Authentry - Face ID, Fingerprint & Passkey Login
| 开发者 | hosseinalehabib |
|---|---|
| 更新时间 | 2026年5月30日 21:18 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPL-2.0+ |
| 版权网址: | 版权信息 |
详情介绍:
- 🚫 Zero-password login: tap a fingerprint or glance at the camera to sign in instantly
- 👆 Full biometric support: Face ID, Touch ID, Android fingerprint, and Windows Hello
- 👤 Usernameless sign-in: passkey account discovery lets users skip typing their email entirely, with a smart fallback for unsupported devices
- 🛡️ FIDO2 / WebAuthn compliant: follows the W3C WebAuthn Level 2 specification
- 🔑 ES256 and RS256 support: works with all major authenticator types
- 🛒 Full WooCommerce integration: passkey buttons on login and registration forms, plus a Security Keys tab in My Account
- ⚙️ User profile management: view, rename, and delete passkeys from WP Admin, WooCommerce My Account, or any page via the
[authentry_manage]shortcode - 📌 Three ready-to-use shortcodes:
[authentry_button]to sign in,[authentry_register]to add a passkey,[authentry_manage]for the full management UI - 🧰 Developer-friendly hooks: filters and actions for complete customization
- 🎨 Tabbed settings page: General, Appearance, Security, Advanced, and Integration
- ⏱️ Rate limiting: transient-based, 10 requests per IP per minute
- 🔄 Replay attack protection: sign count strictly enforced per credential
- 🌙 Dark mode support: full CSS dark mode included out of the box
- Chrome 67+ (desktop and Android)
- Safari 16+ (macOS and iOS)
- Firefox 60+
- Microsoft Edge 18+
- Samsung Internet 9.0+
[authentry_button label="Sign in with Passkey" style="default" redirect="" class=""]
Add a Passkey (logged-in users only)
[authentry_register label="Add a passkey" style="default" class="" reload="1"]
Omit label to use the value set in Appearance settings. Set reload="0" to stay on the page after a successful registration.
Full Passkey Management UI (logged-in users only)
[authentry_manage class="" title=""]
Lists all passkeys with rename, delete, and add controls, the same UI shown in WooCommerce My Account and the WP Admin profile page. Scripts load automatically.
Shortcode Attributes - [authentry_button]
label: button text (default: from Appearance settings)style:default,outline, orghostredirect: URL to send the user after a successful loginclass: additional CSS class names
[authentry_register]
label: button text (default: from Appearance settings)style:default,outline, orghostclass: extra CSS class on the wrapperreload:1(default) reloads the page after registration;0,false, ornostays on the current page
[authentry_manage]
class: extra CSS class on the wrappertitle: optional section heading (default: "Security Keys"; also filterable viaauthentry_manage_heading)
- Edit your custom login page
- Add a Shortcode block:
[authentry_button]
- Optionally, pass attributes:
[authentry_button label="Sign in with Passkey" redirect="https://yoursite.com/my-account/" style="outline"]
Authentry automatically enqueues its CSS and JavaScript on standard front-end pages. No extra setup needed.
Alternative: PHP Template
In your login template file:
do_action( 'authentry_render_button', [ 'redirect' => home_url( '/my-account/' ) ] );
Any missing keys fall back to your Authentry > Appearance and General settings.
Username / Email Field (non-usernameless flow)
When usernameless login is off, or when a browser falls back from discovery mode, Authentry looks for a username or email field using these selectors:
#user_login(WordPress default)input[name="username"]input[name="email"]
[authentry_manage]
Or just the "Add a passkey" button with no list:
[authentry_register]
In a theme template:
do_action( 'authentry_render_manage', [ 'title' => 'Security Keys' ] );
Page Builders & Late-Rendered Output
If the button is printed after wp_enqueue_scripts, for example in some page builders or AJAX-loaded forms, fire this hook once before output:
do_action( 'authentry_enqueue_public_assets' );
The [authentry_register] and [authentry_manage] shortcodes handle this automatically. Use the same hook in custom templates if styles or scripts appear to be missing.
Redirects & Customization
- Per-button redirect:
redirectattribute on[authentry_button], or theredirectkey inauthentry_render_button - Global redirect: Authentry > General > Redirect URL after login, or the
authentry_redirect_urlfilter - Button HTML:
authentry_button_htmlfilter
/wp-json/authentry/v1/...). The global window.Authentry object is also available for advanced JavaScript integrations.
