
            <form method="post">
                Do you authorize the app to access your data?
                <input type="submit" name="authorized" value="yes">
                <input type="submit" name="authorized" value="no">
            </form>
        ');
    }
 
    // Process the authorization form
    $is_authorized = ($_POST['authorized'] === 'yes');
    $server->handleAuthorizeRequest($request, $response, $is_authorized);
    $response->send();
}
 

This library provides a complete OAuth2 server implementation that supports multiple grant types. It’s well-documented with practical examples and can be integrated with various PHP frameworks.

Why Move Away From HybridAuth?

HybridAuth served the PHP community well for many years since its inception in 2009. However, as PHP has evolved, developers have increasingly found HybridAuth challenging to work with for several reasons:

  • Its architecture doesn’t always align with modern PHP practices
  • Some find its API overly complex for simple use cases
  • The codebase has accumulated technical debt over the years
  • Integration with newer frameworks can be challenging

The alternatives discussed here generally offer more modern codebases with better PHP version support, clearer documentation, and more active development communities.

Making Your Choice

When selecting a replacement for HybridAuth, consider your specific requirements:

  • If you need a well-supported, general-purpose OAuth2 client, League OAuth2 Client is hard to beat
  • For multi-protocol support beyond just OAuth2, SocialConnect/auth offers the most comprehensive solution
  • When working specifically with JWTs, Firebase PHP-JWT provides a focused tool
  • If you need to implement your own OAuth2 server, OAuth2 Server PHP is purpose-built for the task

Each of these libraries represents the evolving approach to authentication in the PHP ecosystem, emphasizing modularity, standards compliance, and focused functionality.

FAQ

What are PHP Authentication Libraries?

PHP Authentication Libraries are code packages that help developers implement secure user authentication in their applications. These libraries provide ready-made functions for user registration, login processes, password management, and access control. Modern libraries typically include support for secure hashing algorithms, multi-factor authentication, and often work with various frameworks or can be framework-agnostic.

What features should a modern PHP authentication library include?

A modern PHP authentication library should include: secure password hashing with algorithms like bcrypt or Argon2, two-factor authentication support, CSRF protection, role-based access control, session management, account lockout mechanisms, password reset functionality, and compatibility with PHP 7.4+ and PHP 8. Additionally, support for OAuth2, JWT (JSON Web Tokens), and OpenID Connect are increasingly important for contemporary applications.

What is the difference between OAuth and JWT?

OAuth and JWT serve different purposes in authentication systems. OAuth is a protocol for authorization that allows third-party applications to access resources without exposing user credentials. JWT (JSON Web Token) is a token format for securely transmitting information between parties as a JSON object. OAuth can use JWT as its token format, but doesn’t have to. JWT is stateless and self-contained, while OAuth can be stateful or stateless depending on implementation.

What are some popular framework-agnostic PHP authentication libraries?

Popular framework-agnostic PHP authentication libraries include: These libraries can be integrated into any PHP project regardless of the underlying framework.

How do I implement two-factor authentication (2FA) in PHP?

To implement two-factor authentication in PHP:
  1. Choose a 2FA library like RobThree/TwoFactorAuth or Sonata/GoogleAuthenticator
  2. Generate a secret key for each user
  3. Create a QR code containing the secret for users to scan with authenticator apps
  4. Store the secret securely in your database
  5. During login, after password verification, prompt for the time-based code
  6. Verify the entered code against the user’s stored secret
  7. Provide backup codes for recovery in case users lose access to their devices
Most libraries support common 2FA methods including TOTP (Time-based One-Time Password) which is compatible with apps like Google Authenticator and Authy.

Should I build my own authentication system or use an existing library?

For most projects, using an existing authentication library is strongly recommended over building your own. Authentication is security-critical, and established libraries have undergone peer review and testing. Building your own system risks introducing security vulnerabilities that could compromise user data. Existing libraries also save development time and typically implement best practices like proper password hashing, protection against common attacks, and regularly updated security measures. The OWASP Top 10 frequently includes authentication-related vulnerabilities.

