This repository was archived by the owner on Jun 13, 2022. It is now read-only.
@@ -643,11 +641,11 @@ Yes, as long you are hashing them as you should, and you have secured your appli
***Can a user register two or more _devices_?**
-
Yes, but you need to manually attest (register) these. It's recommended to email him to register a new device.
+
Yes.
***What happens if a credential is cloned?**
-
The user won't be authenticated since the server counter will be greater than the reported by the credential. To intercede in the procedure, modify the Assertion Validator in the Service Container and add your own `CounterChecker`:
+
The user won't be authenticated since the "logins" counter will be greater than the reported by the original device. To intercede in the procedure, modify the Assertion Validator in the Service Container and add your own `CounterChecker`:
```php
$this->app->bind(CounterChecker::class, function () {
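Review bot: the rewritten cloned-credential answer (`+The user won't be authenticated since the "logins" counter will be greater than the reported by the original device`) should state which assertion is rejected: the counter check refuses any assertion whose reported counter is not greater than the value stored for that credential, so once the clone has been used first it is the legitimate device that fails, and the server cannot tell which copy is the original. Suggest: `The assertion is rejected when the counter it reports is not greater than the "logins" counter stored on the server, which hits whichever copy (original or clone) authenticates second.` Also "greater than the reported by" needs "greater than the one reported by", and the answer to "Can a user register two or more devices?" was cut to a bare "Yes.", dropping the explanation of how additional devices get registered without putting anything in its place.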
@@ -685,17 +683,21 @@ Yes, [use these recovery helpers](#6-set-up-account-recovery-optional).
Disabling a credential doesn't delete it, so it can be later enabled manually in the case the user recovers it. When the credential is deleted, it goes away forever.
+
***Can a user delete its credentials from its device?**
+
+
Yes. If it does, the other part of the credentials in your server gets virtually orphaned. You may want to show the user a list of registered credentials to delete them.
+
***How secure is this against passwords or 2FA?**
-
Extremely secure since it works only on HTTPS, and no password or codes are exchanged.
+
Extremely secure since it works only on HTTPS (or `localhost`), and no password are exchanged, or codes are visible in the screen.
***Can I deactivate the password fallback? Can I enforce only WebAuthn authentication?**
-
Yes. Just be sure to [use the recovery helpers](#6-set-up-account-recovery-optional) to avoid users locked out.
+
Yes. Just be sure to [use the recovery helpers](#6-set-up-account-recovery-optional) to avoid locking out your users..
***Does this includes a frontend Javascript?**
-
[Yes.](#5-use-the-javascript-helper-optional)
+
[Yes](#5-use-the-javascript-helper-optional), but it's very _basic_.
***Does this encodes/decode the strings automatically in the frontend?**
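Review bot: the new answer to "How secure is this against passwords or 2FA?" is ungrammatical and does not make the comparison the question asks for: `no password are exchanged, or codes are visible in the screen` should read "no passwords are exchanged and no codes are shown on screen", and "Extremely secure" is a rating rather than an answer; say what is gained over passwords and one-time codes (nothing reusable or typeable is sent or displayed, so there is nothing for a user to hand over). Smaller points in the same hunk: `to avoid locking out your users..` has a doubled period; the added question "Can a user delete its credentials from its device?" should read "their credentials from their device"; and its answer, which notes the server-side half becomes orphaned, should say where that record is cleaned up (the list of registered credentials it recommends showing).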
@@ -707,7 +709,15 @@ Yes, the included [WebAuthn Helper](#5-use-the-javascript-helper-optional) does
***Can I use my smartphone as authenticator through a PC desktop/laptop/terminal?**
-
Depends on the OS and hardware. Some will require previously pairing the device to an "account". Others won't and will only work with USB keys. This is up to hardware and software vendor themselves.
+
Depends on the OS and hardware. Some will require previously pairing the device to an "account". Others will only work with USB keys. This is up to hardware and software vendor themselves.
+
+
***Why my device doesn't show Windows Hello/TouchId/FaceId/fingerprint authentication?**
+
+
By default, this WebAuthn implementation accepts almost everything. Some combinations of devices, OS and web browsers may differ on what to make available for WebAuthn authentication. In other words, it's not my fault.
+
+
***I'm trying to test this in my development server but it doesn't work**
+
+
Use `localhost` exclusively, or use [ngrok](https://ngrok.com/) (or similar) to tunnel your site through HTTPS. WebAuthn only works on `localhost` or `HTTPS` only.
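Review bot: the added development-server answer repeats "only" (`WebAuthn only works on `localhost` or `HTTPS` only`) and puts `HTTPS` in code font as if it were a hostname; suggest "WebAuthn works only over HTTPS or on `localhost`." It should also point out that a tunnel such as ngrok makes the development site reachable from the internet, so it is for trying the flow out, not for an instance holding real user credentials. In the new "Why my device doesn't show Windows Hello/TouchId/FaceId/fingerprint authentication?" entry, the heading should read "Why doesn't my device show ...?", and "In other words, it's not my fault." gives the reader nothing to act on; replace it with what to check (whether that browser and OS expose the authenticator type to WebAuthn at all). In the modified smartphone answer just above, "previously pairing the device" reads better as "pairing the device beforehand".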