mchuluq/laravel-mfa
Composer 安装命令:
composer require mchuluq/laravel-mfa
包简介
Multi-Factor Authentication package for Laravel with TOTP, Email OTP, and WebAuthn support
README 文档
README
Multi-Factor Authentication package for Laravel 8+ with support for TOTP, Email OTP, and WebAuthn/Passkey.
Features
- 🔐 Multiple MFA Methods: TOTP (Authenticator Apps), Email OTP, WebAuthn/Passkey
- 🎨 Driver Pattern: Easy to extend with custom drivers
- 🛡️ Security First: Rate limiting, backup codes, device remembering
- 🎯 Middleware Based: Simple integration as authentication layer
- 📱 User Friendly: Multiple methods per user, fallback options
- 🔧 Highly Configurable: Extensive configuration options
- 🎭 Laravel 8+ Compatible: Built specifically for Laravel 8
Requirements
- PHP ^7.4 or ^8.0
- Laravel ^8.0
- MySQL/PostgreSQL/SQLite
Installation
1. Install via Composer
composer require mchuluq/laravel-mfa
2. Publish
php artisan vendor:publish --tag=mfa-config php artisan vendor:publish --tag=mfa-migrations php artisan vendor:publish --tag=mfa-vue php artisan vendor:publish --tag=mfa-blade php artisan migrate
3. Add Trait to User Model
use Mchuluq\LaravelMFA\Traits\HasMFA; class User extends Authenticatable { use HasMFA; // ... }
Configuration
Edit config/mfa.php:
return [ 'enabled' => true, 'drivers' => [ 'totp' => [ 'enabled' => true, // ... ], 'email_otp' => [ 'enabled' => true, // ... ], 'webauthn' => [ 'enabled' => true, // ... ], ], // ... ];
Usage
Protect Routes with MFA
// routes/web.php Route::middleware(['auth', 'mfa'])->group(function () { Route::get('/dashboard', [DashboardController::class, 'index']); Route::get('/profile', [ProfileController::class, 'show']); });
Setup MFA for User
// In your controller public function enableTotp(Request $request) { $user = auth()->user(); // Setup TOTP $setup = mfa('totp')->setup($user); return view('mfa.setup.totp', [ 'qrCode' => $setup['qr_code'], 'secret' => $setup['secret'], 'backupCodes' => $setup['backup_codes'], ]); } public function verifyTotp(Request $request) { $user = auth()->user(); $code = $request->input('code'); if (mfa('totp')->verify($user, $code)) { return redirect()->route('dashboard') ->with('success', 'MFA enabled successfully!'); } return back()->withErrors(['code' => 'Invalid code']); }
Check MFA Status
// Check if user has MFA enabled if ($user->hasMFAEnabled()) { // ... } // Get enabled methods $methods = $user->getMFAMethods(); // Get primary method $primary = $user->getPrimaryMFAMethod();
Using Helper Functions
// Get MFA manager $manager = mfa(); // Get specific driver $totp = mfa('totp'); // Check if MFA is verified in session if (mfa_verified()) { // User has verified MFA } // Check if user requires MFA if (mfa_required()) { // Redirect to challenge }
Available Drivers
1. TOTP (Time-based One-Time Password)
Works with authenticator apps like:
- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password
// Setup $setup = mfa('totp')->setup($user); // Verify $isValid = mfa('totp')->verify($user, $code); // Disable mfa('totp')->disable($user);
2. Email OTP
Send verification codes via email.
// Send challenge mfa('email_otp')->challenge($user); // Verify $isValid = mfa('email_otp')->verify($user, $code);
3. WebAuthn / Passkey
Hardware security keys and biometric authentication.
// Setup $options = mfa('webauthn')->setup($user); // Verify $isValid = mfa('webauthn')->verify($user, $credential);
Security Features
- Rate Limiting: Configurable max attempts and lockout
- Backup Codes: Emergency access codes for TOTP
- Remember Device: Optional trusted device feature
- Session Timeout: Automatic MFA session expiration
- Audit Logging: Track all MFA events
Events
Listen to MFA events:
use Mchuluq\LaravelMFA\Events\MFAEnabled; use Mchuluq\LaravelMFA\Events\MFAVerified; use Mchuluq\LaravelMFA\Events\MFAFailed; // In EventServiceProvider protected $listen = [ MFAEnabled::class => [ SendMFAEnabledNotification::class, ], MFAVerified::class => [ LogMFAVerification::class, ], ];
License
The MIT License (MIT). Please see License File for more information.
Credits
mchuluq/laravel-mfa 适用场景与选型建议
mchuluq/laravel-mfa 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 4 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 01 月 05 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「Authentication」 「two-factor」 「laravel」 「otp」 「totp」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 mchuluq/laravel-mfa 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 mchuluq/laravel-mfa 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 mchuluq/laravel-mfa 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Filament Two Factor Authentication: Google 2FA + Passkey Authentication
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Novactive eZ 2FA Bundle is an Ibexa bundle that provides two-factor authentication for your Ibexa project
Provide a way to secure accesses to all routes of an symfony application.
Two-factor Authentication for WordPress
统计信息
- 总下载量: 4
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 34
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-01-05