<?php
// Demo of the RobThree\Auth\TwoFactorAuth enrolment and verification flow.
require_once 'vendor/autoload.php';

// Issuer label shown in the authenticator app. The setup line is not on this page;
// this constructor call follows the library's 1.x signature (assumed).
$tfa = new RobThree\Auth\TwoFactorAuth('MyApp');

echo '- First create a secret and associate it with a user', PHP_EOL;
$secret = $tfa->createSecret(160); // Though the default is an 80 bits secret (for backwards compatibility reasons) we recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)

echo '- Next create a QR code and let the user scan it:', PHP_EOL;
// Reconstructed: the original image markup was lost in extraction. getQRCodeImageAsDataUri()
// is the library's method for rendering the otpauth:// URI as a data-URI image; the label is a placeholder.
echo $tfa->getQRCodeImageAsDataUri('user@example.com', $secret), PHP_EOL;
echo '  ...or display the secret to the user for manual entry: ', chunk_split($secret, 4, ' '), PHP_EOL;

$code = $tfa->getCode($secret);
echo '- Next, have the user verify the code; at this time the code displayed by a 2FA-app would be: ', $code, ' (but that changes periodically)', PHP_EOL;
echo '- When the code checks out, 2FA can be / is enabled; store (encrypted?) secret with user and have the user verify a code each time a new session is started.', PHP_EOL;
echo '- When aforementioned code (', $code, ') was entered, the result would be: ', (($tfa->verifyCode($secret, $code) === true) ? 'OK' : 'FAIL'), PHP_EOL;

// Note: Make sure your server-time is NTP-synced! Depending on the $discrepancy allowed your time cannot drift too much from the users' time!
try {
    $tfa->ensureCorrectTime();
    echo 'Your hosts time seems to be correct / within margin', PHP_EOL;
} catch (RobThree\Auth\TwoFactorAuthException $ex) {
    echo 'Warning: Your hosts time seems to be off: ', $ex->getMessage(), PHP_EOL;
}
?>
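The demo above drives the library's createSecret/getCode/verifyCode without showing what they compute, or why the closing note about NTP sync matters. The following stand-alone PHP script is an added example, not code from the RobThree\Auth library or its demo: it implements RFC 4226 HOTP and RFC 6238 TOTP from scratch (base32 secret, HMAC-SHA1 over the time step, dynamic truncation, a +/- $discrepancy window compared in constant time), checks itself against the published RFC 6238 Appendix B vector, and then shows how a drifting client clock moves in and out of the acceptance window. Function names, constants and the epoch value used for the drift demo are ours, not the library's.

```php
<?php
declare(strict_types=1);

// Added example, not part of the RobThree\Auth library: a minimal RFC 6238 TOTP
// generator/verifier showing what getCode()/verifyCode() compute and how the
// $discrepancy window interacts with clock drift. All names here are ours.

const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Encode raw bytes as RFC 4648 base32 (no '=' padding), the form authenticator apps accept.
function base32Encode(string $bytes): string
{
    $bits = '';
    foreach (str_split($bytes) as $b) {
        $bits .= str_pad(decbin(ord($b)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= substr(B32_ALPHABET, bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT)), 1);
    }
    return $out;
}

// Decode base32 back to raw key bytes; leftover zero bits at the end are discarded.
function base32Decode(string $b32): string
{
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos(B32_ALPHABET, $ch);
        if ($val === false) {
            throw new InvalidArgumentException("Invalid base32 character: $ch");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $key = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $key .= chr(bindec($byte));
        }
    }
    return $key;
}

// Equivalent of createSecret(160): CSPRNG bytes, base32 for the app (RFC 4226 asks for >= 128 bits, recommends 160).
function createSecret(int $bits = 160): string
{
    return base32Encode(random_bytes(intdiv($bits, 8)));
}

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
function hotp(string $key, int $counter, int $digits = 6, string $algo = 'sha1'): string
{
    $hmac = hash_hmac($algo, pack('J', $counter), $key, true);
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0F;
    $binary = ((ord($hmac[$offset]) & 0x7F) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): HOTP with counter = floor(unixTime / period).
function totp(string $b32secret, int $time, int $period = 30, int $digits = 6): string
{
    return hotp(base32Decode($b32secret), intdiv($time, $period), $digits);
}

// Accept a code matching the current step or any step within +/- $discrepancy steps.
// hash_equals() is constant-time; every window is still scanned so the number of
// comparisons does not reveal which step matched.
function verifyTotp(string $b32secret, string $code, int $time, int $discrepancy = 1, int $period = 30, int $digits = 6): bool
{
    $ok = false;
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        if (hash_equals(totp($b32secret, $time + $i * $period, $period, $digits), $code)) {
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" (base32 below), T=59, SHA1, 6 digits -> 287082.
$rfcSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$vector = totp($rfcSecret, 59);
echo 'RFC 6238 vector at T=59: ', $vector, ' -> ', ($vector === '287082' ? 'PASS' : 'FAIL'), PHP_EOL;

// Clock drift versus the window: with $discrepancy = 1 and a 30 s period the server accepts
// steps [now-30, now, now+30]. A client 30 s off is always accepted, one 60 s or more off is
// always rejected; drifts in between depend on where "now" sits inside its 30 s step.
$serverNow = 1000020; // constructed epoch value, divisible by 30 so the step phase is 0
foreach ([0, 30, 59, 60, 90] as $drift) {
    $clientCode = totp($rfcSecret, $serverNow + $drift); // what the user's app would display
    $accepted = verifyTotp($rfcSecret, $clientCode, $serverNow, 1);
    printf("client clock %+3d s ahead: code %s -> %s\n", $drift, $clientCode, $accepted ? 'accepted' : 'rejected');
}

echo 'Fresh 160-bit secret for manual entry: ', chunk_split(createSecret(160), 4, ' '), PHP_EOL;
```

Run it with `php totp_demo.php`. The drift loop is the concrete reason behind the NTP note: a server clock that is a full period off eats the whole tolerance the window was meant to give the user's phone. One caveat the stateless check above shares with any verifyCode call that discards its result: a code stays valid for every step in the window, so a production verifier should also record the last accepted time step per user and refuse codes for that step or earlier, which stops a code that was observed in transit from being reused within the window.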