1 of 36

v3.3

Introduction

Overview of the framework

Webauthn defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

The complete specification can be found on the W3C dedicated page.

This framework contains PHP libraries and Symfony bundle to allow developers to integrate that authentication mechanism into their web applications.

Class, Constant and Property Names

Naming things may be complicated. That’s why the following rule applies on the whole framework: the name of classes, constants and properties are identical to the ones you will find in the specification.

As an example, the shows an object named AuthenticatorAssertionResponse that extends AuthenticatorResponse with the following properties:

authenticatorData
signature
userHandle

Supported features

Attestation Types
- Empty
- Basic

Compatible Authenticators

The framework is already compatible with all authenticators except the one that use ECDAA Attestation format.

The ECDAA Attestation format is very rare at that time (January 2020) thus this framework can safely be used in production.

The compliance of the framework is ensured by running unit and functional tests during its development.

It is also tested using the official FIDO Alliance testing tools. The status of the compliance tests are . At the time of writing (end of January. 2020), the main features and algorithms are supported and 99% of the tests pass. Full compliance with the Webauthn specification is expected in early 2020.

Support

I bring solutions to your problems and answer your questions.

If you really love that project, and the work I have done or if you want I prioritize your issues, then !

Contributing

Requests for new features, bug fixed and all other ideas to make this framework useful are welcome.

If you feel comfortable writing code, you could try to fix or .

Do not forget to follow .

If you think you have found a security issue, DO NOT open an issue. .

Web Browser Support

Adoption by web browsers

Webauthn is now supported by all main web browsers:

Mozilla Firefox 60+ and Firefox for Android 68+
Google Chrome 67+
Microsoft EDGE 18+ and Microsoft EDGE Chromium 79+
Opera 54+
Safari 13+ and iOS Safari 13.3+
Android Browser 76+

For more information and limitation on these browsers, please have a look at the following page:

Installation

How to install the library or the Symfony bundle?

This framework contains several sub-packages that you don’t necessarily need. It is highly recommended to install what you need and not the whole framework.

The preferred way to install the library you need is to use composer:

Hereafter the dependency tree:

web-auth/webauthn-lib: this is the core library. This package can be used in any PHP project or within any popular framework (Laravel, CakePHP…)
web-auth/webauthn-symfony-bundle: this is a Symfony bundle that ease the integration of this authentication mechanism in your Symfony project.
web-auth/conformance-toolset: this component helps you to verify your application is compliant with the specification. It is meant to be used with the FIDO Alliance Tools. You usually don’t need it.

The core library also depends on web-auth/cose-lib and web-auth/metadata-service. What are these dependencies?

web-auth/cose-lib contains several cipher algorithms and COSE key support to verify the digital signatures sent by the authenticators during the creation and authentication ceremonies. These algorithms are compliant with the . This library can be used by any other PHP projects. At the moment only signature algorithms are available, but it is planned to add encryption algorithms.

web-auth/metadata-service provides classes to support the . If you plan to use Attestation Statements during the creation ceremony, this service is mandatory. Please note that Attestation Statements decreases the user privacy as they may leak data that allow to identify a specific user. The use of Attestation Statements and this service are generally not recommended unless you REALLY need this information. This library can also be used by any other PHP projects.

Framework and Dependency Sizes

The total size of the core package is approximately 760ko. Hereafter the detail for each component:

web-auth/cose-lib: 85ko
web-auth/metadata-service: 81ko
web-auth/webauthn-lib

The total size of the core package + the direct dependencies is approximately 1.7Mo.

Contributing

You have just found a bug?

First of all, thank you for contributing.

Bugs or feature requests can be posted online on the GitHub issues section of the project.

Few rules to ease code reviews and merges:

You MUST follow the and coding standards.

Webauthn In A Nutshell

Authenticators

What is an authenticator?

An Authenticator is a cryptographic entity used to generate a public key credential and registered by a Relying Party (i.e. an application). This public key is used to authenticate by potentially verifying a user in the form of an authentication assertion and other data.

Authenticators may have additional features such as PIN code or biometric sensors (fingerprint, facial recognition…) that offer user verification.

Roaming Authenticators

The roaming authenticator may have different forms. The most common form is a USB device the user plugs into its computer. It can be a paired Bluetooth device or a card with NFC capabilities.

Authenticators of this class are removable from, and can "roam" among, client devices.

Platform Authenticators

A platform authenticator is usually not removable from the client device. For example an Android smartphone or a Windows 10 computer with the associated security chips can act as an authenticator.

Ceremonies

Registration and Authentication process overview

In the Webauthn context, there are two ceremonies:

The attestation ceremony: it corresponds to the registration of a new authenticator,
The assertion ceremony: it is used for the authentication of a user.

For both ceremonies, there are two steps to perform:

Pre-requisites

The Relying Party

aka the application you are interacting with

The Relying Party (or rp) corresponds to the application that will ask for the user to interact with the authenticator.

The library provides a simple class to handle the rp information: Webauthn\PublicKeyCredentialRpEntity.

This $rpEntity object will be useful for the next steps.

Relying Party ID

In the example above, we created a simple relying party object with it’s name. The relying party may also have an ID that corresponds to the domain applicable for that rp. By default, the relying party ID is null i.e. the current domain will be used.

It may be useful to specify the rp ID, especially if your application has several sub-domains. The rp ID can be set during the creation of the object as 2nd constructor parameter.

Even if it is optional, we highly recommend setting the application ID

The rp ID shall be the domain of the application without the scheme, userinfo, port, path, user…. IP addresses are not allowed either.

Allowed: www.sub.domain.com, sub.domain.com, domain.com

Not allowed:

www.sub.domain.com:1337, https://domain.com:443, sub.domain.com/index,

The domain localhost can be used if the browser considers the context is safe (especially the IP address corresponds to a local address)

How to determine the Relying Party ID?

The Relying Party ID should be determined depending on the common URLs for your web application.

If you have a web application that can be reached at (for mobiles) and or (for other devices), your Relying Party ID should be my-app.com.

If the domain is shared between sub-projects, the rp ID should be limited to that sub-projects.

