laravel-2fa maintained by mortogo321
Description
A comprehensive Laravel package for Two-Factor Authentication with support for TOTP, WebAuthn/Passkey, SMS, and Email providers
Author
Last update
2026/03/06 19:06
(dev-main)
License
Downloads
0
Tags
security - laravel - totp - authy - 2fa - two-factor-authentication - google-authenticator - webauthn - passkey
Laravel 2FA
A Laravel package that adds multi-provider two-factor authentication (TOTP, WebAuthn/Passkey, SMS, and Email) to any Laravel application, with recovery codes and route-level middleware protection.
What's inside
- TOTP provider — compatible with Google Authenticator, Authy, and other standard TOTP apps, including QR code generation for enrollment.
- WebAuthn/Passkey provider — registration and verification backed by a WebAuthn credential repository, for hardware keys and platform authenticators.
- SMS provider — code generation and verification, with the actual SMS delivery left to be wired up to a provider of your choice.
- Email provider — verification codes sent via a built-in mailable.
- Recovery codes — generated per user, with regeneration and one-time-use verification.
- Middleware —
two-factorto enforce a completed challenge on protected routes, andtwo-factor.verifiedto gate the challenge flow itself. - Facade (
TwoFactor) — programmatic access to enable/disable providers, verify codes, and check verification state. - Extensible provider architecture — new providers can be registered against a common
TwoFactorProvidercontract.
Tech stack
- PHP
- Laravel (package targets the Laravel 10–12 range)
pragmarx/google2fafor TOTPweb-auth/webauthn-libandweb-auth/cose-libfor WebAuthnbacon/bacon-qr-codefor QR code rendering
Quickstart
This is a Composer package meant to be installed into a host Laravel application, not run standalone.
# 1. Install into your Laravel app
composer require mortogo321/laravel-2fa
# 2. Publish config and migrations
php artisan vendor:publish --tag=two-factor-config
php artisan vendor:publish --tag=two-factor-migrations
php artisan migrate
# 3. (Optional) Publish views to customize the Blade templates
php artisan vendor:publish --tag=two-factor-views
Add the trait to your user model and protect routes with the middleware:
// app/Models/User.php
use YourVendor\Laravel2FA\Traits\HasTwoFactorAuthentication;
class User extends Authenticatable
{
use HasTwoFactorAuthentication;
}
// routes/web.php
Route::middleware(['auth', 'two-factor'])->group(function () {
Route::get('/dashboard', [DashboardController::class, 'index']);
});
Note: the PSR-4 namespace declared in
composer.jsonand used throughoutsrc/isYourVendor\Laravel2FA(a placeholder that has not been renamed to a real vendor namespace yet).
Project structure
src/Contracts/—TwoFactorProviderandTwoFactorAuthenticatableinterfaces.src/Providers/— the four built-in providers (TOTP, WebAuthn, SMS, Email).src/Services/—TwoFactorManager(provider orchestration),RecoveryCodeService,WebAuthnCredentialRepository.src/Http/Controllers/—TwoFactorAuthenticationControllerhandling the challenge, settings, enable/disable, and recovery code actions.src/Http/Middleware/—RequireTwoFactorAuthenticationandEnsureTwoFactorIsVerified.src/Models/—TwoFactorMethod,RecoveryCode,WebAuthnKeyEloquent models.src/Traits/HasTwoFactorAuthentication.php— mixed into the host app's user model.src/Facades/TwoFactor.php— facade overTwoFactorManager.config/two-factor.php— per-provider settings, table names, route prefix/middleware, rate limiting, and session behavior.database/migrations/— tables for two-factor methods, recovery codes, and WebAuthn keys.routes/web.php— package routes, registered under the configurabletwo-factorprefix.
Routes
Registered under the configurable prefix (two-factor by default) with the middleware set in config/two-factor.php (web, auth by default):
| Method | URI | Name | Description |
|---|---|---|---|
| GET | /two-factor/challenge |
two-factor.challenge | Show the 2FA challenge page |
| POST | /two-factor/challenge |
two-factor.verify | Verify a submitted 2FA code |
| GET | /two-factor/settings |
two-factor.index | Show the 2FA settings page |
| POST | /two-factor/enable/{provider} |
two-factor.enable | Enable a provider for the current user |
| POST | /two-factor/disable/{provider} |
two-factor.disable | Disable a provider for the current user |
| GET | /two-factor/recovery-codes |
two-factor.recovery-codes.show | View recovery codes |
| POST | /two-factor/recovery-codes |
two-factor.recovery-codes.regenerate | Regenerate recovery codes |
License
MIT — see LICENSE.