PHP webauthn implementation
webauthn allows for browser logins
using a physical key (such as a Yubikey 2 security
key) or, in
due course, biometrics such as fingerprints, that support the
protocol. Google also recently started selling Titan, a pair of compatible hardware keys,
but I don't have one yet to test code this with which I have now been able to test with
and confirmed works with no change to the code.
Webauthn was announced for Firefox 60 in May 2018 and also later added to Chrome. The idea of the age of password-less logins was widely broadcast in the technical press. But the reality is the whole thing is just too complicated for easy adoption. It needs another layer to simplify it for routine use.
It's fiendishly complicated, not so much in the cryptography as the way the structures are packed and named. Unnecessarily so (CBOR? What? Surely browsers could have unpacked it from that even if space is at such a premium that keys themselves require this weird binary format; and why not produce the key in PEM format. And so on).
So I spent quite a while translating the "coffee" example into a PHP class, while doing the minimum at the browser side (just unpacking enough to put into a convenient JSON form to transport to the server), and I thought I would share it.
The example code is live at https://webauthn.savesnine.info.