{"id":304681,"date":"2026-05-20T17:09:46","date_gmt":"2026-05-20T17:09:46","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/saksh-passkeys\/"},"modified":"2026-05-20T16:54:22","modified_gmt":"2026-05-20T16:54:22","slug":"keyless-login","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/keyless-login\/","author":12189875,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"trunk","tested":"6.9.4","requires":"6.4","requires_php":"8.0","requires_plugins":null,"header_name":"Keyless Login","header_author":"susheelhbti","header_description":"Passwordless WebAuthn\/FIDO2 login for WordPress. Pure PHP, zero external dependencies. Supports biometrics, Face ID, fingerprint, and hardware security keys.","assets_banners_color":"","last_updated":"2026-05-20 16:54:22","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"https:\/\/profiles.wordpress.org\/susheelhbti\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":22,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"1.0.0":"<p>Initial release. No upgrade steps required.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"The login page with the \"Sign in with Passkey\" button above the password form.","2":"The user profile page showing the passkey management section.","3":"The admin settings page with live usage statistics."}},"plugin_section":[],"plugin_tags":[183348,218738,9223,600,183349],"plugin_category":[54],"plugin_contributors":[88952],"plugin_business_model":[],"class_list":["post-304681","plugin","type-plugin","status-publish","hentry","plugin_tags-fido2","plugin_tags-passkey","plugin_tags-passwordless","plugin_tags-security","plugin_tags-webauthn","plugin_category-security-and-spam-protection","plugin_contributors-susheelhbti","plugin_committers-susheelhbti"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/keyless-login.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Keyless Login<\/strong> brings modern, phishing-resistant authentication to your WordPress site.<\/p>\n\n<p>Log in with your fingerprint, face, or a hardware security key \u2014 no password ever required or transmitted. Implemented entirely in pure PHP using only the built-in <code>openssl<\/code> extension. No Composer, no vendor folder, no third-party libraries.<\/p>\n\n<h4>How It Works<\/h4>\n\n<p>KeylessWP implements the <a href=\"https:\/\/www.w3.org\/TR\/webauthn-2\/\">W3C WebAuthn Level 2<\/a> specification from scratch:<\/p>\n\n<ul>\n<li>A custom CBOR decoder parses authenticator data<\/li>\n<li>Custom ASN.1\/DER builders construct public keys<\/li>\n<li>PHP's built-in <code>openssl_verify()<\/code> verifies ECDSA P-256 (ES256) and RSA-2048 (RS256) signatures<\/li>\n<li>Credentials are stored in a dedicated database table with sign-count clone detection<\/li>\n<\/ul>\n\n<h4>Supported Authentication Methods<\/h4>\n\n<ul>\n<li>\ud83d\udd90 Fingerprint sensors (Touch ID, Windows Hello)<\/li>\n<li>\ud83d\ude0a Face recognition (Face ID, Windows Hello face camera)<\/li>\n<li>\ud83d\udd11 Hardware security keys (YubiKey, Google Titan Key, Feitian)<\/li>\n<li>\ud83d\udd10 Platform passkey managers (iCloud Keychain, Google Password Manager)<\/li>\n<\/ul>\n\n<h4>Features<\/h4>\n\n<ul>\n<li>Full FIDO2 \/ WebAuthn Level 2 implementation \u2014 pure PHP<\/li>\n<li>ECDSA P-256 (ES256) and RSA-2048 (RS256) signature verification<\/li>\n<li>Zero external libraries \u2014 only PHP's built-in <code>openssl<\/code> extension required<\/li>\n<li>Passkey registration and management from the user profile page<\/li>\n<li>Per-credential device naming, creation date, and last-used tracking<\/li>\n<li>Sign-count verification on every authentication (clone detection)<\/li>\n<li>Phishing-resistant: credentials are cryptographically bound to your domain<\/li>\n<li>Admin settings page with live usage statistics<\/li>\n<li>Graceful fallback: the standard password form remains available<\/li>\n<li>Translatable \u2014 all strings use <code>__()<\/code> with the <code>keylesswp<\/code> text domain<\/li>\n<\/ul>\n\n<h4>Privacy<\/h4>\n\n<p>KeylessWP does not collect, transmit, or share any user data. No external services are contacted. Biometric data never leaves the user's device \u2014 only a cryptographic public key is stored on the server.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>keylesswp<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin via <strong>Plugins \u2192 Installed Plugins<\/strong><\/li>\n<li>Go to <strong>Users \u2192 Your Profile<\/strong> and click <strong>Register New Passkey<\/strong><\/li>\n<li>Follow your device's biometric or security-key prompt<\/li>\n<li>Log out and click <strong>Sign in with Passkey<\/strong> on the login page<\/li>\n<\/ol>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>PHP 8.0 or higher<\/li>\n<li>PHP <code>openssl<\/code> extension (enabled by default on virtually all hosts)<\/li>\n<li>HTTPS \u2014 required by the WebAuthn browser API<\/li>\n<li>WordPress 6.4 or higher<\/li>\n<\/ul>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20require%20any%20external%20library%20or%20composer%3F\"><h3>Does this plugin require any external library or Composer?<\/h3><\/dt>\n<dd><p>No. Everything \u2014 CBOR decoding, ASN.1\/DER key building, ECDSA and RSA verification \u2014 is implemented in pure PHP using only the <code>openssl<\/code> extension that ships with PHP.<\/p><\/dd>\n<dt id=\"does%20this%20work%20without%20https%3F\"><h3>Does this work without HTTPS?<\/h3><\/dt>\n<dd><p>No. The WebAuthn browser API will refuse to run on non-secure origins. All modern WordPress hosting provides HTTPS.<\/p><\/dd>\n<dt id=\"can%20users%20still%20log%20in%20with%20their%20password%3F\"><h3>Can users still log in with their password?<\/h3><\/dt>\n<dd><p>Yes. By default, the standard password form remains visible alongside the passkey button. You can change this under <strong>Settings \u2192 Keyless Login<\/strong>.<\/p><\/dd>\n<dt id=\"what%20data%20is%20stored%20on%20the%20server%3F\"><h3>What data is stored on the server?<\/h3><\/dt>\n<dd><p>Only the credential ID, public key (PEM format), sign count, device name, and timestamps. Biometric data is processed entirely on the user's device and never transmitted.<\/p><\/dd>\n<dt id=\"is%20this%20compatible%20with%20multisite%3F\"><h3>Is this compatible with multisite?<\/h3><\/dt>\n<dd><p>Single-site support is the focus of v1.0. Multisite compatibility is planned for v1.1.<\/p><\/dd>\n<dt id=\"privacy%20policy\"><h3>Privacy Policy<\/h3><\/dt>\n<dd><p>This plugin does not send any data to external servers. No tracking, no analytics, no third-party services are used. On uninstall, all plugin data is deleted from the database.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Pure PHP CBOR decoder (RFC 7049)<\/li>\n<li>Pure PHP WebAuthn attestation and assertion verifier<\/li>\n<li>ES256 (ECDSA P-256) and RS256 (RSA-2048) support<\/li>\n<li>Custom DB table with sign-count clone detection<\/li>\n<li>Complete registration and authentication flows<\/li>\n<li>Admin settings page with usage statistics<\/li>\n<li>Full i18n support with <code>keylesswp<\/code> text domain<\/li>\n<\/ul>","raw_excerpt":"Passwordless WebAuthn\/FIDO2 login for WordPress. 100% pure PHP, zero external dependencies.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/304681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=304681"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/susheelhbti"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=304681"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=304681"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=304681"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=304681"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=304681"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=304681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}