Version 2.9.0

webauthn-server-core:

Security fixes:

• Fixed issue where RelyingParty.finishAssertion and RelyingPartyV2.finishAssertion could return a successful authentication result even though the authenticated credential is owned by a different user than StartAssertionOptions.username. For details see YSA-2026-02: https://www.yubico.com/support/security-advisories/ysa-2026-02/
  • This fix is forward-ported from version 2.8.2 since the issue is also present in pre-release 2.9.0-alpha1.

Fixes:

• Added @since tags to AttestationTrustSource javadoc.

webauthn-server-attestation:

Changes:

• FidoMetadataDownloader builder method .downloadBlob(URL) now logs a warning if the given URL is not an HTTPS URL. Javadoc relaxed to not describe HTTPS as required since this was never enforced.

New features:

• Added AuthenticatorStatus.RETIRED and Filters.notRetired().
• Added AttachmentHint.ATTACHMENT_HINT_SMART_CARD.
  • Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see #468 and #467
• Added UNKNOWN constant to all enums in com.yubico.fido.metadata:
  • AttachmentHint
  • AuthenticationAlgorithm
  • AuthenticatorAttestationType
  • CtapCertificationId
  • CtapPinUvAuthProtocolVersion
  • CtapVersion
  • ProtocolFamily
  • PublicKeyRepresentationFormat
  • TransactionConfirmationDisplayType
• Added enum constant CtapVersion.FIDO_2_3.
• Added missing fields to FIDO MDS data model:
  • AuthenticatorGetInfo: attestationFormats, longTouchForReset, uvCountSinceLastPinEntry, transportsForReset, pinComplexityPolicy, pinComplexityPolicyURL, maxPINLength, authenticatorConfigCommands
  • BiometricAccuracyDescriptor: iAPARThreshold
  • MetadataStatement: friendlyNames, iconDark, providerLogoLight, providerLogoDark, keyScope, multiDeviceCredentialSupport, cxpConfigURL
  • StatusReport: certificationProfiles, sunsetDate, fipsRevision, fipsPhysicalSecurityLevel
• FidoMetadataDownloader now sends the If-None-Match request header set to the "no" of the cached BLOB, if any, and handles 304 Not Modified responses appropriately.
• In FidoMetadataDownloader if a BLOB download request returns an HTTP failure status, but returns an ETag response header matching the "no" of the cached BLOB, if any, this is now interpreted like a successful 304 Not Modified response.
• Added .cachePolicy setting to FidoMetadataDownloader to allow dynamically opting out of falling back to cache when a BLOB download fails.

Fixes:

• Added @since tags to AuthenticatorStatus and FidoMetadataService javadoc.
• All com.yubico.fido.metadata enums now deserialize unknown values to UNKOWN instead of crashing the parser.

Artifacts built with openjdk version "17.0.18" 2026-01-20.