Welcome to OneSpan FIDO Universal Server SDK 3.3!
The FIDO Universal Server SDK consists of two SDKs that are designed to help you implement UAF 1.1 and FIDO2 services. The product package contains:
The FIDO UAF SDK library for integrations with the UAF protocol (uaf-core) and a sample web application (fido-sample-webapp).
uaf-core-ext 3.2.1
fido-sample-webapp 3.2.1
The FIDO2 SDK library for integrations with the FIDO2 protocol (fido2-core) and a FIDO2 SDK sample web application (fido2-sample-webapp).
fido2-core-ext 2.2.1
fido2-sample-webapp 3.2.0
This document covers the following topics:
New features and enhancements
Fixes and other updates
Deprecated components and features, architectural changes
Known issues
For more information about configuring and using OneSpan FIDO Universal Server SDK, refer to the respective documentation.
Recently, a critical security vulnerability (CVE-2025-24813) in Apache Tomcat has been detected, which allows remote code execution. This security vulnerability affects all versions from 10.1.0-M1 to 10.1.34. We strongly recommend that you use Apache Tomcat 10.1.39 or later.
New features and enhancements
Software libraries
OneSpan FIDO Universal Server SDK now includes the following (updated) third-party libraries:
Apache Tomcat 10.1.48 (fido2‑sample, uaf‑sample)
Bouncy Castle 1.80 (fido2, fido2‑sample, uaf, uaf‑sample)
SpringBoot 3.5.6 (fido2, fido2‑sample, uaf, uaf‑sample)
Web servers
The FIDO UAF sample web application can now be run on the following web application servers:
WebSphere 25.0.0.1 or later (uaf‑sample)
Fixes and other updates
Issue OAS-30703: Relax signature counter validation (uaf)
Description: The FIDO UAF signature counter indicates how many times an authenticator has performed signatures in the past. It is validated by the server when receiving authentication requests to verify that the authenticator's use counter has not been tampered with, preventing replay attacks by ensuring a signature is new. The server-side signature counter validation of FIDO Universal Server SDK enforces a strict increment by exactly 1, which does not allow lost responses, for example, due to network issues.
Affects: FIDO Universal Server SDK 3.0–3.2
Status: This issue has been fixed. The sign counter validation now verifies whether the signature counter has incremented, but not necessarily by 1.
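The difference between the two validation rules described in this issue, as an added Java example (not OneSpan's SDK code; the class, enum and method names are hypothetical, and the counter sequence is constructed):

```java
public class SignCounterDemo {
    // Hypothetical names for illustration; this is not the SDK's API.
    enum Policy { STRICT_PLUS_ONE, STRICTLY_GREATER }

    /** Last accepted signature counter for one registered authenticator. */
    static final class Registration {
        long storedCounter; // UAF counter is an unsigned 32-bit value, so keep it in a long
        Registration(long initial) { storedCounter = initial; }
    }

    /** Accepts or rejects a received counter; the stored value advances only on accept. */
    static boolean validate(Registration reg, long received, Policy policy) {
        boolean ok = (policy == Policy.STRICT_PLUS_ONE)
                ? received == reg.storedCounter + 1   // rule described for 3.0-3.2
                : received > reg.storedCounter;       // rule described for the fix
        if (ok) {
            reg.storedCounter = received;
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sequence of counters as they reach the server, starting from 4.
        // The response carrying counter 6 was lost in transit and never arrived.
        long[] received = {5, 7, 7, 3, 8};
        String[] label = {
            "normal authentication",
            "authentication after lost response",
            "same counter presented again",
            "counter lower than stored value",
            "next authentication"
        };
        for (Policy policy : Policy.values()) {
            Registration reg = new Registration(4);
            System.out.println(policy);
            for (int i = 0; i < received.length; i++) {
                boolean ok = validate(reg, received[i], policy);
                System.out.printf("  counter=%d  %-36s %s  stored=%d%n",
                        received[i], label[i], ok ? "ACCEPT" : "REJECT", reg.storedCounter);
            }
        }
    }
}
```

Under the strict rule, every authentication after the lost response is rejected because the stored value stays at 5; the relaxed rule accepts 7 and 8 while still rejecting the repeated and lower counters.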
Issue OAS-24867: Problem when parsing uvm extension in fido2-core (fido2)
Description: An issue has been reported that occurs when parsing the uvm field during FIDO2 authentication. The User Verification Method (UVM) is an extension field in the authenticator data that enables the use of a user verification method.
Status: This issue has been fixed. A deserializer for the uvm extension has been added to fido2-core.
Deprecated components and features
End-of-life of FIDO Universal Server SDK 3.1 and earlier
FIDO Universal Server SDK 3.3 supersedes all previous versions of FIDO Universal Server SDK. All versions of FIDO Universal Server SDK up to 3.1 will no longer be available for download and will reach end-of-life by January 1, 2026. For more information, refer to the OneSpan product life cycle reference, available at https://www.onespan.com/support/security/product-life-cycle.
We strongly recommend that you migrate to FIDO Universal Server SDK 3.3 at your earliest convenience to allow future upgrades and receive further product enhancements.
PDF documentation
The PDF documentation has been completely removed from the OneSpan FIDO Universal Server SDK product deliverable. You can view the OneSpan FIDO Universal Server SDK documentation exclusively online on the OneSpan documentation portal, available at https://docs.onespan.com/sec/docs/fido-ussdk-3-3.