Advanced Behaviors

This section covers advanced WebAuthn features and customization options for Symfony Bundle implementations.

Overview

The Symfony WebAuthn Bundle provides sensible defaults for most applications. However, you can customize various behaviors to meet specific security requirements or enhance user experience.

Available Topics

Security Features

User Experience

Technical Configuration

Configuration vs Code

The Symfony Bundle allows configuration through:

  1. YAML Configuration - Most settings can be configured in config/packages/webauthn.yaml

  2. Custom Services - Advanced behaviors require creating custom service classes

  3. Event Listeners - Hook into the authentication process with Symfony events

Symfony-Specific Features

The bundle provides several Symfony-specific features not available in pure PHP:

  • Firewall Integration - Seamless integration with Symfony Security

  • Dependency Injection - All services available through the service container

  • Configuration Profiles - Multiple authentication profiles for different use cases

  • Event System - React to WebAuthn events throughout your application

Quick Configuration Example

Here's a common advanced configuration:

config/packages/webauthn.yaml
webauthn:
    credential_repository: 'App\Repository\WebauthnCredentialRepository'
    user_repository: 'App\Repository\UserRepository'

    # Enable debugging in development
    logger: 'monolog.logger'

    # Custom counter checker to detect cloned authenticators
    counter_checker: 'App\Security\CustomCounterChecker'

    creation_profiles:
        default:
            rp:
                name: 'My Application'
                id: 'example.com'

            # Require resident keys for passwordless auth
            authenticator_selection_criteria:
                authenticator_attachment: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
                require_resident_key: true
                user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED

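    request_profiles:
        default:
            rp_id: 'example.com'
            # 'preferred' asks for user verification but does not enforce it at login;
            # use USER_VERIFICATION_REQUIREMENT_REQUIRED when the credential is the only factor
            user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED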
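
The configuration above points counter_checker at App\Security\CustomCounterChecker without showing the class. The following is an added example of such a service, not code from the bundle or its documentation. It assumes the library's Webauthn\Counter\CounterChecker interface with a check(PublicKeyCredentialSource, int) method, the getter names getCounter() and getPublicKeyCredentialId() (accessors differ between library versions), and a PSR-3 logger autowired by the container.

```php
<?php

declare(strict_types=1);

namespace App\Security;

use Psr\Log\LoggerInterface;
use Webauthn\Counter\CounterChecker;
use Webauthn\PublicKeyCredentialSource;

/**
 * Added example: rejects an assertion whose signature counter did not advance
 * and logs the event so it can be alerted on.
 */
final class CustomCounterChecker implements CounterChecker
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void
    {
        // Assumption: getCounter() is the accessor in the installed library version.
        $storedCounter = $publicKeyCredentialSource->getCounter();

        // A counter that stays at 0 means the authenticator does not implement
        // one (common for synced passkeys), so there is nothing to compare.
        if ($storedCounter === 0 && $currentCounter === 0) {
            return;
        }

        if ($currentCounter > $storedCounter) {
            return; // Counter advanced: expected behaviour.
        }

        // Equal or lower: the credential may exist on more than one device.
        $this->logger->warning('WebAuthn signature counter did not increase', [
            'credential_id' => base64_encode($publicKeyCredentialSource->getPublicKeyCredentialId()),
            'stored_counter' => $storedCounter,
            'received_counter' => $currentCounter,
        ]);

        // Throwing makes the assertion validation fail for this login attempt.
        throw new \RuntimeException('Invalid signature counter: possible cloned authenticator.');
    }
}
```

The warning carries both counter values and the credential ID, which is what an alert rule or an incident responder needs to decide whether to revoke the credential.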

See Also

Start with the basic bundle setup in Bundle Installation before diving into advanced behaviors.
