Hamdy ELbatal
Vaultic: WebAuthn Authentication for Laravel – The Death of Passwords

The Death of Passwords is Here

Passwords are dead.

We all know it. You know it. Your users know it. Yet here we are in 2026, still storing password hashes like it's 2016.

The future is passwordless. And it's not coming—it's already here.

But implementing WebAuthn (FIDO2) is a nightmare: challenges, assertions, public-key cryptography, browser compatibility... the complexity is overwhelming.

Until now.

Meet Vaultic: a production-ready WebAuthn/Passkeys package for Laravel that makes passwordless authentication as simple as installing a composer package.

Face ID. Touch ID. Windows Hello. Security Keys.

All working in your Laravel app. Today.


Why Should You Care About Passkeys?

The Problem with Passwords

Issue            → Impact
🔓 Phishing      → Users fall for fake login prompts
🔑 Reuse         → Same password across 100 sites
💥 Breaches      → 33 billion passwords leaked in 2024
📞 Support cost  → Password resets waste admin time
😤 UX pain       → Users hate remembering passwords

Why Passkeys Win

🛡️  Phishing-proof            → Keys locked to YOUR domain only
📱  Biometric-first           → Face ID, Touch ID, Windows Hello
⚡  Lightning fast            → Tap instead of typing
🔐  Cryptographically secure  → FIDO2 standard (unbreakable)
🌍  Universal support         → All modern browsers, all platforms

The result?

Companies switching to passkeys report:

  • 📉 50% fewer password reset tickets
  • 90% faster login experience
  • 🚫 ~0% phishing attacks (keys can't be stolen)
  • 😊 Higher user satisfaction

What is Vaultic?

Vaultic is a Laravel package that abstracts away all the WebAuthn complexity. Think of it as the Rails framework for passkeys—you don't write boilerplate, you just ship.

Feature Checklist

Everything below ships in the package:

  • 🎯 Multi-guard support (web + API)
  • 📱 Stateful + stateless flows
  • 🎨 Pre-built Blade components
  • 📊 Activity tracking (last login, IP, device)
  • 🔄 Fallback authentication
  • 🚀 Laravel Sanctum integration
  • ⚙️ Zero configuration needed
  • 🔧 Custom WebAuthn verifier
  • 📚 Comprehensive tests
  • 🏆 Battle-tested (19+ releases)

⚡ Quick Start: Passkeys in 5 Minutes

Step 1️⃣: Install

composer require hamzi/vaultic

Step 2️⃣: Publish Assets & Migrate

php artisan vendor:publish --provider="Hamzi\\Vaultic\\VaulticServiceProvider" --tag=vaultic-config
php artisan vendor:publish --provider="Hamzi\\Vaultic\\VaulticServiceProvider" --tag=vaultic-migrations
php artisan vendor:publish --provider="Hamzi\\Vaultic\\VaulticServiceProvider" --tag=vaultic-views
php artisan migrate

Step 3️⃣: Add Button to Your Login

Blade:

<x-vaultic::passkey-button size="md" :full-width="true" />

Step 4️⃣: 🎉 Done!

Your users can now register and log in with:

  • 👤 Face ID
  • 👆 Touch ID
  • 🪟 Windows Hello
  • 🔑 Security Keys

That's it. No WebAuthn knowledge required.


🏗️ Architecture: How It Works

Vaultic uses a clean, layered architecture:

┌─────────────────────────────────┐
│  HTTP Layer                     │
│  (Controllers + Middleware)     │
└────────────┬────────────────────┘
             │
┌────────────▼────────────────────┐
│  Service Layer                  │
│  (WebAuthn Orchestration)       │
└────────────┬────────────────────┘
             │
┌────────────▼────────────────────┐
│  Repository Layer               │
│  (Passkey Persistence)          │
└────────────┬────────────────────┘
             │
┌────────────▼────────────────────┐
│  Eloquent Models                │
│  (Database)                     │
└─────────────────────────────────┘

Clean separation of concerns. Easy to test. Easy to extend.


💼 Real-World Example: Multi-Guard Setup

Your app has both a web UI (Blade) and an API (Sanctum). Vaultic handles both with one package:

// config/vaultic.php
'auth' => [
    'guards' => [
        // 🌐 Web Login
        'web' => [
            'guard' => 'web',
            'provider_model' => App\Models\User::class,
            'identifier_column' => 'email',
        ],
        // 📱 API Auth
        'api' => [
            'guard' => 'sanctum',
            'provider_model' => App\Models\User::class,
            'identifier_column' => 'email',
            'token_issuer' => Hamzi\Vaultic\Services\SanctumApiTokenIssuer::class,
        ],
    ],
],

The flow:

  1. 🌐 Web user → taps passkey button → gets session → redirects to dashboard
  2. 📱 Mobile client → sends signed passkey assertion → gets Sanctum token → calls API

Both use the same passkey database. No duplication. No complexity.


🎁 Key Features Deep Dive

1️⃣ Passkey Management Panel

Let users manage their own passkeys:

<x-vaultic::passkey-panel />

Users see:

  • 📋 List of linked authenticators (iPhone, Yubikey, Windows Hello, etc.)
  • 🕐 Last used timestamp
  • 🌍 Last used IP address
  • 🗑️ One-click delete for lost devices

Transparency = Trust.

2️⃣ Activity Logging & Security Events

Listen to security events:

use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;
// plus a `use` for the PasskeyAuthenticated event class from the Vaultic package

Event::listen(PasskeyAuthenticated::class, function ($event) {
    // Fired after a successful passkey assertion: record who, from where, and on which authenticator
    Log::info('User authenticated with passkey', [
        'user_id' => $event->user->id,
        'ip' => request()->ip(),
        'device' => $event->passkey->metadata,
    ]);
});

Events available:

  • PasskeyRegistered — New key added
  • PasskeyAuthenticated — User logged in
  • AuthenticationFailed — A passkey login attempt was rejected (signal for attack detection)

3️⃣ Rate Limiting (Built-In)

Protection against brute force attacks:

'rate_limit' => [
    'attempts' => 10,
    'decay_seconds' => 60,
],

After 10 failed attempts → locked out for 60 seconds.

4️⃣ Fallback Authentication

If the passkey path is unavailable (lost device, browser without WebAuthn support):

'fallback' => [
    'driver' => 'password', // or 'otp' or custom
],

Users can fall back to password or recovery codes.

5️⃣ Custom WebAuthn Verifier

Use your own FIDO2 library (Duo, Yubico, etc.):

$this->app->bind(
    Hamzi\Vaultic\Contracts\WebAuthnVerifier::class,
    App\Security\CustomWebAuthnVerifier::class
);

No vendor lock-in. Total flexibility.


🔌 API Endpoints for Custom UIs

Vaultic exposes clean JSON endpoints:

📝 Registration
  POST /passkeys/register/options      → Get challenge
  POST /passkeys/register              → Save passkey

🔓 Authentication
  POST /passkeys/authenticate/options  → Get challenge
  POST /passkeys/authenticate          → Log in & get token

🗑️ Management
  DELETE /passkeys/{passkey}           → Remove passkey

All JSON responses. Build custom UIs with:

  • ⚛️ React / Vue / Svelte
  • 📱 Native iOS / Android
  • 🤖 Headless systems
  • 🌐 Custom frontends
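For a custom frontend talking to these endpoints, here is an added example of the browser-side login flow (my code, not part of Vaultic or the original post). It assumes the options endpoint returns WebAuthn request options as JSON with the challenge and credential ids base64url-encoded, that the server accepts the assertion in the same encoding, and that the CSRF token travels in an X-CSRF-TOKEN header; the helper names are mine.

```javascript
// Added example, not Vaultic's own client code. Assumed contract: binary
// fields (challenge, credential ids, assertion parts) are base64url in JSON.

// WebAuthn JSON carries binary as base64url; the browser API wants ArrayBuffers.
function base64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  // WebAuthn payloads are small, so spreading into fromCharCode is safe here.
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Turn the server's JSON into PublicKeyCredentialRequestOptions.
function toRequestOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// Serialise the assertion from navigator.credentials.get() for POST /passkeys/authenticate.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Full challenge/response flow against the endpoints above (browser only).
async function loginWithPasskey(csrfToken) {
  const headers = { 'Content-Type': 'application/json', Accept: 'application/json', 'X-CSRF-TOKEN': csrfToken };
  const optRes = await fetch('/passkeys/authenticate/options', { method: 'POST', headers, body: '{}' });
  const publicKey = toRequestOptions(await optRes.json());
  // The browser only releases a credential whose rpId matches the page origin: this is the phishing protection.
  const cred = await navigator.credentials.get({ publicKey });
  const res = await fetch('/passkeys/authenticate', { method: 'POST', headers, body: JSON.stringify(serializeAssertion(cred)) });
  if (!res.ok) throw new Error(`authentication rejected: ${res.status}`);
  return res.json(); // session for the web guard, or a Sanctum token for the api guard
}
```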

🌍 Browser & Device Support

Vaultic works everywhere:

Platform Authenticators

  • 🍎 iOS/macOS: Face ID, Touch ID
  • 🪟 Windows: Windows Hello (face, fingerprint, PIN)
  • 🐧 Linux: Fingerprint readers

Cross-Device Auth

  • 📱 Phone as Security Key: Via Bluetooth (tap on your iPhone to unlock your Mac)

Hardware Keys

  • 🔑 Yubikey, Google Titan, Ledger (USB/NFC/BLE)

Vaultic is configured to prefer discoverable credentials, meaning:

  • No username entry needed
  • Browser handles biometric prompt
  • Seamless UX on all devices

📦 Browser Compatibility

Browser WebAuthn Support
✅ Chrome 67+ Full support
✅ Firefox 60+ Full support
✅ Safari 13+ Full support
✅ Edge 18+ Full support
✅ Opera 54+ Full support

Bottom line: If your users are on modern browsers (which they are), passkeys work everywhere.


🚀 Deployment Checklist

Before shipping to production:

  • ✅ APP_URL is correct (WebAuthn is domain-locked)
  • ✅ CACHE_DRIVER configured (file, Redis, etc.)
  • ✅ Trusted proxies set (if behind load balancer)
  • ✅ composer test passes
  • ✅ Tested on real devices
  • ✅ Event listeners configured
  • ✅ Fallback auth tested
  • ✅ SECURITY.md policy in place

📊 Real Impact Numbers

Companies that switched to passkeys:

Metric                → Impact
📞 Support tickets    → 50% fewer
⚡ Login speed        → 90% faster
🔓 Phishing attacks   → ~0%
😊 User satisfaction  → Significantly higher
🔐 Security incidents → Nearly zero

❓ FAQ: Your Questions Answered

Q: "What if a user loses their device?"

A: Vaultic supports fallback auth. Configure:

'fallback' => ['driver' => 'password'],

Lost device? Fall back to password or recovery codes.

Q: "Will my users actually use passkeys?"

A: Yes. When users see a biometric login option, they prefer it. No friction = instant adoption.

Q: "Is it production-ready?"

A: 100%. Vaultic has 19+ releases, comprehensive tests, and follows Laravel standards (CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md).

Q: "Can I keep passwords alongside passkeys?"

A: Yes. Passkeys are optional, not forced. You can:

  • Offer passkeys as an option
  • Keep password login alongside
  • Gradually migrate users
  • Monitor adoption via events

Q: "What about old browsers?"

A: Use fallback auth. Gracefully degrade to passwords if WebAuthn is not supported.

Q: "How does this affect my auth flow?"

A: Minimal changes. Vaultic integrates seamlessly with Laravel's auth system.


🎯 The Future is Passwordless

Timeline:

  • 2023: Apple, Google, Microsoft announce passkey support
  • 2024: Enterprise adoption accelerates
  • 2025: Passkeys become mainstream
  • 2026: Passwords are legacy (where we are now)

Your Laravel app doesn't need to wait for the future—you can move to passwordless authentication today.


🚀 Getting Started (3 Steps)

1. Read the Documentation

👉 github.com/hamdyelbatal122/vaultic

2. Install the Package

composer require hamzi/vaultic

3. Add a Button

<x-vaultic::passkey-button />

That's it. Users can register and log in with passkeys.


💚 Support Vaultic

If Vaultic helps your project:

Open source thrives on community support. Every star, every issue, every contribution matters.


🤝 Join the Passwordless Future

The password era is ending. Passkeys are the future.

Vaultic makes the transition seamless.


Questions? Drop them in the comments below. 👇

Share this post if you found it helpful. 🚀