What is the role of password hashing in PHP authentication?

Password hashing transforms user passwords into unreadable strings before storage, protecting them even if the database is breached. Modern PHP authentication libraries use secure algorithms like bcrypt or Argon2 with salting to prevent rainbow table attacks. PHP’s native password_hash() and password_verify() functions provide secure implementation. Proper hashing is essential for authentication security, and modern libraries automatically handle this with appropriate work factors that can increase over time as computing power grows.

How do JWT tokens work in PHP authentication?

JWT (JSON Web Tokens) work by encoding user claims and signing them cryptographically. In PHP, when a user logs in, the server:
  1. Creates a payload containing user information and permissions
  2. Adds standard claims like expiration time and issuer
  3. Signs the token with a secret key (using HMAC) or private key (using RSA/ECDSA)
  4. Returns the encoded token to the client
For subsequent requests, the client sends the token, which the server validates by checking the signature and expiration. Libraries like firebase/php-jwt make implementation straightforward. JWTs enable stateless authentication, eliminating the need for server-side session storage. You can learn more and test JWT tokens at jwt.io.

How can I implement social login with PHP?

To implement social login (authentication via platforms like Google, Facebook, or GitHub) in PHP:
  1. Choose an OAuth client library like league/oauth2-client or HybridAuth
  2. Register your application with each provider to obtain client IDs and secrets
  3. Configure the library with these credentials
  4. Create login buttons that redirect to the authentication URL
  5. Handle the callback from the provider
  6. Retrieve user information from the provider’s API
  7. Create or update a local user record linked to the social identity
These libraries handle the OAuth flow complexities, making social login implementation much simpler.

What security considerations should I keep in mind when using authentication libraries?

When using PHP authentication libraries, remember these security considerations:
  • Always use HTTPS to prevent credential interception
  • Keep libraries updated to address security vulnerabilities
  • Implement proper session management with secure cookies
  • Add rate limiting to prevent brute force attacks
  • For JWT implementations, set appropriate short expiration times
  • Never store sensitive data in JWT tokens
  • Implement CSRF protection for authentication forms
  • Consider adding multi-factor authentication
  • Validate and sanitize all input, even from authenticated users
  • Follow the principle of least privilege for authorization

How do I implement role-based access control (RBAC) with PHP authentication?

To implement role-based access control (RBAC) with PHP authentication:
  1. Define roles and permissions in your database structure
  2. Associate users with roles (many-to-many relationship)
  3. Create middleware or helper functions to check permissions
  4. Secure routes and controller actions with permission checks
  5. Implement UI elements that adapt to user permissions
Many PHP authentication libraries like Delight-im/PHP-Auth include RBAC functionality or can be extended to support it. For complex authorization requirements, consider dedicated RBAC libraries or frameworks with built-in authorization systems like Symfony’s Security component.

How do I handle token revocation in JWT-based authentication?

Handling token revocation in JWT-based authentication requires strategies to overcome JWT’s stateless nature:
  • Short expiration times: Limit the window of token validity
  • Token blacklisting: Store revoked tokens in a database or cache
  • Token versioning: Include a version number in tokens that can be invalidated
  • Refresh token rotation: Issue new refresh tokens with each use
  • Redis/Memcached for efficient blacklist storage
The best approach depends on your security requirements and infrastructure. For high-security applications, combining short-lived tokens with a blacklist mechanism provides good security while maintaining performance.

What PHP versions do modern authentication libraries support?

Modern PHP authentication libraries typically support PHP 7.2 and above, with most focusing on PHP 7.4, 8.0, 8.1, and 8.2 compatibility. As of 2025, libraries actively maintained will support PHP 8.3 and 8.4. Legacy libraries might still work with PHP 5.6, but these aren’t recommended for new projects due to security concerns. Always check the library’s documentation for specific PHP version requirements and consider future PHP version compatibility when selecting an authentication library. See the PHP supported versions page for current information.

