17 Apr, 2026

How to Implement Two-Factor Authentication (2FA) in PHP

07 May, 2025 11 mins read

0 comments 0 likes

Learn how to implement Two-Factor Authentication (2FA) in PHP using Google Authenticator. Step-by-step guide with code examples to enhance your web app’s security.

As online security threats continue to evolve, implementing Two-Factor Authentication (2FA) in your PHP applications has become essential. 2FA adds an extra layer of protection on top of the traditional username and password by requiring a second factor — usually a code sent to a user’s phone or generated by an app like Google Authenticator.

Table of contents [Show]

Prerequisites
Step 1: Install the Google Authenticator Library
Step 2: Generate and Store the Secret Key
Step 3: Show QR Code for User Setup
Step 4: Verify the User's 2FA Code
Tips
Conclusion

Prerequisites

Basic PHP knowledge
Composer installed
Access to a PHP development environment

Step 1: Install the Google Authenticator Library

We’ll use robthree/twofactorauth, a popular PHP package for 2FA.

composer require robthree/twofactorauth

Step 2: Generate and Store the Secret Key

Each user will need a unique secret key. Store this key securely in your database.


require 'vendor/autoload.php';

use RobThree\Auth\TwoFactorAuth;

$tfa = new TwoFactorAuth('MyApp');

// Generate a new secret for the user
$secret = $tfa->createSecret();

// Store $secret in the user's database record

Step 3: Show QR Code for User Setup

Let the user scan a QR code with Google Authenticator or a similar app:


$label = 'user@example.com';
$qrCodeUrl = $tfa->getQRCodeImageAsDataUri($label, $secret);

// Embed the image in your HTML
echo '<img src="' . $qrCodeUrl . '" />';

Step 4: Verify the User's 2FA Code

When a user logs in, prompt for their 2FA code and verify it:


$userCode = $_POST['2fa_code']; // from user input
$isValid = $tfa->verifyCode($secret, $userCode);

if ($isValid) {
    echo "2FA verified!";
} else {
    echo "Invalid 2FA code.";
}

Tips

Allow users to regenerate or reset their 2FA secret in case they lose access.
Use HTTPS to prevent man-in-the-middle attacks.
Implement rate limiting on 2FA code verification to deter brute-force attempts.

Conclusion

Implementing 2FA in PHP using robthree/twofactorauth is a straightforward way to significantly improve your application's security. With just a few steps, you can protect your users and their data from unauthorized access.

Download 2FA Authentication PHP

Secure your app — one factor at a time.

Learning

How to Build a Browser OCR Tool with Tesseract.js

05 Mar, 2026 66 mins read

Learn how to build a browser-based OCR app using Tesseract.js. Extract text from images directly in the browser with a simple client-side setup.

Learning

Build a PHP Image Background Remover Using Remove.bg API

02 Mar, 2026 21 mins read

Step-by-step guide to creating a PHP backend that removes image backgrounds using Remove.bg API. Ideal for developers building automated image tools

Learning

Build a Real-Time PHP Chat App with MySQL & JavaScript

20 Feb, 2026 87 mins read

Learn how to create a real-time PHP chat app using MySQL and JavaScript with user login, typing status, chat history deletion, and a modern, responsive UI.