Webauthn Framework
v3.3

Authentication without username


Last updated 3 years ago


With Webauthn, it is possible to authenticate a user without a username. This behavior implies several constraints:

  1. During the registration of the authenticator, a Resident Key must have been asked,

  2. The user verification is required,

  3. The list of allowed authenticators must be empty.

If this authentication fails, you should continue with the standard authentication process, i.e. by asking the user for their username.
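A guard that checks the three constraints above against the options as they are sent to the browser, as an added example that is not part of the framework or its documentation. It assumes the options have been JSON-encoded and decoded into arrays with the WebAuthn field names (`authenticatorSelection`, `requireResidentKey`, `userVerification`, `allowCredentials`); the function name `usernamelessViolations` and the sample arrays are hypothetical.

```php
<?php

declare(strict_types=1);

/**
 * Hypothetical helper: returns the constraints that are violated. An empty
 * list means the options can be used for authentication without a username.
 *
 * @param array $creation decoded creation options (registration ceremony)
 * @param array $request  decoded request options (authentication ceremony)
 * @return string[]
 */
function usernamelessViolations(array $creation, array $request): array
{
    $violations = [];
    $selection = $creation['authenticatorSelection'] ?? [];

    // 1. A resident key must have been asked for at registration.
    if (($selection['requireResidentKey'] ?? false) !== true) {
        $violations[] = 'registration: resident key not required';
    }

    // 2. User verification must be "required"; an absent value means "preferred".
    foreach (['registration' => $selection, 'authentication' => $request] as $step => $options) {
        if (($options['userVerification'] ?? 'preferred') !== 'required') {
            $violations[] = $step . ': user verification not required';
        }
    }

    // 3. The list of allowed authenticators must be empty (or absent).
    if (($request['allowCredentials'] ?? []) !== []) {
        $violations[] = 'authentication: allowCredentials is not empty';
    }

    return $violations;
}

// Constructed sample options (not captured from a real server).
$creation = ['authenticatorSelection' => ['requireResidentKey' => true, 'userVerification' => 'required']];
$usernameless = ['rpId' => 'example.com', 'userVerification' => 'required'];
$withUsername = ['rpId' => 'example.com', 'userVerification' => 'preferred',
                 'allowCredentials' => [['type' => 'public-key', 'id' => 'AAAA']]];

print_r(usernamelessViolations($creation, $usernameless));
print_r(usernamelessViolations($creation, $withUsername));
```

Running such a check before the options leave the server catches a profile that silently falls back to "preferred" user verification or still carries an allow list.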

The Easy Way

Selection criteria for the registration of the authenticator:

use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialCreationOptions;

$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
    AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
    true,                                                                  // Resident key required
    AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED // User verification required
);

The Request Options:

<?php

use Webauthn\PublicKeyCredentialRequestOptions;

$publicKeyCredentialRequestOptions = $server->generatePublicKeyCredentialRequestOptions(
    PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED,
);

The Hard Way

Selection criteria for the registration of the authenticator:

use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialCreationOptions;

$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
    AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
    true,                                                                  // Resident key required
    AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED // User verification required
);

$publicKeyCredentialCreationOptions = new PublicKeyCredentialCreationOptions(
    $rpEntity,
    $userEntity,
    $challenge,
    $publicKeyCredentialParametersList,
    $timeout,
    $excludedPublicKeyDescriptors,
    $authenticatorSelectionCriteria
);

The Request Options:

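use Webauthn\PublicKeyCredentialRequestOptions;

// Public Key Credential Request Options
$publicKeyCredentialRequestOptions = new PublicKeyCredentialRequestOptions(
    random_bytes(32),                                                         // Challenge
    60000,                                                                    // Timeout (milliseconds)
    'foo.example.com',                                                        // Relying Party ID
    [],                                                                       // Allowed authenticators: must be empty
    PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED // User verification required
);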

The Symfony Way

The bundle configuration should have a profile with the constraints listed above:

webauthn:
    credential_repository: '…'
    user_repository: '…'
    creation_profiles:
        default:
            rp:
                name: 'My application'
                id: 'example.com'
            authenticator_selection_criteria:
                require_resident_key: true
                user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
    request_profiles:
        default:
            rp_id: 'example.com'
            user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
Resident Key must have been asked