I'm trying to implement 2FA with Authy, using the Authy PHP library and an Authy API key to add users to Authy, so that the user can scan the QR code and get my app's authentication on their phone.
I followed the documentation as mentioned on that library's GitHub page. User data is saved successfully, but I'm getting some random numeric secret key (which is generated for the user by Authy) to store in the database; if I enter that secret in the app it shows a "secret key is invalid" error. Check out the screenshots below.
We need to enter a secret something like this, but I'm getting a numeric secret; if I enter that manually the app shows an error like the screenshot below.
The documentation is like below:
require_once dirname(__DIR__) . '/extra/Authy/vendor/autoload.php';
$authy_api = new Authy\AuthyApi('MY_API_KEY');
// (email, phone number, country code)
$user = $authy_api->registerUser('email@gmail.com', '9999999999', 91);
if ($user->ok()) {
    // The Authy user ID returned for this user
    echo json_encode($user->id());
} else {
    // Pass the values as printf arguments rather than interpolating them into the format string
    foreach ($user->errors() as $field => $message) {
        printf("%s = %s\n", $field, $message);
    }
}
And another problem: how can I generate a QR code which Authy can understand? I've searched for some and didn't get any solutions. Please help me.
Twilio/Authy developer evangelist here.
I must apologise, our documentation here has gotten a bit behind. I'll try to help.
First up, I recommend you take a look through this documentation on two factor authentication with Twilio and Authy.
Second, let me explain the process with Authy with regards to how far you've got.
You've set up the API and credentials correctly and then you have registered a user using the call to $authy_api->registerUser. The user ID that you got back from that response should not be shared with anyone. It is your reference to your user in the Authy database. You should store that ID against the user that is signing up and use that ID any time you need to send codes or verify codes. You don't need to use QR codes to share anything with the user either. To start the two factor authentication process you now need to call:
With the ID that you got back from the API as the $userID in this code. The method call suggests that it's going to send an SMS, however that's just a bit of legacy.
Finally, once the user enters the code on your site you should call to verify the token:
In this case, the $userID is that ID you got back from the registerUser call initially and that you saved to your user. The $token is the code they enter from the app or the SMS. Please let me know if that helps or if you have any other questions.
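The three-step flow the answer describes (register once, request a code at login, verify what the user types), written out as an added example; this is not code from the question, the answer or the Authy library's own samples. It assumes the authy/php Composer package providing Authy\AuthyApi is installed and that the AUTHY_API_KEY environment variable holds a real key. The method names registerUser(), requestSms() and verifyToken() are the library's; the user record array, the helper function names and the token length check are constructed for illustration.

```php
<?php
// Added example: full Authy 2FA flow in PHP. Assumes authy/php is installed
// via Composer and AUTHY_API_KEY is set. Everything except the three library
// calls (registerUser, requestSms, verifyToken) is constructed for this example.
require_once __DIR__ . '/vendor/autoload.php';

use Authy\AuthyApi;

$authy = new AuthyApi(getenv('AUTHY_API_KEY'));

// Step 1: enrol the user once and keep the returned Authy ID server-side,
// tied to your own user record. It is a reference into Authy's database,
// not a TOTP seed, so it is never shown to the user or put into a QR code.
function enrolUser(AuthyApi $authy, array &$userRecord, string $email, string $phone, string $countryCode): bool
{
    $resp = $authy->registerUser($email, $phone, $countryCode);
    if (!$resp->ok()) {
        foreach ($resp->errors() as $field => $message) {
            // Log server-side; do not echo API error details to the browser
            error_log(sprintf('authy register %s: %s', $field, $message));
        }
        return false;
    }
    $userRecord['authy_id'] = $resp->id();   // persist alongside the user, e.g. a DB column
    return true;
}

// Step 2: at login, after the password check passes, ask Authy to deliver a
// code. Users with the Authy app get it in-app; others receive an SMS.
function startSecondFactor(AuthyApi $authy, array $userRecord): bool
{
    $resp = $authy->requestSms($userRecord['authy_id']);
    return $resp->ok();
}

// Step 3: verify what the user typed. Strip non-digits and reject anything
// outside a plausible code length before spending an API call on it
// (the 6-10 digit bound is a constructed sanity check, not a library rule).
function finishSecondFactor(AuthyApi $authy, array $userRecord, string $token): bool
{
    $token = preg_replace('/\D/', '', $token);
    if (strlen($token) < 6 || strlen($token) > 10) {
        return false;
    }
    $resp = $authy->verifyToken($userRecord['authy_id'], $token);
    return $resp->ok();
}

// Usage sketch with a constructed user record; in a real app the Authy ID
// would be loaded from your database and the token from the login form.
$user = ['id' => 42, 'email' => 'user@example.com'];
if (enrolUser($authy, $user, $user['email'], '9999999999', '91')) {
    startSecondFactor($authy, $user);
    $submitted = '123456';                       // constructed stand-in for the form value
    $passed = finishSecondFactor($authy, $user, $submitted);
    // Only mark the session as fully authenticated when $passed is true
}
```

The point the answer makes is visible in the shape of the code: the only value stored from registration is the Authy ID, it travels only between your server and Authy, and the user never has to transcribe anything, which is why the numeric value from registerUser() is not a secret for the app and no QR code is needed.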