For example, a web site is located at https://(www.)site1.host.com and another at https://(www.)site2.host.com, then the Relying Party IDs should be site1.host.com and site2.host.com respectively. If you set host.com, there is a risk that users from site1.host.com can log in at site2.host.com.

Relying Party Icon

Your application may also have a logo. You can indicate this logo as third argument. Please note that for safety reason this icon is a priori authenticated URL i.e. an image that uses the data scheme.

The Webauthn specification does not set any limit for the length of the third argument.

The icon may be ignored by browsers, especially if its length is greater than 128 bytes.

Credential Source Repository

Authenticator details and how to manage them

After the registration of an authenticator, you will get a Public Key Credential Source object. It contains all the credential data needed to perform user authentication and much more.

Each Credential Source is managed using the Public Key Credential Source Repository.

The library does not provide any concrete implementation. It is up to you to create it depending on your application constraints. This only constraint is that your repository class must implement the interface Webauthn\PublicKeyCredentialSourceRepository.

Javascript

Examples for dynamic interactions

You will interact with the authenticators through an HTML page and Javascript using the Webauthn API.

A package is available at https://github.com/web-auth/webauthn-helper. It contains functions that will ease the interaction with the login or the registration endpoints.

It is mandatory to use the HTTPS scheme to use Webauthn otherwise it will not work.

Installation

You can use npm or yarn to install the package:

Registration

Additional options can be set during the registration process. See the section “Deep into the framework” to know more. Hereafter another example:

The specification Webauthn L2 deprecates the use of the parameter requireResidentKey; you should use residentKey instead with one of the following value: required, preferred or discouraged.

To have the same behavior as above, please use required.

Authentication

As done during the registration, additional options are available. See the section “Deep into the framework” to know more. Hereafter another example:

Easy or Hard Way?

Is it complicated?

In this documentation, different ways to setup a Webauthn server are presented:

The easy way: the examples are designed for developers who want to start quickly without knowing all specification details
The hard way: you will find detailed information about the classes and how to prepare a tailor-made server

The Symfony way is for Symfony developers. These pages contain configuration examples for Symfony-based applications.

The Webauthn Server

The Easy Way

How to run a basic Webauthn server?

The easiest way to create a Webauthn Server is to use the class Webauthn\Server.

<?php

use Webauthn\Server;
use Webauthn\PublicKeyCredentialRpEntity;

$rpEntity = new PublicKeyCredentialRpEntity(
    'Webauthn Server',
    'my.domain.com'
);
$publicKeyCredentialSourceRepository = …; //Your repository here. Must implement Webauthn\PublicKeyCredentialSourceRepository

$server = new Server(
    $rpEntity
    $publicKeyCredentialSourceRepository
);

That’s it!

You can now register a new authenticator or authenticate your users.

Register Authenticators

First authenticator registration

Credential Creation Options

Now we want to register a new authenticator and attach it to a user. This step can be done during the creation of a new user account or if the user already exists and you want to add another authenticator.

Authenticate Your Users

First user authentication

Credential Request Options

To authenticate you user, you need to send a Webauthn\PublicKeyCredentialRequestOptions object.

To generate that object, you just need to call the method generatePublicKeyCredentialRequestOptions of the $server

The Hard Way

If you want a fine grained Webauthn server

You will need the following components before loading or verifying the data:

Register Authenticators

During this step, your application will send a challenge to the device. The device will resolve this challenge by adding information and digitally signing the data.

The application will check the response from the device and get its credential ID. This ID will be used for further authentication requests.

Creation Request

To associate a device to a user, you need to instantiate a Webauthn\PublicKeyCredentialCreationOptions

Authenticate Your Users

During this step, your application will send a challenge to the list of registered devices of the user. The security token will resolve this challenge by adding information and digitally signing the data.

Assertion Request

To perform a user authentication using a security device, you need to instantiate a Webauthn\PublicKeyCredentialRequestOptions object.

Deep into the framework

Register Additional Authenticators

In some circumstances, you may need to register a new authenticator for a user e.g. when adding a new authenticator or when an administrator acts as another user to replace a lost device.

It is possible to perform this ceremony programmatically.

You can attach several authenticators to a user account. It is recommended in case of lost devices or if the user gets access on your application using multiple platforms (smartphone, laptop…).

Debugging

If you have troubles during the development of your application or if you want to keep track of every critical/error messages in production, you can use a .

The Easy Way

User Verification

User verification may be instigated through various authorization gesture modalities: a touch plus PIN code, password entry, or biometric recognition (presenting a fingerprint). The intent is to be able to distinguish individual users.

Eligible authenticators are filtered and only capable of satisfying this requirement will interact with the user.

Possible user verification values are:

required: this value indicates that the application requires user verification for the operation and will fail the operation if the response does not have the UV

Token Binding

Browsers may support the Token Binding protocol (see ). This protocol defines a way to bind a token (the Responses in the Webauthn context) to the underlying TLS layer.

When receiving a Webauthn Response, the property tokenBinding in the Webauthn\CollectedClientData object has one of the following values:

null: the token binding is not supported by the browser

Authenticator Counter

The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.

The default behaviour is to reject the assertions. This behaviour might cause some troubles as it could reject the real device whilst the fake one can continue to be used.

It is therefore required to go deeper in the protection of your application by logging the error and locking the associated account.

To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker.

Dealing with “localhost”

aka non-https relying parties

Secured Context

If your are working on a development environment, https may not be available but the context could be considered as secured. You can bypass the scheme verification by passing the list of rpIds you consider secured.

