Welcome to "Laravel Definitive Security Framework" demo.

- Feel free to register a user and try any section of the app.
- Or use this credentials: user: demouser pass: tfa!grate10
- The database is reset every day.
- This demo does not generate emails, sms or phone calls.. but your code will be shown.
- The app will ask for the 2FA code when activating and the first time you login. To check this function again you can delete your device in "Known Devices".

This is the configuration file, is super easy to enable or disable all functions:

Config file
Config file
Config file

Laravel Definitive Security Framework is a "Laravel Package" ready to add with Composer to your existing or new Laravel app. It comes pre-installed in Laravel with a full demonstration of all its functions.


New security and authenticate options for Laravel: 2FA, Known Devices, Recovery Codes, Google Authenticate, TOTP, Password Strength, Blacklisted, SMS, reCAPTCHA, Throttling, Verify Phone Number, Quick Register, Restricted Areas, and much more...



  • Everything is easily customizable with more than 50 configuration variables.
  • All controllers use a trait so you can easily override any method.
  • Non-invasive, all files are in their respective vendor folder.



  • Login with both fields: email and username.


Two Factor Authentication

  • After login the user is ask for a secondary password, there are 3 techniques:
    • SMS:
      • A code is send via written message to the user cell phone.
    • Voice:
      • A code is send via phone call to the user cell phone or landline.
    • TOTP:
      • Using a QR code and an app like "Google Authenticator" the code is obtain.
      • It is very easy, fast and it is free! Don't need no make any kind of call.
    • The codes expire after the given time.
    • The 2FA it's only required when using a new device.
      • After successful login, the new device will be added to the list of "Known Devices".
      • The user can manage Known Devices.
    • The app will also generate "one time use" recovery codes:
      • In the case the user lost his cell phone for example, he can login with one of this codes and change his telephone number.
      • Also the administrator may have their own set for each user.


Password Rules

  • Password Strength:
    • Percentage of strength based on "Zxcvbn Algorithm" and common matches.
    • The result is a percentage of strength.
  • Password "Must Include" Rules:
    • Length, letter, case difference, number and symbol.


Quick Registration

  • The idea is that the user don't hesitate so it could be as simple as an email field.
  • The user will receive a password and next time he attempts to login, he will be ask to complete his profile.


Request on Demand

  • You can request all users to change password or update profile.


Restricted Areas

  • You may restrict some areas or functions in two ways:
    • Asking for confirmation, as bank portals, this can be via, SMS, Voice and TOTP.
      • After certain minutes the user has to confirm again.
    • Asking for an email or phone number to be "Verify", this can be via Email, SMS and Voice.
      • Once verify is confirm permanently.


Users Blacklisted

  • 3 stages: Limited, Banned and Blacklisted (or Inactive).
    • Blacklisted users are blocked from login.
    • Limited and Banned may have other restrictions.
  • New users won't be able to register using email o phone number once used by blacklisted users.


Multiple Fields

  • Full control of multiple emails and phone numbers per user.
    • Rules to avoid repeats among themselves and among other users.
  • Column names mapping, to use your existing migrations.


Reset or Change Password

  • You can choose between the Laravel default email; or SMS, Voice and TOTP.
  • The app will reject the old password.



  • It has multi-language support built in.
  • It comes in English and Spanish but can be easily translated into other languages.
  • Recaptcha 2 for registration forms and other known abused areas.
  • Recaptcha 3
    • You can take actions after a form is submit based on the score return by Recaptcha 3.
    • Take further action after reviewing Google's report of danger areas.
  • Three independent throttling configurations to block user after to many attempts:
    • Applies in: Enter password, Send notification and Users registrations.
  • All passwords, codes and tokens are hashed or encrypted.
  • Just Laravel Requirements: Laravel 6.x Installation and Laravel 7.x Installation
  • Compatible with Laravel 6.x (PHP 7.2.0) to 7.x. (PHP 7.2.5 or newer)
  • The Zip file includes a copy of Laravel 7.1 with the package fully installed, configured and with demo routines for each function.
  • If you want to install it in an already started project it is necessary to include the package in the composer.json and copy the content of some files (see the documentation).

Actually the most important part of the documentation are the comments in the "config tfa" file and in the ".env" file; the demo is also a great help resource.

Download Zip file with extra information.

The charge we make for the package includes all the code except:

  • Composer dependencies.
  • A few paragraphs in which, in the comments is specified where it was get from.


Please do not freely distribute the code or put it in a repository since it is not an open source package. Read the license terms and consider the extended license if you plan to use the package in multiple projects.