
PHP Multi-Factor Authentication for Web Development




Categories: PHP Tutorials, PHP Security

When we need to provide our users access only to certain information, or limit access to features for authorized users only, we need to use user authentication.

We can never be 100% certain users are who they claim to be. However, we can get close using multiple authentication factors.

Read this article to learn more about multi-factor authentication and when we should or should not use it.


What are Authentication Factors?

Can You Keep a Secret?

Balancing The Scales

Open Says Me

Authentication in PHP

A Note on Credit Card Information


What are Authentication Factors?

To really understand user authentication, you have to understand the concept of authentication factors. The more factors you require, the more secure your systems will be.

One Factor Authentication (1FA) - What you know

The most common example of what you know, when related to the web, is the user's password.

Two Factor Authentication (2FA) - What you know and what you have

In addition to what the user knows, they must also possess something unique to them, what they have. The most common example of what you have, when related to the web, is a digital certificate.

There is a debate about whether what you have has to be something physical, like a USB stick for one time password (OTP) tokens, or if it can also be something the user does not even know they have, like a digital certificate. I personally think the payment card industry data security standard (PCI DSS) has made it clear in their following statement:

"Note that a digital certificate is a valid option for 'something you have' as long as it is unique for a particular user."

Three Factor Authentication (3FA) - What you know, what you have and what you are

In addition to what the user knows and what they have, they must also provide something that identifies what they are. This factor would be a biometric like a fingerprint, voice print, retina scan, etc.

Multi-Factor Authentication (MFA) - Combining like Factors

MFA occurs when you combine factors of the same type. For example, a username (what you know) and a password (what you know) is 1FA MFA, which is a little more secure than just 1FA. If you add a digital certificate to the previous example, you have 2FA MFA (what you know, what you know and what you have), which is a little more secure than just 2FA.

Location Factor - Where you are

While this is not one of the official authentication factors, I feel it is important to mention. The payment card industry uses it whenever they place a hold on authorizing payments to prevent fraudulent purchases based on the card being used somewhere you are not. In relation to the web, a user's IP address is used to verify that a request is coming from somewhere the user is known to be.

Can You Keep a Secret?

Anything used for an authentication factor is only a factor if it can remain a secret. Let us say you have a login script where the user provides a username and password, 1FA MFA, right?

Now suppose you also display the username whenever the user comments on an article. The username is no longer a secret, so you are down to just the password as a factor, 1FA. Let's suppose further that the user's password is... password, which will not remain a secret for long, so in this case there really is no authentication.

We encrypt information so that we can store it or exchange it and still keep it a secret. However, our secrets are only as good as our encryption. Use your favorite search engine and search for...


The first thing you will discover is that it is an MD5 hash. The next thing you will discover, if you continue to a site that reverses MD5 hashes, is that the secret really is not much of a secret password.

Any sensitive information that is publicly accessible can only be considered an authentication factor if the encryption is strong enough to keep it a secret.

Balancing The Scales

Before implementing your own user authentication system, you have to weigh the importance of what you are protecting against the user experience. The higher the level of security, the more the user is inconvenienced.

Third party authentication

Third party authentication is where the user provides their authentication to a trusted third party. The third party then certifies that the user has been authenticated. We see this more and more as web sites offer their users the convenience of a unified login system through a third party like Facebook.

The level of security is only as high as the third party's authentication factors, which is 1FA MFA with Facebook. However, it could be considered much lower if you also take into account the number of people that share their authentication details between family and friends.

1FA method

For user tracking with no access to sensitive information.

Simple password authentication - The user provides a unique username with a secret password. The username is an identifier and not an authentication factor so it can be used publicly to identify the user.

1FA MFA method

For user access to their own sensitive information like address, phone number, order details, etc.

User and Password pair authentication - The user provides a unique secret username and secret password. The user account will also have a display name to publicly identify the user so that the username and password can be kept secret.

For user access to other users' sensitive information, as administrators or moderators for example.

User, Password and PIN authentication. The user provides a secret username, secret password and secret personal identification number (PIN). The PIN should be something the user can frequently change, providing an extra layer of protection.

2FA method

For user access to sensitive information like credit card information. This is the minimum authentication level required by the PCI DSS.

User and OTP token authentication. The user provides a secret username and one time password token. The OTP token can be generated by a proprietary (secret) program contained on a USB stick plugged into the computer or a digital display device that displays the current acceptable token.

User and Digital Certificate authentication. The user provides a secret username along with a unique digital certificate. The digital certificates are normally managed by a trusted third party certification authority (CA).

2FA MFA method

For user access to networks, credit card information and any other sensitive information.

These methods are generally the same as the 2FA methods already described, except they add additional layers by including passwords, pass phrases, PINs, etc.

3FA method

Currently biometrics is outside the scope of general web development. There are technologies available which allow fingerprint scanning detached from an operating system that could make 3FA viable and more common in the future.

Open Says Me

In web development, passwords are the most widely used authentication factor and there is a trend to force the user to make their passwords stronger. If you are not protecting anything worth stealing, or worth gaining access to, then you may consider allowing weak passwords as a convenience to your users. However, you must be aware that if a user's account is compromised, the user is most likely going to blame you.

Passwords are strengthened by making them longer and by forcing users to combine uppercase and lowercase letters with numbers and non-alphanumeric characters, while not using any word that exists in a dictionary of any language.

The dilemma is that the harder a password is to remember, the more likely a user is going to write it down or store it somewhere, which means it is no longer a secret and compromises the stronger authentication it was supposed to be providing. This is something to consider when you are deciding just how strong you want to make your password requirements.

When you need to store passwords, it is tempting to just use an MD5 hash so nobody can read them. As we saw earlier, you might as well not encrypt them at all. Instead, salt the MD5 hash with a randomly generated string.

Salting is adding additional text to a user's password, so that the MD5 hash cannot be easily reversed using MD5 translation tables. Then, when authenticating the password the user provided, you retrieve the salt associated with their account and add it to the password they provided. The resulting MD5 hash will match the saved MD5 hash if they provided the correct password.
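The salt-and-verify flow described above, as an added PHP example that is not code from the original article. It goes one step beyond the text by also showing PHP's built-in password_hash() and password_verify(), which generate a per-password salt themselves and use a deliberately slow algorithm in place of MD5. The function names, the 16-byte salt and the salt-then-password order are assumptions.

```php
<?php
// Added example, not from the article. Passwords and accounts are constructed.

// Unsalted MD5: two users with the same password get the same hash, so a
// single precomputed translation table exposes both accounts.
$sameUnsalted = md5('password') === md5('password');

// Salted MD5 as described above. Assumptions: a 16-byte random salt, stored
// next to the hash and prepended to the password.
function createSaltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function verifySaltedRecord(array $record, string $candidate): bool
{
    // Recompute with the stored salt; hash_equals() compares in constant time.
    return hash_equals($record['hash'], md5($record['salt'] . $candidate));
}

$alice = createSaltedRecord('password');
$bob   = createSaltedRecord('password');

// PHP's built-in API: the salt is generated and embedded in the stored
// string, and the algorithm is deliberately slow to compute.
$stored = password_hash('password', PASSWORD_DEFAULT);

$results = [
    'unsalted hashes identical'     => $sameUnsalted,
    'salted hashes identical'       => $alice['hash'] === $bob['hash'],
    'salted verify, right password' => verifySaltedRecord($alice, 'password'),
    'salted verify, wrong password' => verifySaltedRecord($alice, 'letmein'),
    'password_verify, right'        => password_verify('password', $stored),
    'password_verify, wrong'        => password_verify('letmein', $stored),
    'stored hash needs rehash'      => password_needs_rehash($stored, PASSWORD_DEFAULT),
];

foreach ($results as $label => $value) {
    printf("%-32s %s\n", $label, var_export($value, true));
}
```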

Authentication in PHP

Request based authentication is the most common method used, where a user supplies their credentials in a form to post to an authentication script. Once authenticated, the credentials can be encrypted and either stored in a session on the server, in cookies on the client side, or even in database managed sessions.

PHP also supports HTTP authentication using headers which trigger the browser to open a user and password dialog. The supplied credentials are then available to PHP in the $_SERVER superglobal as PHP_AUTH_USER, PHP_AUTH_PW and PHP_AUTH_TYPE.

Two types of authentication are available, basic and digest. Basic authentication is much less secure since the credentials are transmitted using plain text, so it should only be used over an SSL (Secure Socket Layer) connection. Since PHP 5.1, digest authentication is also available. It allows the credentials to be encrypted.
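A basic-authentication gate built on the $_SERVER values named above, as an added example that is not code from the original article. The account table, the realm name and the function names are assumptions; the gate refuses to prompt for credentials unless the request arrived over HTTPS.

```php
<?php
// Added example, not from the article. The account below is constructed.
$accounts = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function isHttps(array $server): bool
{
    // PHP sets HTTPS to a non-empty value on TLS requests; IIS uses "off" otherwise.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function checkBasicAuth(array $server, array $accounts): bool
{
    static $dummy = null;
    // Unknown users are verified against a dummy hash so that response time
    // does not reveal which usernames exist.
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);

    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    $user  = $server['PHP_AUTH_USER'];
    $known = isset($accounts[$user]);
    $match = password_verify($server['PHP_AUTH_PW'], $known ? $accounts[$user] : $dummy);
    return $known && $match;
}

if (PHP_SAPI === 'cli') {
    // Simulated requests (constructed) so the file also runs from the command line.
    $good = ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'alice',
             'PHP_AUTH_PW' => 'correct horse battery staple'];
    $bad  = ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'mallory', 'PHP_AUTH_PW' => 'guess'];
    var_dump(checkBasicAuth($good, $accounts), checkBasicAuth($bad, $accounts));
    var_dump(isHttps(['HTTPS' => 'off']));
    exit;
}

if (!isHttps($_SERVER)) {
    http_response_code(403);
    exit('HTTPS is required for basic authentication.');
}
if (!checkBasicAuth($_SERVER, $accounts)) {
    // This header makes the browser open its user and password dialog.
    header('WWW-Authenticate: Basic realm="Members"');
    http_response_code(401);
    exit('Authentication required.');
}
echo 'Hello, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
```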

There are many authentication classes written in PHP to choose from and a better understanding of how user authentication works will help you choose one that is a right fit for your needs.

A Note on Credit Card Information

Requirements to store and protect credit card information are established by the PCI DSS, and access to this information must be at a 2FA level minimum and only by users with the need to access it.

If you do not control your server and everyone who has access to it, you cannot store credit card information. So if you are using a hosted server, hosted VPN or hosted Cloud, do not store credit card information; use third party payment processing services instead.


User authentication is a delicate balance between the sensitivity of the information or resources we want to protect and the amount of inconvenience our users will tolerate, the human factor.

Hopefully with a better understanding of how user authentication factors work you will be able to make an informed decision on what level of authentication is best for you and your users.

Post a comment here to ask questions or other opinions about when and how to use multiple factor authentication in your applications.
