fido2auth
FIDO2 Auth brings passwordless login to Drupal using the WebAuthn standard.
Users can authenticate with fingerprint, face scan, hardware security keys, or
their phone — eliminating weak or reused passwords from your site.
How it works
Instead of typing a password, users register one or more FIDO2 keys (security
keys, device biometrics, or cross-device passkeys). On subsequent visits they
enter only their username and complete a browser prompt — tap a YubiKey, scan
a fingerprint, or unlock their phone.
Features
- True passwordless login — username + authenticator, no password fallback
required
- Multiple authenticator types — USB/NFC/BLE security keys, platform
biometrics (Windows Hello, Touch ID, Android), and hybrid cross-device
passkeys
- User-managed keys — users register and revoke their own keys from their
profile page
- Configurable security policy — challenge timeout, resident key requirements,
user verification level (PIN/biometric), allowed transports, and max keys per
user
- Flood protection — rate-limited challenge and login endpoints per IP
- Anti-enumeration — unknown usernames receive a fake challenge so attackers
cannot probe for valid accounts
- Plays well with others — works alongside the standard password login form;
users can keep both or rely solely on passkeys
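
One way to implement the anti-enumeration behaviour from the feature list, shown as an added example and not fido2auth's own code: the server answers every username with the same option structure, and for unknown accounts derives a stable decoy credential ID from an HMAC over the username. The function names, the site secret, and the option values (`timeout`, `userVerification`, the 32-byte ID length) are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration; all names below are hypothetical.

/** Base64url without padding, as WebAuthn JSON options expect. */
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/**
 * Build assertion options that look the same for known and unknown users.
 *
 * @param string[] $realIds Raw credential IDs stored for the account;
 *                          empty when the account does not exist.
 */
function assertion_options(string $username, array $realIds, string $siteSecret, string $rpId): array {
    // Always compute the decoy so both paths do comparable work.
    $key = strtolower(trim($username));
    $decoy = hash_hmac('sha256', 'decoy-credential:' . $key, $siteSecret, true);
    // Deterministic decoy: asking twice for the same unknown name returns the
    // same ID, exactly as a real account would.
    $ids = $realIds !== [] ? $realIds : [$decoy];

    return [
        'challenge' => b64url(random_bytes(32)), // fresh for every request
        'rpId' => $rpId,
        'timeout' => 60000,                      // assumed policy value
        'userVerification' => 'preferred',       // assumed policy value
        'allowCredentials' => array_map(
            fn(string $id): array => ['type' => 'public-key', 'id' => b64url($id)],
            $ids
        ),
    ];
}

// Constructed sample data; a real site would use a persistent secret.
$secret = random_bytes(32);
$known  = assertion_options('alice', [random_bytes(32)], $secret, 'example.org');
$ghost1 = assertion_options('nobody', [], $secret, 'example.org');
$ghost2 = assertion_options('Nobody ', [], $secret, 'example.org');

// Same structure for both cases, stable decoy ID, fresh challenge each time.
var_dump(array_keys($known) === array_keys($ghost1));
var_dump($ghost1['allowCredentials'][0]['id'] === $ghost2['allowCredentials'][0]['id']);
var_dump($ghost1['challenge'] !== $ghost2['challenge']);
```

The login endpoint has to complete the picture: an assertion against a decoy ID should fail with the same status, message, and flood accounting as a bad signature on a real account. Users with several registered keys still produce a longer `allowCredentials` list than the single decoy, so the decoy count may need to follow a fixed policy.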
Requirements
- HTTPS (required by browsers for WebAuthn; localhost allowed during
development)
- PHP 8.1+ with gmp or bcmath
- The lbuchs/webauthn library (installed via Composer)