Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
With Webauthn, it is possible to authenticate a user without username. This behavior implies several constraints:
During the registration of the authenticator, a Resident Key must have been asked,
The user verification is required,
The list of allowed authenticators must be empty
In case of failure, you should continue with the standard authentication process i.e. by asking the username of the user.
Selection criteria for the registration of the authenticator:
The Request Options:
The default values for the user verification and the resident key are set to preferred and resident keys may be created if the authenticator is compatible. This means that some users may log in without username.
By default, any type of authenticator can be used by your users and interact with you application. In certain circumstances, you may need to select specific authenticators e.g. when user verification is required.
The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.
The class Webauthn\AuthenticatorSelectionCriteria
is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions
object.
You can indicate if the authenticator must be attached to the client (platform authenticator i.e. it is usually not removable from the client device) or must be detached (roaming authenticator).
Possible values are:
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE
: there is no requirement (default value),
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
: the authenticator must be attached,
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM
: must be a roaming authenticator.
A primary use case for platform authenticators is to register a particular client device as a "trusted device" for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator, e.g., the user will not have to dig around in their pocket for their key fob or phone.
With this criterion, a Public Key Credential Source will be stored in the authenticator, client or client device. Such storage requires an authenticator capable to store such a resident credential.
A resident key shall be created you want to authenticate users without username.
With this example, with require the user verification (PIN, fingerprint...), a resident key and an authenticator embedded onto a device. This is typacally what you will require for Windows Hello or Face ID authentication.
If you have troubles during the development of your application or if you want to keep track of every critical/error messages in production, you can use a PSR-3 compatible logger.
Several classes implement the interface Webauthn\MetadataService\CanLogData
. This interface allows setting a PSR-3 logger instance.
Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).
First of all, you must prepare an Attestation Metadata Repository. This service will manage all Metadata Statements depending on their sources (local storage or distant service).
Your Metadata Statement Repository must implement the interface Webauthn\MetadataService\MetadataStatementRepository
that has two methods:
findOneByAAGUID(string $aaguid)
: this method retrieves the MetadataStatement
object with AAGUID. It shall return null
in case of the absence of the MDS.
The library does not provide any Metadata Statement Repository. It is up to you to select the MDS suitable for your application and store them in your database.
There are few steps to acheive. First, you have to add support classes for all attestation statement types into your Attestation Metatdata Manager.
The Android SafetyNet Attestation Statement is a JWT that can be verified by the library, but can also be checked online by hitting the Google API. This method drastically increase the security for the attestation type but requires a PSR-18 compatible HTTP Client and an API key.
For 4.5.0, the TPMAttestationStatementSupport
class accepts a PSR-20 clock as argument. This argument will be mandatory for 5.0.0.
In the example below, we use symfony/clock
component.
Next, you must inject the Metadata Statement Repository to your Attestation Object Loader.
By default, no Attestation Statement is asked to the Authenticators (type = none
). To change this behavior, you just have to set the corresponding parameter in the Webauthn\PublicKeyCredentialCreationOptions
object.
There are 3 conveyance modes available using PHP constants provided by the class Webauthn\PublicKeyCredentialCreationOptions
:
ATTESTATION_CONVEYANCE_PREFERENCE_NONE
: the Relying Party is not interested in authenticator attestation (default)
ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT
: the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements.
ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT
: the Relying Party wants to receive the attestation statement as generated by the authenticator.
The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.
The default behaviour is to reject the assertions. This behaviour might cause some troubles as it could reject the real device whilst the fake one can continue to be used.
It is therefore required to go deeper in the protection of your application by logging the error and locking the associated account.
To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker
.
The following example is totally fictive. We will add an extension input loc=true
to the request option object.
An Extension Output Checker will check the extension output.
It must implement the interface Webauthn\AuthenticationExtensions\ExtensionOutputChecker
and throw an exception of type Webauthn\AuthenticationExtension\ExtensionOutputError
in case of error.
Devices may ignore the extension inputs. The extension outputs are therefore not guaranteed.
In the previous example, we asked for the location of the device and we expect to receive geolocation data in the extension output.
If your are working on a development environment, https
may not be available but the context could be considered as secured. You can bypass the scheme verification by passing the list of rpIds you consider secured.
Please be careful using this feature. It should NOT be used in production.