asoftware

One Time Password for Authentication

Does anybody have any good resources for honoring the Laravel best practices for authentication using an emailed One Time Password? I would like to use this as a login method but looking for resources that follow Laravel best practices. Are there any packages that exist that do this similar thing already?

0 likes
3 replies
LaryAI
Level 58

One Time Password (OTP) authentication is a method where a user is sent a password (usually through email or SMS) that is valid for only one login session or transaction. In Laravel, you can implement OTP authentication by leveraging the built-in features for authentication and notifications, or you can use packages that simplify the process.

Here's a basic outline of how you could implement OTP authentication in Laravel following best practices:

  1. User Requests OTP: When the user wants to log in, they provide their email address, and your application generates an OTP.

  2. Store the OTP: Save the OTP in your database associated with the user's account, along with a timestamp to ensure it expires after a certain period (e.g., 5 minutes).

  3. Send the OTP: Use Laravel's notification system to email the OTP to the user.

  4. User Enters OTP: The user receives the OTP and enters it on your login form.

  5. Validate the OTP: Check the entered OTP against the stored one and ensure it hasn't expired.

  6. Authenticate: If the OTP is correct and hasn't expired, authenticate the user.

Here's a simplified code example to illustrate the process:

<?php

namespace App\Http\Controllers;

use App\Models\User;
use App\Notifications\OtpNotification;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

// Note: cast `otp_created_at` to 'datetime' in the User model's $casts so diffInMinutes() is available.
class OtpLoginController extends Controller
{
    // Step 1 & 2: Generate and store OTP
    public function requestOtp(Request $request)
    {
        $request->validate(['email' => ['required', 'email']]);

        $user = User::where('email', $request->email)->firstOrFail();

        // Generate a 6-digit OTP from a cryptographically secure source (rand() is not one);
        // str_pad keeps leading zeros so the code is always six characters
        $otp = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $user->otp = Hash::make($otp); // store only the hash, never the plaintext
        $user->otp_created_at = now();
        $user->save();

        // Step 3: Send OTP via email
        $user->notify(new OtpNotification($otp));

        return back()->with('status', 'OTP has been sent to your email.');
    }

    // Step 4 & 5: Validate OTP
    public function verifyOtp(Request $request)
    {
        $request->validate([
            'email' => ['required', 'email'],
            'otp'   => ['required', 'digits:6'],
        ]);

        $user = User::where('email', $request->email)->firstOrFail();

        // Reject when no OTP is outstanding, when it is older than 5 minutes, or when the hash does not match
        $isValid = $user->otp !== null
            && $user->otp_created_at !== null
            && $user->otp_created_at->diffInMinutes(now()) < 5
            && Hash::check($request->otp, $user->otp);

        if ($isValid) {
            // Step 6: Authenticate user
            Auth::login($user);
            $request->session()->regenerate(); // new session id after login

            // Clear the OTP fields so the same code cannot be used twice
            $user->otp = null;
            $user->otp_created_at = null;
            $user->save();

            return redirect()->intended('dashboard');
        }

        return back()->withErrors(['otp' => 'The provided OTP is invalid or has expired.']);
    }
}

For the notification, you would create a new notification class using php artisan make:notification OtpNotification and use Laravel's mail channel to send the OTP.

Regarding packages, there are several packages available for Laravel that can help you implement OTP authentication. One such package is laravel-otp which provides a simple API to generate and validate OTPs. You can find it on GitHub or Packagist and follow the installation instructions.

Remember to always keep security in mind. OTPs should be treated with the same security considerations as passwords. Ensure they are stored securely (e.g., hashed) and that they expire after a short period or after being used. Also, consider rate limiting the OTP requests to prevent abuse.
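The properties the reply lists for a safe OTP (hashed at rest, short expiry, single use, limited attempts) can be shown without any framework. The following is an added example, not code from the thread or from any package; it is plain PHP that runs with `php otp_store.php`, and the `OtpStore` class, its method names and the limits of 5 minutes and 5 attempts are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): the OTP lifecycle without Laravel.
// OtpStore and its methods are hypothetical names; the store is in-memory
// so the whole file runs offline.
final class OtpStore
{
    private const TTL_SECONDS = 300;   // 5-minute validity, as in the answer above
    private const MAX_ATTEMPTS = 5;    // wrong guesses tolerated before the code is voided

    /** @var array<string, array{hash:string, created:int, attempts:int}> */
    private array $records = [];

    /** Generate a 6-digit code from a CSPRNG, keep only its hash, return the plaintext for delivery. */
    public function issue(string $email, int $now): string
    {
        // random_int() is cryptographically secure; rand()/mt_rand() are not.
        // str_pad keeps codes such as "004217" six characters long.
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);

        // Re-issuing replaces any outstanding code for this account.
        $this->records[$email] = [
            'hash'     => password_hash($code, PASSWORD_BCRYPT),
            'created'  => $now,
            'attempts' => 0,
        ];
        return $code;
    }

    /** Verify a submitted code; succeeds at most once per issued code. */
    public function verify(string $email, string $submitted, int $now): bool
    {
        $rec = $this->records[$email] ?? null;
        if ($rec === null) {
            return false;                       // nothing outstanding for this account
        }
        if ($now - $rec['created'] > self::TTL_SECONDS) {
            unset($this->records[$email]);      // expired: discard instead of letting it linger
            return false;
        }
        if ($rec['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->records[$email]);      // too many wrong guesses: a fresh code is required
            return false;
        }
        // password_verify() does a constant-time comparison against the stored hash.
        if (!password_verify($submitted, $rec['hash'])) {
            $this->records[$email]['attempts']++;
            return false;
        }
        unset($this->records[$email]);          // single use: the consumed code cannot be replayed
        return true;
    }
}

// Demonstration with constructed values (the e-mail address and timestamps are made up).
$store = new OtpStore();
$t0    = 1700000000;
$code  = $store->issue('user@example.com', $t0);
$wrong = $code === '000000' ? '000001' : '000000';  // a guess guaranteed to differ from the real code

var_dump($store->verify('user@example.com', $wrong, $t0 + 10));  // wrong guess: rejected, attempt counted
var_dump($store->verify('user@example.com', $code, $t0 + 10));   // correct code inside the window
var_dump($store->verify('user@example.com', $code, $t0 + 20));   // replay of the consumed code

$code2 = $store->issue('user@example.com', $t0);
var_dump($store->verify('user@example.com', $code2, $t0 + 301)); // correct code, but past the 5-minute TTL
```

In the Laravel version the three fields of each record map onto columns on the user (or a dedicated `otps` table) and the attempt counter is what a route-level rate limiter would otherwise provide; keeping the counter next to the hash means a flood of guesses voids the code itself rather than only slowing the attacker down.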
