lbuchs/WebAuthn

A simple PHP WebAuthn (FIDO2) server library.

Simple working demo for the lbuchs/WebAuthn library.

Use Client-side discoverable Credentials / Passkeys Warning: most client-side modules and authenticators don't allow to delete single client side credentials. You have to reset the full device to remove the credentials again.

Relying Party

A valid domain string that identifies the WebAuthn Relying Party
on whose behalf a given registration or authentication ceremony is being performed.

RP ID:

User

User ID (Hex): You get the user ID back when checking registration (as userHandle), if you're using client-side discoverable credentials. You can identify with this ID the user who wants to login. A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user. The user handle MUST NOT contain personally identifying information about the user, such as a username or e-mail address.

User Name: only for display, i.e., aiding the user in determining the difference between user accounts with similar display names.

User Display Name: A human-palatable name for the user account, intended only for display.

user verification

required User verification is required (e.g. by pin), the operation will fail if the response does not have the UV flag.

preferred user verification is prefered, the operation will not fail if the response does not have the UV flag.

discouraged user verification should not be employed as to minimize the user interaction during the process.

type of authenticator

USB

NFC

BLE

hybrid Passkeys via mobile device, ...

internal Passkeys on the device, Windows Hello, Android SafetyNet, Apple, ...

attestation

yes

attestation statement format

android-key

android-safetynet

apple

fido-u2f

none

packed

tpm

attestation root certificates

Accept keys signed by FIDO Alliance Metadata Service

Accept keys signed by apple root ca

Accept keys signed by yubico root ca

Accept keys signed by solokeys root ca

Accept keys signed by hypersecu root ca

Accept keys signed by google root ca

Accept keys signed by Microsofts collection of trusted TPM root ca

(Nothing checked = accept all)

If you select a root ca, direct attestation is required to validate your client with the root.
The browser may warn you that he will provide informations about your device.
When not checking against any root ca (deselect all certificates), the client may change the assertion from the authenticator (for instance, using an anonymization CA),
the browser may not warn about providing informations about your device.

Here you can see what's saved on the server: