Keyless Login

Keyless Login brings modern, phishing-resistant authentication to your WordPress site.

Log in with your fingerprint, face, or a hardware security key — no password ever required or transmitted. Implemented entirely in pure PHP using only the built-in openssl extension. No Composer, no vendor folder, no third-party libraries.

How It Works

KeylessWP implements the W3C WebAuthn Level 2 specification from scratch:

• A custom CBOR decoder parses authenticator data
• Custom ASN.1/DER builders construct public keys
• PHP’s built-in openssl_verify() verifies ECDSA P-256 (ES256) and RSA-2048 (RS256) signatures
• Credentials are stored in a dedicated database table with sign-count clone detection

Supported Authentication Methods

• 🖐 Fingerprint sensors (Touch ID, Windows Hello)
• 😊 Face recognition (Face ID, Windows Hello face camera)
• 🔑 Hardware security keys (YubiKey, Google Titan Key, Feitian)
• 🔐 Platform passkey managers (iCloud Keychain, Google Password Manager)

Features

• Full FIDO2 / WebAuthn Level 2 implementation — pure PHP
• ECDSA P-256 (ES256) and RSA-2048 (RS256) signature verification
• Zero external libraries — only PHP’s built-in openssl extension required
• Passkey registration and management from the user profile page
• Per-credential device naming, creation date, and last-used tracking
• Sign-count verification on every authentication (clone detection)
• Phishing-resistant: credentials are cryptographically bound to your domain
• Admin settings page with live usage statistics
• Graceful fallback: the standard password form remains available
• Translatable — all strings use __() with the keylesswp text domain

Privacy

KeylessWP does not collect, transmit, or share any user data. No external services are contacted. Biometric data never leaves the user’s device — only a cryptographic public key is stored on the server.