webauthn allows for browser logins using a physical key (such as a Yubikey 2 security key) or, in due course, biometrics such as fingerprints, that support the protocol. Google announced a pair of compatible hardware keys recently too, but I don't have one yet to test code this with.
Webauthn was announced for Firefox 60 in May 2018 and also later added to Chrome. The idea of the age of password-less logins was widely broadcast in the technical press. But the reality is the whole thing is just too complicated for easy adoption. It needs another layer to simplify it for routine use.
There are a couple examples in Javascript (see the "coffee" example). But the whole point is that the challenge and authentication must be done server-side.
It's fiendishly complicated, not so much in the cryptography as the way the structures are packed and named. Unnecessarily so (CBOR? What? Surely browsers could have unpacked it from that even if space is at such a premium that keys themselves require this weird binary format; and why not produce the key in PEM format. And so on).
So I spent quite a while translating the "coffee" example into a PHP class, while doing the minimum at the browser side (just unpacking enough to put into a convenient JSON form to transport to the server), and I thought I would share it.
This requires
- PHP CBOR library
- A recent openssl included in PHP (openssl_verify in particular)
The example code is live at https://webauthn.savesnine.info.