Hook-Only Example (theme login template)
Step 1 - In your login markup:
do_action( 'authentry_render_button', [ 'context' => 'my-theme-login' ] );
Step 2 - In functions.php or your login class:
add_filter( 'authentry_login_username_selectors', function( $selectors ) { $selectors[] = '#my-login-email'; return $selectors; } );
add_filter( 'authentry_redirect_url', function( $url, $user ) { return home_url( '/account/' ); }, 10, 2 );
🧑💻 Developer Hooks
Actions - Render UI in Theme Templates
do_action( 'authentry_render_button', $args );
do_action( 'authentry_render_manage', [ 'class' => '', 'title' => '' ] );
do_action( 'authentry_render_passkey_reminder', [ 'context' => 'member-dashboard' ] );
Filters
authentry_creation_options: modify WebAuthn credential creation optionsauthentry_request_options: modify WebAuthn authentication request optionsauthentry_redirect_url: modify the post-login redirect URLauthentry_button_html: modify the rendered login button HTMLauthentry_register_shortcode_html: modify the rendered[authentry_register]HTMLauthentry_manage_shortcode_html: modify the rendered[authentry_manage]HTMLauthentry_manage_heading: modify the section heading on the management UIauthentry_render_manage_args: adjust args beforeauthentry_render_manageoutputauthentry_render_button_args: adjust args beforeauthentry_render_buttonoutputauthentry_login_username_selectors: CSS selectors for username/email fields on custom login formsauthentry_user_has_passkey: filter whether a user has at least one registered passkeyauthentry_show_passkey_reminder: control the built-in passkey setup reminder noticeauthentry_passkey_reminder_profile_url: change the profile URL linked from the built-in reminder
authentry_has_passkey:1when the user has at least one passkey, otherwise0(kept in sync automatically)
authentry_user_has_passkey( $user_id = 0 ): returns true when the user has registered at least one passkeyauthentry_render_passkey_reminder( $args ): echo the built-in reminder in a custom template or panelauthentry_get_passkey_reminder_html( $args ): return the reminder HTML as a string
authentry_enqueue_public_assets: enqueue public CSS/JS (useful when output is built late)authentry_before_manage_passkeys/authentry_after_manage_passkeys: fires before/after the management UI blockauthentry_before_render_login_button: fires before sign-in button HTML is echoed in custom templatesauthentry_after_render_login_button: fires after sign-in button HTML is echoed in custom templates
安装:
- Upload the
authentryfolder to/wp-content/plugins/. - Activate the plugin via the Plugins menu in WordPress.
- Go to Authentry in the WordPress admin sidebar and configure your settings.
- Your site must be served over HTTPS. WebAuthn requires a secure context. This is a strict browser-level requirement and cannot be overridden.
屏幕截图:
常见问题:
🔒 Does Authentry require HTTPS?
Yes. The WebAuthn standard requires a secure context (HTTPS). Authentry will not work on HTTP sites. This is a browser-level security requirement and cannot be overridden.
🔑 Will this remove the password login form?
No. By default, the passkey button is added alongside the existing login form. Users can still log in with their username and password. You can optionally configure Authentry to replace the password field entirely.
👤 Can users log in without entering a username?
Yes Enable "Enable usernameless passkey login" in settings to allow discoverable-credential login where the authenticator and browser support it. If account discovery isn't available on a device, Authentry automatically falls back to the standard username/email + passkey flow.
📱 Which authenticators are supported?
Any FIDO2-compatible authenticator works, including:
- Platform authenticators: Touch ID, Face ID, Windows Hello, Android fingerprint
- Roaming authenticators: YubiKey, Google Titan Key, and similar hardware security keys
👆 Does this support Face ID and fingerprint login?
Yes On compatible devices and browsers, users can authenticate using Face ID, Touch ID, Android fingerprint, or Windows Hello, all through the standard WebAuthn passkey flow.
💡 Why offer passkey login to subscribers and customers?
Most people already trust biometrics to unlock their phone. Passkeys use the same built-in device security, so signing into your site feels as natural as unlocking a screen: one touch or one glance instead of typing a password. Less friction at checkout, in member areas, and on return visits, all while staying fully phishing-resistant.
🔢 How many passkeys can a user register?
The default limit is 5 passkeys per user. You can adjust this (from 1 to 20) under Authentry > Security.
🛒 Is Authentry compatible with WooCommerce?
Yes Authentry adds passkey buttons to WooCommerce login and registration forms, and can display passkey management in My Account (toggle Show passkeys in WooCommerce My Account under Authentry > General). You can choose between:
- Separate menu item (endpoint): a dedicated Security Keys tab
- Inside Account details (edit profile): passkeys embedded on the account settings screen
🛡️ Is it safe? How is replay attack protection handled?
Each authentication uses a cryptographically random 32-byte challenge stored as a single-use transient. The challenge is deleted immediately after verification. Sign counts are tracked per credential. If the received count is not strictly greater than the stored count, authentication is rejected, indicating a possible cloned authenticator. All signatures are cryptographically verified using OpenSSL.
💾 Where are passkeys stored?
Passkey public keys are stored in a custom database table ({prefix}authentry_credentials). The private key never leaves the user's device. Only the public key is ever sent to your server.
🌐 Can I use Authentry on a WordPress Multisite network?
Authentry is compatible with WordPress Multisite but operates on a per-site basis. Each site in the network maintains its own credential table and settings.
⚡ Does it work with caching plugins?
Yes. The REST API endpoints used by Authentry bypass full-page caching automatically (they return JSON, not HTML). No special configuration is required for most caching plugins.
📵 What happens if a user loses their device?
The user can still log in with their password (if they remember it), then remove the lost device's passkey from their profile. Administrators can also delete credentials directly from the user's profile in WP Admin.
🎨 I use a custom login page. How do I add passkey login?
Place [authentry_button] on your custom login page, or call do_action( 'authentry_render_button' ); in your login template.
Disable Enable on WordPress login form under Authentry > General if you don't use wp-login.php. See the Custom Login Pages section above for full details on username fields, redirects, and enrollment using [authentry_register].
更新日志:
- Added optional passkey setup reminder notices for users without a registered passkey (Authentry > General).
- Added
authentry_user_has_passkey()helper,authentry_user_has_passkeyfilter, andauthentry_has_passkeyuser meta for custom integrations. - Added
authentry_render_passkey_reminderaction and helper functions for custom account panels. - WooCommerce reminder displays inside My Account(if enable in setting).
- Admin can choose whether the reminder stays visible until a passkey is added, or reappears after a configurable number of days once dismissed.
- Initial release.