CS BioLogin – Seamless Biometric Authentication

CS BioLogin adds passwordless sign-in to WordPress using the WebAuthn standard (FIDO2 / passkeys). Visitors can authenticate with Face ID, Touch ID, Windows Hello, or a platform fingerprint reader. Biometric templates never leave the user’s device; only public key credentials are stored in your WordPress database.

What this plugin does

• Adds a Sign in with Biometrics option on the WordPress login screen (with optional password fallback).
• Lets logged-in users register, rename, update, and remove passkeys from their profile, a front-end shortcode page, or WooCommerce My Account.
• Provides an admin screen for settings, security logs, and per-user device management.
• Applies rate limiting and lockout on authentication attempts.

What this plugin does NOT do

• It does not send user data, credentials, or biometrics to third-party servers. All verification runs on your site over HTTPS.
• It does not store fingerprint or face images—only WebAuthn public keys and device metadata you configure.

How it works

1. Administrator enables the plugin under Settings → CS BioLogin and chooses which roles may use biometrics.
2. User opens their profile (WordPress admin profile, [csbisebi_device_manager] page, or WooCommerce My Account → CS BioLogin) and clicks Add Biometric Device. The browser shows the OS passkey/biometric prompt.
3. Login — On wp-login.php (or WooCommerce login), the user chooses biometric sign-in. The plugin issues a WebAuthn challenge via the REST API, verifies the signed response, and creates a normal WordPress session.

REST routes live under csbisebi-biometric-login/v1 on your own site (for example /wp-json/csbisebi-biometric-login/v1/auth/options). No external API keys are required.

WooCommerce

When WooCommerce is active, CS BioLogin adds a My Account tab, checkout/account login prompts, and automatic use of the account area instead of a standalone management page.

Requirements

• WordPress 6.2 or later
• PHP 7.4+ with OpenSSL
• HTTPS on production (WebAuthn requires a secure context; localhost and *.local are allowed for development)

Privacy and data storage

• Biometric samples stay on the user’s device.
• The plugin stores passkey public keys, optional device labels, timestamps, and security log entries in your WordPress database.
• Uninstalling the plugin (when data removal is enabled via uninstall) drops the custom credentials table and plugin options.