The Secret for this implementaiton is hard coded since it's just a website implementation.

In production $ga->createSecret(); is called for a new enrollment, this is used in an openssl_encrypt call with the password as Initialization Vector and a system wide key to store an encrypted value in an ldap userPassword attribute that will only reveal the users secret with their correct password and the system key.