Phido2 is a library for authentication by Fast IDentity Online (FIDO) 2.0 credential, written in PHP and JavaScript.



Server-side, the only dependencies are on PHP and its OpenSSL extension.

Client-side, the only known FIDO 2.0 implementation is the Windows Hello authenticator in Microsoft Edge.


Two workflows are defined: credential creation and assertion validation.


Create an instance of the Phido2\Phido2 class on the server. It takes two arguments: the site's display and server names.

Generate request parameters using the getParams method of the Phido2 object. It takes two arguments: the user's account name, and an optional list of existing credentials known to belong to the user; and returns a JSON string.

    // Copy the authenticator's response into the form and post it to the server.
    function callback(response) {
        document.getElementById("response-input").value = response;
        document.getElementById("response-form").submit();
    }

Credential Creation

In the browser, call the makeCredential method of the Phido2 object with the request parameters and callback constructed previously. This will cause the browser to authenticate its current user and provide the public authentication credentials to the callback.


On the server, JSON-decode the credentials and validate them using the validateCredential method of the Phido2 object. This method is currently a no-op, but attestation validation would take place therein were any authenticators presently returning attestation information, and invalid credentials would be indicated by raising an exception.


    // Decode the posted response; the client reports failures in an "error" field.
    $credential = json_decode($_POST["response-input"]);
    if (isset($credential->error)) {
        throw new Exception($credential->error);
    }
    $phido2->validateCredential($params, $credential);

Store the validated credential in a database.

Assertion Validation

In the browser, call the getAssertion method of the Phido2 object with the request parameters and callback constructed previously. This will cause the browser to authenticate its current user and issue an assertion signed by that user's credential's private key.

On the server, JSON-decode the attestation, retrieve the identified credential's public key from the database, and validate the assertion. An exception is raised if the given credential's public key fails to validate the assertion's signature.


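    // Decode the posted response; the client reports failures in an "error" field.
    $assertion = json_decode($_POST["response-input"]);
    if (isset($assertion->error)) {
        throw new Exception($assertion->error);
    }
    // Use only the public key already on file for the identified credential.
    $pkey = get_credential_from_database($assertion->id)->publicKey;
    $phido2->validateAssertion($params, $assertion, $pkey);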
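
The principle behind the assertion validation step, as an added example that is not Phido2's own code: the server checks a signed challenge against the public key it stored at credential creation and raises an exception on any failure. The assertion layout (id, challenge, signature), the verify_assertion function and the $credentialStore array are assumptions made for illustration, not the FIDO 2.0 wire format or the library's API.

```php
<?php
// Added illustration, not Phido2 code. The assertion layout used here
// (id, challenge, signature) is a simplified assumption.

function verify_assertion(array $assertion, string $expectedChallenge, array $credentialStore): void
{
    // The challenge must be the one this server issued for this session.
    if (!hash_equals($expectedChallenge, $assertion['challenge'])) {
        throw new Exception('challenge mismatch (stale or replayed assertion)');
    }
    // Trust only public keys already on file, never one sent with the assertion.
    if (!isset($credentialStore[$assertion['id']])) {
        throw new Exception('unknown credential id');
    }
    $ok = openssl_verify(
        $assertion['challenge'],
        base64_decode($assertion['signature']),
        $credentialStore[$assertion['id']],
        OPENSSL_ALGO_SHA256
    );
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error);
    // compare strictly so an error is never treated as success.
    if ($ok !== 1) {
        throw new Exception('signature validation failed');
    }
}

// Constructed sample data: a throwaway RSA key pair stands in for the authenticator.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$credentialStore = ['cred-1' => openssl_pkey_get_details($key)['key']];

$challenge = bin2hex(random_bytes(32)); // issued by the server, kept in the session
openssl_sign($challenge, $sig, $key, OPENSSL_ALGO_SHA256);
$assertion = ['id' => 'cred-1', 'challenge' => $challenge, 'signature' => base64_encode($sig)];

verify_assertion($assertion, $challenge, $credentialStore);
echo "valid assertion accepted\n";

// A tampered signature and a replay against a fresh challenge must both raise.
$bad = $sig;
$bad[0] = chr(ord($bad[0]) ^ 1);
$tampered = ['signature' => base64_encode($bad)] + $assertion;
foreach ([[$tampered, $challenge], [$assertion, bin2hex(random_bytes(32))]] as [$a, $c]) {
    try {
        verify_assertion($a, $c, $credentialStore);
        echo "unexpectedly accepted\n";
    } catch (Exception $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```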


This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see
