Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to manage multiple authenticators per user? #36

Closed
marciuz opened this issue Oct 7, 2019 · 2 comments
Closed

How to manage multiple authenticators per user? #36

marciuz opened this issue Oct 7, 2019 · 2 comments

Comments

@marciuz
Copy link

marciuz commented Oct 7, 2019

I don't know if the question is about the library or I have to manage this at implementation level, but isn't clear for me how to manage multiple devices.

For example, if I have to store for the same user the data about a mobile (with fingerprint) AND my macbook (with fingerprint) for the same user, how to manage it?

I read the protocol allows multiple authenticators, but in this library I cannot do it.

Thanks
@davidearl
Copy link
Owner

The library does support this and I am using it successfully in this way in more than one website.

You have to store the key information with the user account in your database. The example uses a trivial file system, but you will most likely have a database with a users table, and you need a full text field to store the keys, which are a JSON string.

When calling register(), as well as the info for the registration in progress, you also pass in the current keys field from the user as the second parameter - this parameter can be NULL if you don't have any yet, but otherwise it is a string. The function returns an amended string (representing a set of keys) which you store back in the user keys field in the database. (If you look at the JSON it manages, you'll see it is an array, each element of which is a different key for the user).

When calling authenticate() you pass in the user keys field (again second parameter) and it attempts to authenticate against any of they keys they have registered.

If you use it for 2FA instead of login, the procedure is exactly the same, except that you would have already verified them against a (strongly-hashed) password by the time you do the authenticate() call.

@marciuz
Copy link
Author

marciuz commented Oct 7, 2019

Hi David,

thanks for the quick answer and the solution.
I was wrong because every time I started the webauthnkeys again.
I changed the initialization in this way and now it's okay.

Best regards

if(empty($user)) {
                $data = [
                    'name' => $username,
                    'id' => md5(time() . '-' . rand(1, 1000000000)),
                    'webauthnkeys' => $webauthn->cancel(),
                ];
            }
            else{
                $data = [
                    'name' => $username,
                    'id' => $user->id,
                    'webauthnkeys' => $user->webauthnkeys,
                ];
            }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidearl @marciuz