Release Notes - FIDO Connector

The following lists public releases of new features, resolved issues, and known limitations for new versions of the Yubico FIDO Connector App.

Release 1.2.0 (3 November 2025)

New Features & Enhancements

  • Passkey name in FIDO Pre-reg calls: To make it easier for recipients to identify a passkey, a yubikey_name field has been added to the POST /v1/fpr/shipments request. The passkey name together with the YubiKey serial number is displayed in the IdP.

    The field is optional. If a custom name is not provided, the default name Pre-Reg YubiKey: {SERIAL} is displayed. If a custom name is provided, all characters must be ASCII and the field length must not exceed 18 characters. See Create Shipment Requests in the API Reference.

  • Configurable IdP service: In order for the FIDO Connector to work with multiple IdPs, support has been added for configuration of IdP-specific application properties. The IdP to be used is set through properties that can be overridden by an environment variable (IDP_DEFAULT). Currently the supported IdPs are Microsoft Entra ID (property value set to entraid) and PingOne (property value set to pingone). If no value is set for the environment variable (IDP_DEFAULT), the FIDO Connector will use entraid as the default.
  • Passkey name provided in PIN email: To make it easier for recipients to identify passkeys, functionality has been added to provide the passkey name together with the PIN in the email sent to recipients. The payload sent to the Azure Logic App providing the email now includes a new field yubikeyDisplayName, which is the authenticator display name. The email also includes the serial number of the YubiKey.
  • PingOne Object_Id (username) as user_id: As part of the added FIDO Connector PingOne support, functionality has been added to verify that the user_id used is a GUID, when creating the MFA User Device on PingOne. If the value is not a GUID, it is handled as an Object_Id, and the GUID user ID for it is retrieved from the PingOne endpoint /environments/{environments}/users. The user_id is then saved as the GUID value.

  • Email sending of PIN to recipient: The Logic App, which controls the sending of the PIN emails, has been updated to support more IdPs. It is now used only to send emails and does not contain any IdP-specific logic. By default the email sender Logic App is configured to send PIN email to “recipient_email” provided in the POST /v1/fpr/shipments request.

    The POST /v1/fpr/shipments request also has a new enrollment_contacts.emails_to field which takes a list of strings with email addresses to which the PIN can be sent. Using the "enrollment_contacts" object is optional for every IdP implementation. When using this method, the default Send Shipment Pin Azure Logic App must be appropriately modified to use emailsTo. See Create Shipment Requests in the API Reference.

  • Matching authentication method display names: Functionality has been added to the FIDO Connector to match the “YubiKey Display Name”, sent in the PIN email, with the Auth Methods “Nickname” available in PingOne.
  • Email functionality: The default Logic App functionality has been updated to send the PIN email to the email addresses received in the new emailsTo list. If no email addresses are provided, sending the PIN email will fail. As part of this, the ARM template has also been updated to support the Logic App updates.

Resolved Issues

  • Resending PIN not possible: An issue was reported where it was not possible to resend the PIN due to issues with the Logic App. The credentials were activated but the shipment request remained in state “Ongoing”. In this case, the PIN resend functionality expects the state to be “Complete”. This issue has been resolved, and resending a PIN now works as expected.

Release 1.1.6 (16 October 2025)

New Features & Enhancements

  • Expiration date for Azure Key Vault secrets: A default expiration date has been set for Key Vault secrets in order to align with policies requiring an expiration date. When creating a Key Vault secret, the FIDO Connector will set SecretProperties setExpiresOn(OffsetDateTime expiresOn) to 45 days. This value can be changed in the Azure portal. For more information, see Key Vault - Secrets (Microsoft documentation).

Release 1.1.4 (22 August 2025)

New Features & Enhancements

  • Get user using UPN (User Principal Name): Previously, in the JSON request the user_id was provided as Object ID. To enhance the user experience, the input now allows user_id to be provided either as Object ID, for example "user_id": "123456-abc-123456-xyz", or as UPN, for example "user_id": "username@yubico123.sample.com".
  • Connector container app version: Functionality has been updated to show the application version. /v1/status now returns the "FIDO_CONNECTOR_VERSION": "string" field displaying the version of the FIDO Connector application software.

Resolved Issues

  • Connector API response: Previously the API was returning a “500 Internal Server Error” message, for example when an invalid YubiEnterprise API token was used. To provide more guidance to the user, the error message has been changed to show a “401 Unauthorized” error message instead.

Release 1.1.1 (25 June 2025)

New Features & Enhancements

  • PIN length changed to 4-63. The validation in the API accepts a PIN length value between 4 to 63, inclusive. This means you can enter any number from 4 up to 63 (including either 4 or 63) as PIN length. See API Reference.
  • Support for address validation override. An address_validation_bypass flag (true/false) has been added to the API. If set to “true”, the API will accept the provided address without further validation. See Address Validation.

Release 1.0.0 (3 April 2025)

First release of the Yubico FIDO Connector App. The application is deployed to a Microsoft Azure subscription and handles most of the Customer Orchestration complexities. For more information about included features, see Yubico FIDO Connector App.