YubiKit 3.1.0

This release introduces the new fido-android-ui module, desktop multi-device and NFC reader support, sensitive data hardening across all modules, and build tooling improvements.

New in this release:

• fido-android-ui module (new):
  • High-level Kotlin API for WebAuthn operations using hardware security keys, including WebView integration and customizable UI; AndroidDemo includes usage examples (#277)
• fido module:
  • Support for WebAuthn previewSign extension v4 (#304)
  • Fixed shared mutable state in HmacSecretExtension result lambda (#315)
  • Improved USB device detection using HID report descriptor parsing for FIDO Alliance usage page (0xF1D0) (#285)
• desktop module:
  • Added multi-device selection support (DesktopDeviceSelector, listDeviceRecords, getDeviceBySerial, getDeviceBySelector, requireSingleDevice) (#287)
  • Added NFC reader support for external readers (e.g. OMNIKEY) alongside USB (#307)
• oath module:
  • Added Destroyable interface to CredentialData for zeroing secret key material (#312)
• piv module:
  • Added generateKey() as replacement for deprecated generateKeyValues() (#295)
• core module:
  • Added ZeroingByteArrayOutputStream utility for secure memory handling (#312)
  • Fixed thread safety in UsbDeviceManager with volatile keyword (#285)
  • Made DeviceFilter methods public to allow proper extension (#285)
• security (all modules):
  • Zero sensitive cryptographic material (private keys, PINs, shared secrets, ECDH outputs) after use across all modules (#312, #315)
  • Switched to SLF4J fluent API for lazy log argument evaluation to prevent sensitive data from being eagerly placed on the heap (#315)
• testing:
  • Added YubiOtp device tests for Android and Desktop (#286)
• build system:
  • Upgraded to AGP 9.1.0 (#284)
  • Added consumer ProGuard rules for R8/ProGuard compatibility (#294, #297)
  • Added release build support for AndroidDemo with signing and minification (#305)
  • Updated dependencies and GitHub Actions (#301, #316)

Full Changelog: 3.0.1...3.1.0

YubiKit 3.0.1

This release includes bug fixes and improvements for certificate handling, device identification, and build configuration.

New in this release:

• piv module:
  • Support for additional compressed certificate formats (zlib with custom header) (#278)
  • Deprecated GzipUtils (will become package-private in a future release)
• support module:
  • Fixed device naming for FIDO Edition devices with explicit capability checks (#281)
• build system:
  • Adjusted spotbugs-annotations to compileOnly scope (#255)
  • Updated dependencies and GitHub Actions workflows

Full Changelog: 3.0.0...3.0.1

YubiKit 3.0.0

This release brings major breaking API changes, new USB and FIDO features, CTAP2.3 & CTAP1 support, and enhanced null-safety.

New in this release:

• android module:
  • Minimum supported Android API level is now 21 (was 19) (breaking change)
• core module:
  • All previously deprecated APIs have been removed (breaking change) (#237)
  • Renamed all ALL CAPS abbreviations in public API identifiers to CamelCase (breaking change) (#230)
  • Added unified, configurable USB device filtering using DeviceFilter (#241)
  • Adopted JSpecify nullness annotations for improved null-safety
    Kotlin generics now require non-nullable type arguments (<T : Any>) (breaking change) (#231)
• fido module:
  • Replaced BasicWebAuthnClient with new WebAuthnClient (breaking change) (#240)
  • Client data must now be provided via ClientDataProvider, not as raw byte arrays (breaking change) (#233)
  • Added support for CTAP2.3 (encCredStoreState, authenticatorConfigCommands) (#229)
  • Initial support for CTAP1 flows (via new clients and session classes) (#240)
  • Added human-readable error names to CtapException (#238)
  • WebAuthnClient now supports user verification (fingerprints) (#234)
  • Replaced PinInvalidClientError with new AuthInvalidClientError for PIN/UV errors (breaking change) (#234)
• openpgp module:
  • Fixed implementation of parseFingerprints (#221)
• testing modules:
  • Improved testability of ApplicationSessions (#243)

Breaking changes summary:

• Minimum supported Android API is now 21 (was 19)
• All previously deprecated APIs have been removed
• Method/class names with ALL CAPS abbreviations have been updated to CamelCase, requiring updates to any old references
• Major FIDO/WebAuthn flow changes — see migration guide!

