v9.0.0 (commit e6bc62dd6a)

    v9.0.0 Stable

    kerem released this 2025-09-20 01:51:08 +03:00 | 4 commits to 9.x since this release

    📅 Originally published on GitHub: Fri, 19 Sep 2025 22:55:29 GMT
    🏷️ Git tag created: Fri, 19 Sep 2025 22:51:08 GMT

    ⚠️ Version 9.0.0 Breaking Change

    Default Secret Key Length Increased

    Version 9.0.0 introduces a breaking change: the default secret key length has been increased from 16 to 32 characters for enhanced security.

    What Changed?

    • generateSecretKey() now generates 32-character secrets by default (previously 16)
    • This increases cryptographic entropy from 80 bits to 160 bits
    • Maintains full compatibility with Google Authenticator and other TOTP apps

    Migration Guide

    If you want to keep the previous behavior (16-character secrets):

    // Old default behavior (v8.x and below)
    $secret = $google2fa->generateSecretKey();
    
    // New way to get 16-character secrets (v9.0+)
    $secret = $google2fa->generateSecretKey(16);
    
    If you want to use the new default (32-character secrets):
    
    // This now generates 32-character secrets by default
    $secret = $google2fa->generateSecretKey();
    
    Potential Impact Areas
    
    - Database schemas: Check if your google2fa_secret columns can handle 32 characters
    - Validation rules: Update any length validations that expect exactly 16 characters
    - Tests: Update test assertions expecting 16-character secrets
    - UI components: Ensure QR code displays and secret key fields accommodate longer secrets
    
    Important: Existing 16-character secrets remain fully functional. Database updates are only needed if you want to use the new 32-character default behavior.
    
    Why This Change?
    
    While 16-character secrets meet RFC 6238 minimum requirements, 32-character secrets provide significantly better security. Each base32 character of the secret carries 5 bits of entropy, so:
    
    - 16 chars: 80 bits of entropy (adequate but minimal)
    - 32 chars: 160 bits of entropy (much stronger against brute force)
    
    This change aligns with modern security best practices for cryptographic applications.
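    To make the entropy arithmetic and the compatibility claim concrete, here is an added Python example (it is not code from pragmarx/google2fa, which is PHP): it generates base32 secrets of either length, computes their entropy, applies a validation rule that accepts both lengths, and runs the RFC 6238 TOTP computation over them. The 32-character secret used for checking is the public SHA-1 test key from RFC 6238 Appendix B, so its codes can be cross-checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Base32 alphabet (RFC 4648) used for authenticator secrets: 5 bits per character.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Public SHA-1 test key from RFC 6238 Appendix B ("12345678901234567890");
# 20 bytes = 160 bits, which is exactly a 32-character base32 secret.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def generate_secret(length: int = 32) -> str:
    """Random base32 secret of `length` characters (32 mirrors the new default)."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def entropy_bits(secret: str) -> int:
    """Entropy of a base32 secret: 5 bits per character (16 -> 80, 32 -> 160).
    160 bits is also the shared-secret length RFC 4226 recommends."""
    return 5 * len(secret)


def is_valid_secret(secret: str, allowed_lengths=(16, 32)) -> bool:
    """Validation rule that accepts legacy 16-char and new 32-char secrets alike."""
    return len(secret) in allowed_lengths and all(c in BASE32_ALPHABET for c in secret)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): one code path serves secrets of either length."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", unix_time // step)          # T = floor(time / step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    for n in (16, 32):
        s = generate_secret(n)
        print(n, s, entropy_bits(s), "bits, code at t=59:", totp(s, 59))
```

    Because both lengths are whole multiples of 8 base32 characters, neither needs padding when decoded, which is why the same TOTP routine works unchanged for old and new secrets.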
    