Migration

<?php /** * EGroupware WebAuthn * * @link https://www.egroupware.org * @author Ralf Becker <rb-At-egroupware.org> * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License */ namespace Acme\Repository; use Webauthn\PublicKeyCredentialSourceRepository as PublicKeyCredentialSourceRepositoryInterface; use Webauthn\PublicKeyCredentialSource; use Webauthn\PublicKeyCredentialUserEntity; class PublicKeyCredentialSourceRepository implements PublicKeyCredentialSourceRepositoryInterface { private $path = '/tmp/pubkey-repo.json'; public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource { $data = $this->read(); if (isset($data[base64_encode($publicKeyCredentialId)])) { return PublicKeyCredentialSource::createFromArray($data[base64_encode($publicKeyCredentialId)]); } return null; } /** * @return PublicKeyCredentialSource[] */ public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array { $sources = []; foreach($this->read() as $data) { $source = PublicKeyCredentialSource::createFromArray($data); if ($source->getUserHandle() === $publicKeyCredentialUserEntity->getId()) { $sources[] = $source; } } return $sources; } public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource): void { $data = $this->read(); $data[base64_encode($publicKeyCredentialSource->getPublicKeyCredentialId())] = $publicKeyCredentialSource; $this->write($data); } private function read(): array { if (file_exists($this->path)) { return json_decode(file_get_contents($this->path), true); } return []; } private function write(array $data): void { if (!file_exists($this->path)) { if (!mkdir($concurrentDirectory = dirname($this->path), 0700, true) && !is_dir($concurrentDirectory)) { throw new \RuntimeException(sprintf('Directory "%s" was not created', $concurrentDirectory)); } } file_put_contents($this->path, json_encode($data), LOCK_EX); } }

<?php declare(strict_types=1); /* * The MIT License (MIT) * * Copyright (c) 2014-2019 Spomky-Labs * * This software may be modified and distributed under the terms * of the MIT license. See the LICENSE file for details. */ namespace Webauthn\Repository; use Assert\Assertion; use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepositoryInterface; use Doctrine\Common\Persistence\ManagerRegistry; use Doctrine\ORM\EntityManagerInterface; use Webauthn\PublicKeyCredentialSource; use Webauthn\PublicKeyCredentialSourceRepository as PublicKeyCredentialSourceRepositoryInterface; use Webauthn\PublicKeyCredentialUserEntity; class PublicKeyCredentialSourceRepository implements PublicKeyCredentialSourceRepositoryInterface, ServiceEntityRepositoryInterface { /** * @var EntityManagerInterface */ private $manager; /** * @var string */ private $class; public function __construct(ManagerRegistry $registry, string $class) { Assertion::subclassOf($class, PublicKeyCredentialSource::class, sprintf( 'Invalid class. Must be an instance of "Webauthn\PublicKeyCredentialSource", got "%s" instead.', $class )); $manager = $registry->getManagerForClass($class); Assertion::isInstanceOf($manager, EntityManagerInterface::class, sprintf( 'Could not find the entity manager for class "%s". Check your Doctrine configuration to make sure it is configured to load this entity’s metadata.', $class )); $this->class = $class; $this->manager = $manager; } protected function getClass(): string { return $this->class; } protected function getEntityManager(): EntityManagerInterface { return $this->manager; } public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource, bool $flush = true): void { $this->manager->persist($publicKeyCredentialSource); if ($flush) { $this->manager->flush(); } } /** * {@inheritdoc} */ public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array { $qb = $this->manager->createQueryBuilder(); return $qb->select('c') ->from($this->getClass(), 'c') ->where('c.userHandle = :userHandle') ->setParameter(':userHandle', $publicKeyCredentialUserEntity->getId()) ->getQuery() ->execute() ; } public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource { $qb = $this->manager->createQueryBuilder(); return $qb->select('c') ->from($this->getClass(), 'c') ->where('c.publicKeyCredentialId = :publicKeyCredentialId') ->setParameter(':publicKeyCredentialId', base64_encode($publicKeyCredentialId)) ->setMaxResults(1) ->getQuery() ->getOneOrNullResult() ; } }

<?php

use Webauthn\PublicKeyCredentialUserEntity;

