Forum Replies Created

Viewing 15 replies - 16 through 30 (of 52 total)
  • Plugin Author Axton

    (@axton)

    Hi niezmywalny,

    I’ve tested the plugin on a clean install and also a site moved from another (database exported by phpMyAdmin as you mentioned), both work fine. Since transient is a WordPress built-in feature, I’m not really sure of the reason for the error: too many possibilities. Really sorry about that. If you are willing, please contact me by email (i at yrc.me) or WordPress Slack (check my profile) for direct communication so I can figure out the problem.

    Plugin Author Axton

    (@axton)

    Hi niezmywalny,
    Yes, transient is stored in the database (or in the memory, if there is a memory-based caching plugin). I believe they are stored in wp_options with the _transient_ prefix. Deleting all transients in your database or performing a clean install may work as a temporary workaround. I’ll try to reproduce the error you have by following your steps anyway.

    Plugin Author Axton

    (@axton)

    Hi niezmywalny,

    Sorry for the late response. Looks like your WordPress transient is broken. WP-WebAuthn uses transient, a WordPress built-in feature, to safely store information temporarily across requests. But transient can be broken by some caching plugins sometimes. Have you installed any caching plugin recently?

    Plugin Author Axton

    (@axton)

    Hi,

    Sorry for the late response; I was on holiday for the last few days.

    This plug-in simply detects if the function sodium_crypto_sign_detached provided by Sodium exists (function_exists('sodium_crypto_sign_detached')). If you are sure this function works you can just ignore the warning. But this should work on PHP 7.2+ if Sodium is installed. More info is needed.

    Plugin Author Axton

    (@axton)

    Hi My1,

    That’s a great idea and I’ll definitely look into it. This may introduce security risks, so this needs to be designed carefully and the result may be different from what you mentioned.

    Plugin Author Axton

    (@axton)

    Hi timmitra,

    WP-WebAuthn detects sodium by checking whether the corresponding functions are available. Please make sure the extension is enabled in php.ini.

    Sorry for the late response since the email notification is lost somehow.

    Plugin Author Axton

    (@axton)

    Hi teeboy4real,

    Will definitely look into it. Sorry for the late response since the email notification is lost somehow.

    Forum: Plugins
    In reply to: [WP-WebAuthn] WebAuthn
    Plugin Author Axton

    (@axton)

    Hi,

    When using “Preferred”, we do not care about the UV flag, so it cannot really improve the security (but in some cases, it does improve the security). The main reason here is that some devices, like devices running iOS/iPadOS 13 and below, do not support values other than “Discouraged”, so we use “Discouraged” here for the best compatibility.

    If you really want to use “Preferred”, I believe I can add an option to the plugin in the next version.

    Sorry for the delay.

    Plugin Author Axton

    (@axton)

    Hi,

    I’m not a cPanel user, but I found this article and it may be helpful: https://support.cpanel.net/hc/en-us/articles/360056786594-How-to-install-the-libsodium-cryptographic-library-and-PHP-extension-on-cPanel

    Sodium is a modern encryption/decryption library. WP-WebAuthn uses it to keep the logging-in process secure. It’s a PHP built-in extension since PHP 7.2.0. I’m not sure why cPanel doesn’t install it.

    Plugin Author Axton

    (@axton)

    Android doesn’t support user verification and user verification will not be supported in a short time. So that’s a compromise. You can track this issue here: https://bugs.chromium.org/p/chromium/issues/detail?id=997538

    I believe for most users the default settings are secure enough. If someone else gets your authenticator somehow, they do not know which services this authenticator has registered and which username you have used, so they cannot log in to your account. For users who have higher security expectations, they can enable the user verification feature, which is a FIDO2-only feature and will make the plugin reject all U2F authenticators.

    Anyway, I’ll add a security warning next to the user verification option in later versions of this plugin. Thank you for using WP-WebAuthn and sorry for the inconvenience.

    Plugin Author Axton

    (@axton)

    Whether it requires a PIN or not depends on your authenticator, your system and the way you register your authenticator.

    Make sure you have “user verification” enabled in the plugin settings (which is disabled by default) and re-register your authenticators. On most authenticators “user verification” makes them ask for a PIN.

    Please note that some systems do not support “user verification” (Android, for example) and that’s why “user verification” is disabled in plugin settings by default. Anyway, if you need a PIN please check that option out!

    In fact, in WebAuthn we treat the authenticator as a safe password. So you are fine if you keep the authenticator well. “user verification” is an extra protection and authenticators handle this in different ways. Most authenticators will ask for a PIN.

    Hope that could help you.

    Plugin Author Axton

    (@axton)

    Hi,

    PHP gmp is a PHP extension. WP-WebAuthn uses this extension to handle big integers, so you need to install it for your PHP to use WP-WebAuthn.

    The way to install the extension varies depending on the platform. For example, if you are using a PHP management panel you may be able to find a section to install it with one click, or you may need to run some install commands if you manage the PHP instance by yourself. Since the extension is widely used, you can find some help by simply searching for it.

    Hope this can help. I’d like to help if you offer more information.

    Plugin Author Axton

    (@axton)

    Hi corporatei,

    Sodium is a PHP extension and you need to install it to use WP-WebAuthn. We’ll enhance the extension checking UI later.

    Best, Axton

    Plugin Author Axton

    (@axton)

    Hi,

    Yes. And since WebAuthn is secure by default I recommend you not enable MFA when using WebAuthn. If you want to enable MFA for password logins, you can install the Two Factor plugin, which will enable MFA for your users. WP-WebAuthn is compatible with Two Factor and will skip MFA when a user logs in with WebAuthn.

    Hope this would help you.

    Plugin Author Axton

    (@axton)

    Hi,

    WP-WebAuthn is designed to replace the login password, not enable MFA. If you want to force WebAuthn login for your users, just go to Settings > WP-WebAuthn and set ‘Preferred login method’ to ‘WebAuthn only’. This will completely disable the password login and force all users to use WebAuthn. Please note that currently this will block new users from logging in, and we are working on making the experience better right now.

    If you want MFA functionalities but not replacing passwords with WebAuthn, please use other MFA plugins.
