New Features

• isBackupEligible & isBackedUp flags exposed
• Check for known android key hashes instead of URL origin check in case the origin string starts with android:apk-key-hash:;

Temp Directory Improvement

Verify EdDSA using Sodium Support for EdDSA algorithm (-8) using PHP Sodium (or Sodium Compat )

Updated PHP requirements.

v2

demo

• rewrite demo app with async function
• switch for attestation

Android

• allow to decide if you require ctsProfileMatch for android devices (default true, like on v1.x).
• • ctsProfileMatch: A stricter verdict of device integrity. If the value of ctsProfileMatch is true, then the profile of the device running your app matches the profile of a device that has passed Android compatibility testing and has been approved as a Google-certified Android device.
• • basicIntegrity: A more lenient verdict of device integrity. If only the value of basicIntegrity is true, then the device running your app likely wasn't tampered with. However, the device hasn't necessarily passed Android compatibility testing.
• usage: set $requireCtsProfileMatch on processCreate() to false to check only for basic integrity.

transport Hybrid

added support for transport hybrid. Hybrid indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.

⚠️Attention: new argument $allowHybrid on getGetArgs, CHECK YOUR IMPLEMENTATION!

public function getGetArgs($credentialIds=array(), $timeout=20, $allowUsb=true, $allowNfc=true, $allowBle=true, $allowHybrid=true, $allowInternal=true, $requireUserVerification=false)

v2

demo

rewrite demo app with async function

Android

• allow to decide if you require ctsProfileMatch for android devices (default true, like on v1.x).
• • ctsProfileMatch: A stricter verdict of device integrity. If the value of ctsProfileMatch is true, then the profile of the device running your app matches the profile of a device that has passed Android compatibility testing and has been approved as a Google-certified Android device.
• • basicIntegrity: A more lenient verdict of device integrity. If only the value of basicIntegrity is true, then the device running your app likely wasn't tampered with. However, the device hasn't necessarily passed Android compatibility testing.
• usage: set $requireCtsProfileMatch on processCreate() to false to check only for basic integrity.

transport Hybrid

added support for transport hybrid. Hybrid indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.

⚠️Attention: new argument on getGetArgs, check your implementation: public function getGetArgs($credentialIds=array(), $timeout=20, $allowUsb=true, $allowNfc=true, $allowBle=true, $allowHybrid=true, $allowInternal=true, $requireUserVerification=false)

PHP 8 issues (Object attribute access)

• Handle certificates correctly already containing line breaks
• The WebAuthn specification mandates that the counter check should be performed if either of the counters are non-zero.
• Support WebAuthn v2 residentKey field (#60)
• PHP 8.1 fixes