$userEntity = new PublicKeyCredentialUserEntity(
    'john.doe',
    'ea4e7b55-d8d0-4c7e-bbfa-78ca96ec574c',
    'John Doe',
    'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAABmJLR0QA/wD/AP+gvaeTAAAAB3RJTUUH4wkIDCoJiw0E+gAAFMhJREFUeNrtm3mcHdV157/3Vr16S7+l90W9aEFrswShBdngAHYggmBPogTbMeCEkNjxhMVm4jjOeGwImXGwMzi28GArGcOAHOeD8cYiid1YyFIasUlCoqWWGvWu3re3Vb26J3+87pZa6m51SyJOPpnzUX9aH1Xdc8/v3FtnF/x/+s9N6r3eoG7eQlo6mllWW+cElJQjshiRJSDzgdIxGUaBNpRqFKX3+WJ1loXw2twwzUcP/MdUwOJ51VQ6hgHfLlfi/56IXKtgOcg8IDzN3i6oVuBNlP6xUdaW+cXxwQNdPbx77Nh/HAWsqK1DtK0tk71OGfMlkFWAPUc2WVANovRG0fbPFOK+3dJyzmW1zjXD+toaUNqyTfZWJWYjsBTQZ8DKBuYr5FqFKROhoSwWTVeUVdE90P/vUwHLamuJeCOIsj6OyN8DxeeArQOsUVAm2n5JfM/tGR4+ZzKfyclMSZve7aGjtRUTr7gIkbuBwrmsF8AYQUSmkVP+QIt/pxerVvV1C/79KOB/NIzAVmFvd2H5J17quzU877xHEH/pJHAiTI0LjAi+MYQcmyvXLON9F583tuaUV21l2bet+Mjvf/ra55vLeU3ye58lnbER/NR3n0LVX4WVy0YJxz5sbPuuvobnf+3gN/4s4CeHEBRGDFopiuIF5IxheCSdB4eAgOPYlBZGWb6wkvWX1XPJijqyrsemH+1g2yv7cD0frY+LKMZQcc2N3uLPfO0tW6n7SQ0/6dvBUdn/Eps+ff2/nQLuecNlkZNWu4ZDK31l/5VR+rd8Lxs6+L//lP6dTyHKIh4NsXR+Bavq53P+eVVsfrqBju5B4tEQsYIQlaUJVi6voX5RFWVFUYIBGyMGUGSyHlt37OeHz75GS2fe4GmtQAzB8vnU3/3PhOctymhjnrYk97/WxTNvHHHD8pWVznuvgM/9Sxblu6G0Ct5otP1lg6pTGob3v8qB//lJTHKQtRct4uPrV3P+okrCoQDGCH1DSUSEcNDBCVgEbAtLa0QEc9J9VyovWmvXAE+8vJdde47Q2tVPLuejlWLBrfcy7yN/ghjQSIs2ub8OS/b7YjmZb1wafO8U8JlXkliYIj8Q/ksffbugwuNcjj58L+0/3sj1V13Mf/3or5OIhjHGMA5NqfGtprcHJ5NWCiNC72CSnXua2fbK2+w72ELJ5b/DkrseRGk9tr2kLcxGy0v/rY8eePDygnOrgCeaBtlyLISjpcLVzn0++mZOMKDGTbP/3puoHD7IVz+7gYqSGMbMEuVshFQKrRR9Q0m+9f0X2NkT5Px7HsOOFcLxbYyFedQx7hdco45dV5HhI4sLT6/k2QjwTE8ER0ulq4MbffQnJ61T4A5043Yf5forLqKyJH5OwUPei/jGUFJYwEd/czXhbD/Zvk7U5OPTPvqTrg5udLRUPtMTmRXv0yrg9p0ZAviFrnLu81E3cNKtURoy3e0kLI9LVtTlLfx7RMY3zK8qobowSKa3c6r7q3zUDa5y7gvgF96+M3N2CvjsziSOyTpZ7XzBV/oT073nDvWyqDJOVVli0ulrrfI/Kv9bqdN/cUpxfM3EuvwzAUJBm7J4iFxyaFoevtKfyGrnC47JOp/dmZxxv2kTlC+97vHkMZvLiv2P+ajbZnpXfJ+6yiLCwcCYgRMybo7mzj5auwZwcz7F8QhLassoTUQROCXiy3/nMJLK0tTWQ2dfPtytLI6zuKaUeEGI/JELQcfmNJbU9lG3pe2C/Tv6rUe/9LrH31wSmL0C/m5vmiMpxRUl/oVZ0V8RVHT6IwOnuAwrGOHto70c7hyks3+UpvY+DrX2knY9ABxbU1Ma40OrFvP+82spT0SwxoIc3wj9I2n2NnezreEgh9r6SLs+IhCwNfMri7hgUSXVJTEWVibwLQenqGxGEy6oqI/+yhUl/pv9ntr7d3vT/PmF4anEP5Vu3z6ERiJZJ/aQj/7oTKrO9h+j7dnNJH/5Q3I5n5G0i6UVsbBDOGhPuLKs6zOUymIEastirFs+j7XLqgBoaOxk96EuWnuGESPEIkFCjjWxNu3mGEm5+EaIhR201sQuv4Gaa24mWFwxk3hYmMeC7sgtBpXa+IHE6RXw1YY+3vGLiVn+Da7ohwU1rTkVERofuofOnz8OWhOwNFevrOMDF9RQUxonErTRY8HOaNqlrXeEl/e28vybreR8gxPIJ6Ou52Nbmt+4uJYrLqylpjRGNOyglMIYQyrr0dY7wi/2tvH8my14vgFjqLry91h2y1dmtC0KSTnK/OGIb/1wudXPF9eWzPwJtOfCJEiXZCV050zg84t9aoJpsrEgQ+kcl9VX87kNaymMhlBAKuPRP5xEK8WiqiLq55ezakklI2mPVw92EQ/nbcawCO9bXsV/27CW4niEjOuNRY6GskQBkVCA5XVlrFpSxWgmx853OkgUBKgJprHx8WeotQgq4om+MyHpF9tz4b5TMZxAd2w7SsoJEzTmOhG1ZibwAhSQ4ZYP1uKefxUPPPUWa5ZVURwL4xuho3eIZxsOMDCSAqCsMMo1a1dQWRLnksWVRII2N3/wfIwIm1/cz0WLyilNROjsG+bZhgP0Do4iQFEswjVrV1BVmqAkHmHVkkqMCJ9efwFWaS2PkWGI6IwRnaDW+HbwuqzWj96x7SjfWj9/agXoWDGxzHAkZUdvFMVpMwsthrJogOJIBTVlcUJOnp0xhu6BES67cBFlRTFEhK7+YTr7hqkojlEQClBdGueCheUA1OxtI+TYGIGuvmFWL59PRUkMhaJ7YIRj/SNUFMewtEVBKEB5YQH1C8rpVwG0mNPGswJOznBjzB3+kcSKU9PeADdQgK1klRh96enATzAf80aJiMPgaBaRvEu78Lx5+WRn7L3CWCSfGwh0DSSJR5wJVxhybAZHs4Bw/qIqtD4enhRGw/jG5O2BCJ39SUrjYcYy6lmTKH2pH4yuyonaPukQx/9yx5ONbF6j8AwbZI7VHKXg4kXl7GnuZiiZwRoLeozIWDEkL2rAtni7pZc9zd2sWVo5obz6uhL2vdvDwGgG29ITa8YzRa01tqV5p7WPNw4f4/0r5s1FvPFbUOgZNmxeo7jjycZTFWCVz+ePGzIJg5r16Rs0OSyMES5ZXEE8HGDT1rc42j1MzjcolVeOEaFvOM3W3Uf41s9e49cvqGFpdTGCYARWnldOaTzEpi1v0XxsaNJaEWFgJM2zrzfz9z/ZzftXVLG8tgQRye89h6KWQV36xw2ZhFV+3AZMfD23vWrQyNqM0dsEimbDUGPYkHqWS903EWXR2T/KI8/vo6lzkJJ4hERBEIUilfXoHkyiFaxfvZDL62uwrEn5FL3DKR5/5SCH2gcojkcojAZRSpHOeBwbTKIU/OYlC1i/ehHBgI3G51+ci/lx5JpZK0HBQEib9QbV8MAaPbE3mw8M8cJQnIiW211R35rDtaLUDHBNZgdL3cNElEsmm+NQez9NHQMMJDOIEQpCAWrL4iyrKaY4HqF/OEX/cGri01BKURyPEA0HOdzRz6GOAQZGM/jja0tjLKspobSwIO9ecTjonMezocvo1UVzKmo4Su5IGbXxQ4lhblqRyK+95aGXuXDTdarxG0P/1yjrljnwQwALw7Xpl7ki+yqG8aTnpFgfNZEDjAdG6awLQDjoEA076PF7P8NajfBycA1bw1fgo+dc0tLiP7Tsc4lb935qizx0yxV5LxCqWUrT3Y0BEarmylEBOTQt1jxyaDRTl7ZPTJO1UsQiQWKR4CQ++Txq5rWT95o7iVDVdHdjIKQtF8bcYKy4DIHIsG+VzbZcdbIS2u0KhnScYjOIzKBFL+cjIjiBydFb1suhlCJgWzPsIwzpBO12xRmXs5VllRWUVkYUuDDmBXwBI8SQM+vkKGBQx2m1Kscu69SkteJQazdbdr6NbwyW1lha4xvDlp1vc6i1e1IZfCoFtFqVDOr4mdfzhWIjxPwxMW0Ak2dXAMyujjQF5dC84dSzPHcER7yp9xYoThTQtnuQx55/ndqKvLNpPTZA31CS912wcMY0P6OCvOHUn/H1H6OIQU1UTW2AlK8BtDmLTpEGDtkLaLQX8mveO1O6JhGhqiTOx69exf7mLjp781Wd6rJCrl67nLKi6HStMTSGRnshh+wFZ9XOMqBT/vFQ0wbQSsYEVGdV0fOUzUuhdVT7xyiZxhaIQFlRjCuLj1eOtVaIMC14hdCri3gptA5P2WfV01cn4M0rFghrQ1gbX4F/FrzzxtCq4JnQB0ir0LT2QEQm1Q5naIqiENIqxDOhD9BunbnxO0FGP6yNH9bmuALGaHTs52w3YI+zjKfDV5JUEfRZ3CmNkFQRng5fyR5n2bma5piE0wYIKBAYQdGHsPhsdxA0rzoXMqyiXJt5mSq/B5j956XGuHRYZWwNXUFjYCHnbJhF0WcrRsa52QBDXa0o30ubsoU96LlOsky/0zvOIroDZVyWfZ3V6TcI4c1qZZoAu8Mr2RG8hH4VQ53DVoPxcz0jXc1psfJVYg0gIz089uElnqV12znAjdIgXpZc/zHajrbx+Ds5GntcRlNpsl4O3zcT3/24PfB9Q9bLMZpK09jj8qPGHG1H28j1H0O8LEpzTi6BpXXbYx9e4slIDzB2A/775VX4DWArtdvke5dntpUCkxph9ODrDO/fSaa3Az+dxFE5MldWkrIcTNqbaHyMFzPH835jBK0gM5ik4+eP4IqNFS4gVDqPeP37iC69BB2Jza0SMlk8sZXa/TsNeczfHVdAXU0ttzfk0IoGJVa3QMWZcM92NtP9wg9ItjRi/HxoK4By8vMCiWiQdDaHbwy+MYgZzwbB0hrH1oSDNvFsPsnxvSzGy+IO9TH67gEK9u2g/EO/T7Bq4RkpQUG3pUxDeAzzxA0AcPwMiBzGiuwHPTcFKPBHBul65hGSrY0obU20rsfJ0ppIyCHoBPKVIiMTSY5CocZuhaUVlh6zFWM3RCmFiGGkeR/yzCNU/+6dWJM7w7Mks9/20odP7KpOSKkHOjgSiaYs2D5XtkpBsul1Uu1NKD19MjPu6rVSWJbGtixsy8KydD4VZuaOl9IWyfYmkk2vM4s24ylkwfYjkWhKD3ScqoCvX7eUatdgK/mJQrpmDV6DnxxmpGkPYsypzwEj4BlmJbRS+XfNNIZIjGG0aQ9+ciRvGGcrJ9JlK/lJtWv4+nXHZ7gm+TwrM4wjuf1uqHj7WCt8Jo7gZRnav4vuXVtJdRwh4Ew9npLNGdoGslxUPbvJjdaBLNmcmfKZ0prefb8k1d9F+bpridevg0DwtJ+DRrYH0wP7XWWf9O8n0M0LDIOhEtdWPKxmiAqVglxfJ91bv0frE99l8PA+cm4W408dSftG2H10ZFpQJyvrtaMj+NMMWRjfJ+dmGTy8j9Ynvkv31u+RO3VY4uSzGrUVDw+GStybF0yWYZICVteVEPKSWF7yFxp5eTpumdZG2n/6bfreegWlNLYTRETwvOyUMb3Wij1tI2xvGp741qc8JaXY3jTMnraRKesCJ+5hO0GU0vS99QrtP/026ZbGaZ23Rl62vOQvQl6S1XUlJz07iT5WmySpwqOW5O5XyOShXAXpowdof+ofSHY0g9YopXCCISw7gO95eG6+wXHSMlKuz6O7Onnp4BC+AeuEIQhLK3wDLx0c5NFdnaRcf6o8Es/N4nselh3ACYbycYTWJDuaaX/qH0gfPXDKTVBIvyW5+5MqPPqx2lOHJabU2W0/78Pxs4F0tOLrOfSd429m25tof+I7ZHo7T3FzIoLvuXiei2XZBJwgMhbsTMyHCUQci1UL4qxZEKe2KG8zWgeyvPruMK+9O5wHf8JEiIigZAy8nyMQcLACzikdYTGGcOk8qv/Ln+LMO2/iDGzMN8Ojxz7vWkHvgStLTsE67X28bZeLpajLYP/YKLXKH+6n46ffZuToO6eAP5GM8cm5LuFQkMULF3C0o4vMWPV3HJQxQsDShJ28y0y7Pp5v8uMwJ/AKBR0WVFdy6Mi7pDNZbMdBz+RmjSE2fznzfvvPsOLFaJHXQuQ2+ELLA+umbnVOi6Q8KAwau8XGfFH5fs/g7mcYbWmcETyA1haBYIhEopBP33wDH7v+asT4Ey5Skb/+RoTRbI7RbA4jkm+nnQBEjM9Hr7+aT910A4lEIYFgaEbwkPcQoy2NDO5+BuX7PTbmi4PGbikPzlCnnO7Bl1cGKZFRLl9rveAefu2ewb07UsyBtGVRVlrCimVLsO0AguSBiZlIgtSYQo73Ak3+HQTbDlC/bAllpSVoa25T/YN7d6Tcw6/dc/la64USGeXLK6efHp0x973//XHW3/QZEwwG/9F42Sq0/gtEAsyS8mUu0FrPeHrHv2c1/mdssuR0s1BTaV57xst+Y+ClH/zj/9v2sNm2+cGZXz8dv22bHyTl5rKhguhXLdv+JkrNLqn/VZBSnmXb3wwVRL+acnPZ04GflQIAnnv0AdxMJhmKJu62neDXlFLpXzXWU7GrtO0EvxaKJu52M5nkc48+MKt1s46mX/zBdzDGT4bjhffawfDnldbdv2rQE+C17raD4c+H44X3GuMnX/zBd2a9dk4l9uce2YjSVraoZuGDTiR2k7btBtS5LFjNFbkSbdsNTiR2U1HNwgeVtrLPPbJxTizm3GPYsuk+KqtLTXJo6LlQLLHBsgP3K617/s2xa91j2YH7Q7HEhuTQ0HOV1aVmy6b75sznjCqg/+euPwFg/R/d1R4pKv2Cmxz5Wc7N3Gl8/2oxJn6uQJ5YNjsB+LC2rOdsJ/RNpyD2S/Fz/q6nNrPrqc1ntsfZCLjte/dTu+4qPxxNbC+sqrsxWBC7QVv2PymtOzjjyl2efONzpKWN5tZ2sq4rSusObdn/FCyI3VBYVXdjOJrYXrvuKn/b9+4/KyWfdQ18063XAnDxB38rO3/FymdR6sWc6y0PhkLrLdu+zMv5q1GqAph1/ABgBO/7P91yrKCgYHcq6+0IFcS2ofU7BfHC3NG3d/Pmi0/Dpr89W/Hfm/86++SRLFeVuehoNPj4E88t3fz4z9ZlUskLldILgMUiphIhYcxYV1ZbBsWQUroLaBIx7waC4b2i1K7epHcwIans6LxVvPHgXedc1n8F/rphWEnA06IAAAAldEVYdGRhdGU6Y3JlYXRlADIwMTktMDktMDhUMTI6NDI6MDktMDQ6MDD8ntmGAAAAJXRFWHRkYXRlOm1vZGlmeQAyMDE5LTA5LTA4VDEyOjQyOjA5LTA0OjAwjcNhOgAAAABJRU5ErkJggg=='
);

