Login keys are from devices that contain cryptographic keys. These can be used for two-factor authentication. The login key device must support the standard "[WebAuthn](https://w3c.github.io/webauthn/#webauthn-authenticator)".
It enables secure authentication of the user in web-based user interfaces via a browser. Instead of a password ("knowledge" factor), one logs in with special hardware that uses strong public key cryptography for verification ("ownership" factor). Due to the way it is implemented, FIDO2 logins cannot be intercepted by phishing.
FIDO2 describes the entire authentication process, WebAuthn and CTAP are subcomponents of this process. CTAP is the communication from the FIDO2 device to the client / browser. WebAuthn handles the transmission from the browser to the application (shop).
Any FIDO2-certified hardware can be used for registration. This can be:
- Smartphones with Touch ID (Android from version 7, iOS from version 14),
FIDO2 can be used as:
- an additional 2nd factor to the existing username-password combination
- as a secure substitute instead of a password (passwordless, still in connection with the entry of a user name)
- as a complete substitute for user name and password (with login data stored in the FIDO2 device).
In this module, passwordless login is currently implemented (2nd option).
For the 1st options we see too little security gain compared to option 2. The implementation of the 3rd option is technically feasible, but for the normal field of application not very relevant and technically complex. If required, we are available for enquiries.
When registering a FIDO2 key, access data is created in order to be able to check a later login attempt. These access data are firmly bound to the customer account and the shop and cannot be exchanged with each other.
Open a command line interface and navigate to the shop root directory (parent of source and vendor). Execute the following commands. Adapt the paths to your environment.
If a reference to an unsuitable package `symfony/process` is shown, this must be changed. To do this, please add the switch `-W` to the above command (`... require -W ...`).
Activate the module in the admin area of the shop in "Extensions -> Modules".
The shop account is opened (as usual) with user name and password. Afterwards, [FIDO2](https://fidoalliance.org/) keys can be added as an additional authentication option. From this moment on, logging into the shop (frontend and backend) can be done either with FIDO2 or with password. Both work independently of each other.
Logging in with password does not differ from the shop standard and remains as a fallback option.
To use the registered FIDO2 keys, simply leave the password field blank when logging in. As soon as at least one character is entered in the password field, a login with password is assumed. If the password field is left blank, the system checks for the existence of a key registration and, if successful, requests the corresponding device. If there is no registration, a login with password is also assumed.
The keys can be easily managed in the My Account area of the frontend and also in the customer account in the backend. The administration includes the registration of new keys (multiple keys per account are possible and recommended). A free text name can be assigned to each key. Furthermore, all registered keys are displayed with their names. Registered keys can also be deleted there.
Since a password is no longer required with a FIDO2-based login, the backup password can also be more complex than passwords suitable for everyday use.
See [CHANGELOG](CHANGELOG.md) for further informations.
## Contributing
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue. Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
## Licence
(status: 2022-10-25)
Distributed under the GPLv3 license.
```
Copyright (c) D3 Data Development (Inh. Thomas Dartsch)
This software is distributed under the GNU GENERAL PUBLIC LICENSE version 3.
```
For full copyright and licensing information, please see the [LICENSE](LICENSE.md) file distributed with this source code.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.