search
githubEdit

Authentication without username

With Webauthn, it is possible to authenticate a user without username. This behavior implies several constraints:

  1. During the registration of the authenticator, a Resident Key must have been asked,

  2. The user verification is required,

  3. The list of allowed authenticators must be empty

circle-info

In case of failure, you should continue with the standard authentication process i.e. by asking the username of the user.

hashtag
The Easy Way

Selection criteria for the registration of the authenticator:

use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialCreationOptions;

$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
    AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
    true,                                                                   // Resident key required
    AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED, // User verification required
    AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED
);

The Request Options:

<?php

use Webauthn\PublicKeyCredentialRequestOptions;

$ublicKeyCredentialRequestOptions = $server->generatePublicKeyCredentialRequestOptions(
    PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED,
);

hashtag
The Hard Way

Selection criteria for the registration of the authenticator:

The Request Options:

hashtag
The Symfony Way

The bundle configuration should have a profile with the constraints listed above:

PreviousAuthenticator Selection CriteriaNextExtensions

Last updated

Was this helpful?