Releases: BryanJacobs/FIDO2Applet
v2.4.2
v2.4.1
This is the same content as release 2.4.0, but with a higher firmware version reported by the applet.
v2.4.0
This release fixes a vulnerability where credential IDs were protected by an unintentionally-short nonce.
An attacker in possession of both the authenticator and a credential previously issued by it could:
- Use that credential without a PIN, despite the credential being set to credProtect=3
- Use the credential after its deletion, despite the credential having originally been created as resident, but only where the Relying Party was also lax in its own checks
Although the attack surface for either problem is fairly low, it is still best to update to this applet version.
The first problem is only exploitable when alwaysUv is disabled, so enabling that setting negates it. The second problem is only exploitable when the Relying Party also has a problem. Neither problem exists for resident credentials when USE_LOW_SECURITY_FOR_SOME_RKS and LOW_SECURITY_MAXIMUM_COMPLIANCE are explicitly set to false at applet install time (the default is for them to be set to true).
v2.3.0
Fix iterating through credentials with readers that do not handle eAPDUs.
v2.2.1
Doesn't leak memory when deleting credentials on cards that do not auto-GC.
v2.1.2
Supports more than 127 discoverable credentials at once.
v2.1.1
Fixes another state-keeping corner case in resident key handling.
v2.1.0
Fixes a variety of uncommon bugs. Reported FIDO2 firmware version is now 6.
Recommended over earlier versions.
v2.0.5
Allows installing using a suffix of the FIDO2 AID.
Bumps the FW version number to 5.
v2.0.4
A variety of small bug fixes.
From this version, the applet forces the use of the official FIDO AID, due to problems getting the applet's own AID on certain smartcards.
Example installation parameters: a7050506182007190400081820091904000a1904000b00.