Webauthn Framework
Search…
v4.0
The project
Introduction
Web Browser Support
Installation
Contributing
Webauthn In A Nutshell
Authenticators
Ceremonies
Metadata Statement
User Verification
Extensions
Token Binding
Prerequisites
The Relying Party
Credential Source Repository
User Entity
Javascript
Pure PHP
Webauthn Server
Register Authenticators
Authenticate Your Users
Advanced Behaviours
Symfony Bundle
Bundle Installation
Credential Source Repository
User Entity Repository
Firewall
Configuration References
Advanced Behaviors
Register Additional Authenticators
Debugging
User Verification
Attestation and Metadata Statement
Authenticator Selection Criteria
Authentication without username
Extensions
Token Binding
Authenticator Counter
Dealing with “localhost”
Migration
From v3.x to v4.0
Powered By GitBook
Authenticator Selection Criteria
By default, any type of authenticator can be used by your users and interact with you application. In certain circumstances, you may need to select specific authenticators e.g. when user verification is required.
The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.
The class Webauthn\AuthenticatorSelectionCriteria is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions object.

Available Criteria

Authenticator Attachment Modality

You can indicate if the authenticator must be attached to the client (platform authenticator i.e. it is usually not removable from the client device) or must be detached (roaming authenticator).
Possible values are:
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE: there is no requirement (default value),
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM: the authenticator must be attached,
  • AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM: must be a roaming authenticator.
A primary use case for platform authenticators is to register a particular client device as a "trusted device" for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator, e.g., the user will not have to dig around in their pocket for their key fob or phone.

Resident Key

When this criterion is set to true, a Public Key Credential Source will be stored in the authenticator, client or client device. Such storage requires an authenticator capable to store such a resident credential.
This criterion is needed if you want to authenticate users without username.
config/packages/webauthn.yaml
1
webauthn:
2
3
creation_profiles:
4
default:
5
rp:
6
name: 'My Application'
7
id: 'example.com'
8
authenticator_selection_criteria:
9
attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE
10
require_resident_key: false
11
user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
Copied!
To be written
Previous
Attestation and Metadata Statement
Next
Authentication without username
Last modified 2mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Available Criteria
Authenticator Attachment Modality
Resident Key