See the 3.0 Migration Guide for complete upgrade details.

Full Changelog: 2.9.0...3.0.0

YubiKit 2.9.0

This release brings targetSdk 36 support, new CTAP 2.2 features, and multiple bug fixes.

New in this release:

• android module:
  • Updated targetSdk to 36 (#202)
• core module:
  • Fixed a bug in formatting short APDUs (#199)
• fido module:
  • Added support for following CTAP 2.2 features (#176)
    • New getInfo members
    • persistentPinUvAuthToken
    • Processing of hmac-secret-mc and thirdPartyPayments extensions
  • Added support for NFCCTAP_GETRESPONSE (#204)
  • Fixed credential list pre-flight (#193)
• openpgp module:
  • Fixed implementation of verifyUserPin (#196)

Full Changelog: 2.8.2...2.9.0

YubiKit 2.8.2

• core module:
  • fixed SCP processing (#188)
• oath module:
  • fixed parsing OATH URI where issuer contains ampersand character (#186)
• yubiotp module:
  • fixed programming sequence update evaluation (#190)
• fido modules:
  • added support for using SCP over CCID (#188)
  • fixed largeBlob extension authenticator inputs naming (#183)
• test modules:
  • added support for test device serial number allow list (#184)
• build system:
  • migrated publishing to ossrh-staging-api service (#191)

Full Changelog: 2.8.1...2.8.2

YubiKit 2.8.1

• fido module:
  • Handle allowList without existing credentials (#170)
• general improvements:
  • better support of legacy Yubico devices (#169)
  • Treat FUNCTION_NOT_SUPPORTED as ApplicationNotAvailableException (#175)
  • Added support for Version Qualifier (#174)
  • Added support for using SmartCardConnection only with short APDUs (#177)

Full Changelog: 2.8.0...2.8.1

YubiKit 2.8.0

• fido module:
  • added updateUserInformation subcommand in credential management
  • added extensible support for FIDO extensions
  • added processing of defined FIDO extensions:
    • credBlob
    • credProps
    • credProtect
    • hmac-secret / prf
    • largeBlob
    • minPinLength
• general updates:
  • updated targetSdk to 35
  • new experimental desktop support
  • integrated spotless plugin for java source code formatting
  • improved integration tests to run on older YubiKeys
  • improved javadoc
  • updated build dependencies and libraries

YubiKit 2.7.0

• support module:
  • fixed missing property values for DeviceInfo in DeviceUtil.readInfo()
• general updates:
  • new support for communication over SCP03 and SCP11 protocols
  • new support for managing SCP03 and SCP11 keys through Security Domain session
  • improved integration tests with support to run over SCP
  • updated build dependencies and libraries

YubiKit 2.6.0

• piv module:
  • support for RSA3072 and RSA4096 (keys with FW 5.7+)
  • support for Ed25519 and X25519 (keys with FW 5.7+)
  • support for move/delete private key (keys with FW 5.7+)
  • support for metadata and verify extensions (Bio multi-protocol keys)
  • new verification policies PIN_OR_MATCH_ONCE/ALWAYS (Bio multi-protocol keys)
• general updates:
  • updated build dependencies and libraries

YubiKit 2.5.0

• fido module:
  • added support for authenticatorBioEnrollment
  • fixed setMinPinLength() implementation
  • fixed handling of UserVerificationRequirement.DISCOURAGED
• management module:
  • deprecated constructors of DeviceInfo
  • added DeviceInfo.Builder which replaces deprecated constructors
  • added support for reading all pages of YubiKey configuration
  • added support for device wide reset
• general:
  • updated build dependencies and libraries