README.md: 25 additions & 24 deletions
@@ -5,7 +5,7 @@
5
5
# WebAuthn
6
6
*A simple PHP WebAuthn (FIDO2) server library*
7
7
8
-
Goal of this project is to provide a small, lightweight, understandable library to protect logins with passkeys, security keys like Yubico or Solo, fingerprint on Android or Windows Hello.
8
+
The goal of this project is to provide a small, lightweight, understandable library to protect logins with passkeys, security keys like Yubico or Solo, fingerprint on Android, or Windows Hello.
9
9
10
10
## Manual
11
11
See /_test for a simple usage of this library. Check [webauthn.lubu.ch](https://webauthn.lubu.ch) for a working example.
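Review bot: The rewritten line 8 still names a vendor rather than a product in "security keys like Yubico or Solo"; since this pass is a copyedit, suggest "security keys like YubiKey or Solo" so both items are key names. The added article ("The goal") and the serial comma before "or Windows Hello" are correct.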
@@ -20,7 +20,7 @@ See /_test for a simple usage of this library. Check [webauthn.lubu.ch](https://
20
20
* tpm ✅
21
21
22
22
> [!NOTE]
23
-
> This library supports authenticators which are signed with a X.509 certificate or which are selfattested. ECDAA is not supported.
23
+
> This library supports authenticators that are signed with an X.509 certificate or that are self-attested. ECDAA is not supported.
24
24
25
25
## Workflow
26
26
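Review bot: Line 23 still says the authenticators themselves are "signed with an X.509 certificate", but what is signed is the attestation statement, and what the library verifies is that signature against an X.509 attestation certificate; suggest "> This library supports attestation statements signed with an X.509 attestation certificate, as well as self-attestation. ECDAA is not supported." The that/which and "self-attested" fixes are fine.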
@@ -59,35 +59,36 @@ are signed with their own root certificate, enabling them to validate that an au
59
59
their organization.
60
60
61
61
### no attestation
62
-
just verify that the device is the same device used on registration.
62
+
Just verify that the device is the same device used on registration.
63
63
You can use 'none' attestation with this library if you only check 'none' as format.
64
64
65
65
> [!TIP]
66
-
> this is propably what you want to use if you want secure login for a public website.
66
+
> This is probably what you want to use if you want secure login for a public website.
67
67
68
-
### indirect attestation
69
-
the browser may replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily
68
+
### Indirect attestation
69
+
The browser may replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily
70
70
verifiable version of the same data (for example, by employing an anonymization CA).
71
-
You can not validate against any root ca, if the browser uses a anonymization certificate.
72
-
this library sets attestation to indirect, if you select multiple formats but don't provide any root ca.
71
+
You cannot validate against any root CA if the browser uses an anonymization certificate.
72
+
This library sets attestation to indirect if you select multiple formats but don't provide any root CA.
73
73
74
74
> [!TIP]
75
-
> hybrid soultion, clients may be discouraged by browser warnings but then you know what device they're using (statistics rulez!)
75
+
> A hybrid solution. Clients may be discouraged by browser warnings, but then you know what device they're using (statistics rulez!).
76
76
77
-
### direct attestation
78
-
the browser proviedes data about the identificator device, the device can be identified uniquely. User could be tracked over multiple sites, because of that the browser may show a warning message about providing this data when register.
79
-
this library sets attestation to direct, if you select multiple formats and provide root ca's.
77
+
### Direct attestation
78
+
The browser provides data about the identificator device, which can be identified uniquely.
79
+
Users could be tracked across multiple sites. Because of this, the browser may show a warning message about providing this data during registration.
80
+
This library sets attestation to direct if you select multiple formats and provide root CAs.
80
81
81
82
> [!TIP]
82
-
> this is probably what you want if you know what devices your clients are using and make sure that only this devices are used.
83
+
> This is probably what you want if you know what devices your clients are using and want to ensure that only these devices are used.
A Client-side discoverable Credential Source is a public key credential source whose credential private key is stored in the authenticator,
86
-
client or client device. Such client-side storage requires a resident credentialcapable authenticator.
87
-
This is only supported by FIDO2 hardware, not by older U2F hardware.
87
+
client, or client device. Such client-side storage requires a resident credential-capable authenticator.
88
+
This is only supported by FIDO2 hardware, not older U2F hardware.
88
89
89
90
>[!NOTE]
90
-
>Passkeys is a technique that allows sharing credentials stored on the device with other devices. So from a technical standpoint of the server, there is no difference to client-side discoverable credentials. The difference is only that the phone or computer system is automatically syncing the credentials between the user’s devices via a cloud service. The cross-device sync of passkeys is managed transparently by the OS.
91
+
>Passkeys is a technique that allows sharing credentials stored on the device with other devices. So from a technical standpoint of the server, there is no difference from client-side discoverable credentials. The difference is only that the phone or computer system automatically syncs the credentials between the user’s devices via a cloud service. The cross-device sync of passkeys is managed transparently by the OS.
91
92
92
93
### How does it work?
93
94
In a typical server-side key management process, a user initiates a request by entering their username and, in some cases, their password.
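Review bot: Line 78 keeps "the identificator device", which this copyedit should have replaced; the data being handed over is about the authenticator (the AAGUID and attestation statement named in the indirect-attestation section at lines 69-70), so suggest "The browser provides identifying data about the authenticator (AAGUID and attestation statement), so the authenticator model can be identified." Splitting the sentence at line 79 is an improvement, but "which can be identified uniquely" now attaches to a "device" the sentence never clearly introduced. The rest of the hunk (capitalized headings, "root CA", "anonymization certificate", "these devices") reads correctly.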
@@ -100,18 +101,18 @@ If a key is found, the authentication process proceeds in the same way as it wou
100
101
of identifiers. There is no difference in the verification process.
101
102
102
103
### How can I use it with this library?
103
-
#### on registration
104
-
When calling `WebAuthn\WebAuthn->getCreateArgs`, set `$requireResidentKey` to true,
105
-
to notify the authenticator that he should save the registration in its memory.
104
+
#### On registration
105
+
When calling `WebAuthn\WebAuthn->getCreateArgs`, set `$requireResidentKey` to true
106
+
to notify the authenticator that it should save the registration in its memory.
106
107
107
-
#### on login
108
-
When calling `WebAuthn\WebAuthn->getGetArgs`, don't provide any `$credentialIds` (the authenticator will look up the ids in its own memory and returns the user ID as userHandle).
108
+
#### On login
109
+
When calling `WebAuthn\WebAuthn->getGetArgs`, don't provide any `$credentialIds` (the authenticator will look up the IDs in its own memory and return the user ID as userHandle).
109
110
Set the type of authenticator to `hybrid` (Passkey scanned via QR Code) and `internal` (Passkey stored on the device itself).
110
111
111
-
#### disadvantage
112
-
The RP ID (= domain) is saved on the authenticator. So If an authenticator is lost, its theoretically possible to find the services, which the authenticator is used and login there.
112
+
#### Disadvantage
113
+
The RP ID (= domain) is saved on the authenticator. If an authenticator is lost, it is theoretically possible to find the services it was used against and login there.
113
114
114
-
### device support
115
+
### Device support
115
116
Availability of built-in passkeys that automatically synchronize to all of a user’s devices: (see also [passkeys.dev/device-support](https://passkeys.dev/device-support/))
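Review bot: Line 113 uses "login" as a verb ("and login there"); it should be "log in there", and "the services it was used against" reads oddly for a website, so "the services it was used with" is more natural. Since this paragraph is the one stating the risk of a lost authenticator, it should also say what bounds it: a resident credential can only be exercised by someone who passes the authenticator's user verification, so suggest ending with "attempt to log in there; requiring user verification on login limits this." The rest of the hunk (dropping the stray comma after "to true", "it should", "IDs ... and return") is correct.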