Advanced Behaviors
This section covers advanced WebAuthn features and customization options for Symfony Bundle implementations.
Overview
The Symfony WebAuthn Bundle provides sensible defaults for most applications. However, you can customize various behaviors to meet specific security requirements or enhance user experience.
Available Topics
Security Features
Fake Credentials - Prevent user enumeration attacks with fake credentials
Authenticator Counter - Detect cloned authenticators
Attestation and Metadata Statement - Verify authenticator trust
Debugging - Enable debug logging for troubleshooting
User Experience
User Verification - Configure biometric or PIN requirements
Authenticator Selection Criteria - Control authenticator types
Authentication without Username - Passwordless authentication with resident keys
Register Additional Authenticators - Allow users to add backup authenticators
Technical Configuration
Extensions - Use WebAuthn protocol extensions
Cross Origin Authentication - Development environment configuration
Configuration vs Code
The Symfony Bundle allows configuration through:
YAML Configuration - Most settings can be configured in config/packages/webauthn.yaml
Custom Services - Advanced behaviors require creating custom service classes
Event Listeners - Hook into the authentication process with Symfony events
Symfony-Specific Features
The bundle provides several Symfony-specific features not available in pure PHP:
Firewall Integration - Seamless integration with Symfony Security
Dependency Injection - All services available through the service container
Configuration Profiles - Multiple authentication profiles for different use cases
Event System - React to WebAuthn events throughout your application
Quick Configuration Example
Here's a common advanced configuration:
webauthn:
    credential_repository: 'App\Repository\WebauthnCredentialRepository'
    user_repository: 'App\Repository\UserRepository'
    # Enable debugging in development
    logger: 'monolog.logger'
    # Custom counter checker to detect cloned authenticators
    counter_checker: 'App\Security\CustomCounterChecker'
    creation_profiles:
        default:
            rp:
                name: 'My Application'
                id: 'example.com'
            # Require resident keys for passwordless auth
            authenticator_selection_criteria:
                authenticator_attachment: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
                require_resident_key: true
                user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
    request_profiles:
        default:
            rp_id: 'example.com'
            user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
See Also
Firewall Configuration - Basic Symfony Security setup
Configuration References - Complete configuration options
Pure PHP Advanced Behaviours - Framework-agnostic implementations
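The configuration above points the counter_checker option at App\Security\CustomCounterChecker; the class below is an added example of what such a service can look like, not the bundle's own code. It assumes webauthn-lib 4.x, where CounterCheckerInterface::check() receives the stored credential source and the counter from the incoming assertion and where the stored counter and credential id are public properties; the logger injection and the use of RuntimeException are choices of this example.

```php
<?php

declare(strict_types=1);

namespace App\Security;

use Psr\Log\LoggerInterface;
use Webauthn\Counter\CounterCheckerInterface;
use Webauthn\PublicKeyCredentialSource;

// Refuses an assertion whose signature counter did not move forward: a stalled or
// rolled-back counter is the signal WebAuthn gives for a cloned authenticator.
final class CustomCounterChecker implements CounterCheckerInterface
{
    public function __construct(
        private readonly ?LoggerInterface $logger = null,
    ) {
    }

    public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void
    {
        // Assumption: webauthn-lib 4.x exposes the stored counter as a public property.
        $storedCounter = $publicKeyCredentialSource->counter;

        // Both zero: the authenticator does not implement a counter at all,
        // so there is nothing to compare and the check is skipped.
        if ($storedCounter === 0 && $currentCounter === 0) {
            return;
        }

        // Normal case: the counter is strictly increasing.
        if ($currentCounter > $storedCounter) {
            return;
        }

        // Stalled or rolled-back counter: log it for investigation, then reject the login.
        $this->logger?->warning('Possible cloned authenticator: signature counter did not increase.', [
            'credential_id' => bin2hex($publicKeyCredentialSource->publicKeyCredentialId),
            'stored_counter' => $storedCounter,
            'received_counter' => $currentCounter,
        ]);

        throw new \RuntimeException(sprintf(
            'Signature counter %d is not greater than stored counter %d.',
            $currentCounter,
            $storedCounter,
        ));
    }
}
```

Register the class as a service (autowiring is enough) and the bundle will call it on every assertion; a thrown exception makes the authentication attempt fail.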