🚀 Try the Live Demo - Interactive WebAuthn demo with biometric authentication

A hardware-secured identity provider for OrbitDB using WebAuthn authentication. The provider gates database access with hardware authenticators (Ledger, YubiKey, platform Passkeys, etc.): private keys never leave the secure hardware element, and the user authenticates biometrically via Passkey.
- Features
- Installation
- Quick Start
- Browser & Platform Support
- Architecture & Security
- Documentation
- Development
- Credits
- License
## Features

- 🔐 Hardware-secured authentication - Uses WebAuthn with platform authenticators (Face ID, Touch ID, Windows Hello)
- 🚫 Private keys never leave hardware - Keys are generated and stored in secure elements
- 🌐 Cross-platform compatibility - Works across modern browsers and platforms
- 📱 Biometric authentication - Seamless user experience with fingerprint, face recognition, or PIN
- 🔒 Quantum-resistant - P-256 elliptic curve cryptography with hardware backing
- 🆔 DID-based identity - Generates deterministic `did:key` DIDs based on WebAuthn credentials
## Installation

```bash
npm install orbitdb-identity-provider-webauthn-did
```

## Quick Start

```javascript
import { createOrbitDB, Identities } from '@orbitdb/core'
import { WebAuthnDIDProvider, OrbitDBWebAuthnIdentityProviderFunction } from 'orbitdb-identity-provider-webauthn-did'

// `ipfs` is assumed to be an already-started IPFS (Helia) instance
const identities = await Identities({ ipfs })

// Create WebAuthn credential (triggers biometric prompt)
const credential = await WebAuthnDIDProvider.createCredential({
  userId: 'alice@example.com',
  displayName: 'Alice'
})

// Create OrbitDB identity with WebAuthn
const identity = await identities.createIdentity({
  provider: OrbitDBWebAuthnIdentityProviderFunction({ webauthnCredential: credential })
})

// Use with OrbitDB
const orbitdb = await createOrbitDB({ ipfs, identities, identity })
const db = await orbitdb.open('my-database')
```

📖 See Usage Guide for complete examples and API reference.
## Browser & Platform Support

Browsers: Chrome 67+, Firefox 60+, Safari 14+, Edge 18+
Platforms:
- macOS/iOS: Face ID, Touch ID
- Windows: Windows Hello (face, fingerprint, PIN)
- Android: Fingerprint, face unlock, screen lock
- Linux: FIDO2 security keys, fingerprint readers
Hardware Keys: Ledger, YubiKey, and other FIDO2-compliant devices
## Architecture & Security

DID Generation: DIDs are deterministically generated from the WebAuthn P-256 public key
- Format: `did:key:{base58btc-encoded-multikey}`
- Implementation: `src/index.js` lines 222-296
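To make the DID format above concrete, here is an added example (not code from this project) that derives a `did:key` from an uncompressed P-256 public key the way the README describes: compress the point, prepend the `p256-pub` multicodec prefix (code 0x1200, varint bytes 0x80 0x24), then base58btc-encode with the `z` multibase prefix. The base58 helpers, the function names and the sample key (the P-256 generator point, constructed for this example) are assumptions of this example; the project's own implementation lives in `src/index.js`. The decoder at the end is the check a verifier would run on an incoming DID before trusting it as a P-256 key.

```javascript
// Added example, not part of orbitdb-identity-provider-webauthn-did.
// Derives did:key from an uncompressed P-256 public key:
//   did:key:z + base58btc( varint(0x1200) || compressed_point )

const BASE58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
// multicodec code for p256-pub is 0x1200; as an unsigned varint that is [0x80, 0x24]
const P256_PUB_MULTICODEC = [0x80, 0x24];

function base58btcEncode(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  let out = '';
  while (n > 0n) { out = BASE58[Number(n % 58n)] + out; n /= 58n; }
  // every leading zero byte is represented by a leading '1'
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

function base58btcDecode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = BASE58.indexOf(ch);
    if (v < 0) throw new Error(`invalid base58 character ${ch}`);
    n = n * 58n + BigInt(v);
  }
  const bytes = [];
  while (n > 0n) { bytes.unshift(Number(n & 0xffn)); n >>= 8n; }
  for (const ch of str) { if (ch !== '1') break; bytes.unshift(0); }
  return Uint8Array.from(bytes);
}

// Compress a 65-byte SEC1 point (0x04 || X || Y) to 33 bytes (0x02/0x03 || X)
function compressP256(uncompressed) {
  if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
    throw new Error('expected a 65-byte uncompressed P-256 point');
  }
  const out = new Uint8Array(33);
  out[0] = (uncompressed[64] & 1) === 1 ? 0x03 : 0x02; // parity of Y selects the prefix
  out.set(uncompressed.slice(1, 33), 1);                // X coordinate
  return out;
}

function p256ToDidKey(uncompressed) {
  const compressed = compressP256(uncompressed);
  const multikey = new Uint8Array(P256_PUB_MULTICODEC.length + compressed.length);
  multikey.set(P256_PUB_MULTICODEC, 0);
  multikey.set(compressed, P256_PUB_MULTICODEC.length);
  return 'did:key:z' + base58btcEncode(multikey);
}

// Inverse: recover the compressed point from a did:key, rejecting any other key type
function didKeyToP256(did) {
  if (!did.startsWith('did:key:z')) throw new Error('not a base58btc did:key');
  const multikey = base58btcDecode(did.slice('did:key:z'.length));
  if (multikey[0] !== 0x80 || multikey[1] !== 0x24) throw new Error('not a p256-pub multikey');
  const compressed = multikey.slice(2);
  if (compressed.length !== 33 || (compressed[0] !== 0x02 && compressed[0] !== 0x03)) {
    throw new Error('malformed compressed point');
  }
  return compressed;
}

function hexToBytes(hex) {
  return Uint8Array.from(hex.match(/../g).map((h) => parseInt(h, 16)));
}

// Constructed sample input: the P-256 generator point G in uncompressed form.
// In a browser the bytes would come from the credential's public key
// (e.g. crypto.subtle.exportKey('raw', key)), which has the same 0x04||X||Y layout.
const SAMPLE_P256_PUBKEY = hexToBytes(
  '04' +
  '6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296' +
  '4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5'
);

const SAMPLE_DID = p256ToDidKey(SAMPLE_P256_PUBKEY);
console.log(SAMPLE_DID); // a P-256 did:key always starts with did:key:zDn
```

The `zDn` prefix is a quick sanity check for humans; the decoder's multicodec check is the one code should rely on, because an Ed25519 or secp256k1 `did:key` is also `z`-prefixed and differs only in the varint.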
OrbitDB Keystore: A separate secp256k1 keystore signs database operations
- Location: `./orbitdb/keystore/` (IndexedDB)
- ⚠️ Currently unencrypted: vulnerable to XSS and malicious browser extensions
- Division of labour: WebAuthn signs the identity (once), the keystore signs operations (fast)
✅ Hardware-backed authentication - Private keys never leave secure element
✅ Biometric verification - Each WebAuthn operation requires user presence
Design options discussed in the Keystore Security Architecture document:
- Keystore-based DID (instead of P-256): Better UCAN compatibility
- WebAuthn-encrypted keystore: One biometric prompt per session
- Offline-first encryption: No centralized dependencies

📖 See Keystore Security Architecture for detailed analysis
## Documentation

- Usage Guide - Complete examples and API reference
- Passkey Authentication Architecture - How WebAuthn integrates with OrbitDB
- Keystore Security Architecture - Vulnerability analysis and solutions
- PWA & Capacitor Keystore Encryption - Encryption strategies
- Lit Protocol Integration - Decentralized key management option
- WebAuthn DID and OrbitDB Identity - DID/identity relationship
## Development

- `test/` directory - Unit and integration tests
- `examples/` directory - Working demo applications

```bash
npm install   # Install dependencies
npm run build # Build the library
npm test      # Run test suite
```

Tests include unit tests and browser integration tests for WebAuthn across different platforms.
## Credits

This project builds upon:
- OrbitDB DID Identity Provider - Foundational DID implementation
- OpenFort EIP-7702 WebAuthn Sample - WebAuthn reference implementation
- Passkey Wallet Demo - Passkey wallet patterns
Contributions welcome! Please ensure all tests pass before submitting PRs.
## License

MIT License - see LICENSE file for details.
Security Disclosures: For security issues, email security@le-space.de (not GitHub issues).