CS BioLogin – Seamless Biometric Authentication

by Concatstring Solutions

Description

CS BioLogin adds passwordless sign-in to WordPress using the WebAuthn standard (FIDO2 / passkeys). Visitors can authenticate with Face ID, Touch ID, Windows Hello, or a platform fingerprint reader. Biometric templates never leave the user’s device; only public key credentials are stored in your WordPress database.

What this plugin does

  • Adds a Sign in with Biometrics option on the WordPress login screen (with optional password fallback).
  • Lets logged-in users register, rename, update, and remove passkeys from their profile, a front-end shortcode page, or WooCommerce My Account.
  • Provides an admin screen for settings, security logs, and per-user device management.
  • Applies rate limiting and lockout on authentication attempts.

What this plugin does NOT do

  • It does not send user data, credentials, or biometrics to third-party servers. All verification runs on your site over HTTPS.
  • It does not store fingerprint or face images—only WebAuthn public keys and device metadata you configure.

How it works

  1. Administrator enables the plugin under Settings → CS BioLogin and chooses which roles may use biometrics.
  2. User opens their profile (WordPress admin profile, [csbisebi_device_manager] page, or WooCommerce My Account → CS BioLogin) and clicks Add Biometric Device. The browser shows the OS passkey/biometric prompt.
  3. Login — On wp-login.php (or WooCommerce login), the user chooses biometric sign-in. The plugin issues a WebAuthn challenge via the REST API, verifies the signed response, and creates a normal WordPress session.

REST routes live under csbisebi-biometric-login/v1 on your own site (for example /wp-json/csbisebi-biometric-login/v1/auth/options). No external API keys are required.

WooCommerce

When WooCommerce is active, CS BioLogin adds a My Account tab, checkout/account login prompts, and automatic use of the account area instead of a standalone management page.

Requirements

  • WordPress 6.2 or later
  • PHP 7.4+ with OpenSSL
  • HTTPS on production (WebAuthn requires a secure context; localhost and *.local are allowed for development)

Privacy and data storage

  • Biometric samples stay on the user’s device.
  • The plugin stores passkey public keys, optional device labels, timestamps, and security log entries in your WordPress database.
  • Uninstalling the plugin (when data removal is enabled via uninstall) drops the custom credentials table and plugin options.

Installation

  1. Upload the plugin folder cs-biologin-seamless-biometric-authentication to /wp-content/plugins/ (the zip must contain readme.txt and cs-biologin.php at the root of that folder—not inside a trunk/ subfolder).
  2. Activate CS BioLogin – Seamless Biometric Authentication on the Plugins screen.
  3. Ensure your site uses HTTPS in production.
  4. Go to Settings → CS BioLogin and save your preferences.
  5. Log in as a test user, open Users → Profile (or WooCommerce My Account → CS BioLogin), and register a passkey before testing front-end login.

Screenshots

  1. Biometric login popup on the WordPress login page.
  2. Device management in WooCommerce My Account.
  3. Registration flow with browser prompt.
  4. Admin settings page with security options.
  5. Security logs showing login events.

FAQ

Does this store my fingerprint or face on the server?

No. WebAuthn keeps biometrics on the device. The site only stores a public key used to verify future logins.

Does the plugin call external services?

No. Challenges, verification, and credential storage all run on your WordPress installation. JavaScript and CSS are bundled with the plugin (no third-party CDNs).

Is HTTPS required?

Yes, for production sites. The plugin shows an admin notice if HTTPS is missing (localhost and .local hosts are exempt for development).

Can users still log in with a password?

Yes, when Allow Password Fallback is enabled in settings.

Can visitors create WordPress accounts through the plugin?

Only if Settings → General → Membership → Anyone can register is enabled, or if you explicitly enable Allow REST account registration when WordPress registration is disabled under Settings → CS BioLogin. Account creation is rate-limited and disabled by default otherwise.

Is WooCommerce supported?

Yes. Device management appears under My Account, and biometric login can appear on WooCommerce login forms when enabled.

Which browsers are supported?

Recent Chrome, Safari, Edge, and Firefox on desktop and mobile, where the OS provides a platform authenticator or passkey store. The login button can be hidden on unsupported browsers via settings.

Password managers block the biometric prompt. What should I do?

Extensions such as 1Password, Bitwarden, or LastPass may intercept passkey prompts. Enable passkey support in the manager or disable autofill for your site so the native OS dialog (Touch ID, Face ID, Windows Hello) can appear.

Can administrators manage user devices?

Yes. Use Settings → CS BioLogin → User Management to reset devices, view logs, and register passkeys on behalf of users (with appropriate capability checks).

Changelog

1.2.1

  • Fixed a minor issue where activating the plugin triggered a fatal error.

1.2.0

  • Fixed an issue affecting registration when ZOHO vault is enabled.
  • Added i18n support in JS files for translation.

1.0.0

  • Initial release on the WordPress Plugin Directory.
  • WebAuthn / FIDO2 / Passkeys registration and authentication (ES256 and RS256).
  • Passwordless login on the WordPress login screen with optional password fallback.
  • WooCommerce: My Account endpoint, checkout and account login popups, and device management UI.
  • Multi-device support with rename, update passkey, remove, and duplicate-device handling.
  • Admin settings (roles, force biometric, rate limits, lockout, UI options) plus security event logs and user device management.
  • Passkey setup reminder banner for users without a registered device.
  • No external services or CDNs; credentials stored locally in the database.