[GH-ISSUE #9] Recovery Codes Question #7

Closed
opened 2026-02-25 20:32:10 +03:00 by kerem · 4 comments

Originally created by @codivist on GitHub (May 21, 2015).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/9

Thanks for the awesome work on this! I've implemented this package into Laravel and it works great!

I'm now trying to generate recovery codes or backup codes, like this page: https://support.google.com/accounts/answer/1187538?hl=en
How are you generating recovery codes (backup codes) in case a user doesn't have their phone?

I've looked through the code and have been thinking of different ways I can implement a recovery code list, but I'm coming up empty-handed.

Can the one time password method `oathHotp` be used in a loop to generate those codes?

kerem closed this issue 2026-02-25 20:32:10 +03:00

@danlake commented on GitHub (Dec 16, 2015):

I have run into exactly the same issue. Would be useful to understand how to implement this, as not all TFA apps / clients can scan QR codes.


@aik099 commented on GitHub (Mar 11, 2016):

The recovery codes are one-time-use passwords that:

  • are generated not based on time
  • expire immediately after use

This library isn't responsible for creating/validating them. You can use any secure random generator for creating these codes.
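
What the comment above describes, as an added example that is not part of the original thread or of the google2fa package: codes drawn from PHP's CSPRNG (`random_int`), stored only as hashes, and deleted on first use. The function names, alphabet, code length and code count are assumptions chosen for illustration (requires PHP 7.4+).

```php
<?php
declare(strict_types=1);
// Assumed alphabet: no look-alike characters (0/O, 1/I/L), so codes can be typed by hand.
const RECOVERY_ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';

// Draw each character with random_int(), PHP's CSPRNG interface; nothing depends on time.
function generateRecoveryCodes(int $count = 10, int $length = 10): array
{
    $codes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = '';
        for ($j = 0; $j < $length; $j++) {
            $code .= RECOVERY_ALPHABET[random_int(0, strlen(RECOVERY_ALPHABET) - 1)];
        }
        $codes[] = implode('-', str_split($code, 5)); // grouped as XXXXX-XXXXX
    }
    return $codes;
}

// Accept the code with or without separators and in either case.
function normaliseCode(string $input): string
{
    return strtoupper(str_replace(['-', ' '], '', trim($input)));
}

// Store only hashes; the plaintext codes are shown to the user once.
function hashRecoveryCodes(array $codes): array
{
    return array_map(fn (string $c): string => password_hash(normaliseCode($c), PASSWORD_DEFAULT), $codes);
}

// On a match, remove the hash so the code expires immediately after use.
// The caller must persist $storedHashes atomically (e.g. in a DB transaction).
function redeemRecoveryCode(string $input, array &$storedHashes): bool
{
    $candidate = normaliseCode($input);
    foreach ($storedHashes as $i => $hash) {
        if (password_verify($candidate, $hash)) {
            unset($storedHashes[$i]);
            return true;
        }
    }
    return false;
}

$codes  = generateRecoveryCodes();   // shown to the user once
$stored = hashRecoveryCodes($codes); // what the application keeps
var_dump(redeemRecoveryCode(strtolower($codes[0]), $stored)); // first use of a code
var_dump(redeemRecoveryCode($codes[0], $stored));             // replay of the same code
```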


@GrahamCampbell commented on GitHub (Jul 17, 2016):

This can probably be closed. This is outside the scope of this package.


@antonioribeiro commented on GitHub (Jul 17, 2016):

As @GrahamCampbell said, not related to this package. You should generate recovery codes on your app using a different method (sms, email...), and it must not be based on time as this package is.
