Release Notes

This section contains release notes for the Yubico FIDO Connector, including feature updates, enhancements, resolved issues, and known limitations for the Yubico FIDO Connector releases. The changes reported in the release notes are cumulative.

---

2026

Release 1.2.7 (16 April 2026)

New Features & Enhancements

• Support for remote pre-programming: The FIDO Connector has been updated to allow remote FIDO Pre-reg programming of YubiKeys by default. Remote pre-programming enables enrollment of YubiKeys by trusted users that securely program credentials on a YubiKey outside of Yubico premises.

• PingOne AIC credential activation: In order for the FIDO Connector to support PingOne AIC (Advanced Identity Cloud), a Ping AIC activate credential method has been implemented. This method registers the credentials, and is called by either the activation routine, or the endpoint.

• Retry logic for activating credentials: Retry logic has been added in case of failure when registering a YubiKey for an end user account. During the credential activation, if registering the YubiKey fails and the PingOne AIC Journey has returned a new AuthId, the retry logic will use that new AuthId in the retry operation.

• Support for end-user provided PIN: Functionality has been added allowing an end user to provide their own PIN in the remote credential issuance workflow, to avoid sending the PIN via email. In the intended scenario, an IT Admin is processing the credential request with the end user in the same location. If end-user provided PIN is enabled, the enrollment flow will display a prompt, and the device is handed over to the end user who enter their PIN.

• PingOne AIC default relying party options: Functionality has been added to make the PingOne AIC default relying party an optional configuration. If credentials.relying_party_id is present in the request, then this will be used. Otherwise, if the PingOne AIC default relying party is configured in the FIDO Connector through the PING_AIC_DEFAULT_RELYING_PARTY environment variable, then this will be used. If non of these are provided, the Journey’s Relying-Party Identifier configuration is used.

API updates in this release:

• To support end-user provided PIN, a PinEntryMethod parameter to indicate whether the credential request allows a PIN to be entered, has been added to the FIDO Connector API. The value is received by the FIDO Connector, which will let the user enter their PIN in the mobile device if the value is set to “user_entered”. If the value is set to “generated”, the end-user provided PIN option will not be displayed in the mobile device, and the PIN will be auto-generated.

• The following new APIs are used to create and process credential requests:

  • Create Credential Request
  • Get Credential Request Status
  • Process Credential Request

  Note

  The current APIs to request shipment of FIDO pre-enrolled YubiKeys remain the same, if you also want to benefit from the Yubico Delivery service. For more information, see Create Shipment Request.

Release 1.2.3 (23 February 2026)

Resolved Issues

• Processing of shipments in Delivery Exception state: Previously, shipments in the Delivery Exception state (106) were treated as an error, causing the job to skip them. This resulted in delays in registering the YubiKey to the user’s account, as the next registration attempt was only made once the YubiKey was marked as Delivered. This issue has been resolved. The Delivery Exception state is treated as a valid status, indicating a delivery delay where the shipment is still expected to be delivered.

• Delegated subnet issue: An issue was reported where during deployment of the FIDO Connector, an error message “The environment network configuration is invalid: The delegated subnet cannot be used by any other Azure resources.” was received. Azure Container Apps require subnet delegation when the “Environment Type” is set to “Workload Profiles”. Azure has recently started to set this as the default. To resolve this issue, the deployment template has been modified to include the required subnet delegation.

2025

Release 1.2.0 (3 November 2025)

New Features & Enhancements

• Passkey name in FIDO Pre-reg calls: To make it easier for recipients to identify a passkey, a yubikey_name field has been added to the POST /v1/fpr/shipments request. The passkey name together with the YubiKey serial number is displayed in the IdP.

  The field is optional. If a custom name is not provided, the default name Pre-Reg YubiKey: {SERIAL} is displayed. If a custom name is provided, all characters must be ASCII and the field length must not exceed 18 characters. See Create Shipment Requests in the API Reference.

• Configurable IdP service: In order for the FIDO Connector to work with multiple IdPs, support has been added for configuration of IdP-specific application properties. The IdP to be used is set through properties that can be overridden by an environment variable (IDP_DEFAULT). Currently the supported IdPs are Microsoft Entra ID (property value set to entraid) and PingOne (property value set to pingone). If no value is set for the environment variable (IDP_DEFAULT), the FIDO Connector will use entraid as the default.