How can I test the security of my PHP authentication implementation?

To test the security of your PHP authentication implementation:
  • Run automated security scanning tools like OWASP ZAP or Burp Suite
  • Perform penetration testing against your authentication endpoints
  • Test for common vulnerabilities (SQL injection, XSS, CSRF)
  • Verify password policies and hashing implementation
  • Check session management for security issues
  • Test rate limiting and account lockout mechanisms
  • Conduct code reviews focused on security aspects
  • Consider professional security audits for critical applications
Regular security testing should be part of your development process, especially after significant changes to authentication components. The OWASP Top 10 list is a good starting point for understanding common web application security risks.

Can I use multiple authentication libraries together?

Yes, you can use multiple PHP authentication libraries together, but careful planning and integration are essential. For example, you might use a primary authentication library for basic user management while adding a specialized 2FA library and a social login component. When integrating multiple libraries, maintain a consistent application flow, resolve dependency conflicts, avoid duplicated functionality, and ensure security policies are enforced uniformly across all authentication paths.

How do I implement secure session management in PHP?

For secure session management in PHP:
  • Use HTTPS for all authenticated pages
  • Set secure and HttpOnly flags on session cookies
  • Configure proper session.cookie_samesite settings (Lax or Strict)
  • Regenerate session IDs after login and privilege changes
  • Set reasonable session timeouts
  • Store sessions securely (Redis or database instead of files)
  • Implement CSRF protection for all forms
  • Consider IP binding for sensitive applications
  • Add user agent validation for extra security
Modern PHP authentication libraries typically handle these considerations for you, reducing the risk of implementation errors.

How do I implement OAuth 2.0 in my PHP application?

To implement OAuth 2.0 in a PHP application, you can:
  1. Choose a library like league/oauth2-server (for servers) or league/oauth2-client (for clients)
  2. Configure OAuth entities (clients, scopes, grants)
  3. Implement authorization and token endpoints
  4. Set up resource server validation
  5. Secure all OAuth endpoints with HTTPS
  6. Implement proper token storage and validation
  7. Add refresh token capabilities
The implementation details vary depending on whether you’re building an OAuth server (to authenticate others) or client (to authenticate with external providers). For common provider integrations, dedicated packages like league/oauth2-google can simplify the process.

How do I choose between stateful and stateless authentication?

When choosing between stateful (session-based) and stateless (token-based) authentication:
  • Choose stateful when: security is paramount, you need immediate revocation capabilities, your application is monolithic, or you have heavy server-side rendering.
  • Choose stateless when: you’re building microservices, need horizontal scaling without shared storage, developing mobile APIs, or implementing single-page applications.
Many modern applications use a hybrid approach: stateless JWTs for API authentication with short expiration times combined with longer-lived refresh tokens managed stateully. This balances security and scalability concerns.

What code sample can I use to implement basic PHP authentication?

Here’s a basic example using the Delight-im/PHP-Auth library:
PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
// Initialize database connection
$db = new \PDO('mysql:dbname=auth;host=localhost;charset=utf8mb4', 'username', 'password');
 
// Initialize auth component
$auth = new \Delight\Auth\Auth($db);
 
// Register a new user
try {
    $userId = $auth->register('user@example.com', 'strong_password', 'John Doe');
    echo 'User registered with ID: ' . $userId;
}
catch (\Delight\Auth\InvalidEmailException $e) {
    echo 'Invalid email address';
}
catch (\Delight\Auth\InvalidPasswordException $e) {
    echo 'Invalid password';
}
catch (\Delight\Auth\UserAlreadyExistsException $e) {
    echo 'User already exists';
}
 
