विवरण
Keyless Login brings modern, phishing-resistant authentication to your WordPress site.
Log in with your fingerprint, face, or a hardware security key — no password ever required or transmitted. Implemented entirely in pure PHP using only the built-in openssl extension. No Composer, no vendor folder, no third-party libraries.
How It Works
KeylessWP implements the W3C WebAuthn Level 2 specification from scratch:
- A custom CBOR decoder parses authenticator data
- Custom ASN.1/DER builders construct public keys
- PHP’s built-in
openssl_verify()verifies ECDSA P-256 (ES256) and RSA-2048 (RS256) signatures - Credentials are stored in a dedicated database table with sign-count clone detection
Supported Authentication Methods
- 🖐 Fingerprint sensors (Touch ID, Windows Hello)
- 😊 Face recognition (Face ID, Windows Hello face camera)
- 🔑 Hardware security keys (YubiKey, Google Titan Key, Feitian)
- 🔐 Platform passkey managers (iCloud Keychain, Google Password Manager)
Features
- Full FIDO2 / WebAuthn Level 2 implementation — pure PHP
- ECDSA P-256 (ES256) and RSA-2048 (RS256) signature verification
- Zero external libraries — only PHP’s built-in
opensslextension required - Passkey registration and management from the user profile page
- Per-credential device naming, creation date, and last-used tracking
- Sign-count verification on every authentication (clone detection)
- Phishing-resistant: credentials are cryptographically bound to your domain
- Admin settings page with live usage statistics
- Graceful fallback: the standard password form remains available
- Translatable — all strings use
__()with thekeylesswptext domain
Privacy
KeylessWP does not collect, transmit, or share any user data. No external services are contacted. Biometric data never leaves the user’s device — only a cryptographic public key is stored on the server.
इंस्टॉलेशन
- Upload the
keylesswpfolder to/wp-content/plugins/ - Activate the plugin via Plugins Installed Plugins
- Go to Users Your Profile and click Register New Passkey
- Follow your device’s biometric or security-key prompt
- Log out and click Sign in with Passkey on the login page
Requirements
- PHP 8.0 or higher
- PHP
opensslextension (enabled by default on virtually all hosts) - HTTPS — required by the WebAuthn browser API
- WordPress 6.4 or higher
सामान्य प्रश्न
-
Does this plugin require any external library or Composer?
-
No. Everything — CBOR decoding, ASN.1/DER key building, ECDSA and RSA verification — is implemented in pure PHP using only the
opensslextension that ships with PHP. -
Does this work without HTTPS?
-
No. The WebAuthn browser API will refuse to run on non-secure origins. All modern WordPress hosting provides HTTPS.
-
Can users still log in with their password?
-
Yes. By default, the standard password form remains visible alongside the passkey button. You can change this under Settings Keyless Login.
-
What data is stored on the server?
-
Only the credential ID, public key (PEM format), sign count, device name, and timestamps. Biometric data is processed entirely on the user’s device and never transmitted.
-
Is this compatible with multisite?
-
Single-site support is the focus of v1.0. Multisite compatibility is planned for v1.1.
-
Privacy Policy
-
This plugin does not send any data to external servers. No tracking, no analytics, no third-party services are used. On uninstall, all plugin data is deleted from the database.
समीक्षाएं
इस प्लगइन के लिए कोई समीक्षा नहीं है।
सहायक &डेवलपर्स
Translate “Keyless Login” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
बदलाव विवरण
1.0.0
- Initial release
- Pure PHP CBOR decoder (RFC 7049)
- Pure PHP WebAuthn attestation and assertion verifier
- ES256 (ECDSA P-256) and RS256 (RSA-2048) support
- Custom DB table with sign-count clone detection
- Complete registration and authentication flows
- Admin settings page with usage statistics
- Full i18n support with
keylesswptext domain