Webauthn Framework
Search…
v4.0
The project
Introduction
Web Browser Support
Installation
Contributing
Webauthn In A Nutshell
Authenticators
Ceremonies
Metadata Statement
User Verification
Extensions
Token Binding
Prerequisites
The Relying Party
Credential Source Repository
User Entity
Javascript
Pure PHP
Webauthn Server
Register Authenticators
Authenticate Your Users
Advanced Behaviours
Debugging
User Verification
Authenticator Selection Criteria
Attestation and Metadata Statement
Authentication without username
Extensions
Authenticator Counter
Dealing with “localhost”
Symfony Bundle
Bundle Installation
Credential Source Repository
User Entity Repository
Firewall
Configuration References
Advanced Behaviors
Migration
From v3.x to v4.0
Powered By GitBook
Authenticator Selection Criteria
By default, any type of authenticator can be used by your users and interact with you application. In certain circumstances, you may need to select specific authenticators e.g. when user verification is required.
The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.
The class Webauthn\AuthenticatorSelectionCriteria is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions object.

Available Criteria

Authenticator Attachment Modality

You can indicate if the authenticator must be attached to the client (platform authenticator i.e. it is usually not removable from the client device) or must be detached (roaming authenticator).
Possible values are:
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE: there is no requirement (default value),
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM: the authenticator must be attached,
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM: must be a roaming authenticator.
A primary use case for platform authenticators is to register a particular client device as a "trusted device" for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator, e.g., the user will not have to dig around in their pocket for their key fob or phone.

Resident Key

With this criterion, a Public Key Credential Source will be stored in the authenticator, client or client device. Such storage requires an authenticator capable to store such a resident credential.
A resident key shall be created you want to authenticate users without username.

User Verification

Example

With this example, with require the user verification (PIN, fingerprint...), a resident key and an authenticator embedded onto a device. This is typacally what you will require for Windows Hello or Face ID authentication.
1
$authenticatorSelectionCriteria = AuthenticatorSelectionCriteria::create()
2
->setUserVerification(AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED)
3
->setResidentKey(AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED)
4
->setAuthenticatorAttachment(AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM)
5
;
6
7
$publicKeyCredentialCreationOptions =
8
PublicKeyCredentialCreationOptions::create(
9
$rpEntity,
10
$userEntity,
11
$challenge,
12
$publicKeyCredentialParametersList,
13
)
14
->setAuthenticatorSelection($authenticatorSelectionCriteria)
15
;
Copied!
Previous
User Verification
Next
Attestation and Metadata Statement
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Available Criteria
Authenticator Attachment Modality
Resident Key
User Verification
Example