// Log in a user
try {
    $auth->login('user@example.com', 'strong_password');
    echo 'User is logged in';
}
catch (\Delight\Auth\InvalidEmailException $e) {
    echo 'Invalid email address';
}
catch (\Delight\Auth\InvalidPasswordException $e) {
    echo 'Invalid password';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
    echo 'Email not verified';
}
catch (\Delight\Auth\TooManyRequestsException $e) {
    echo 'Too many requests';
}
 
// Check if user is logged in
if ($auth->isLoggedIn()) {
    echo 'User is logged in with ID: ' . $auth->getUserId();
}
else {
    echo 'User is not logged in';
}
 
// Log out
$auth->logOut();
 
This example demonstrates basic user registration, login, and session management using a modern PHP authentication library.

How can I implement JWT authentication in PHP?

Here’s a basic example of JWT authentication using the Firebase/php-jwt library:
PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
 
<?php
// Include the JWT library
require_once 'vendor/autoload.php';
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
 
// Your secret key (keep this secure and not in your code in production)
$key = 'your-secret-key';
 
// Creating a token after successful authentication
function generateToken($userId, $email) {
    global $key;
    
    $payload = [
        'iss' => 'your-app-name',       // Issuer
        'aud' => 'your-app-clients',    // Audience
        'iat' => time(),                // Issued at time
        'nbf' => time(),                // Not before time
        'exp' => time() + 3600,         // Expiration (1 hour)
        'data' => [                     // Custom data
            'userId' => $userId,
            'email' => $email
        ]
    ];
    
    // Generate JWT
    return JWT::encode($payload, $key, 'HS256');
}
 
// Verify and decode a token
function validateToken($jwt) {
    global $key;
    
    try {
        // Decode JWT
        $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
        return $decoded;
    } catch (Exception $e) {
        // Token is invalid
        return false;
    }
}
 
// Example usage for login endpoint
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email'], $_POST['password'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];
    
    // Verify credentials (replace with your authentication logic)
    if (verifyCredentials($email, $password)) {
        $userId = getUserId($email); // Get user ID
        
        // Generate token
        $token = generateToken($userId, $email);
        
        // Return token to client
        header('Content-Type: application/json');
        echo json_encode(['token' => $token]);
    } else {
        http_response_code(401);
        echo json_encode(['error' => 'Invalid credentials']);
    }
}
 
// Example usage for protected endpoint
if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_SERVER['HTTP_AUTHORIZATION'])) {
    // Get token from Authorization header
    $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
    $token = str_replace('Bearer ', '', $authHeader);
    
    // Validate token
    $decoded = validateToken($token);
    
    if ($decoded) {
        // Token is valid, return protected data
        $userId = $decoded->data->userId;
        
        // Fetch user data
        $userData = getUserData($userId);
        
        header('Content-Type: application/json');
        echo json_encode($userData);
    } else {
        // Invalid token
        http_response_code(401);
        echo json_encode(['error' => 'Invalid or expired token']);
    }
}
?>
 
This code demonstrates basic JWT token generation and validation for API authentication in PHP.

How do I implement 2FA with TOTP in PHP?

Here’s a basic example of implementing TOTP-based two-factor authentication using the RobThree/TwoFactorAuth library:
PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
<?php
// Include the library
require_once 'vendor/autoload.php';
 
use RobThree\Auth\TwoFactorAuth;
 
// Create a new instance of the TwoFactorAuth class
$tfa = new TwoFactorAuth('MyApp');
 
// Generate a new secret key for a user
function generateSecretKey() {
    global $tfa;
    return $tfa->createSecret(); // Default 160 bits
}
 
// Get the QR code URL to display to the user
function getQRCodeUrl($username, $secret) {
    global $tfa;
    return $tfa->getQRCodeImageAsDataUri($username, $secret);
}
 
// Verify the TOTP code provided by the user
function verifyCode($secret, $code) {
    global $tfa;
    return $tfa->verifyCode($secret, $code);
}
 
