Version 3.2 (December 2024)


Welcome to OneSpan FIDO Universal Server SDK 3.2!

The FIDO Universal Server SDK consists of two SDKs that are designed to help implement UAF 1.1 and FIDO2 services. The product package contains:

  • The FIDO UAF SDK library for integrations with the UAF protocol (uaf-core), the FIDO UAF SDK Integration Guide, and a sample web application (fido-sample-webapp).

    • uaf-core 3.0.7
    • fido-sample-webapp 3.0.9
  • The FIDO2 SDK library for integrations with the FIDO2 protocol (fido2-core), the FIDO2 SDK Integration Guide, and a FIDO2 SDK sample web application (fido2-sample-webapp).

    • fido2-core 2.0.12
    • fido2-sample-webapp 3.0.5

This document covers the following topics:

  • New features and enhancements
  • Fixes and other updates
  • Deprecated components and features, architectural changes
  • Known issues

For more information about configuring and using OneSpan FIDO Universal Server SDK, refer to the respective documentation.

New features and enhancements

FIDO2 policy validation  fido2  

The FIDO2 SDK now allows relying parties to flexibly configure allow and disallow policies to define which authenticators can be used for registrations and authentication operations.

A FIDO2 policy consists of an allowed list and a disallowed list, each containing a list of match criteria. An authenticator is allowed for an operation if it matches any of the match criteria in the allowed list and does not match any of the match criteria in the disallowed list.

The FIDO2 SDK implementation includes a default policy provider that allows all types of authenticators and self-attestation by default.

FIDO2 sample web application updated  fido2‑sample 

The sample FIDO2 web application was updated to support the new FIDO2 policies introduced in the FIDO2 SDK implementation.

Moreover, the sample web application was refactored to use FIDO2 metadata v3 structures. All included JSON metadata and sample files were updated and converted to v3.

Metadata information for the new DIGIPASS FX2 BIO is now included.

Maven artifacts  fido2    fido2‑sample   uaf    uaf‑sample 

Release packaging has been improved. The FIDO Universal Server SDK is now delivered as a Maven artifact to separate the SDK class implementation (as a JAR file) and third-party dependencies (as a POM file). This helps to avoid dependency conflicts with customer projects incorporating the FIDO Universal Server SDK.

Fixes and other updates

Issue OAS-24683: Missing tables in dbschema.sql example  uaf  

Description: The example SQL schema included for FIDO UAF (dbschema.sql) omits some tables that were included in previous versions.

Affects: FIDO Universal Server SDK 3.1

Status: This issue has been fixed. The missing tables were included to provide a minimum database structure.

Issue OAS-22923: FIDO2 logon fails on Apple Mac  fido2  

Description: When the user tries to log on to the MyBank Demo app from an Apple Mac computer with TouchID, the registration with TouchID is successful but the logon fails with an internal server error, even though the registration is set to none attestation. The reason for the failure is the fact that Apple Mac computers return a valid aaguid value even when none attestation has been set, but OneSpan FIDO Universal Server SDK skips the policy validation for none-attestation registrations.

Status: This issue has been fixed. The implementation of the FIDO2 registration has been adjusted to always store a zero-value in the registration record when none attestation is used.
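
The allow/disallow rule from "FIDO2 policy validation" and the zero-value behaviour described for OAS-22923, modelled together as an added Java example; this is not OneSpan SDK code. All type and method names are hypothetical, the AAGUIDs are constructed, and it assumes that the stored zero-value is the all-zero AAGUID and that a match criterion with no fields matches every authenticator.

```java
import java.util.List;
import java.util.Optional;

// Added illustration (Java 17); none of these types are OneSpan SDK classes.
public class Fido2PolicyDemo {
    // Assumption: the "zero-value" stored for none attestation is the all-zero AAGUID.
    static final String ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";

    // What the relying party knows about the authenticator in an operation.
    record Authenticator(String aaguid, String attestation) {}

    // Assumed criterion shape: every field that is present must match;
    // a criterion with no fields matches any authenticator.
    record MatchCriteria(Optional<String> aaguid, Optional<String> attestation) {
        boolean matches(Authenticator a) {
            return aaguid.map(a.aaguid()::equalsIgnoreCase).orElse(true)
                && attestation.map(a.attestation()::equalsIgnoreCase).orElse(true);
        }
    }

    record Policy(List<MatchCriteria> allowed, List<MatchCriteria> disallowed) {
        // Allowed if any allowed criterion matches and no disallowed criterion does.
        boolean permits(Authenticator a) {
            return allowed.stream().anyMatch(c -> c.matches(a))
                && disallowed.stream().noneMatch(c -> c.matches(a));
        }
    }

    // Models the behaviour described for OAS-22923: with none attestation the
    // reported AAGUID is not kept, the record holds the zero value instead.
    static Authenticator toStoredRecord(Authenticator reported) {
        return "none".equalsIgnoreCase(reported.attestation())
            ? new Authenticator(ZERO_AAGUID, "none") : reported;
    }

    public static void main(String[] args) {
        String keyA = "11111111-1111-1111-1111-111111111111"; // constructed AAGUID
        String keyB = "22222222-2222-2222-2222-222222222222"; // constructed AAGUID
        Policy policy = new Policy(
            List.of(new MatchCriteria(Optional.empty(), Optional.empty())),   // allow all
            List.of(new MatchCriteria(Optional.of(keyB), Optional.empty()))); // except keyB

        System.out.println("keyA, packed: " + policy.permits(new Authenticator(keyA, "packed")));
        System.out.println("keyB, packed: " + policy.permits(new Authenticator(keyB, "packed")));
        Authenticator stored = toStoredRecord(new Authenticator(keyB, "none"));
        System.out.println("keyB, none -> stored " + stored.aaguid() + ": " + policy.permits(stored));
    }
}
```

In this model an AAGUID-based disallow rule does not match a record registered with none attestation, because the record holds the zero value; restricting authenticator models therefore depends on requiring an attestation format other than none.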

Issue OAS-22425: Inconsistencies in sample web application responses  uaf‑sample 

Description: A couple of inconsistencies in the sample web application responses have been identified that violate the FIDO UAF protocol specification:

  • The AuthenticationAlgorithm field is being returned as a string instead of an integer value.
  • The policy returned by the server contains the Authenticator Attestation ID key in uppercase (AAID), instead of lowercase (aaid).

Status: This issue has been fixed.

Issue OAS-21982: Incorrect policy matching logic for multiple assertions  uaf  

Description: If a registration response with multiple assertions is passed and the FIDO UAF server policy is configured with a combined accepted element, the registration is rejected.

Status: This issue has been fixed. Multiple assertions are now handled correctly.

Deprecated components and features

End-of-life of FIDO Universal Server SDK 3.1 and earlier

FIDO Universal Server SDK 3.2 supersedes all previous versions of FIDO Universal Server SDK. All versions of FIDO Universal Server SDK up to 3.1 will no longer be available for download and will reach end-of-life by January 1, 2026. For more information, refer to the OneSpan product life cycle reference, available at https://www.onespan.com/support/security/product-life-cycle.

We strongly recommend migrating to FIDO Universal Server SDK 3.2 at your earliest convenience to allow future upgrades and receive further product enhancements.

PDF documentation (Deprecated)

You can view the user documentation of most OneSpan products online already at https://docs.onespan.com/, and we plan to shift exclusively to online documentation.

This means that PDF documentation will be completely removed in future releases of OneSpan FIDO Universal Server SDK.