Release Notes

  • Version 0.9.0 (released 2021-01-20)

    • Server: Attestation is now done in two parts (to align better with the spec): First, type-specific validation is done to provide a trust chain. Second, validation of the trust chain is done.

    • Client: API changes to better support extensions.

      • Fido2Client can be configured with Ctap2Extensions to support.

      • Client.make_credential now returns a AuthenticatorAttestationResponse, which holds the AttestationObject and ClientData, as well as any client extension results for the credential.

      • Client.get_assertion now returns an AssertionSelection object, which is used to select between multiple assertions, resulting in an AuthenticatorAssertionResponse, which holds the ClientData, assertion values, as well as any client extension results for the assertion.

    • Renames: The CTAP1 and CTAP2 classes have been renamed to Ctap1 and Ctap2, respectively. The old names currently work, but will be removed in the future.

    • ClientPin: The ClientPin API has been restructured to support multiple PIN protocols, UV tokens, and token permissions.

    • CTAP 2.1 PRE: Several new features have been added for CTAP 2.1, including Credential Management, Bio Enrollment, Large Blobs, and Authenticator Config.

    • HID: The platform specific HID code has been revamped and cleaned up.

  • Version 0.8.1 (released 2019-11-25)

    • Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.

  • Version 0.8.0 (released 2019-11-25)

    • New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.

    • CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.

    • Fido2Client:

      • make_credential/get_assertion now take WebAuthn options objects.

      • timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.

    • Fido2Server:

      • ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.

      • RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.

      • Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.

      • Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.

      • Fido2Server.timeout is now in ms and of type int.

    • Support native WebAuthn API on Windows through WindowsClient.

  • Version 0.7.3 (released 2019-10-24)

    • Bugfix: Workaround for size of int on Python 2 on Windows.

  • Version 0.7.2 (released 2019-10-24)

    • Support for the TPM attestation format.

    • Allow passing custom challenges to register/authenticate in Fido2Server.

    • Bugfix: CTAP2 CANCEL command response handling fixed.

    • Bugfix: Fido2Client fix handling of empty allow_list.

    • Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.

  • Version 0.7.1 (released 2019-09-20)

    • Support for FreeBSD.

    • Enforce canonical CBOR on Authenticator responses by default.

    • PCSC: Support extended APDUs.

    • Server: Verify that UP flag is set.

    • U2FFido2Server: Implement AppID exclusion extension.

    • U2FFido2Server: Allow custom U2F facet verification.

    • Bugfix: U2FFido2Server.authenticate_complete now returns the result.

  • Version 0.7.0 (released 2019-06-17)

    • Add support for NFC devices using PCSC.

    • Add support for the hmac-secret Authenticator extension.

    • Honor max credential ID length and number of credentials to Authenticator.

    • Add close() method to CTAP devices to explicitly release their resources.

  • Version 0.6.0 (released 2019-05-10)

    • Don’t fail if CTAP2 Info contains unknown fields.

    • Replace cbor loads/dumps functions with encode/decode/decode_from.

    • Server: Add support for AuthenticatorAttachment.

    • Server: Add support for more key algorithms.

    • Client: Expose CTAP2 Info object as Fido2Client.info.

  • Version 0.5.0 (released 2018-12-21)

    • Changes to server classes, some backwards breaking.

    • Add ability to authenticate U2F credentials by using the appid extension.

    • Make verification of attestation more explicit.

    • Add support for Android SafetyNet attestation.

    • Make it easier to work with U2F/CTAP1 data formats.

  • Version 0.4.0 (released 2018-09-27)

    • Add classes for implementing a server.

    • Various small changes, some affecting backwards compatibility.

  • Version 0.3.0 (released 2018-04-13)

    • Add conversion between string/int keys for AttestationObject.

    • Replace internal Exceptions with built-in types.

    • Bugfix: Don’t use TimeoutError which isn’t available on Python 2.

  • Version 0.2.2 (released 2018-04-11)

    • Bugfix: Better handling of unplugged devices on MacOS and avoid leaking threads.

  • Version 0.2.1 (released 2018-04-10)

    • Add server example.

    • Parse AttestationObjects that use string keys (Webauthn).

    • Fix bug in handling packets with the wrong channel id.

  • Version 0.2.0 (released 2018-04-05)

    • Changed name of project to python-fido2 to better reflect its scope.

    • Added attestation and assertion verification methods.

    • A lot of name changes, moved classes, etc.

    • New example for multi-device use.

  • Version 0.1.0 (released 2018-03-16)

    • First beta release.