The Google Auth Security Module implements two-factor authentication using the TOTP standard, allowing users to verify identity with time-based codes from apps such as Google Authenticator. The module generates secrets, presents enrollment QR codes, and validates tokens during login. This expanded changelog preserves every original release note while adding context on why each change matters for security, reliability, and usability.

Updates progressed from core functionality in the initial release to targeted fixes for real-world issues. The timing bug resolution in 1.0.5 prevents valid tokens from being rejected under certain conditions. Input restrictions and UI refinements in 1.0.6 reduce user errors. All administrators running the module should apply the latest version to benefit from these cumulative stability and compatibility improvements.

#Version History

#Version 1.0.6 - Released 10.22.2017

This release refined the user-facing components of the authentication process. Changes focused on the token entry screen where users submit their six-digit code. These modifications directly address common friction points observed during login, resulting in fewer failed attempts due to input mistakes or unclear interface elements.

  • Improved the look and feel of the token verification screen. Visual updates include better spacing, clearer labeling, and a more professional appearance that aligns with current interface standards, helping users complete authentication faster and with greater confidence.
  • Token input field now only accepts numeric values. The form field rejects non-numeric keystrokes at the browser level, preventing invalid submissions that previously required server-side error handling and user retries. This both improves UX and slightly reduces server load from bad requests.

#Version 1.0.5 - Released 10.10.2017

Version 1.0.5 delivered broad improvements to code quality, internationalization, and correctness of the core verification logic. The timing fix was especially important because intermittent rejection of valid tokens can erode user trust in the 2FA system and increase support workload. Modern PHP updates ensure the module remains compatible with servers running contemporary language versions without deprecated warnings.

  • Added better language support. Enhanced handling of localized strings and character encodings allows the verification screens and error messages to display correctly for non-English users, broadening the module's usefulness across international hosting environments.
  • Code improvements for modern PHP versions. Refactoring removed outdated constructs, improved error handling, and aligned the codebase with PHP 5.6+ and early 7.x best practices. These changes reduce runtime warnings and improve long-term maintainability without altering external behavior.
  • Resolved a timing issue that could result in a valid token being treated as invalid. The fix corrected a narrow race condition in the TOTP window calculation that occasionally caused legitimate codes to fail verification, especially under load or with slight clock skew between client and server.

#Version 1.0.1 - Released 07.10.2017

This targeted update aligned the module with internal platform changes. The licensing system overhaul required corresponding adjustments to key validation and update mechanisms. Without this compatibility layer, newer installations would have been unable to activate or receive future patches.

  • Updated to work with the new ASPnix 2.0 licensing system. The revised integration correctly performs license checks, handles renewal status, and supports streamlined application of security updates going forward.

#Version 1.0.0 - Released 01.01.2016

Initial release established the complete feature set required for TOTP-based two-factor authentication. It included secret key creation per user, QR code generation for easy app enrollment, secure storage of shared secrets, and constant-time comparison of submitted tokens against the expected value within the acceptable time window. This version provided a solid, standards-compliant foundation that all subsequent releases built upon.

#Practical Takeaways

Always run the most recent version (1.0.6) to incorporate the UI refinements, input validation, language support, PHP modernization, licensing compatibility, and the important token timing correction. When updating, replace module files, verify that token enrollment and validation continue to function for test accounts, and confirm no PHP warnings appear in error logs. Consult the module setup guide for steps covering secret generation, user enrollment, and integration into login forms.