{"id":13703112,"url":"https://github.com/lbuchs/webauthn","last_synced_at":"2026-01-11T16:46:38.702Z","repository":{"id":34729811,"uuid":"149437753","full_name":"lbuchs/WebAuthn","owner":"lbuchs","description":"A simple PHP WebAuthn (FIDO2/Passkey) server library","archived":false,"fork":false,"pushed_at":"2024-07-04T08:47:50.000Z","size":922,"stargazers_count":505,"open_issues_count":18,"forks_count":89,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-04-24T15:44:47.704Z","etag":null,"topics":["2fa","apple-authenticator","fido","fido2","fido2-authenticator","passkey","passkeys","php-library","php-webauthn","safetynet-api","security","two-factor-authentication","webauthn","windows-hello"],"latest_commit_sha":null,"homepage":"https://webauthn.lubu.ch","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lbuchs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-19T11:06:28.000Z","updated_at":"2025-04-13T16:53:58.000Z","dependencies_parsed_at":"2023-10-17T00:14:55.437Z","dependency_job_id":"64de6495-cb61-4ff0-a768-2dbfbdc69040","html_url":"https://github.com/lbuchs/WebAuthn","commit_stats":{"total_commits":78,"total_committers":9,"mean_commits":8.666666666666666,"dds":0.5512820512820513,"last_synced_commit":"b31384c90ceb18bf0fad2755eef77db049cc9593"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbuchs%2FWebAuthn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbu
chs%2FWebAuthn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbuchs%2FWebAuthn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbuchs%2FWebAuthn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lbuchs","download_url":"https://codeload.github.com/lbuchs/WebAuthn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252458323,"owners_count":21751016,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","apple-authenticator","fido","fido2","fido2-authenticator","passkey","passkeys","php-library","php-webauthn","safetynet-api","security","two-factor-authentication","webauthn","windows-hello"],"created_at":"2024-08-02T21:00:50.483Z","updated_at":"2026-01-11T16:46:38.696Z","avatar_url":"https://github.com/lbuchs.png","language":"PHP","readme":"[![Licensed under the MIT License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/lbuchs/WebAuthn/blob/master/LICENSE)\n[![Requires PHP 7.1.0](https://img.shields.io/badge/PHP-7.1.0-green.svg)](https://php.net)\n[![Last Commit](https://img.shields.io/github/last-commit/lbuchs/WebAuthn.svg)](https://github.com/lbuchs/WebAuthn/commits/master)\n\n# WebAuthn\n*A simple PHP WebAuthn (FIDO2) server library*\n\nThe goal of this project is to provide a small, lightweight, understandable library to protect logins with passkeys, security keys like Yubico or Solo, fingerprint on Android, or Windows Hello.\n\n## Manual\nSee /_test for a simple usage of this library. 
Check [webauthn.lubu.ch](https://webauthn.lubu.ch) for a working example.\n\n### Supported attestation statement formats\n* android-key \u0026#x2705;\n* android-safetynet \u0026#x2705;\n* apple \u0026#x2705;\n* fido-u2f \u0026#x2705;\n* none \u0026#x2705;\n* packed \u0026#x2705;\n* tpm \u0026#x2705;\n\n\u003e [!NOTE]\n\u003e This library supports authenticators that are signed with an X.509 certificate or that are self-attested. ECDAA is not supported.\n\n## Workflow\n\n             JAVASCRIPT            |          SERVER\n    ------------------------------------------------------------\n                             REGISTRATION\n\n\n       window.fetch  -----------------\u003e     getCreateArgs\n                                                 |\n    navigator.credentials.create   \u003c-------------'\n            |\n            '-------------------------\u003e     processCreate\n                                                 |\n          alert ok or fail      \u003c----------------'\n\n\n    ------------------------------------------------------------\n                          VALIDATION\n\n\n       window.fetch ------------------\u003e      getGetArgs\n                                                 |\n    navigator.credentials.get   \u003c----------------'\n            |\n            '-------------------------\u003e      processGet\n                                                 |\n          alert ok or fail      \u003c----------------'\n\n## Attestation\nTypically, when someone logs in, you only need to confirm that they are using the same device they used during\nregistration. In this scenario, you do not require any form of attestation.\nHowever, if you need additional security, such as when your company mandates the use of a Solokey for login,\nyou can verify its authenticity through direct attestation. 
Companies may also purchase authenticators that\nare signed with their own root certificate, enabling them to validate that an authenticator is affiliated with\ntheir organization.\n\n### No attestation\nJust verify that the device is the same device used on registration.\nYou get 'none' attestation with this library if you select only 'none' as format.\n\n\u003e [!TIP]\n\u003e This is probably what you want to use if you want secure login for a public website.\n\n### Indirect attestation\nThe browser may replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily\nverifiable version of the same data (for example, by employing an anonymization CA).\nYou cannot validate against any root CA if the browser uses an anonymization certificate.\nThis library sets attestation to indirect if you select multiple formats but don't provide any root CA.\n\n\u003e [!TIP]\n\u003e A hybrid solution. Clients may be discouraged by browser warnings, but in return you learn which device models they use (useful for statistics).\n\n### Direct attestation\nThe browser forwards the authenticator's own attestation statement, which identifies its make and model (AAGUID and attestation certificate) and, with per-device or enterprise certificates, the individual device.\nUsers could be tracked across multiple sites. Because of this, the browser may show a warning message about providing this data during registration.\nThis library sets attestation to direct if you select multiple formats and provide root CAs.\n\n\u003e [!TIP]\n\u003e This is probably what you want if you know what devices your clients are using and want to ensure that only these devices are used.\n\n## Passkeys / Client-side discoverable Credentials\nA Client-side discoverable Credential Source is a public key credential source whose credential private key is stored in the authenticator,\nclient, or client device. 
Such client-side storage requires a resident credential-capable authenticator.\nThis is only supported by FIDO2 hardware, not older U2F hardware.\n\n\u003e[!NOTE]\n\u003e Passkeys are client-side discoverable credentials that the platform may additionally share with the user’s other devices. From the server's point of view there is no difference: it verifies a passkey exactly like any other client-side discoverable credential. The only difference is that the phone or computer automatically syncs the credential between the user’s devices via a cloud service; this cross-device sync is managed transparently by the OS.\n\n### How does it work?\nIn a typical server-side key management process, a user initiates a request by entering their username and, in some cases, their password.\nThe server validates the user's credentials and, upon successful authentication, retrieves the list of all credential IDs registered for that user account.\nThis list is returned to the browser as the allowed credentials and passed to the authenticator, which selects the first credential ID it issued and responds with a signature that the server verifies using the public key stored at registration.\n\nIn a client-side key process, the user does not need to provide a username or password.\nInstead, the authenticator searches its own memory to see if it has saved a key for the relying party (domain).\nIf a key is found, the authentication process proceeds in the same way as it would if the server had sent a list\nof identifiers. 
There is no difference in the verification process.\n\n### How can I use it with this library?\n#### On registration\nWhen calling `WebAuthn\\WebAuthn-\u003egetCreateArgs`, set `$requireResidentKey` to true\nto tell the authenticator that it must store the credential in its own memory.\n\n#### On login\nWhen calling `WebAuthn\\WebAuthn-\u003egetGetArgs`, don't provide any `$credentialIds` (the authenticator looks up the IDs in its own memory and returns the user ID as userHandle).\nAllow the authenticator types `hybrid` (passkey on a phone, connected by scanning a QR code) and `internal` (passkey stored on the device itself).\nVerify on the server that the returned userHandle belongs to the account the credential was registered for.\n\n#### Disadvantage\nThe RP ID (= domain) is saved on the authenticator. If an authenticator is lost, it is theoretically possible to find the services it was used for and log in there.\nIn practice the finder must also pass the authenticator's PIN or biometric whenever user verification is required, so require user verification for passkey logins.\n\n### Device support\nAvailability of built-in passkeys that automatically synchronize to all of a user’s devices (see also [passkeys.dev/device-support](https://passkeys.dev/device-support/)):\n* Apple iOS 16+ / iPadOS 16+ / macOS Ventura+\n* Android 9+\n* Microsoft Windows 11 23H2+\n\n## Requirements\n* PHP \u003e= 8.0 with [OpenSSL](http://php.net/manual/en/book.openssl.php) and [Multibyte String](https://www.php.net/manual/en/book.mbstring.php)\n* Browser with [WebAuthn support](https://caniuse.com/webauthn) (Firefox 60+, Chrome 67+, Edge 18+, Safari 13+)\n* PHP [Sodium](https://www.php.net/manual/en/book.sodium.php) (or [Sodium Compat](https://github.com/paragonie/sodium_compat)) for [Ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) support\n\n## Information about WebAuthn\n* [Wikipedia](https://en.wikipedia.org/wiki/WebAuthn)\n* [W3C](https://www.w3.org/TR/webauthn/)\n* [MDN](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)\n* [dev.yubico](https://developers.yubico.com/FIDO2/)\n* [FIDO Alliance](https://fidoalliance.org)\n* [passkeys](https://passkeys.dev/)\n\n## FIDO2 Hardware\n* [Yubico](https://www.yubico.com)\n* 
[Solo](https://solokeys.com) Open Source!\n* [Nitrokey](https://www.nitrokey.com/)\n* [Feitian](https://fido.ftsafe.com/)\n* [TrustKey](https://www.trustkeysolutions.com)\n* [Google Titan](https://cloud.google.com/titan-security-key)\n* [Egis](https://www.egistec.com/u2f-solution/)\n* [OneSpan](https://www.vasco.com/products/two-factor-authenticators/hardware/one-button/digipass-secureclick.html)\n* [Hypersecu](https://hypersecu.com/tmp/products/hyperfido)\n* [Kensington VeriMark™](https://www.kensington.com/)\n* [Token2](https://www.token2.com/shop/category/fido2-keys)\n","funding_links":[],"categories":["Server Libraries"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flbuchs%2Fwebauthn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flbuchs%2Fwebauthn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flbuchs%2Fwebauthn/lists"}
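The server side of the workflow the README above describes (getCreateArgs, processCreate, getGetArgs, processGet), wired up for the passkey case the README recommends: 'none' attestation, a resident key on registration, and a login with no credential IDs where the authenticator returns the userHandle. This is an added example, not the library's own _test/server.php. It assumes the library is installed with `composer require lbuchs/webauthn`, that the browser posts the same base64-encoded fields the library's test client sends (`clientDataJSON`, `attestationObject`, `authenticatorData`, `signature`, `id`, `userHandle`), and that the method names, argument order and result fields are as I recall them from the library; check them against the version you install. The RP ID `login.example.com`, the user `alice`, the `fn` query parameter and the session-backed credential store are placeholders.

```php
<?php
// Added example on top of lbuchs/WebAuthn; not the library's own code. Assumes the composer
// autoloader, HTTPS, the POST field names of the library's _test client, and the method
// signatures as recalled in the comments below (verify against the installed version).
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use lbuchs\WebAuthn\WebAuthn;
use lbuchs\WebAuthn\WebAuthnException;

session_start();
header('Content-Type: application/json');
$rpId = 'login.example.com';   // placeholder; must be the site's effective domain (no scheme/port)
// Selecting only the 'none' format makes the library request attestation "none": the server
// binds the public key to the account and never sees an AAGUID or attestation certificate.
$webAuthn = new WebAuthn('Example RP', $rpId, ['none']);
$post = json_decode(file_get_contents('php://input') ?: '{}');
$_SESSION['credentials'] ??= [];   // placeholder for a database table keyed by credential ID
$store = &$_SESSION['credentials'];

// Decode one base64 request field, failing closed on anything missing or malformed.
$field = static function (string $name) use ($post): string {
    $raw = is_object($post) && is_string($post->$name ?? null) ? base64_decode($post->$name, true) : false;
    if ($raw === false) {
        throw new WebAuthnException("missing or malformed field: $name");
    }
    return $raw;
};
$challenge = static fn() => $_SESSION['challenge'] ?? throw new WebAuthnException('no pending challenge');

try {
    switch ($_GET['fn'] ?? '') {
        case 'getCreateArgs':
            // requireResidentKey=true makes the authenticator store the credential itself, so a
            // later login works without a username (discoverable credential / passkey).
            $userId = random_bytes(16);   // opaque user handle; never an email or other PII
            $args = $webAuthn->getCreateArgs(
                $userId, 'alice', 'Alice Example',    // placeholders
                20, true, true,                       // timeout s, requireResidentKey, requireUserVerification
                null,                                 // attachment: platform or roaming, both allowed
                array_column($store, 'credentialId')  // excludeCredentialIds: block duplicate registration
            );
            $_SESSION['challenge'] = $webAuthn->getChallenge();   // ByteBuffer, bound to this session
            $_SESSION['pendingUserId'] = $userId;
            echo json_encode($args);
            break;
        case 'processCreate':
            $data = $webAuthn->processCreate(
                $field('clientDataJSON'), $field('attestationObject'), $challenge(),
                true, true   // requireUserVerification, requireUserPresent
            );
            // Persist what a login needs: credential ID, public key (PEM), last signature counter,
            // and the user handle the authenticator will hand back as userHandle.
            $store[bin2hex($data->credentialId)] = [
                'credentialId'   => $data->credentialId,
                'publicKey'      => $data->credentialPublicKey,
                'signatureCount' => $data->signatureCounter,
                'userId'         => $_SESSION['pendingUserId'] ?? throw new WebAuthnException('no pending user'),
            ];
            unset($_SESSION['challenge'], $_SESSION['pendingUserId']);
            echo json_encode(['success' => true]);
            break;
        case 'getGetArgs':
            // Empty credential list => discoverable (passkey) login. Transport flags as recalled:
            // usb, nfc, ble, hybrid, internal; only hybrid and internal are allowed, then UV.
            $args = $webAuthn->getGetArgs([], 20, false, false, false, true, true, true);
            $_SESSION['challenge'] = $webAuthn->getChallenge();
            echo json_encode($args);
            break;
        case 'processGet':
            $key  = bin2hex($field('id'));
            $cred = $store[$key] ?? throw new WebAuthnException('unknown credential');
            // The userHandle the authenticator returns must be the account this credential was
            // registered to; never look the user up by userHandle alone.
            if (!hash_equals($cred['userId'], $field('userHandle'))) {
                throw new WebAuthnException('userHandle does not match credential');
            }
            $webAuthn->processGet(
                $field('clientDataJSON'), $field('authenticatorData'), $field('signature'),
                $cred['publicKey'], $challenge(),
                $cred['signatureCount'],   // library rejects a counter that went backwards (cloned-key signal)
                true                       // requireUserVerification
            );
            $store[$key]['signatureCount'] = $webAuthn->getSignatureCounter();
            unset($_SESSION['challenge']);
            session_regenerate_id(true);   // fresh session ID once the user is authenticated
            $_SESSION['user'] = $cred['userId'];
            echo json_encode(['success' => true]);
            break;
        default:
            http_response_code(404); echo json_encode(['error' => 'unknown function']);
    }
} catch (\Throwable $e) {
    http_response_code(400);
    error_log($e->getMessage());   // keep the reason server-side; do not leak it to the client
    echo json_encode(['success' => false]);
}
```

The browser side is the flow in the README's workflow diagram: fetch `?fn=getCreateArgs`, hand the returned options to `navigator.credentials.create`, post the response to `?fn=processCreate`, and likewise `getGetArgs` / `navigator.credentials.get` / `processGet` for login. Two points matter for security: the challenge is generated and kept server-side per session and consumed once, so a captured response cannot be replayed, and the userHandle check ties the discoverable credential to the account it was registered for rather than trusting the client to name the user.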