By default, any type of authenticator can be used by your users and interact with you application. In certain circumstances, you may need to select specific authenticators e.g. when user verification is required.
The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.
The class Webauthn\AuthenticatorSelectionCriteria
is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions
object.
You can indicate if the authenticator must be attached to the client (platform authenticator i.e. it is usually not removable from the client device) or must be detached (roaming authenticator).
Possible values are:
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE
: there is no requirement (default value),
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
: the authenticator must be attached,
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM
: must be a roaming authenticator.
A primary use case for platform authenticators is to register a particular client device as a "trusted device" for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator, e.g., the user will not have to dig around in their pocket for their key fob or phone.
When this criterion is set to true
, a Public Key Credential Source will be stored in the authenticator, client or client device. Such storage requires an authenticator capable to store such a resident credential.
This criterion is needed if you want to authenticate users without username.
This parameter will be deprecated in the next version of the Webauthn specification.
You can still set true or false as second argument, but also use the fourth one described hereafter.
Fourth argument possible values are:
AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NONE
: there is no requirement (default value),
AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_DISCOURAGED
: indicates the Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential,
AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_PREFERRED
: indicates the Relying Party prefers creating a client-side discoverable credential, but will accept a server-side credential.
AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED
:
indicates the Relying Party requires a client-side discoverable credential, and is prepared to receive an error if a client-side discoverable credential cannot be created