The Symfony Way

Lucky Symfony applications!

An official bundle is provided in the package web-auth/webauthn-symfony-bundle.

Starting at v3.2.4, the bundle can be installed on Symfony 4.4 or 5.0+.

If you use Laravel, you may be interested in

Before installing it, please make sure you installed and configured:

The package ,
The package or any package,
The and enabled the PSR-7 support.

If you are using Symfony Flex then the bundle will automatically be installed and the default configuration will be set. Otherwise you need to add it in your AppKernel.php file:

And add the Webauthn Route Loader:

Repositories

The first step is to create and .

Only . Other storage systems like filesystem or Doctrine ODM may be added in the future but, at the moment, you have to create these from scratch.

Configuration

With Flex, you have a minimal configuration file installed through a Flex Recipe. You must set the repositories you have just created. You also have to modify the environment variables Relying_PARTY_ID and Relying_PARTY_NAME.

You may also need to adjust other parameters.

If you don’t use Flex, hereafter an example of configuration file:

Repositories

The credential_repository and user_repository parameters correspond to the services we created above.

Token Binding Handler

Please refer to . You should let the default value as it is.

Creation Profiles

If you don't create the creation_profiles section, a default profile is set.

Relying Party (rp)

The realying Party corresponds to your application. Please refer for more information.

The parameter id is optional but highly recommended.

Challenge Length

By default, the length of the challenge is 32 bytes. You may need to select a smaller or higher length. This length can be configured for each profile:

Timeout

The default timeout is set to 60 seconds (60 000 milliseconds). You can change this value as follows:

For v4.0+, the timeout will be set to null. The values recommended by the specification are as follow:

If the user verification is discouraged, timeout should be between 30 and 180 seconds

Authenticator Selection Criteria

This set of options allows you to select authenticators depending on their capabilities. The values are described in of the protocol.

Public Key Credential Parameters

This option indicates the algorithms allowed for your application. By default, a large list of algorithms is defined, but you can add custom algorithms or reduce the list.

The order is important. Preferred algorithms go first.

It is not recommended changing the default list unless you exactly know what you are doing.

Attestation Conveyance

If you need the , you can specify the preference regarding attestation conveyance during credential generation.

Please note that the metadata service is mandatory when you use this option.

The use of Attestation Statements is generally not recommended unless you REALLY need this information.

Extensions

You can set as many extensions as you want in the profile. Please also for more information.

The example below is totally fictive. Some extensions are but the support depends on the authenticators, on the browsers and on the relying parties (your applications).

Request Profiles

If you don't create the creation_profiles section, a default profile is set.

The parameters for the request profiles (i.e. the authentication) are very similar to the creation profiles. The only difference is that you don’t need all the detail of the Relying Party, but only its ID (i.e. its domain).

Please note that all parameters are optional. The following configuration is perfectly valid. However, and as mentioned above, the parameter id is highly recommended.

