Keyless Login

Description

Keyless Login brings modern, phishing-resistant authentication to your WordPress site.

Log in with your fingerprint, face, or a hardware security key — no password ever required or transmitted. Implemented entirely in pure PHP using only the built-in openssl extension. No Composer, no vendor folder, no third-party libraries.

How It Works

KeylessWP implements the W3C WebAuthn Level 2 specification from scratch:

  • A custom CBOR decoder parses authenticator data
  • Custom ASN.1/DER builders construct public keys
  • PHP’s built-in openssl_verify() verifies ECDSA P-256 (ES256) and RSA-2048 (RS256) signatures
  • Credentials are stored in a dedicated database table with sign-count clone detection
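An added example of the assertion check these pieces add up to for ES256, written for this page and not taken from the plugin's source; the function names, the example.test relying-party ID and the sample values are assumptions. It wraps the COSE x/y coordinates in a DER SubjectPublicKeyInfo, verifies the signature over authenticatorData || SHA-256(clientDataJSON) with openssl_verify(), and applies the sign-count rule. Challenge, origin and type checks on clientDataJSON are assumed to happen elsewhere.

```php
<?php
// Added example; function names are hypothetical, not the plugin's API.
const P256_SPKI_PREFIX = '3059301306072a8648ce3d020106082a8648ce3d030107034200'; // id-ecPublicKey, prime256v1

// Wrap COSE EC2 coordinates (x, y) in a DER SubjectPublicKeyInfo and return it as PEM.
function es256_pem(string $x, string $y): string {
    $point = "\x04" . str_pad($x, 32, "\0", STR_PAD_LEFT) . str_pad($y, 32, "\0", STR_PAD_LEFT);
    $der = hex2bin(P256_SPKI_PREFIX) . $point;
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split(base64_encode($der), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Returns the new sign count to store on success; throws on any failed check.
function verify_assertion(string $authData, string $clientDataJSON, string $sig,
                          string $pem, string $rpId, int $storedCount): int {
    if (strlen($authData) < 37) throw new RuntimeException('authenticator data too short');
    if (!hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32)))
        throw new RuntimeException('rpIdHash mismatch');      // credential is bound to the domain
    if ((ord($authData[32]) & 0x01) === 0) throw new RuntimeException('user not present');
    // The authenticator signs authenticatorData || SHA-256(clientDataJSON); ES256 signatures are DER.
    $signed = $authData . hash('sha256', $clientDataJSON, true);
    if (openssl_verify($signed, $sig, $pem, OPENSSL_ALGO_SHA256) !== 1)
        throw new RuntimeException('bad signature');
    $count = unpack('N', substr($authData, 33, 4))[1];        // 32-bit big-endian counter
    // Both zero means the authenticator keeps no counter; otherwise it must strictly increase.
    if (($count !== 0 || $storedCount !== 0) && $count <= $storedCount)
        throw new RuntimeException('sign count did not increase: possible cloned credential');
    return $count;
}

// Constructed sample: a throwaway P-256 key stands in for the authenticator.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$ec = openssl_pkey_get_details($key)['ec'];
$pem = es256_pem($ec['x'], $ec['y']);
$clientData = '{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ","origin":"https://example.test"}';
$authData = hash('sha256', 'example.test', true) . "\x05" . pack('N', 42); // flags UP|UV, counter 42
openssl_sign($authData . hash('sha256', $clientData, true), $sig, $key, OPENSSL_ALGO_SHA256);

echo verify_assertion($authData, $clientData, $sig, $pem, 'example.test', 41), "\n";
try {
    // Same assertion replayed against a stored counter that is already 42.
    verify_assertion($authData, $clientData, $sig, $pem, 'example.test', 42);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```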

Supported Authentication Methods

  • 🖐 Fingerprint sensors (Touch ID, Windows Hello)
  • 😊 Face recognition (Face ID, Windows Hello face camera)
  • 🔑 Hardware security keys (YubiKey, Google Titan Key, Feitian)
  • 🔐 Platform passkey managers (iCloud Keychain, Google Password Manager)

Features

  • Full FIDO2 / WebAuthn Level 2 implementation — pure PHP
  • ECDSA P-256 (ES256) and RSA-2048 (RS256) signature verification
  • Zero external libraries — only PHP’s built-in openssl extension required
  • Passkey registration and management from the user profile page
  • Per-credential device naming, creation date, and last-used tracking
  • Sign-count verification on every authentication (clone detection)
  • Phishing-resistant: credentials are cryptographically bound to your domain
  • Admin settings page with live usage statistics
  • Graceful fallback: the standard password form remains available
  • Translatable — all strings use __() with the keylesswp text domain

Privacy

KeylessWP does not collect, transmit, or share any user data. No external services are contacted. Biometric data never leaves the user’s device — only a cryptographic public key is stored on the server.

Installation

  1. Upload the keylesswp folder to /wp-content/plugins/
  2. Activate the plugin via Plugins → Installed Plugins
  3. Go to Users → Your Profile and click Register New Passkey
  4. Follow your device’s biometric or security-key prompt
  5. Log out and click Sign in with Passkey on the login page

Requirements

  • PHP 8.0 or higher
  • PHP openssl extension (enabled by default on virtually all hosts)
  • HTTPS — required by the WebAuthn browser API
  • WordPress 6.4 or higher

FAQ

Does this plugin require any external library or Composer?

No. Everything — CBOR decoding, ASN.1/DER key building, ECDSA and RSA verification — is implemented in pure PHP using only the openssl extension that ships with PHP.

Does this work without HTTPS?

No. The WebAuthn browser API will refuse to run on non-secure origins. All modern WordPress hosting provides HTTPS.

Can users still log in with their password?

Yes. By default, the standard password form remains visible alongside the passkey button. You can change this under Settings → Keyless Login.

What data is stored on the server?

Only the credential ID, public key (PEM format), sign count, device name, and timestamps. Biometric data is processed entirely on the user’s device and never transmitted.

Is this compatible with multisite?

Single-site support is the focus of v1.0. Multisite compatibility is planned for v1.1.

Privacy Policy

This plugin does not send any data to external servers. No tracking, no analytics, no third-party services are used. On uninstall, all plugin data is deleted from the database.

Contributors & Developers

“Keyless Login” is open source software.

Changelog

1.0.0

  • Initial release
  • Pure PHP CBOR decoder (RFC 7049)
  • Pure PHP WebAuthn attestation and assertion verifier
  • ES256 (ECDSA P-256) and RS256 (RSA-2048) support
  • Custom DB table with sign-count clone detection
  • Complete registration and authentication flows
  • Admin settings page with usage statistics
  • Full i18n support with keylesswp text domain