Report URI has open-sourced passkeys-php, an MIT-licensed PHP WebAuthn server library forked from lbuchs/WebAuthn at v2.2.0. The fork was created after a penetration test revealed several WebAuthn conformance issues in the upstream library, which has since gone dormant. Key security fixes include a tighter RP-ID origin check (preventing evil-example.com from matching example.com), cross-origin ceremony rejection, hardening of the 'none' attestation path, backup flag validation, and Token Binding rejection. The most significant change is the complete removal of attestation verification — over 1,100 lines deleted — leaving only the 'none' attestation format supported. This deliberate trade-off reduces attack surface for the common SaaS passkey use case where enterprise attestation is not needed. The library is PSR-4 autoloaded, installable via Composer, and is already running in production on Report URI.
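Added illustration, not code from passkeys-php or lbuchs/WebAuthn: a label-boundary origin-vs-RP-ID check (so evil-example.com cannot pass for example.com) and a clientDataJSON validation that rejects cross-origin ceremonies and any Token Binding data, as the summary describes. It assumes https-only origins, a base64url challenge already stored per session, and hypothetical function names of its own.

```php
<?php
declare(strict_types=1);
// Hardened origin check: scheme must be https and the host must be the RP ID
// itself or a subdomain of it (preceded by a '.'), never a mere string suffix.
function originMatchesRpId(string $origin, string $rpId): bool
{
    $p = parse_url($origin);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $host = strtolower(rtrim($p['host'], '.'));
    $rpId = strtolower(rtrim($rpId, '.'));
    if (strtolower($p['scheme']) !== 'https' || $rpId === '') {
        return false;
    }
    return $host === $rpId || str_ends_with($host, '.' . $rpId);
}

// Validates decoded clientDataJSON: type, challenge, origin, then rejects
// cross-origin ceremonies and Token Binding. Returns null on success.
function checkClientData(array $cd, string $expectedType, string $expectedChallengeB64u, string $rpId): ?string
{
    if (($cd['type'] ?? null) !== $expectedType) {
        return 'unexpected type';
    }
    if (!is_string($cd['challenge'] ?? null) || !hash_equals($expectedChallengeB64u, $cd['challenge'])) {
        return 'challenge mismatch';
    }
    if (!is_string($cd['origin'] ?? null) || !originMatchesRpId($cd['origin'], $rpId)) {
        return 'origin does not match RP ID';
    }
    if (($cd['crossOrigin'] ?? false) === true) {
        return 'cross-origin ceremony rejected';
    }
    if (array_key_exists('tokenBinding', $cd)) {
        return 'token binding not supported';
    }
    return null;
}

// Constructed sample clientData objects (not real captures).
$challenge = 'dGVzdC1jaGFsbGVuZ2U';
$good = ['type' => 'webauthn.get', 'challenge' => $challenge, 'origin' => 'https://login.example.com', 'crossOrigin' => false];
$bad  = ['type' => 'webauthn.get', 'challenge' => $challenge, 'origin' => 'https://evil-example.com'];
$xo = $good; $xo['crossOrigin'] = true;
foreach (['good' => $good, 'lookalike' => $bad, 'cross-origin' => $xo] as $name => $cd) {
    printf("%-13s %s\n", $name, checkClientData($cd, 'webauthn.get', $challenge, 'example.com') ?? 'ok');
}
```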