python-fido2 2.1.1

Version 2.1.1 (released 2026-01-19)

• Fix: Platform detection in fido2.hid module for BSD's.

python-fido2 2.1.0

Version 2.1.0 (released 2026-01-14)

• CTAP 2.3 support:
  • Add new GetInfo fields: enc_cred_store_state.
  • Add support for pinComplexityPolicy extension.
  • Add thirdPartyPayment bit to credman.
  • Check support for config subcommands.
• WebAuthn:
  • Allow UserEntity without 'name' field for improved spec compliance.
  • Update MDS3 dataclasses with new fields.
• Fido2Client:
  • Fallback to PIN after UV_BLOCKED error.
  • Improve preflight handling when message exceeds maximum size.
• WindowsClient:
  • Fix: Parse 'credentialProtectionPolicy' properly.
  • Update win_api.py from latest webauthn.h.
  • Add support for hmac-secret-mc extension.
  • Add support for hints.
• Development:
  • Switch from Poetry to uv for project management.
  • Add pyright and ty for improved type checking.
  • Replace bandit and flake8 with ruff for linting.

python-fido2 2.0.0

Version 2.0.0 (released 2025-05-20)

• See also the migration guide: doc/Migration_1-2.adoc.
• Python 3.10 or later is now required.
• WebAuthn dataclasses have been updated to align with the WebAuthn Level 3
  Working Draft. Constructors now require keyword arguments (kwargs_only=True),
  and serialization to/from dictionaries is compatible with standardized JSON
  formats.
• The features.webauthn_json_mapping flag has been removed, as its
  behavior (standardized JSON mapping) is now default.
• Fido2Client and WindowsClient constructors now accept a
  ClientDataCollector instance instead of origin and verify parameters.
• WindowsClient has been relocated to fido2.client.windows. Importing this
  class on non-Windows platforms will now raise an ImportError.
• Fido2Client methods now return RegistrationResponse and
  AuthenticationResponse objects, instead of raw attestation/assertion data.
• CTAP2/WebAuthn extension handling has been redesigned. Fido2Client now
  expects a list of Ctap2Extension instances. Default behavior includes
  extensions commonly supported by browsers.
• The fido2.cbor module's load_x and dump_x functions have been made
  private (renamed with a leading underscore) and should not be used directly.
• Previously deprecated functions and APIs have been removed.
• The __version__ attribute in fido2/__init__.py has been removed. Use
  importlib.metadata.version('fido2') to get the package version.
• Add support for Persistent PinUvAuthToken and encIdentifier.
• Add support for hmac-secret-mc and thirdPartyPayments exensions.
• Add new GetInfo fields based on CTAP 2.2
• Update COSE algorithnm types.
• Building the library now requires Poetry version 2.0 or later.

python-fido2 2.0.0-beta.1

Version 2.0.0-beta.1 (released 2025-02-26) Preview release

Preview release: The API may undergo changes prior to the final 2.0.0 release!

• Require Python >= 3.10
• Building requires Poetry >= 2.0
• WebAuthn dataclasses have been updated to reflect the current state of the spec
  (level 3 working draft), constructors require arguments to be passed by name
  (kwargs_only), and serialization to/from dict is compatible with the standardized
  JSON formats.
• features.webauthn_json_mapping has been removed, as this behavior is now the
  standard.
• WindowsClient has been moved to fido2.client.windows. This class can no longer be
  imported on non-windows platforms (throws ImportError).
• Use RegistrationResponse and AuthenticationResponse classes as return values in
  Fido2Client.
• CTAP2/WebAuthn extension handling has been rewritten, Fido2Client now takes a list
  of Ctap2Extension instances. The default behavior is to include extensions which are
  generally supported by browsers.
• fido2.cbor load_x/dump_x functions have been made private, these should not be
  directly used.
• Removal of previously deprecated functions.
• Removal of __version__ in fido2/__init__.py (use importlib.metadata if needed).

python-fido2 1.2.0

Version 1.2.0 (released 2024-11-27)

• Improved extension handling:
  Several new extensions are now supported, both for Fido2Client and WindowsClient.
  Extension APIs have been redesigned, and old APIs have been deprecated, slated for
  removal in version 2.0.
  • Disable hmac-secret extension by default, preferring prf.
• Improved (de-)serialization of dataclasses to/from JSON-friendly dicts.
• Fido2Client:
  • Support allowCredentials/excludeCredentials of arbitrary length.
  • Handle PUAT_REQUIRED by re-attempting with PIN/UV.
• Allow localhost (and subdomains) to use http:// in RP ID verification by default.
• NFC: Support for Authenticators that return SW=61XX on SELECT.
• USB: Improve connection recovery and use more specific exceptions for errors.
• Fix: Handle residentKey=preferred properly.
• Fix: Handle Authentictors that do not pass extensions in GetInfo.

python-fido2 1.1.3

Version 1.1.3 (released 2024-03-13)

• Fix USB HID issue on MacOS that sometimes caused a pause while waiting for a timeout.
• Fix argument to CredProp extension where an enum value was required instead of also allowing a string.
• Fix parsing of some key types (ES384, ES512) causing signature verification to fail.
• Deprecation: Calling websafe_decode with a bytes argument instead of str. This will raise a TypeError in the next major version of the library.

python-fido2 1.1.2

Version 1.1.2 (released 2023-07-06)

• Fix ClientPin usage for Authenticators that do not support passing a PIN.
• Fix: Handle correct CTAP response codes in authenticatorSelection.

python-fido2 1.1.1

Version 1.1.1 (released 2023-04-05)

• Add community provided support for NetBSD.
• Bugfix: Don't set length for largeBlob when offset is 0.
• Bugfix: Remove print statement in webauthn parsing.

python-fido2 1.1.0

Version 1.1.0 (released 2022-10-17)

• Bugfix: Fix name of "crossOrigin" in CollectedClientData.create().
• Bugfix: Some incorrect type hints in the MDS3 classes were fixed.
• Stricter checking of dataclass field types.
• Add support for JSON-serialization of WebAuthn data classes.
  This changes the objects dict representation to align with new additions in the
  WebAuthn specification. As this may break compatibility, the new behavior
  requires explicit opt-in until python-fido2 2.0 is released.
• Update server example to use JSON serialization.
• Server: Add support for passing RegistrationResponse/AuthenticationResponse (or
  their deserialized JSON data) to register_complete/authenticate_complete.
• Add new "hybrid" AuthenticatorTransport.
• Add new AuthenticatorData flags, and use 2-letter names as in the WebAuthn spec
  (long names are still available as aliases).

python-fido2 1.0.0

Version 1.0.0 (released 2022-06-08)

• First stable release.