starred/google2fa
1
0
Fork 0
mirror of https://github.com/antonioribeiro/google2fa.git synced 2026-04-26 16:45:49 +03:00
Code Issues 19 Projects Releases 3 Packages Wiki Activity

[GH-ISSUE #129] verifyKey will always return false #295

New issue
Closed
opened 2026-03-01 17:48:59 +03:00 by kerem · 3 comments
kerem commented 2026-03-01 17:48:59 +03:00
Owner
Copy link

Originally created by @pixagraphic on GitHub (Oct 16, 2019).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/129

I'm using it exactly as instructed, but the generated codes will not be validated:
When I register a user, a secret key is created and stored to the database:



protected function create(array $data)
    {
        $google2fa = new Google2FA();
        $google2fa->setAlgorithm(Constants::SHA512);

        return User::create([
       .....
            'secret' => $google2fa->generateSecretKey('64')
        ]);
    }

The inlineUrl is returned to the user and the qr-code is displayed.

        $google2fa = new Google2FA();
        $google2fa->setAlgorithm(Constants::SHA512);

        $inlineUrl = $google2fa->getQRCodeInline(
            'Name',
            $user->mail,
            $user->secret
        );

On login I check the user provided code:

        $google2fa = new Google2FA();
        $google2fa->setAlgorithm(Constants::SHA512);

        $secret = request(['code']);
        $window = 10;

        $user = auth()->user();

        if($google2fa->verifyKey($user->secret, $secret['code'], $window)){
            ...... 
        }

But this will always return false...

Originally created by @pixagraphic on GitHub (Oct 16, 2019). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/129 I'm using it exactly as instructed, but the generated codes will not be validated: When I register a user, a secret key is created and stored to the database: ``` protected function create(array $data) { $google2fa = new Google2FA(); $google2fa->setAlgorithm(Constants::SHA512); return User::create([ ..... 'secret' => $google2fa->generateSecretKey('64') ]); } ``` The inlineUrl is returned to the user and the qr-code is displayed. ``` $google2fa = new Google2FA(); $google2fa->setAlgorithm(Constants::SHA512); $inlineUrl = $google2fa->getQRCodeInline( 'Name', $user->mail, $user->secret ); ``` On login I check the user provided code: ``` $google2fa = new Google2FA(); $google2fa->setAlgorithm(Constants::SHA512); $secret = request(['code']); $window = 10; $user = auth()->user(); if($google2fa->verifyKey($user->secret, $secret['code'], $window)){ ...... } ``` But this will always return false...
kerem closed this issue 2026-03-01 17:48:59 +03:00
kerem commented 2026-03-01 17:49:00 +03:00
Author
Owner
Copy link

@pixagraphic commented on GitHub (Oct 16, 2019):

Maybe this helps someone else: the problem was the "$google2fa->setAlgorithm(Constants::SHA512);" part. The algorithm should only be set during key generation (registration). When verifying the key the algorithm must not be set. When I removed the setAlgorithm from there everything works fine. Thanks for this library!

<!-- gh-comment-id:542649745 --> @pixagraphic commented on GitHub (Oct 16, 2019): Maybe this helps someone else: the problem was the "$google2fa->setAlgorithm(Constants::SHA512);" part. The algorithm should only be set during key generation (registration). When verifying the key the algorithm must not be set. When I removed the setAlgorithm from there everything works fine. Thanks for this library!
kerem commented 2026-03-01 17:49:00 +03:00
Author
Owner
Copy link

@bengearig commented on GitHub (Mar 11, 2021):

@pixagraphic You're actually using SHA1 and not SHA512. This didn't sit right with me when I had this issue so I investigated further.

The Microsoft Authenticator app ignores the algorithm setting in the otpauth:// url encoded in the QR code and instead uses SHA1 without any warning or indication of this fallback. The Google Authenticator app on the other hand will respect the SHA512 setting.

I am not sure which app you are using, but I wanted to point this out to you and anyone else that ends up here that your issue is likely related to the authenticator application you are using and not your code. Do not remove the code to set the algorithm as you will end up with SHA1 when you were expecting SHA512.

<!-- gh-comment-id:796453819 --> @bengearig commented on GitHub (Mar 11, 2021): @pixagraphic You're actually using SHA1 and not SHA512. This didn't sit right with me when I had this issue so I investigated further. The Microsoft Authenticator app ignores the algorithm setting in the otpauth:// url encoded in the QR code and instead uses SHA1 without any warning or indication of this fallback. The Google Authenticator app on the other hand will respect the SHA512 setting. I am not sure which app you are using, but I wanted to point this out to you and anyone else that ends up here that your issue is likely related to the authenticator application you are using and not your code. Do not remove the code to set the algorithm as you will end up with SHA1 when you were expecting SHA512.
kerem commented 2026-03-01 17:49:00 +03:00
Author
Owner
Copy link

@pixagraphic commented on GitHub (Mar 11, 2021):

Hey, thanks for pointing that out. I think you're right that it's an issue with the authenticator applications as it worked with some devices but didn't with others.

In the end I went with SHA1 for optimal compatibility as SHA1 is only being used as hash function for the HMAC computation and therefor may still be assumed secure especially for my purpose. [1]

[1] https://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

<!-- gh-comment-id:796607033 --> @pixagraphic commented on GitHub (Mar 11, 2021): Hey, thanks for pointing that out. I think you're right that it's an issue with the authenticator applications as it worked with some devices but didn't with others. In the end I went with SHA1 for optimal compatibility as SHA1 is only being used as hash function for the HMAC computation and therefor may still be assumed secure especially for my purpose. [1] [1] https://cseweb.ucsd.edu/~mihir/papers/hmac-new.html
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
9.x
fix-coverage
bump-to-version-9
10.x
reformat-code
add-linting
reorder-imports
8.x
install-php-84
test-on-php84
github-actions
master
7.x
pspstan
revert-124-123-google2fa_fix
v9.0.0
v8.0.3
v8.0.2
v8.0.1
8.0.0
v7.0.0
v6.1.3
v6.1.0
v6.0.1
v6.0.0
v4.0.2
v4.0.1
v5.0.0
v4.0.0
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.0.1
v1.0.0
v0.8.1
v0.8.0
v0.7.1
v0.7.0
v0.6.0
v0.5.0
v0.1.0
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/google2fa#295
No description provided.