Firewall

Now you have a fully configured bundle, you can protect your routes and manage the user registration and authenticatin through the .

webauthn: # logger: null # PSR-3 compatible logging service credential_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialSourceRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS! user_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialUserEntityRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS! token_binding_support_handler: 'Webauthn\TokenBinding\IgnoreTokenBindingHandler' # We ignore the token binding instructions by default creation_profiles: # Authenticator registration profiles default: # Unique name of the profile rp: # Relying Party information name: '%env(Relying_PARTY_NAME)%' # CHANGE THIS! or create the corresponding env variable id: '%env(Relying_PARTY_ID)%' # Please adapt the env file with the correct relying party ID or set null # icon: null # Secured image (data:// scheme) # challenge_length: 32 # timeout: 60000 # authenticator_selection_criteria: # attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE # require_resident_key: false # user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED # extensions: # loc: true # public_key_credential_parameters: # You should not change this list # - !php/const Cose\Algorithms::COSE_ALGORITHM_EdDSA #Order is important. Preferred algorithms go first # - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256 # - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256K # - !php/const Cose\Algorithms::COSE_ALGORITHM_ES384 # - !php/const Cose\Algorithms::COSE_ALGORITHM_ES512 # - !php/const Cose\Algorithms::COSE_ALGORITHM_RS256 # - !php/const Cose\Algorithms::COSE_ALGORITHM_RS384 # - !php/const Cose\Algorithms::COSE_ALGORITHM_RS512 # - !php/const Cose\Algorithms::COSE_ALGORITHM_PS256 # - !php/const Cose\Algorithms::COSE_ALGORITHM_PS384 # - !php/const Cose\Algorithms::COSE_ALGORITHM_PS512 # attestation_conveyance: !php/const Webauthn\PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE request_profiles: # Authentication profiles default: # Unique name of the profile rp_id: '%env(Relying_PARTY_ID)%' # Please adapt the env file with the correct relying party ID or set null # challenge_length: 32 # timeout: 60000 # user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED # extensions: # loc: true # metadata_service: # enabled: false # repository: 'App\Repository\MetadataStatementRepository'

<?php declare(strict_types=1); use Cose\Algorithm\Manager; use Cose\Algorithm\Signature\ECDSA; use Cose\Algorithm\Signature\EdDSA; use Cose\Algorithm\Signature\RSA; use Webauthn\AttestationStatement\AndroidSafetyNetAttestationStatementSupport; use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport; use Webauthn\AttestationStatement\AttestationStatementSupportManager; use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport; use Webauthn\AttestationStatement\NoneAttestationStatementSupport; use Webauthn\AttestationStatement\PackedAttestationStatementSupport; use Webauthn\AttestationStatement\TPMAttestationStatementSupport; use Webauthn\AttestationStatement\AppleAttestationStatementSupport; // You normally already do this $attestationStatementSupportManager = new AttestationStatementSupportManager(); $attestationStatementSupportManager->add(new NoneAttestationStatementSupport()); // Additional classes to add $attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport()); $attestationStatementSupportManager->add(new AppleAttestationStatementSupport()); $attestationStatementSupportManager->add(new AndroidSafetyNetAttestationStatementSupport()); $attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport( $psr18Client, // Can be null if you don’t want to use the Google API $googleApiKey, // Can be null if you don’t want to use the Google API $psr17RequestFactory // Can be null if you don’t want to use the Google API )); $attestationStatementSupportManager->add(new TPMAttestationStatementSupport()); // Cose Algorithm Manager // The list of algorithm depends on the algorithm list you defined in your options // You should use at least ES256 and RS256 algorithms that are widely used. $coseAlgorithmManager = new Manager(); $coseAlgorithmManager->add(new ECDSA\ES256()); $coseAlgorithmManager->add(new RSA\RS256()); $attestationStatementSupportManager->add(new PackedAttestationStatementSupport($coseAlgorithmManager));

Firewall

How to register and authenticate my users?

Security Bundle

To authenticate or register your users with Symfony, the best and easiest way is to use the Security Bundle. First, install that bundle.

Next, you have to create a custom user provider that will retrieve users on login requests. The following example uses the user repository showed on this page.

Firewall Configuration

Now you can tell Symfony to use your user provider and you enable the dedicated firewall

In some case, you may have several user providers that are used by other parts of your application. This Webauthn bundle allow you to override the default user provider.

Logout

Users can logout as usual. You just have to add under your firewall and add the route.

User Authentication

As you have noticed, there is nothing to configure to have a fully functional firewall. The firewall routes are automatically created for you. They are namely:

/login/options: to create the request options (POST only)
/login: to submit the assertion response (POST only)

You should also ensure to allow anonymous users to contact those endpoints.

Credential Request Options

Prior to the authentication of the user, you must create a PublicKey Credential Request Options object. To do so, send a POST request to /login/options.

The body of this request is a JSON object that must contain a username field with the name of the user being authenticated.

No need to reinvent the wheel, you can use the package.

It is mandatory to set the Content-Type header to application/json.

In case of success, you receive a valid PublicKeyCredentialRequestOptions object and your user will be asked to interact with one of its registered security devices.

The default path is /login/options. You can change it if needed:

Assertion Response

When the user touched the security device, you will receive a response from it. You just have to send a POST request to /login.

The body of this request is the response of the security device.

It is mandatory to set the Content-Type header to application/json.

The default path is /login. You can change that path if needed:

Your user can now be authenticated and retrieved as usual.

Request Profile

By default, the default profile is used. You may have created a request profile in the bundle configuration. You can use this profile instead of the default one.

User Registration

The user registration is also managed by the firewall. It is disabled by default. If you want that feature, please enable it:

The firewall routes are automatically created for you. They are namely:

/register/options: to create the creation options (POST only)
/register: to submit the attestation response (POST only)

You should also ensure to allow anonymous users to contact those endpoints.

Credential Creation Options

Prior to the registration of a user and its authenticator, you must create a PublicKey Credential Creation Options object. To do so, send a POST request to /register/options.

The body of this request is a JSON object that must contain username and displayName fields with the username of the user being registered and the name displayed in the application.

It is mandatory to set the Content-Type header to application/json.

In case of success, you receive a valid PublicKeyCredentialCreationOptions object and your user will be asked to interact with its security device.

The default path is /register/options. You can change it if needed:

Attestation Response

When the user touched the security device, you will receive a response from it. You just have to send a POST request to /register.

The body of this request is the response of the security device.

It is mandatory to set the Content-Type header to application/json.

The default path is /register. You can change that path is needed:

In case of success, the user and the authenticator are correctly registered and automatically logged in.

