davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License

Biometric Authentication #43

Open securewebsite opened 4 years ago

securewebsite commented 4 years ago

Hello,

Please let me know what needs to be changed to enable webauthn.php to accept biometric-based authentication. The current script does not have that option available.

Regards, Gaurav Maniar

davidearl commented 4 years ago

It should just work. I use it with a fingerprint reader on Windows 10 in conjunction with Windows Hello, and others have reported it works on recent Android with the fingerprint reader. It won’t work on iPhone at all as Safari doesn’t support webauthn, nor a Mac fingerprint reader, but a yubico or Titan security key works in Chrome or Firefox on Mac. The code shouldn’t care what satisfies the authentication, though documentation is thin on the ground for some fields. In the case of Windows 10, my understanding is it is actually Windows Hello serving as intermediary between any device it supports and the webauthn interface in the browser.

securewebsite commented 4 years ago

Thanks David for the update. I have tested this with a OnePlus 7 and a Samsung S8 phone; in both cases it is not working as expected. I have tested both phones with webauthn.me and it is working fine. Just curious what might be wrong; if you can help me, I'd appreciate it.

schiederme commented 4 years ago

It won’t work on iPhone at all as Safari doesn’t support webauthn, nor a Mac fingerprint reader

Maybe I just don't get it right: you just mean biometric authentication there?

davidearl commented 4 years ago

@schiederme The webauthn standard is not supported at all by Safari either on iOS or Mac, so you can't use an iPhone fingerprint reader or face detection with webauthn (yet) to authenticate on a website. On MacOS, Firefox and Chrome do support webauthn (not Safari) but they can't access the Mac's built-in fingerprint reader (if you have one), so they only work with separate devices, like USB security keys (Yubico/Titan). In short, Apple support for webauthn does not exist.

davidearl commented 4 years ago

@securewebsite Unfortunately I don't have an Android device I can test with. I do know that others reported earlier that it worked, at least on Android Pie. If you have set crossPlatform=TRUE in prepareChallengeForRegistration, try FALSE instead. Failing that, the most likely thing is that some other algorithm is used in $result->pubKeyCredParams. The thing to do is compare the code for one that is known to be working and see where the differences are. The documentation is very thin on the ground for what you're supposed to do.

securewebsite commented 4 years ago

@davidearl Thanks for the update. I did that but this does not work. I will compare the code and will update you here how this worked for me. Thanks a lot for your inputs.

benjamindoe commented 4 years ago

Just to pitch in, you can use the Mac's built-in fingerprint reader in Firefox and Chrome (tested on the latest MacBook Air, unsure of the macOS version). I've managed to get it working along with Android biometric readers (tested on OnePlus 5 and OnePlus 6T).

I did have to create new code specific to the project I was working on due to key storage constraints so I wasn't able to use this package. I'd love to share the code but unfortunately it's under a proprietary licence.

It may help if you give us some information about why it doesn't work. Are there any messages? What do you see?

securewebsite commented 4 years ago

Thanks, I got this working, but I found one issue with it. Although in biometric registration it is used with one finger, I can use another finger and it authenticates the user. I even tried the same user with another person's fingerprint and it worked. I am still testing this and will update you soon. Is it an issue with CORB or WebAuthn?

benjamindoe commented 3 years ago

This is an issue with the device you are using. WebAuthn knows nothing about the device or how it's authenticated, only that it has been authenticated. If you're getting authenticated with a finger that you shouldn't, you need to check the device settings. The device should reject the authentication, which tells the web interface to reject it as well.

securewebsite commented 3 years ago

Thanks, but as the client does not recognize which finger it has, and the desktop OS does not store fingerprint data like Android or iOS, I have to store fingerprint data somewhere which would help me to identify which fingerprint is used and use it to verify each time before completing authentication.

schiederme commented 3 years ago

That’s not the scope of Webauthn and to save them by yourself is a bad, bad idea.

Maxi

On 13 Jul 2020, at 21:16, Gaurav Maniar wrote:

 Thanks, but as the client does not recognize which finger it has, and the desktop OS does not store fingerprint data like Android or iOS, I have to store fingerprint data somewhere which would help me to identify which fingerprint is used and use it to verify each time before completing authentication.


benjamindoe commented 3 years ago

I think you might need to take a step back from your project and reevaluate the WebAuthn API and its intended uses.

https://webauthn.guide/