• Passkey name provided in PIN email: To make it easier for recipients to identify passkeys, functionality has been added to provide the passkey name together with the PIN in the email sent to recipients. The payload sent to the Azure Logic App providing the email now includes a new field yubikeyDisplayName, which is the authenticator display name. The email also includes the serial number of the YubiKey.

• PingOne Object_Id (username) as user_id: As part of the added FIDO Connector PingOne support, functionality has been added to verify that the user_id used is a GUID, when creating the MFA User Device on PingOne. If the value is not a GUID, it is handled as an Object_Id, and the GUID user ID for it is retrieved from the PingOne endpoint /environments/{environments}/users. The user_id is then saved as the GUID value.

• Email sending of PIN to recipient: The Logic App, which controls the sending of the PIN emails, has been updated to support more IdPs. It is now used only to send emails and does not contain any IdP-specific logic. By default the email sender Logic App is configured to send PIN email to “recipient_email” provided in the POST /v1/fpr/shipments request.

  The POST /v1/fpr/shipments request also has a new enrollment_contacts.emails_to field which takes a list of strings with email addresses to which the PIN can be sent. Using the "enrollment_contacts" object is optional for every IdP implementation. When using this method, the default Send Shipment Pin Azure Logic App must be appropriately modified to use emailsTo. See Create Shipment Requests in the API Reference.

• Matching authentication method display names: Functionality has been added to the FIDO Connector to match the “YubiKey Display Name”, sent in the PIN email, with the Auth Methods “Nickname” available in PingOne.

• Email functionality: The default Logic App functionality has been updated to send the PIN email to the email addresses received in the new emailsTo list. If no email addresses are provided, sending the PIN email will fail. As part of this, the ARM template has also been updated to support the Logic App updates.

Resolved Issues

• Resending PIN not possible: An issue was reported where it was not possible to resend the PIN due to issues with the Logic App. The credentials were activated but the shipment request remained in state “Ongoing”. In this case, the PIN resend functionality expects the state to be “Complete”. This issue has been resolved, and resending a PIN now works as expected.

Release 1.1.6 (16 October 2025)

New Features & Enhancements

• Expiration date for Azure Key Vault secrets: A default expiration date has been set for Key Vault secrets in order to align with policies requiring an expiration date. When creating a Key Vault secret, the FIDO Connector will set SecretProperties setExpiresOn(OffsetDateTime expiresOn) to 45 days. This value can be changed in the Azure portal. For more information, see Key Vault - Secrets (Microsoft documentation).

Release 1.1.4 (22 August 2025)

New Features & Enhancements

• Get user using UPN (User Principal Name): Previously, in the JSON request the user_id was provided as Object ID. To enhance the user experience, the input now allows user_id to be provided either as Object ID, for example "user_id": "123456-abc-123456-xyz", or as UPN, for example "user_id": "username@yubico123.sample.com".

• Connector container app version: Functionality has been updated to show the application version. /v1/status now returns the "FIDO_CONNECTOR_VERSION": "string" field displaying the version of the FIDO Connector application software.

Resolved Issues

• Connector API response: Previously the API was returning a “500 Internal Server Error” message, for example when an invalid YubiEnterprise API token was used. To provide more guidance to the user, the error message has been changed to show a “401 Unauthorized” error message instead.

Release 1.1.1 (25 June 2025)

New Features & Enhancements

• PIN length changed to 4-63. The validation in the API accepts a PIN length value between 4 to 63, inclusive. This means you can enter any number from 4 up to 63 (including either 4 or 63) as PIN length. See API Reference.

• Support for address validation override. An address_validation_bypass flag (true/false) has been added to the API. If set to “true”, the API will accept the provided address without further validation. See Address Validation.

Release 1.0.0 (3 April 2025)

First release of the Yubico FIDO Connector App. The application is deployed to a Microsoft Azure subscription and handles most of the Customer Orchestration complexities. For more information about included features, see Yubico FIDO Connector App.