=== Keyless Login ===
Contributors: susheelhbti
Tags: passkey, webauthn, passwordless, fido2, security
Requires at least: 6.4
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Passwordless WebAuthn/FIDO2 login for WordPress. 100% pure PHP, zero external dependencies.

== Description ==

**Keyless Login** brings modern, phishing-resistant authentication to your WordPress site.

Log in with your fingerprint, face, or a hardware security key — no password ever required or transmitted. Implemented entirely in pure PHP using only the built-in `openssl` extension. No Composer, no vendor folder, no third-party libraries.

= How It Works =

KeylessWP implements the [W3C WebAuthn Level 2](https://www.w3.org/TR/webauthn-2/) specification from scratch:

* A custom CBOR decoder parses authenticator data
* Custom ASN.1/DER builders construct public keys
* PHP's built-in `openssl_verify()` verifies ECDSA P-256 (ES256) and RSA-2048 (RS256) signatures
* Credentials are stored in a dedicated database table with sign-count clone detection
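
The assertion check outlined in the list above, sketched for an ES256 credential as an added example (not KeylessWP's own code): it wraps the raw P-256 coordinates in a DER SubjectPublicKeyInfo, verifies the signature with `openssl_verify()`, and applies the sign-count rule. The function names, the `example.com` RP ID and the demo values are assumptions, and the challenge and origin checks on `clientDataJSON` are left out.

```php
<?php
// Added example, not KeylessWP's code; function names and sample values are hypothetical.
// Wrap raw COSE EC2 coordinates (32-byte x and y) in a DER SubjectPublicKeyInfo.
function p256_spki_pem(string $x, string $y): string {
    if (strlen($x) !== 32 || strlen($y) !== 32) {
        throw new InvalidArgumentException('P-256 coordinates must be 32 bytes each');
    }
    // SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING { 04 || x || y } }
    $der = hex2bin('3059301306072a8648ce3d020106082a8648ce3d030107034200') . "\x04" . $x . $y;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($der), 64, "\n")
         . "-----END PUBLIC KEY-----\n";
}

// Check RP ID hash, user-presence flag, ES256 signature and sign count; return the new count.
function verify_assertion(string $authData, string $clientDataJSON, string $sig,
                          string $pem, string $rpId, int $storedCount): int {
    if (strlen($authData) < 37) {
        throw new RuntimeException('authenticator data too short');
    }
    if (!hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32))) {
        throw new RuntimeException('rpIdHash does not match this site');
    }
    if ((ord($authData[32]) & 0x01) === 0) {
        throw new RuntimeException('user-presence flag not set');
    }
    // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    $signed = $authData . hash('sha256', $clientDataJSON, true);
    if (openssl_verify($signed, $sig, $pem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature verification failed');
    }
    $count = unpack('N', substr($authData, 33, 4))[1]; // big-endian uint32
    // Both zero: the authenticator keeps no counter. Otherwise it must strictly increase.
    if (($count !== 0 || $storedCount !== 0) && $count <= $storedCount) {
        throw new RuntimeException('sign count did not increase: possible cloned authenticator');
    }
    return $count;
}

// Constructed demo: a throwaway key pair stands in for the authenticator.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$ec  = openssl_pkey_get_details($key)['ec'];
$pem = p256_spki_pem(str_pad($ec['x'], 32, "\0", STR_PAD_LEFT), str_pad($ec['y'], 32, "\0", STR_PAD_LEFT));
$authData   = hash('sha256', 'example.com', true) . "\x01" . pack('N', 6);
$clientData = '{"type":"webauthn.get","challenge":"constructed","origin":"https://example.com"}';
openssl_sign($authData . hash('sha256', $clientData, true), $sig, $key, OPENSSL_ALGO_SHA256);
echo verify_assertion($authData, $clientData, $sig, $pem, 'example.com', 5), "\n"; // stored count 5
try {
    verify_assertion($authData, $clientData, $sig, $pem, 'example.com', 6); // counter not advanced
} catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```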

= Supported Authentication Methods =

* 🖐 Fingerprint sensors (Touch ID, Windows Hello)
* 😊 Face recognition (Face ID, Windows Hello face camera)
* 🔑 Hardware security keys (YubiKey, Google Titan Key, Feitian)
* 🔐 Platform passkey managers (iCloud Keychain, Google Password Manager)

= Features =

* Full FIDO2 / WebAuthn Level 2 implementation — pure PHP
* ECDSA P-256 (ES256) and RSA-2048 (RS256) signature verification
* Zero external libraries — only PHP's built-in `openssl` extension required
* Passkey registration and management from the user profile page
* Per-credential device naming, creation date, and last-used tracking
* Sign-count verification on every authentication (clone detection)
* Phishing-resistant: credentials are cryptographically bound to your domain
* Admin settings page with live usage statistics
* Graceful fallback: the standard password form remains available
* Translatable — all strings use `__()` with the `keylesswp` text domain

= Privacy =

KeylessWP does not collect, transmit, or share any user data. No external services are contacted. Biometric data never leaves the user's device — only a cryptographic public key is stored on the server.

== Installation ==

1. Upload the `keylesswp` folder to `/wp-content/plugins/`
2. Activate the plugin via **Plugins → Installed Plugins**
3. Go to **Users → Your Profile** and click **Register New Passkey**
4. Follow your device's biometric or security-key prompt
5. Log out and click **Sign in with Passkey** on the login page

= Requirements =

* PHP 8.0 or higher
* PHP `openssl` extension (enabled by default on virtually all hosts)
* HTTPS — required by the WebAuthn browser API
* WordPress 6.4 or higher

== Frequently Asked Questions ==

= Does this plugin require any external library or Composer? =

No. Everything — CBOR decoding, ASN.1/DER key building, ECDSA and RSA verification — is implemented in pure PHP using only the `openssl` extension that ships with PHP.

= Does this work without HTTPS? =

No. The WebAuthn browser API will refuse to run on non-secure origins. All modern WordPress hosting provides HTTPS.

= Can users still log in with their password? =

Yes. By default, the standard password form remains visible alongside the passkey button. You can change this under **Settings → Keyless Login**.

= What data is stored on the server? =

Only the credential ID, public key (PEM format), sign count, device name, and timestamps. Biometric data is processed entirely on the user's device and never transmitted.

= Is this compatible with multisite? =

Single-site support is the focus of v1.0. Multisite compatibility is planned for v1.1.

= Privacy Policy =

This plugin does not send any data to external servers. No tracking, no analytics, no third-party services are used. On uninstall, all plugin data is deleted from the database.

== Screenshots ==

1. The login page with the "Sign in with Passkey" button above the password form.
2. The user profile page showing the passkey management section.
3. The admin settings page with live usage statistics.

== Changelog ==

= 1.0.0 =
* Initial release
* Pure PHP CBOR decoder (RFC 7049)
* Pure PHP WebAuthn attestation and assertion verifier
* ES256 (ECDSA P-256) and RS256 (RSA-2048) support
* Custom DB table with sign-count clone detection
* Complete registration and authentication flows
* Admin settings page with usage statistics
* Full i18n support with `keylesswp` text domain

== Upgrade Notice ==

= 1.0.0 =
Initial release. No upgrade steps required.
