Awesome Open Source
Awesome Open Source

Licensed under the MIT License Requires PHP 5.6 Last Commit


A simple PHP WebAuthn (FIDO2) server library

Goal of this project is to provide a small, lightweight, understandable library to protect logins with security keys like Yubico or Solo or fingerprint on Android.


See /_test for a simple usage of this library. Check for a working example.

Supported attestation statement formats

  • android-key ✅
  • android-safetynet ✅
  • fido-u2f ✅
  • none ✅
  • packed ✅
  • tpm ❌

This library supports authenticators which are signed with a X.509 certificate or self attestation. ECDAA is not supported.


         JAVASCRIPT            |          SERVER

   window.fetch  ----------------->     getCreateArgs
navigator.credentials.create   <-------------'
        '------------------------->     processCreate
      alert ok or fail      <----------------'


   window.fetch ------------------>      getGetArgs
navigator.credentials.get   <----------------'
        '------------------------->      processGet
      alert ok or fail      <----------------'

Resident Credential

A Client-side-resident Public Key Credential Source, or Resident Credential for short, is a public key credential source whose credential private key is stored in the authenticator, client or client device. Such client-side storage requires a resident credential capable authenticator. This is only supported by FIDO2 hardware, not by older U2F hardware.

How does it work?

With normal server-side key process, the user enters its username (and maybe password), then the server replys with a list of all public key credential identifier, which had been registered by the user. Then, the authenticator takes the first of the provided credential identifier, which has been issued by himself, and responses with a signature which can be validated with the public key provided on registration. With client-side key process, the user don't have to provide an username or password. The server don't send any identifier; rather, the authenticator is looking up in it's own memory, if there is a key saved for this relying party. If yes, he's responding the same way like he's doing if you provide a list of identifier, there is no difference in checking the registration. Resident Credential is supported by Windows 10 (Firefox, Chromium). Browser on old OS like Windows 7 do a fallback to FIDO U2F, which doesn't support resident credential.

How can I use it with this library?

on registration

When calling WebAuthn\WebAuthn->getCreateArgs, set $requireResidentKey to true, to notify the authenticator that he should save the registration in its memory.

on login

When calling WebAuthn\WebAuthn->getGetArgs, don't provide any $credentialIds (the authenticator will look up the ids in its own memory).


Infos about WebAuthn

FIDO2 Hardware

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
php (15,572
php-library (87
2fa (44
two-factor-authentication (35
webauthn (31
fido2 (26

Find Open Source By Browsing 7,000 Topics Across 59 Categories