
# ⚠️ Version 9.0.0 Breaking Change

### Default Secret Key Length Increased

Version 9.0.0 introduces a breaking change: the default secret key length has been increased from 16 to 32 characters for enhanced security.

#### What Changed?

- generateSecretKey() now generates 32-character secrets by default (previously 16)
- This increases cryptographic entropy from 80 bits to 160 bits
- Maintains full compatibility with Google Authenticator and other TOTP apps

#### Migration Guide

If you want to keep the previous behavior (16-character secrets):

```php
// Old default behavior (v8.x and below)
$secret = $google2fa->generateSecretKey();

// New way to get 16-character secrets (v9.0+)
$secret = $google2fa->generateSecretKey(16);
```

If you want to use the new default (32-character secrets):

```php
// This now generates 32-character secrets by default
$secret = $google2fa->generateSecretKey();
```

#### Potential Impact Areas

- Database schemas: Check if your google2fa_secret columns can handle 32 characters
- Validation rules: Update any length validations that expect exactly 16 characters
- Tests: Update test assertions expecting 16-character secrets
- UI components: Ensure QR code displays and secret key fields accommodate longer secrets

Important: Existing 16-character secrets remain fully functional. Database updates are only needed if you want to use the new 32-character default behavior.

#### Why This Change?

While 16-character secrets meet RFC 6238 minimum requirements, 32-character secrets provide significantly better security:

- 16 chars: 80 bits of entropy (adequate but minimal)
- 32 chars: 160 bits of entropy (much stronger against brute force)

This change aligns with modern security best practices for cryptographic applications.
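A worked check of the upgrade, added here as an example and not taken from the Google2FA README: it generates secrets of both lengths through the library call the migration guide shows, confirms a code derived from each still verifies, and scans constructed sample column values for the two lengths the upgrade leaves valid. It assumes pragmarx/google2fa is installed via Composer at the usual vendor/autoload.php path; the secretEntropyBits and isValidStoredSecret helpers and the $storedSecrets data are assumptions of this example.

```php
<?php
// Added example, not part of the Google2FA README: exercises the v9.0 length change
// and checks stored secrets for the two lengths the upgrade leaves in play.
// Assumes pragmarx/google2fa via Composer; $storedSecrets below is constructed data.
require __DIR__ . '/vendor/autoload.php';

use PragmaRX\Google2FA\Google2FA;

// Each Base32 character carries 5 bits, so 16 chars = 80 bits and 32 chars = 160 bits.
function secretEntropyBits(string $secret): int
{
    return strlen($secret) * 5;
}

// A stored value is acceptable only if it uses the Base32 alphabet (A-Z, 2-7) and is
// exactly 16 or 32 characters; anything else (e.g. a value cut short by a column that
// is too narrow) is flagged for review instead of silently accepted.
function isValidStoredSecret(string $secret): bool
{
    return preg_match('/^(?:[A-Z2-7]{16}|[A-Z2-7]{32})$/', $secret) === 1;
}

$google2fa = new Google2FA();

$newSecret    = $google2fa->generateSecretKey();   // v9.0 default: 32 characters
$legacySecret = $google2fa->generateSecretKey(16); // explicit legacy length

foreach (['new' => $newSecret, 'legacy' => $legacySecret] as $label => $secret) {
    // Both lengths still verify: a code computed from the secret is accepted, which is
    // why existing 16-character enrollments keep working after the upgrade.
    $ok = $google2fa->verifyKey($secret, $google2fa->getCurrentOtp($secret));
    printf("%-6s %s  %2d chars  %3d bits  verifies: %s\n",
        $label, $secret, strlen($secret), secretEntropyBits($secret), $ok ? 'yes' : 'no');
}

// Constructed sample of what a google2fa_secret column might hold mid-migration.
$storedSecrets = [
    'JBSWY3DPEHPK3PXP',                 // legacy 16-char secret: fine
    'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP', // new 32-char secret: fine
    'JBSWY3DPEHPK3PXPJBSWY3DP',         // 24 chars: neither length, needs a look
    'jbswy3dpehpk3pxp',                 // lowercase: not the alphabet the library emits
];

foreach ($storedSecrets as $secret) {
    printf("%-34s %s\n", $secret, isValidStoredSecret($secret) ? 'ok' : 'INVALID LENGTH/FORMAT');
}
```

Because a length check cannot tell a freshly generated 16-character secret from the first half of a 32-character one that a narrow column truncated, also confirm the first code at enrollment after widening the column.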

Source: README.md, updated 2025-09-19