starred/google2fa
1
0
Fork 0
mirror of https://github.com/antonioribeiro/google2fa.git synced 2026-04-25 16:15:49 +03:00
Code Issues 19 Projects Releases 3 Packages Wiki Activity

[GH-ISSUE #170] Google Authenticator and Authy App generating invalid codes #312

New issue
Closed
opened 2026-03-01 17:49:06 +03:00 by kerem · 1 comment
kerem commented 2026-03-01 17:49:06 +03:00
Owner
Copy link

Originally created by @tuckerww on GitHub (Jun 30, 2021).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/170

It appears that neither the Google Authenticator nor the Authy app generate valid codes, whereas other TOTP apps such as iPhone's built-in 2FA/password manager and the FreeOTP+ app on Android work fine.

My suspicion is that Google and/or Authy updated something in their codebases so that they're no longer compatible with the way the google2fa library generates either the secret or the valid auth-codes.

I tested both by scanning QR codes and by manually entering the secrets.

I also ensured that NTP is running on the server and that the date/time match up. Just in case I even tried passing an extremely large $window (100) to $google2fa->verifyKey() but that doesn't seem to be the issue.

Example Code:

<?

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA;
$google2fa->setAlgorithm('sha512');
$google2fa->setEnforceGoogleAuthenticatorCompatibility(true);

$user = array(
    "username" => "tucker",
    "secret" => "2HJTI6WHCC362T5Y" // a previously generated secret
);

if (isset($_GET["generate"])) {
    // to generate a new secret and thus QR code below too
    $user["secret"] = $google2fa->generateSecretKey();
}

$realCode = $google2fa->getCurrentOtp($user["secret"]); // get current valid code to compare

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // verify the code
    $window = 4;
    $valid = $google2fa->verifyKey($user["secret"], $_POST["code"], $window);
    if (!$valid) {
        print "INVALID CODE";
    } else {
        print "VALID CODE";
    }
}

// now to generate and print the QR code
$g2faUrl = $google2fa->getQRCodeUrl(
    'Google2fa Test',
    $user["email"],
    $user["secret"]
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);

$qrcode_image = base64_encode($writer->writeString($g2faUrl));

print "
<div style='text-align:center'>
    <h2>2FA Test using google2fa</h2>
    <b>Secret:</b> " . $user["secret"] . "<br>
    <b>QR Code:</b><br>
    <img src='data:image/png;base64, " . $qrcode_image . " '/>
    <form method='post'>
        <label for='code'>2FA Code</label>
        <input name='code'>
        <button type='submit'>Submit</button>
        <br><b>Current Valid Code:</b> " . $realCode . "<br>
    </form>
</div>";

PHP Version

PHP 7.2.20
Originally created by @tuckerww on GitHub (Jun 30, 2021). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/170 It appears that neither the Google Authenticator nor the Authy app generate valid codes, whereas other TOTP apps such as iPhone's built-in 2FA/password manager and the FreeOTP+ app on Android work fine. My suspicion is that Google and/or Authy updated something in their codebases so that they're no longer compatible with the way the google2fa library generates either the secret or the valid auth-codes. I tested both by scanning QR codes and by manually entering the secrets. I also ensured that NTP is running on the server and that the date/time match up. Just in case I even tried passing an extremely large `$window` (100) to `$google2fa->verifyKey()` but that doesn't seem to be the issue. Example Code: ``` <? use PragmaRX\Google2FA\Google2FA; use BaconQrCode\Renderer\ImageRenderer; use BaconQrCode\Renderer\Image\ImagickImageBackEnd; use BaconQrCode\Renderer\RendererStyle\RendererStyle; use BaconQrCode\Writer; $google2fa = new Google2FA; $google2fa->setAlgorithm('sha512'); $google2fa->setEnforceGoogleAuthenticatorCompatibility(true); $user = array( "username" => "tucker", "secret" => "2HJTI6WHCC362T5Y" // a previously generated secret ); if (isset($_GET["generate"])) { // to generate a new secret and thus QR code below too $user["secret"] = $google2fa->generateSecretKey(); } $realCode = $google2fa->getCurrentOtp($user["secret"]); // get current valid code to compare if ($_SERVER["REQUEST_METHOD"] == "POST") { // verify the code $window = 4; $valid = $google2fa->verifyKey($user["secret"], $_POST["code"], $window); if (!$valid) { print "INVALID CODE"; } else { print "VALID CODE"; } } // now to generate and print the QR code $g2faUrl = $google2fa->getQRCodeUrl( 'Google2fa Test', $user["email"], $user["secret"] ); $writer = new Writer( new ImageRenderer( new RendererStyle(400), new ImagickImageBackEnd() ) ); $qrcode_image = base64_encode($writer->writeString($g2faUrl)); print " <div style='text-align:center'> <h2>2FA Test using google2fa</h2> <b>Secret:</b> " . $user["secret"] . "<br> <b>QR Code:</b><br> <img src='data:image/png;base64, " . $qrcode_image . " '/> <form method='post'> <label for='code'>2FA Code</label> <input name='code'> <button type='submit'>Submit</button> <br><b>Current Valid Code:</b> " . $realCode . "<br> </form> </div>"; ``` PHP Version ``` PHP 7.2.20 ```
kerem closed this issue 2026-03-01 17:49:07 +03:00
kerem commented 2026-03-01 17:49:07 +03:00
Author
Owner
Copy link

@tuckerww commented on GitHub (Jun 30, 2021):

Aha! I have discovered the issue.

If you set the encryption algorithm to SHA512 then it doesn't work with the Google Authenticator App, but if you leave it as default then it works.

So in my above example I simply removed this line:

$google2fa->setAlgorithm('sha512');

This is because

Currently, the algorithm parameter is ignored by the Google Authenticator implementations.

So it uses SHA1 in the app no matter what you specify.

https://github.com/google/google-authenticator/wiki/Key-Uri-Format#algorithm

Closing this.

<!-- gh-comment-id:871601564 --> @tuckerww commented on GitHub (Jun 30, 2021): Aha! I have discovered the issue. If you set the encryption algorithm to SHA512 then it doesn't work with the Google Authenticator App, but if you leave it as default then it works. So in my above example I simply removed this line: ``` $google2fa->setAlgorithm('sha512'); ``` This is because > Currently, the algorithm parameter is ignored by the Google Authenticator implementations. So it uses SHA1 in the app no matter what you specify. https://github.com/google/google-authenticator/wiki/Key-Uri-Format#algorithm Closing this.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
9.x
fix-coverage
bump-to-version-9
10.x
reformat-code
add-linting
reorder-imports
8.x
install-php-84
test-on-php84
github-actions
master
7.x
pspstan
revert-124-123-google2fa_fix
v9.0.0
v8.0.3
v8.0.2
v8.0.1
8.0.0
v7.0.0
v6.1.3
v6.1.0
v6.0.1
v6.0.0
v4.0.2
v4.0.1
v5.0.0
v4.0.0
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.0.1
v1.0.0
v0.8.1
v0.8.0
v0.7.1
v0.7.0
v0.6.0
v0.5.0
v0.1.0
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/google2fa#312
No description provided.