⚠️ Version 9.0.0 Breaking Change
Default Secret Key Length Increased
Version 9.0.0 introduces a breaking change: The default secret key length has been increased from 16 to 32 characters for enhanced security.
What Changed?
generateSecretKey()now generates 32-character secrets by default (previously 16)- This increases cryptographic entropy from 80 bits to 160 bits
- Maintains full compatibility with Google Authenticator and other TOTP apps
Migration Guide
If you want to keep the previous behavior (16-character secrets):
// Old default behavior (v8.x and below)
$secret = $google2fa->generateSecretKey();
// New way to get 16-character secrets (v9.0+)
$secret = $google2fa->generateSecretKey(16);
If you want to use the new default (32-character secrets):
// This now generates 32-character secrets by default
$secret = $google2fa->generateSecretKey();
Potential Impact Areas
- Database schemas: Check if your google2fa_secret columns can handle 32 characters
- Validation rules: Update any length validations that expect exactly 16 characters
- Tests: Update test assertions expecting 16-character secrets
- UI components: Ensure QR code displays and secret key fields accommodate longer secrets
Important: Existing 16-character secrets remain fully functional. Database updates are only needed if you want to use the new 32-character default behavior.
Why This Change?
While 16-character secrets meet RFC 6238 minimum requirements, 32-character secrets provide significantly better security:
- 16 chars: 80 bits of entropy (adequate but minimal)
- 32 chars: 160 bits of entropy (much stronger against brute force)
This change aligns with modern security best practices for cryptographic applications.