authorRobThree <rob@devcorner.nl>2017-02-17 16:24:54 +0100
committerRobThree <rob@devcorner.nl>2017-02-17 16:24:54 +0100
commit5093ab230cd8f1296d792afb6a49545f37e7fd5a (patch)
treec5e3e06753d36d7a2578e22abb7ef0dbed4233db
parentf90bc373198a9184e86a797fceb78687745cb540 (diff)
downloadTwoFactorAuth-5093ab230cd8f1296d792afb6a49545f37e7fd5a.zip
TwoFactorAuth-5093ab230cd8f1296d792afb6a49545f37e7fd5a.tar.gz
TwoFactorAuth-5093ab230cd8f1296d792afb6a49545f37e7fd5a.tar.bz2
* Fix TwoFactorAuth class actually uses the TimeProvider1.6.0
* Update README and DEMO to advise using 160+ bits secret
-rw-r--r--README.md2
-rw-r--r--demo/demo.php12
-rw-r--r--lib/TwoFactorAuth.php2
3 files changed, 12 insertions, 4 deletions
diff --git a/README.md b/README.md
index 0fba429..d65eb19 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ When a user wants to setup two-factor auth (or, more correctly, multi-factor aut
$secret = $tfa->createSecret();
````
-The `createSecret()` method accepts two arguments: `$bits` (default: `80`) and `$requirecryptosecure` (default: `true`). The former is the number of bits generated for the shared secret. Make sure this argument is a multiple of 8 and, again, keep in mind that not all combinations may be supported by all apps. Google authenticator seems happy with 80 and 160, the default is set to 80 because that's what most sites (that I know of) currently use. The latter is used to ensure that the secret is cryptographically secure; if you don't care very much for cryptographically secure secrets you can specify `false` and use a **non**-cryptographically secure RNG provider.
+The `createSecret()` method accepts two arguments: `$bits` (default: `80`) and `$requirecryptosecure` (default: `true`). The former is the number of bits generated for the shared secret. Make sure this argument is a multiple of 8 and, again, keep in mind that not all combinations may be supported by all apps. Google authenticator seems happy with 80 and 160, the default is set to 80 because that's what most sites (that I know of) currently use; however a value of 160 or higher is recommended (see [RFC 4226 - Algorithm Requirements](https://tools.ietf.org/html/rfc4226#section-4)). The latter is used to ensure that the secret is cryptographically secure; if you don't care very much for cryptographically secure secrets you can specify `false` and use a **non**-cryptographically secure RNG provider.
````php
// Display shared secret
diff --git a/demo/demo.php b/demo/demo.php
index baf1570..996dd92 100644
--- a/demo/demo.php
+++ b/demo/demo.php
@@ -8,13 +8,13 @@
<?php
require_once 'loader.php';
Loader::register('../lib','RobThree\\Auth');
-
+
use \RobThree\Auth\TwoFactorAuth;
$tfa = new TwoFactorAuth('MyApp');
echo '<li>First create a secret and associate it with a user';
- $secret = $tfa->createSecret();
+ $secret = $tfa->createSecret(160); // Though the default is an 80 bits secret (for backwards compatibility reasons) we recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)
echo '<li>Next create a QR code and let the user scan it:<br><img src="' . $tfa->getQRCodeImageAsDataUri('My label', $secret) . '"><br>...or display the secret to the user for manual entry: ' . chunk_split($secret, 4, ' ');
$code = $tfa->getCode($secret);
echo '<li>Next, have the user verify the code; at this time the code displayed by a 2FA-app would be: <span style="color:#00c">' . $code . '</span> (but that changes periodically)';
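Review bot: The rationale for `createSecret(160)` is carried in a trailing comment of about 150 characters on the same line, which is hard to read in the demo and will be lost by anyone who copies just the call. Put it above the statement: `// The default is an 80-bit secret (kept for backwards compatibility);` / `// RFC 4226 section 4 recommends 160 bits, so the demo asks for that.` / `$secret = $tfa->createSecret(160);`. Since the README in this same commit says the bit count must be a multiple of 8, it may also be worth stating in the comment that 160 satisfies that constraint.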
@@ -23,5 +23,13 @@
?>
</ol>
<p>Note: Make sure your server-time is <a href="http://en.wikipedia.org/wiki/Network_Time_Protocol">NTP-synced</a>! Depending on the $discrepancy allowed your time cannot drift too much from the users' time!</p>
+ <?php
+ try {
+ $tfa->ensureCorrectTime();
+ echo 'Your hosts time seems to be correct / within margin';
+ } catch (RobThree\Auth\TwoFactorAuthException $ex) {
+ echo '<b>Warning:</b> Your hosts time seems to be off: ' . $ex->getMessage();
+ }
+ ?>
</body>
</html>
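Review bot: The new catch block echoes `$ex->getMessage()` straight into the HTML body without escaping; if the message from `ensureCorrectTime()` embeds values obtained from external time sources, that is an unescaped injection point in a page people copy from. Use `echo '<b>Warning:</b> Your hosts time seems to be off: ' . htmlspecialchars($ex->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Presumably `ensureCorrectTime()` contacts remote time sources, so running it on every page load is acceptable for a demo but a comment should say that in production this check belongs at deploy time or in a cron job, not in the request path.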
diff --git a/lib/TwoFactorAuth.php b/lib/TwoFactorAuth.php
index 838a51c..e6a1fa9 100644
--- a/lib/TwoFactorAuth.php
+++ b/lib/TwoFactorAuth.php
@@ -154,7 +154,7 @@ class TwoFactorAuth
private function getTime($time)
{
- return ($time === null) ? $this->timeprovider->getTime() : $time;
+ return ($time === null) ? $this->getTimeProvider()->getTime() : $time;
}
private function getTimeSlice($time = null, $offset = 0)
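Review bot: The fix routes `getTime()` through `getTimeProvider()` but the method still has no docblock, and nothing in the commit shows a regression test for the defect it corrects. Add above the method: `/** Resolves the time to use: the caller-supplied $time, or the configured provider's current time when $time is null. */`. Presumably the old code read `$this->timeprovider` before a lazily-created provider existed, or bypassed a provider injected through the constructor; a test that injects a fixed-time provider and asserts `getCode()` returns the value for that fixed time would pin the new behavior and catch a recurrence. Note also that `$time` is returned unchecked when non-null, so a caller passing a non-integer reaches the slice arithmetic unvalidated. `getTimeSlice()` begins on the hunk's last line and continues outside it.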