Skip to content
An implementation of webauthn in PHP on the server side (e.g Yubico 2 and Google Titan keys)
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
example make clearer where .users is if it fails to be created Mar 12, 2019
src Changed authenticatorData flag checking to properly check flag (#11) May 7, 2019
LICENSE Initial commit Jul 31, 2018

PHP webauthn implementation

webauthn allows for browser logins using a physical key (such as a Yubikey 2 security key) or, in due course, biometrics such as fingerprints, that support the protocol. Google also recently started selling Titan, a pair of compatible hardware keys, but I don't have one yet to test code this with which I have now been able to test with and confirmed works with no change to the code.

Webauthn was announced for Firefox 60 in May 2018 and also later added to Chrome. The idea of the age of password-less logins was widely broadcast in the technical press. But the reality is the whole thing is just too complicated for easy adoption. It needs another layer to simplify it for routine use.

There are a couple examples in Javascript (see the "coffee" example). But the whole point is that the challenge and authentication must be done server-side.

It's fiendishly complicated, not so much in the cryptography as the way the structures are packed and named. Unnecessarily so (CBOR? What? Surely browsers could have unpacked it from that even if space is at such a premium that keys themselves require this weird binary format; and why not produce the key in PEM format. And so on).

So I spent quite a while translating the "coffee" example into a PHP class, while doing the minimum at the browser side (just unpacking enough to put into a convenient JSON form to transport to the server), and I thought I would share it.


This requires


The example code is live at

You can’t perform that action at this time.