I recently implemented Multi Factor Authentication in one of the projects I work on. Antonio Ribeiro has a great package that makes this implementation extremely easy, and Christopher Thomas published a cool strategy for it. Let's go over the steps.

1- Install google2fa-laravel

composer require pragmarx/google2fa-laravel

2- Generating a QR Code

The first thing the users will need is a way to enable/disable multi factor authentication. One way to achieve that is to expose a GET profile/token request that renders an enable view if the user doesn't have a private key yet, or a disable view if the user has already enabled it.

In showEnableTokenForm, the Google2FA Facade is responsible for generating a secret key and for generating the QR Code that the user scans to capture that secret key.

Don't forget to show the QR Code through an image tag:

<img src="{{ $QRCode }}" alt="">

3- Storing/Removing the Token

Once the user reads the QR Code, they can type in the one time password and submit it for the application to validate it for activation.

If the user submits the correct one time password, the Google2FA Facade validates it and the secret is stored in the users table.

4- The Authenticated Method

After activating the Token, the next step is to require it during the login process. With Laravel's default Authentication system, LoginController comes with an authenticated method that can be used to trigger an action post-authentication, which makes it a perfect place to request the token.

The strategy is to check whether the authenticated user has a token and, if they do, require a one time password. If the token is null, the regular behavior of redirecting to the home page applies. Otherwise, the user is redirected to the /token route.

Note: Make sure to add a google_token column to your users table.

5- Requesting one time password during login

The TokenController will show a simple view with an input field requiring the one time password.

On submit of this form, the goal is to retrieve the user and verify their one time password against their google token. If it matches, they're authenticated; otherwise, ask again.
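As an added example (not the author's gists, and not code from the google2fa-laravel package), here is what steps 4 and 5 look like together: the authenticated hook on LoginController and a TokenController that finishes the login. It assumes the google_token column from the note above, a /token route pointing at these methods, a view named auth.token, and a session key token_user_id that is my own choice of name.

```php
<?php
// Added example for steps 4 and 5; names below are assumptions, not the package's API:
//   users.google_token column, /token route, auth.token view, session key token_user_id.

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use PragmaRX\Google2FALaravel\Facade as Google2FA;

// --- In App\Http\Controllers\Auth\LoginController ---------------------------
public function authenticated(Request $request, $user)
{
    if ($user->google_token === null) {
        // MFA not enabled: keep Laravel's default post-login redirect.
        return redirect()->intended($this->redirectPath());
    }

    // Password was correct but the second factor is still unchecked, so do not
    // leave the user logged in. Remember only who is mid-way through MFA.
    Auth::logout();
    $request->session()->put('token_user_id', $user->id);

    return redirect('/token');
}

// --- In App\Http\Controllers\TokenController --------------------------------
public function showTokenForm(Request $request)
{
    // Only someone who just passed the password check may see this form.
    abort_unless($request->session()->has('token_user_id'), 403);

    return view('auth.token');
}

public function verifyToken(Request $request)
{
    $request->validate(['one_time_password' => 'required|digits:6']);
    $user = User::findOrFail($request->session()->get('token_user_id'));

    if (! Google2FA::verifyKey($user->google_token, $request->one_time_password)) {
        // Wrong code: ask again, as the post describes.
        return back()->withErrors(['one_time_password' => 'Invalid one time password.']);
    }

    $request->session()->forget('token_user_id');
    Auth::login($user);
    $request->session()->regenerate(); // new session id once fully authenticated

    return redirect()->intended('/home');
}
```

Put the POST /token route behind Laravel's throttle middleware, since a six-digit code can be guessed if retries are unlimited; note also that verifyKey accepts the same code for the whole time window, so a stricter setup records the last accepted timestamp and rejects reuse.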

6- Final Thoughts