Creation Profile

By default, the default profile is used. You may have created a creation profile in the bundle configuration. You can use this profile instead of the default one.

Authentication Attributes

The security token returned by the firewall sets some attributes depending on the assertion and the capabilities of the authenticator. The attributes are:

IS_USER_PRESENT: the user was present during the authentication ceremony. This attribute is usually set to true by authenticators,
IS_USER_VERIFIED: the user was verified by the authenticator. Verification may be performed by several means including biometrics ones (fingerprint, iris, facial recognition…).

You can then set constraints to the access controls. In the example below, the /admin path can be reached by users with the role ROLE_ADMIN and that have been verified during the ceremony.

Options Storage

Webauthn authentication and registration are 2 steps round trip processes:

Options issuance
Authenticator response verification

It is required to store the options and the user entity associated to it to verify the authenticator responses.

By default, the firewall uses Webauthn\Bundle\Security\Storage\SessionStorage. This storage system stores the data in a session.

If this behaviour does not fit on your needs (e.g. you want to use a database, Redis…), you can implement a custom data storage for that purpose. Your custom storage system has to implement Webauthn\Bundle\Security\Storage\RequestOptionsStorage and be declared as a container service.

When done, you can set your new service in the firewall configuration:

Response Handlers

You can customize the responses returned by the firewall by using a custom handler. This could be useful when you want to return additional information to your application.

There are 4 types of responses and handlers:

Request options,
Creation options,
Authentication Success,

Request Options Handler

This handler is called when a client sends a valid POST request to the options_path during the authentication process. The default Request Options Handler is Webauthn\Bundle\Security\Handler\DefaultRequestOptionsHandler. It returns a JSON Response with the Public Key Credential Request Options objects in its body.

Your custom handler has to implement the interface Webauthn\Bundle\Security\Handler\RequestOptionsHandler and be declared as a service.

When done, you can set your new service in the firewall configuration:

Creation Options Handler

This handler is very similar to the previous one, except that it is called during the registration of a new user and has to implement the interface Webauthn\Bundle\Security\Handler\CreationOptionsHandler.

Authentication Success Handler

This handler is called when a client sends a valid assertion from the authenticator. The default handler is Webauthn\Bundle\Security\Handler\DefaultSuccessHandler.

Your custom handler has to implement the interface Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface and be declared as a container service.

When done, you can set your new service in the firewall configuration:

Authentication Failure Handler

This handler is called when an error occurred during the authentication process. The default handler is Webauthn\Bundle\Security\Handler\DefaultFailureHandler.

Your custom handler has to implement the interface Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface and be declared as a container service.

When done, you can set your new service in the firewall configuration:

v3.3

Introduction

hashtagClass, Constant and Property Names

hashtagSupported features

hashtagCompatible Authenticators

hashtagSupport

hashtagContributing

Web Browser Support

Installation

hashtagFramework and Dependency Sizes

Contributing

Webauthn In A Nutshell

Authenticators

hashtagRoaming Authenticators

hashtagPlatform Authenticators

Ceremonies

Pre-requisites

The Relying Party

hashtagRelying Party ID

hashtagHow to determine the Relying Party ID?

hashtagRelying Party Icon

Credential Source Repository

hashtag

Javascript

hashtagInstallation

hashtagRegistration

hashtagAuthentication

Easy or Hard Way?

The Webauthn Server

The Easy Way

Register Authenticators

hashtagCredential Creation Options

Authenticate Your Users

hashtagCredential Request Options

The Hard Way

Register Authenticators

hashtagCreation Request

Authenticate Your Users

hashtagAssertion Request

Deep into the framework

Register Additional Authenticators

Debugging

hashtagThe Easy Way

hashtag

User Verification

Token Binding

Authenticator Counter

Dealing with “localhost”

hashtagSecured Context

Migration

Easy or Hard Way?

Web Browser Support

Contributing

Ceremonies

hashtagRun test suite

The Easy Way

Introduction

hashtagClass, Constant and Property Names

hashtagSupported features

hashtagCompatible Authenticators

hashtagSupport

hashtagContributing

Installation

hashtagFramework and Dependency Sizes

Authenticators

hashtagRoaming Authenticators

hashtagPlatform Authenticators

Register Authenticators

hashtagCredential Creation Options

Authenticate Your Users

hashtagCredential Request Options

Debugging

hashtagThe Easy Way

hashtag

Dealing with “localhost”

hashtagSecured Context

hashtagResponse Verification

hashtagResponse Verification

hashtagThe Symfony Way

hashtagThe Easy Way

Class, Constant and Property Names

Supported features

Compatible Authenticators

Support

Contributing

Framework and Dependency Sizes

Roaming Authenticators

Platform Authenticators

Relying Party ID

How to determine the Relying Party ID?

Relying Party Icon

Installation

Registration

Authentication

Credential Creation Options

Credential Request Options

Creation Request

Assertion Request

The Easy Way

Secured Context

Run test suite

Class, Constant and Property Names

Supported features

Compatible Authenticators

Support

Contributing

Framework and Dependency Sizes

Roaming Authenticators

Platform Authenticators

Credential Creation Options

Credential Request Options

The Easy Way

Secured Context

Response Verification

Response Verification

The Symfony Way

The Easy Way

The Hard Way

The Symfony Way

Installation

Registration

Authentication

Relying Party ID

How to determine the Relying Party ID?

Relying Party Icon

Assertion Request

The Hard Way

The Symfony Way

The Easy Way

The Hard Way

The Symfony Way

Allowed Credentials

User Verification

Extensions

Example

Response Handling

Data Loading

Response Verification

Creation Request

Filesystem Repository

Doctrine Repository

The Hard Way

The Symfony Way

Creation Profile

Response Handlers

Creation Options Handler

Success Handler

Failure Handler

Public Key Credential Source Repository

Token Binding Handler

Attestation Statement Support Manager

Attestation Object Loader

Public Key Credential Loader

Extension Output Checker Handler

Authenticator Attestation Response Validator

Authenticator Assertion Response Validator

The Easy Way

The Hard Way

Authenticator registration

User Authentication