PHPackages ihorchyshkala/passkey-plugin - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. ihorchyshkala/passkey-plugin ActiveOctober-plugin[Authentication & Authorization](/categories/authentication) ihorchyshkala/passkey-plugin ============================ WebAuthn/Passkey authentication for October CMS backend v1.0.1(3mo ago)00MITPHPPHP >=8.0.2 Since Feb 16Pushed 3mo agoCompare [ Source](https://github.com/iMateo/oc-passkey-plugin)[ Packagist](https://packagist.org/packages/ihorchyshkala/passkey-plugin)[ RSS](/packages/ihorchyshkala-passkey-plugin/feed)WikiDiscussions master Synced 1mo ago READMEChangelogDependencies (3)Versions (3)Used By (0) Passkey Authentication Plugin ============================= [](#passkey-authentication-plugin) WebAuthn/Passkey authentication for the October CMS backend. Lets administrators sign in using fingerprint, face recognition, or screen lock instead of a password. Features -------- [](#features) - **Passwordless login** — "Sign in with Passkey" button on the backend login page - **Discoverable credentials** — no username required, the passkey identifies the user - **Multi-device support** — USB security keys, NFC, Bluetooth, hybrid, and platform authenticators - **Per-user management** — register, name, and delete passkeys from the user profile tab - **Admin management** — users with `admins.manage` permission can manage passkeys for other users - **Rate limiting** — max 10 authentication attempts per minute per IP - **IDOR protection** — user context derived from URL parameters and permissions, not POST data - **Signature counter validation** — detects cloned authenticators - **15 languages** — Arabic, Chinese, Dutch, English, French, German, Japanese, Korean, Latvian, Polish, Portuguese, Russian, Spanish, Turkish, Ukrainian Requirements ------------ [](#requirements) - October CMS 3.1+ (plugin v1.x) or October CMS 4.x (plugin v2.x) - PHP 8.0.2+ (v1.x) or PHP 8.2+ (v2.x) - HTTPS (required by the WebAuthn specification) - A WebAuthn-capable browser (all modern browsers) Installation ------------ [](#installation) ### Via Composer [](#via-composer) ``` composer require ihorchyshkala/passkey-plugin ``` ### Via October CMS Marketplace [](#via-october-cms-marketplace) Search for **Passkey Authentication** in the October CMS plugin marketplace, or install from the admin panel: ``` Settings → Updates & Plugins → Install Plugins → "Passkey Authentication" ``` ### Manual Installation [](#manual-installation) Clone this repository into `plugins/ihorchyshkala/passkey/` and run migrations: ``` php artisan october:migrate ``` Usage ----- [](#usage) ### Signing in with a Passkey [](#signing-in-with-a-passkey) Once a passkey is registered, the login page shows a **"Sign in with Passkey"** button below the standard login form. Click it, authenticate with your device (fingerprint, face, PIN), and you're in — no password needed. ### Registering a Passkey [](#registering-a-passkey) 1. Go to **Settings → Administrators → (your user) → Passkeys** tab, or **My Account → Passkeys** 2. Click **Add Passkey** 3. Give it a descriptive name (e.g. "MacBook Pro", "YubiKey") 4. Click **Create Passkey** and follow the browser prompt 5. The passkey appears in the list immediately ### Removing a Passkey [](#removing-a-passkey) Click **Remove** next to any passkey in the list. A confirmation dialog prevents accidental deletion. Version Compatibility --------------------- [](#version-compatibility) BranchPluginOctober CMSPHPLaravel`1.x`v1.xv3.1+>=8.0.29 / 10 / 11`master`v2.xv4.x>=8.212Composer constraints on `october/rain` ensure the correct version is installed automatically. The namespace `IHORCHYSHKALA\Passkey` is the same on both branches. How It Works ------------ [](#how-it-works) The plugin implements the [WebAuthn Level 2](https://www.w3.org/TR/webauthn-2/) specification using the [lbuchs/webauthn](https://github.com/nicoswd/webauthn) PHP library. **Registration flow:** 1. Backend generates a challenge with user info and excluded credentials 2. Browser calls `navigator.credentials.create()` with the options 3. Authenticator creates a key pair and signs the challenge 4. Backend verifies the attestation and stores the public key **Authentication flow:** 1. Backend generates a challenge (no user info — discoverable credentials) 2. Browser calls `navigator.credentials.get()` 3. Authenticator signs the challenge with the private key 4. Backend verifies the signature against the stored public key and logs the user in Challenges are stored in the server session with a 120-second TTL and are consumed on use (one-time). Security -------- [](#security) - All credentials are stored server-side; private keys never leave the authenticator - Challenges expire after 120 seconds and are single-use - Rate limiting prevents brute-force attempts (10/min per IP) - User verification is required for both registration and authentication - Signature counters are validated to detect cloned authenticators - IDOR protection: user targeting uses URL parameters verified against permissions, not client-supplied POST data - Generic error messages prevent credential enumeration Database -------- [](#database) The plugin creates one table: `ihorchyshkala_passkey_credentials` ColumnTypeDescription`id`intPrimary key`backend_user_id`intForeign key to `backend_users` (cascade delete)`credential_id`varchar(512)Base64url-encoded credential ID (indexed)`public_key`textCOSE public key`name`stringUser-given name for the passkey`sign_count`intSignature counter`transports`textJSON array of supported transports`created_at`timestamp`updated_at`timestampLicense ------- [](#license) MIT ### Health Score 33 — LowBetter than 75% of packages Maintenance82 Actively maintained with recent releases Popularity0 Limited adoption so far Community6 Small or concentrated contributor base Maturity40 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 2 Last Release 91d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/6b601e3de652d9141f0d82e5aaf6b06632346dd25094816157d0c7bd3f0efa58?d=identicon)[iMateo](/maintainers/iMateo) --- Top Contributors [![iMateo](https://avatars.githubusercontent.com/u/7630935?v=4)](https://github.com/iMateo "iMateo (4 commits)") --- Tags securityAuthenticationFIDO2webauthnoctoberoctobercmspasskey ### Embed Badge ![Health badge](/badges/ihorchyshkala-passkey-plugin/health.svg) ``` [![Health](https://phpackages.com/badges/ihorchyshkala-passkey-plugin/health.svg)](https://phpackages.com/packages/ihorchyshkala-passkey-plugin) ``` ### Alternatives [hwi/oauth-bundle Support for authenticating users using both OAuth1.0a and OAuth2 in Symfony. 2.4k21.5M69](/packages/hwi-oauth-bundle)[lusitanian/oauth PHP 7.2 oAuth 1/2 Library 1.1k23.2M121](/packages/lusitanian-oauth)[rainlab/user-plugin User plugin for October CMS 11954.3k13](/packages/rainlab-user-plugin)[web-auth/webauthn-lib FIDO2/Webauthn Support For PHP 1225.3M72](/packages/web-auth-webauthn-lib)[rainlab/builder-plugin Builder plugin for October CMS 17147.2k1](/packages/rainlab-builder-plugin)[rainlab/translate-plugin Translate plugin for October CMS 12666.5k9](/packages/rainlab-translate-plugin) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)