Download the PHP package davidearl/webauthn without Composer
On this page you can find all versions of the php package davidearl/webauthn. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Short Description An implementation of webauthn in PHP on the server side (e.g Yubico 2 and Google Titan keys)
All versions of webauthn with dependencies
Informations about the package webauthn
PHP webauthn implementation
- Live example: https://webauthn.savesnine.info.
webauthn allows for log in or second factor authentication for web sites that support the protocol in browsers that also support it, using a physical key (such as a Yubikey 2 security key or Google's Titan USB key), biometrics such as fingerprints and face recognition, and now even your Windows 10 login PIN.
Webauthn was announced for Firefox 60 in May 2018 and also later added to Chrome 67 later in 2018.
Windows 10 version 1903 distributed in summer 2019 links the Windows password-less login system to webauthn, meaning that the same methods used to log in to Windows 10 can now also be used to log in to (or as second factor authentication for) web sites supporting webauthn. Somewhere along the line Android also added webauthn support for fingerprint readers. Chrome and Firefox on Mac also support webauthn via MacBook built-in fingerprint readers and also USB keys (Yubico 2/5, Titan). Sadly, iOS is lagging behind as of August 2019: nothing on iPhone or iPad supports webauthn, to my knowledge.
The idea of the age of password-less logins was widely broadcast in the technical press when Firefox 60 first came out. But the reality is the whole thing is just too complicated for easy adoption. It needs another layer to simplify it for routine use.
Webauthn is fiendishly complicated, not so much in the cryptography as the way the structures are packed and named. Unnecessarily so (CBOR? What? Surely browsers could have unpacked it from that even if space is at such a premium that keys themselves require this weird binary format; and why not produce the key in PEM format. And so on).
So I spent quite a while translating the "coffee" example into a PHP class for Yubico 2 keys, while doing the minimum at the browser side (just unpacking enough to put into a convenient JSON form to transport to the server), and I thought I would share it. Several others have since helped with support for broader application with fingerprints and Windows Hello.
Changes from branch 0.1.0
The original code was updated in August 2019 by a number of contributors (thank you!) to use composer for dependencies and update name space, class and method names into line with conventions.
As a result, if you downloaded the original code, the various names in
your code will need to be updated. Now
\Davidearl for the namespace
(upper case D), class name and the directory where it lives is now
WebAuthn, and the method names are
If you want the code with the original names, download branch 0.1.0. That will not be updated in future.
- PHP CBOR library: can be installed using composer install in the project directory
- phpseclib, ditto
- A recent openssl included in PHP (openssl_verify in particular)
- PHP 5.6 or later (preferably PHP 7)
The example code is live at https://webauthn.savesnine.info.
To host the example yourself,
- put the code in the document hierarchy for your server (say
- install CBOR etc. using
- visit yoururl
If you put all the directories in webauthn at your document root and
add an index.php as follows, you can run it at the top level as e.g.
https://example.com (use your domain name, obviously).
<?php chdir('example'); include_once('index.php');