Releases: polhenarejos/pico-fido

Version 3.0

26 Mar 18:15
v3.0
d4ed55b

This is a major release that includes support for additional interfaces, such as CCID.

New features

  • Added support for OATH, based on the YKOATH protocol specification over the CCID interface.
  • Added basic support for OTP (not usable yet).
  • New HSM SDK.
  • Added support for LED drivers based on WS2812, such as waveshare boards.

Enhancements

  • Pico FIDO supports local build emulation: it builds a host executable that implements the CTAP 2.1 stack and allows remote testing.
  • Upgraded to Pico SDK 1.5.
  • Added interrupt endpoint.
  • Improved compatibility with Windows hosts.
  • Increased certificate validity to 50 years.
  • Added support for newer waveshare boards.

Fixes

  • Fix AID selection.
  • Fix ATR response.
  • Fix returned version.
  • Fix uninitialized variable.
  • Fix increasing counter on make credential.
  • Fix crash when missing PubKey type.
  • Fix encoding map on credmgmt listing credentials for specific RP.
  • Fix cbor processing when unknown command is used.
  • Fix sending keepalive on cbor processing.
  • Fix potential crash on delete file.
  • Fix race condition.

Version 2.10

17 Feb 11:15
5e0b0bf

This release includes the following enhancements and new features:

New Features

  • Enterprise attestation
  • credBlobs extension
  • largeBlobKey extension
  • largeBlobs support (2048 bytes max.)

Enhancements

  • Added support for Enterprise Attestation. Once enabled, a CSR can be generated on the device and sent to our PKI; if valid, the PKI returns a certificate signed by an intermediate CA, which is then used for attestation.
  • Upgraded pico-fido-tool.py to support Enterprise Attestation by uploading either a CSR or a signed certificate.
  • Added support for credBlob.
  • Added MAX_MSG_SIZE parameter in getInfo.
  • Added key derivation for largeBlob.
  • Added support for largeBlobKey.
  • Added minPinLength extension test.
  • Added credBlob test.
  • Added largeBlob support.
  • Added lbw permission.

and fixes:

Fixes

  • credProtect is not returned in getAssertion.
  • Fixed buffer overflow deriving the credential key.
  • Fixed double free.
  • Fix GET permission in getAssertion.
  • Fixed numberOfCredentials return.
  • Fix token rp link clear.
  • Fix credMgmt tests.

Version 2.8

19 Dec 22:04
v2.8
71c0e86

This release includes the following enhancements:

Enhancements

  • Added Enterprise Attestation support.
  • Added vendor subcommand to upload and embed an enterprise certificate.
  • Added --filename flag to pico-fido tool.

and the following bug fixes:

Bug fixes

  • Fixed UV token request.
  • Fixed RP attachment to token.
  • Fixed RP enumeration.
  • Fixed CM permission in credMgmt preview.
  • Fixed memory free.

Version 2.6

07 Dec 10:15
v2.6
e5834ff

This release includes the following enhancements:

Added

  • Added minPinLength extension.
  • Added support for setMinPinLength.
  • Added support for authenticatorConfig verification.
  • Added support for permissions.

And the following bug fixes:

Bug fixes

  • Fix counting PIN retries.

Version 2.4

15 Nov 11:12
54c0769

This version aims at improving the security of the device.

New

  • Added a new feature called Secure Lock, which encrypts the whole device to prevent flash dumps if the device is left unattended. Once enabled, the device must be unlocked each time it is plugged in.
  • Backup with 24 words: create a backup protected by 24 words and restore it on another device. With just these 24 words and the backup file you can restore your device in case of damage and recover all your keys and credentials.
  • All these features follow the standard and are implemented via the Vendor and Config Vendor commands.

See python3 pico-fido-tool.py --help for more information.

Version 2.2

05 Oct 11:17
v2.2
7f97ea4

This version includes the following major enhancements:

  • Credential management: capability to manage discoverable credentials by listing, updating and deleting.
  • Authenticator selection: some applications may require selecting a specific authenticator when several are attached, or for convenience.
  • Get assertion also returns userName and userDisplayName.

Developer enhancements:

  • Added a test suite which works with python-fido2 package version 1.0, which includes the latest enhancement of CTAP 2.1.

Bug fixes:

  • Potential crash when editing metadata (although Pico FIDO does not use metadata).
  • Counting mismatches.
  • Consecutive assertion enumerations.
  • Changing PIN if not set.
  • User data is returned if there is more than one discoverable credential for that RP.
  • Many bug fixes for ProtocolV2 with the hmac-secret extension.
  • Changing PIN with ProtocolV2.
  • Verification of a key when it is a U2F key.
  • Potential overflow on change PIN with ProtocolV2.
  • Return numberOfCredentials.
  • Public key size in credential id.
  • Increasing signature counter.
  • Credential creation when the up option is absent.
  • PIN ProtocolV2.
  • Severe crash generating internal device certificate.

Version 2.0

25 Sep 17:08
v2.0
8338762

This is a major release that adds support for CTAP 2.1 and WebAuthn.

It maintains compatibility with U2F (CTAP 1).

Version 1.2

08 Sep 15:10
7ae80ab

This version adds the following enhancements:

  • Added user presence enforcement for registration and authentication. The user must press the button to confirm.
  • Added the user presence flag and a global counter on authentication.
  • Verify key handle.
  • Added SYNC, LOCK, PING commands to HID interface.

Also, many bug fixes.

Full Changelog: v1.0...v1.2

Version 1.0

05 Sep 15:49
9cbe6d9

This is the first release.

This initial release supports U2F.
It implements the U2FHID protocol, including continuation packet flow.
It contains the REGISTER, AUTHENTICATE and VERSION commands.

It has been tested with the Yubico and Azure test portals without incidents using Chrome.
Firefox sends an all-zeros payload, I do not know why. And Safari requires a prior touch/Face ID interaction to trigger the event. So, it only works on Chrome.