
Critical vulnerability with use of timing-sensitive comparison! #22

@rlittlefield

Description


https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L31

The checkCode generator currently uses == to compare the user-provided code to the system-generated code. It should be switched to use PHP's hash_equals function, which is able to perform the comparison in a way that does not leak timing data.

http://php.net/manual/en/function.hash-equals.php

This is important because the 30 second TOTP window is likely enough to make many attempts to validate a code. Because the project isn't under active maintenance, I would suggest adding a line to the readme referring people to a different TOTP library, such as:

https://github.com/Spomky-Labs/otphp
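A verifier written the way the issue asks for, as an added example that is not the project's own code: a minimal RFC 6238 generator beside the loose `==` comparison and the `hash_equals` form. Function names and the demo secret are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; not code from chregu/GoogleAuthenticator.php.
// totpCode, verifyCodeLoose and verifyCodeConstantTime are hypothetical names.

/** RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, 6-digit dynamic truncation. */
function totpCode(string $rawSecret, int $timestamp, int $stepSeconds = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $stepSeconds);
    $msg = pack('J', $counter);                    // 8-byte big-endian counter (RFC 4226)
    $hash = hash_hmac('sha1', $msg, $rawSecret, true);
    $offset = ord($hash[19]) & 0x0f;
    $binary = ((ord($hash[$offset]) & 0x7f) << 24)
        | (ord($hash[$offset + 1]) << 16)
        | (ord($hash[$offset + 2]) << 8)
        | ord($hash[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Weak form (what the issue reports): == is not constant-time, so the response time can
 *  vary with how much of the expected code the submitted value matches. Because both sides
 *  are numeric strings, == also compares them numerically, so leading zeros are ignored. */
function verifyCodeLoose(string $rawSecret, string $userCode, int $timestamp): bool
{
    return totpCode($rawSecret, $timestamp) == $userCode;
}

/** Hardened form: hash_equals() runs in time that depends only on the length of the
 *  expected string, and it compares the two strings byte for byte with no coercion. */
function verifyCodeConstantTime(string $rawSecret, string $userCode, int $timestamp): bool
{
    $expected = totpCode($rawSecret, $timestamp);
    return hash_equals($expected, $userCode);
}

// Constructed demo values; a real secret must come from a CSPRNG and be stored per user.
$secret = 'constructed-demo-secret';
$now = 1700000000;
$good = totpCode($secret, $now);
var_dump(verifyCodeConstantTime($secret, $good, $now));
var_dump(verifyCodeConstantTime($secret, '000000', $now));
```

In practice the verifier also checks the adjacent time steps for clock drift and rejects a code that has already been accepted once, so that the timing fix is not undone by unlimited retries within the window.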