// Example: Setting up 2FA for a user
if ($_GET['action'] === 'setup') {
    // Generate a new secret key
    $secret = generateSecretKey();
    
    // Store the secret in the database for the user
    // storeSecretForUser($userId, $secret);
    
    // Generate QR code URL
    $qrCodeUrl = getQRCodeUrl('user@example.com', $secret);
    
    // Display QR code to the user
    echo "<h1>Scan this QR code with your authenticator app:</h1>";
    echo "<img src='{$qrCodeUrl}'>";
    echo "<p>Or manually enter this code: {$secret}</p>";
}
 
// Example: Verifying a code during login
if ($_POST['action'] === 'verify') {
    $userId = $_POST['user_id'];
    $code = $_POST['code'];
    
    // Get the user's secret from the database
    $secret = getUserSecret($userId); // Replace with your function
    
    // Verify the code
    if (verifyCode($secret, $code)) {
        echo "Code is valid. Login successful!";
        // Continue with login process
    } else {
        echo "Invalid code. Please try again.";
    }
}
?>
 
This code demonstrates generating a secret key for a user, creating a QR code for them to scan with an authenticator app, and verifying the TOTP code during login.
Let’s Talk!

Looking for a reliable partner to bring your project to the next level? Whether it’s development, design, security, or ongoing support—I’d love to chat and see how I can help.

Get in touch,
and let’s create something amazing together!

RELATED POSTS

READ ABOUT IT

Digital Kiosk Software Market 2025

/ / / / /

An area that I am constantly monitoring for REALFUSION, to offer our customers the best solution for their requirements. The global digital kiosk software market is experiencing rapid growth, valued at $7.48 billion in 2023 and projected to reach $17.02 billion by 2030 with a 12.6% CAGR (Compound Annual Growth Rate). The broader interactive kiosk […]

READ ABOUT IT

Indoor Navigation: Diving Into My New RabbitHole / Maze – Part 2

/ / / / /

Part 1 Finding Your Way: Open Source Wayfinding Solutions 1. The Old Guard: UC Davis Wayfinding Let’s start with the granddaddy of them all – the UC Davis Wayfinding plugin. This jQuery-based solution has been around the block and back, with over 100 stars on GitHub and a track record of actually working in real-world […]

READ ABOUT IT

Indoor Navigation: Diving Into My New RabbitHole / Maze – Part 1

/ / / / /

I recently completed a comprehensive demo setup for our Digital Kiosk Solutions at REALFUSION. While reviewing each module we offer, I integrated quick samples and listed available options, including external solutions. Indoor navigation represents a significant market opportunity, with 6-10 viable solution providers currently available. However, most face a critical challenge: their pricing models and […]

Alexander

I am a full-stack developer. My expertise include:

  • Server, Network and Hosting Environments
  • Data Modeling / Import / Export
  • Business Logic
  • API Layer / Action layer / MVC
  • User Interfaces
  • User Experience
  • Understand what the customer and the business needs


I have a deep passion for programming, design, and server architecture—each of these fuels my creativity, and I wouldn’t feel complete without them.

With a broad range of interests, I’m always exploring new technologies and expanding my knowledge wherever needed. The tech world evolves rapidly, and I love staying ahead by embracing the latest innovations.

Beyond technology, I value peace and surround myself with like-minded individuals.

I firmly believe in the principle: Help others, and help will find its way back to you when you need it.

DISCOVER.

.PROJECTS - LEAD
.PROJECTS - I LOVE

.highlights

portalZINE® NMN
Alexander Gräf
Stettiner Str. Nord 20
D-49624 Löningen

© 2002-2025 portalZINE® NMN. All rights reserved.

.highlights

.PROJECTS - LEAD
.PROJECTS - I LOVE

PORTALZINE® NMN
Alexander Gräf
Stettiner Str. Nord 20
DE-49624 Löningen

PUSH THE BOUNDARIES OF YOUR PROJECT.