PHPackages bnf/mfa-webauthn - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. bnf/mfa-webauthn ActiveTypo3-cms-extension[Authentication & Authorization](/categories/authentication) bnf/mfa-webauthn ================ WebAuthn Provider for TYPO3 Multi Factor Authentication 1.2.5(1y ago)715.5k↓22.5%3[2 issues](https://github.com/bnf/mfa_webauthn/issues)[1 PRs](https://github.com/bnf/mfa_webauthn/pulls)GPL-3.0-or-laterPHPPHP ^8.1 Since Feb 16Pushed 1y ago1 watchersCompare [ Source](https://github.com/bnf/mfa_webauthn)[ Packagist](https://packagist.org/packages/bnf/mfa-webauthn)[ RSS](/packages/bnf-mfa-webauthn/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (8)Dependencies (3)Versions (20)Used By (0) WebAuthn Provider for TYPO3 Multi Factor Authentication ======================================================= [](#webauthn-provider-for-typo3-multi-factor-authentication) This TYPO3 extension integrates into the TYPO3 Multi Factor Authentication (MFA) API, adding authenticators using the [WebAuthn standard](https://webauthn.io). It provides support for FIDO2/U2F Hardware tokens and Internal Authenticators (e.g. Android Screenlock or Windows hello) as second factor during authentication. Installation ------------ [](#installation) ``` composer require bnf/mfa-webauthn ``` Prerequisites and Limitations ----------------------------- [](#prerequisites-and-limitations) The WebAuthn API has some design-driven limitations. Authentication is reserved for secure environments in order to prevent spoofing of credentials, and therefore a WebAuthn credential is additonally bound to a domain. This puts the following limitations on usages of this provider: - Requires a valid SSL certificate or a localhost environment (therefore use `http://{myproject}.localhost` as local development URL) - Works only for one domain, multi domain sites need to have TYPO3 backend redirected to exactly one domain, or should use alternative MFA providers. ### Using WebAuthn Provider in production and staging environments [](#using-webauthn-provider-in-production-and-staging-environments) It is still possible to use WebAuthn in production and staging environments, but it requires some manual steps: 1. Create a security token in the production environment. 2. Create recovery codes or register a time-based one-time password (TOTP) in production. 3. Sync the `be\_user' table from production to staging. 4. Log in to staging with a recovery code or TOTP. 5. Create a security token in the staging environment. 6. Sync the user's `be\_users.mfa' database field back to production. 7. Optional: Regenerate recovery codes in production to have a fresh set of tokens. Alternative Extensions ---------------------- [](#alternative-extensions) If the restriction to one backend domain is too limiting, consider using [mfa\_yubikey](https://github.com/derhansen/mfa_yubikey)or [mfa\_hotp](https://github.com/o-ba/mfa_hotp) instead. Note, both providers are less secure than webauthn, as the user can be spoofed with a faked domain name, but they are more flexible and both allow to use hardware tokens with a multi domain setup. (`mfa_hotp` is intended for software HOTP authenticators, but the HOTP secret can also be burned to cheap HOTP hardware tokens.) ### Health Score 40 — FairBetter than 88% of packages Maintenance30 Infrequent updates — may be unmaintained Popularity33 Limited adoption so far Community11 Small or concentrated contributor base Maturity70 Established project with proven stability Bus Factor1 Top contributor holds 98.6% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~78 days Recently: every ~116 days Total 18 Last Release 582d ago Major Versions 0.2.1 → 1.0.02021-10-05 PHP version history (2 changes)0.0.1PHP >=7.2 1.2.0PHP ^8.1 ### Community Maintainers ![](https://www.gravatar.com/avatar/a8b7c224af04cc109194abd9d592618e75e05ec95ad86f2e4381b4bd110f99bd?d=identicon)[bnf](/maintainers/bnf) --- Top Contributors [![bnf](https://avatars.githubusercontent.com/u/473155?v=4)](https://github.com/bnf "bnf (69 commits)")[![peterkraume](https://avatars.githubusercontent.com/u/4234704?v=4)](https://github.com/peterkraume "peterkraume (1 commits)") ### Code Quality Static AnalysisPHPStan Type Coverage Yes ### Embed Badge ![Health badge](/badges/bnf-mfa-webauthn/health.svg) ``` [![Health](https://phpackages.com/badges/bnf-mfa-webauthn/health.svg)](https://phpackages.com/packages/bnf-mfa-webauthn) ``` ### Alternatives [jeffgreco13/filament-breezy A custom package for Filament with login flow, profile and teams support. 1.0k1.7M41](/packages/jeffgreco13-filament-breezy)[spatie/laravel-passkeys Use passkeys in your Laravel app 444494.4k16](/packages/spatie-laravel-passkeys)[in2code/femanager Modern TYPO3 Frontend User Registration. 49745.4k6](/packages/in2code-femanager)[web-auth/webauthn-symfony-bundle FIDO2/Webauthn Security Bundle For Symfony 63397.4k6](/packages/web-auth-webauthn-symfony-bundle)[marcelweidum/filament-passkeys Use passkeys in your filamentphp app 5925.8k](/packages/marcelweidum-filament-passkeys)[friendsoftypo3/openid OpenID authentication for TYPO3 CMS 1396.0k](/packages/friendsoftypo3-openid) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)