=== CS BioLogin – Seamless Biometric Authentication ===
Contributors: concatstring, shobhit2412, kakshak, sumittejani, hlakkad1998, vrutti22
Tags: biometric, login, security, fingerprint, webauthn
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.2.1
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Secure biometric login (WebAuthn / FIDO2 / Passkeys) for WordPress and WooCommerce using Face ID, Touch ID, or fingerprint.

== Description ==

**CS BioLogin** adds passwordless sign-in to WordPress using the WebAuthn standard (FIDO2 / passkeys). Visitors can authenticate with Face ID, Touch ID, Windows Hello, or a platform fingerprint reader. Biometric templates never leave the user's device; only public key credentials are stored in your WordPress database.

= What this plugin does =

* Adds a **Sign in with Biometrics** option on the WordPress login screen (with optional password fallback).
* Lets logged-in users **register, rename, update, and remove** passkeys from their profile, a front-end shortcode page, or WooCommerce My Account.
* Provides an admin screen for **settings, security logs, and per-user device management**.
* Applies **rate limiting and lockout** on authentication attempts.

= What this plugin does NOT do =

* It does **not** send user data, credentials, or biometrics to third-party servers. All verification runs on your site over HTTPS.
* It does **not** store fingerprint or face images—only WebAuthn public keys and device metadata you configure.

= How it works =

1. **Administrator** enables the plugin under **Settings → CS BioLogin** and chooses which roles may use biometrics.
2. **User** opens their profile (WordPress admin profile, `[csbisebi_device_manager]` page, or WooCommerce **My Account → CS BioLogin**) and clicks **Add Biometric Device**. The browser shows the OS passkey/biometric prompt.
3. **Login** — On `wp-login.php` (or WooCommerce login), the user chooses biometric sign-in. The plugin issues a WebAuthn challenge via the REST API, verifies the signed response, and creates a normal WordPress session.

REST routes live under `csbisebi-biometric-login/v1` on your own site (for example `/wp-json/csbisebi-biometric-login/v1/auth/options`). No external API keys are required.

= WooCommerce =

When WooCommerce is active, CS BioLogin adds a **My Account** tab, checkout/account login prompts, and automatic use of the account area instead of a standalone management page.

= Requirements =

* WordPress 6.2 or later
* PHP 7.4+ with OpenSSL
* **HTTPS** on production (WebAuthn requires a secure context; `localhost` and `*.local` are allowed for development)

= Privacy and data storage =

* Biometric samples stay on the user's device.
* The plugin stores passkey public keys, optional device labels, timestamps, and security log entries in your WordPress database.
* Uninstalling the plugin (when data removal is enabled via uninstall) drops the custom credentials table and plugin options.

== Installation ==

1. Upload the plugin folder `cs-biologin-seamless-biometric-authentication` to `/wp-content/plugins/` (the zip must contain `readme.txt` and `cs-biologin.php` at the root of that folder—not inside a `trunk/` subfolder).
2. Activate **CS BioLogin – Seamless Biometric Authentication** on the **Plugins** screen.
3. Ensure your site uses **HTTPS** in production.
4. Go to **Settings → CS BioLogin** and save your preferences.
5. Log in as a test user, open **Users → Profile** (or WooCommerce **My Account → CS BioLogin**), and register a passkey before testing front-end login.

== Frequently Asked Questions ==

= Does this store my fingerprint or face on the server? =

No. WebAuthn keeps biometrics on the device. The site only stores a public key used to verify future logins.

= Does the plugin call external services? =

No. Challenges, verification, and credential storage all run on your WordPress installation. JavaScript and CSS are bundled with the plugin (no third-party CDNs).

= Is HTTPS required? =

Yes, for production sites. The plugin shows an admin notice if HTTPS is missing (localhost and `.local` hosts are exempt for development).

= Can users still log in with a password? =

Yes, when **Allow Password Fallback** is enabled in settings.

= Can visitors create WordPress accounts through the plugin? =

Only if **Settings → General → Membership → Anyone can register** is enabled, or if you explicitly enable **Allow REST account registration when WordPress registration is disabled** under **Settings → CS BioLogin**. Account creation is rate-limited and disabled by default otherwise.

= Is WooCommerce supported? =

Yes. Device management appears under **My Account**, and biometric login can appear on WooCommerce login forms when enabled.

= Which browsers are supported? =

Recent Chrome, Safari, Edge, and Firefox on desktop and mobile, where the OS provides a platform authenticator or passkey store. Unsupported browsers can hide the login button via settings.

= Password managers block the biometric prompt. What should I do? =

Extensions such as 1Password, Bitwarden, or LastPass may intercept passkey prompts. Enable passkey support in the manager or disable autofill for your site so the native OS dialog (Touch ID, Face ID, Windows Hello) can appear.

= Can administrators manage user devices? =

Yes. Use **Settings → CS BioLogin → User Management** to reset devices, view logs, and register passkeys on behalf of users (with appropriate capability checks).

== Screenshots ==

1. Biometric login popup on the WordPress login page.
2. Device management in WooCommerce My Account.
3. Registration flow with browser prompt.
4. Admin settings page with security options.
5. Security logs showing login events.
6. Device already registered warning dialog.

== Changelog ==

= 1.2.1 =
* Fixed the minor issue where activating the plugin triggered, fatal error.

= 1.2.0 =
* Fixed the issue where, the registration working when ZOHO vault is enabled
* Added i18n support in js files for translation

= 1.0.0 =
* Initial release on the WordPress Plugin Directory.
* WebAuthn / FIDO2 / Passkeys registration and authentication (ES256 and RS256).
* Passwordless login on the WordPress login screen with optional password fallback.
* WooCommerce: My Account endpoint, checkout and account login popups, and device management UI.
* Multi-device support with rename, update passkey, remove, and duplicate-device handling.
* Admin settings (roles, force biometric, rate limits, lockout, UI options) plus security event logs and user device management.
* Passkey setup reminder banner for users without a registered device.
* No external services or CDNs; credentials stored locally in the database.

== Upgrade Notice ==
= 1.2.1 =
Fixed the minor issue where activating the plugin triggered, fatal error.

= 1.2.0 =
Fixed the issue where, the registration working when ZOHO vault is enabled
Added i18n support in js files for translation

= 1.0.0 =
First WordPress.org release. Use HTTPS in production, configure settings under **Settings → CS BioLogin**, then register a passkey from your profile or WooCommerce account
