v13.2.2

Changes

• [browser] [server] In the spirit of contributing to increased software supply chain transparency, both libraries are now published via GitHub Actions workflows. Package listings on JSR and NPM feature build transparency logs at the bottom of their respective pages (#725, #726, #727)

v13.2.1

Changes:

• [server] generateRegistrationOptions() will now correctly encoded the userID argument to base64url when it is an instance of Node's Buffer (#724)

v13.2.0

• [server] The return value from verifyRegistrationResponse() has been defined more strictly to communicate that registrationInfo will only ever be present if verified is true (#715)
• [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes by using EC public keys with the P-384 curve (#721)
• [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled by setting attestationSafetyNetEnforceCTSCheck: false when calling verifyRegistrationResponse(). This check remains enforced by default (#722)
• [browser] [server] These libraries now have better support in Deno 2.2+ projects which use generic typing for Uint8Array via TypeScript 5.7. SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later. (#717)

v13.1.2

Changes

• [browser] [server] Exported the ResidentKeyRequirement type to help with type inference (#704)

v13.1.1

Changes:

• [server] "android-key" attestation statement verification has been modernized (#675)
• [server] More TPM manufacturers are recognized while verifying "tpm" attestation statements (#673)

v13.1.0

Changes:

• [server] The cross-fetch dependency has been removed from the project to silence in the console DeprecationWarning's about a "punycode" module (#661)
• [browser] startRegistration() and startAuthentication() will now warn about calls made using the pre-v11 call structure to encourage refactoring to use the current call structure, but still try to handle such calls the best they can (#664)

v13.0.0 - The one where they share a type

Hot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read on for more information, including refactor advice for dealing with the retirement of @simplewebauthn/types.

Changes:

• [server] A new preferredAuthenticatorType argument can be set when calling generateRegistrationOptions() to generate options that encourage the browser to direct the user to register one of three types of authenticators: 'securityKey', 'localDevice', or 'remoteDevice' (a.k.a. opinionated WebAuthn hints support) (#653)
• [browser] startRegistration() will recognize hints if specified in optionsJSON (#652)
• [server] Attestation verification now recognizes intermediate certificates as trust anchors (#650)
• [browser] [server] The types previously maintained in the types package are now included within the browser and server packages. See Breaking Changes below for more info (#655)

Breaking Changes

@typescript/types is being retired.

Its types will now be included directly in @simplewebauthn/browser and @simplewebauthn/server.

To refactor existing imports from /types, simply import them from /browser or /server instead:

Before:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@simplewebauthn/types'; // <--

After:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@simplewebauthn/server'; // <--

---

[server] attestationType no longer accepts 'indirect'

The benefits of indirect attestation are too minimal to be useful for Relying Parties. In practice it is almost never used over ignoring the concept completely with 'none' or needing to be intentional and setting 'direct'.

RP's that have been specifying attestationType: 'indirect' when calling generateRegistrationOptions() will need to refactor their code to either omit attestationType (generateRegistrationOptions() will default to attestationType: 'none') or set attestationType: 'direct' instead:

Before:

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'indirect'
});

After:

const options = await generateRegistrationOptions({
  // ...
});

-or-

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'direct'
});

v12.0.0 - The one that claims a JSR scope

All SimpleWebAuthn packages are now available for installation from the JavaScript Registry (JSR)! JSR is an "open-source package registry for modern JavaScript and TypeScript" - you can read more about this new package registry and its ESM-centric capabilities here.

All packages in v12.0.0 are functionally identical to v11.0.0! And JSR package hosting is in addition to existing package hosting on NPM. Nothing changes about package installation via npm install. Read on for more information.

Packages

• @simplewebauthn/[email protected]
• @simplewebauthn/[email protected]
• @simplewebauthn/[email protected]

Changes

• [browser] [server] [types] All packages can now be installed from JSR wherever JSR imports are supported (#634)
• [browser] Deno projects using frameworks like Fresh can now import and use @simplewebauthn/browser (#634)

To install from JSR, use npx jsr add @simplewebauthn/... or deno add jsr:@simplewebauthn/... depending on which package manager is available.

Projects using npm for package management:

npx jsr add @simplewebauthn/browser

npx jsr add @simplewebauthn/server

npx jsr add @simplewebauthn/types

Projects using deno for package management:

deno add jsr:@simplewebauthn/browser

deno add jsr:@simplewebauthn/server

deno add jsr:@simplewebauthn/types

Projects using HTTPS modules via deno.land/x:

v12.0.0 officially deprecates importing SimpleWebAuthn from deno.land/x. See Breaking Changes below for refactor guidance.

Breaking Changes

Importing SimpleWebAuthn packages from "https://deno.land/x/simplewebauthn/..." URLs is no longer supported. Please use Deno's native support for JSR imports instead, available in projects running Deno v1.42 and higher.

Before:

import { generateAuthenticationOptions } from 'https://deno.land/x/simplewebauthn/deno/server.ts';

After:

import { generateAuthenticationOptions } from 'jsr:@simplewebauthn/server';

Alternatively, use deno add to install these packages from JSR:

# Deno v1.42 and higher
deno add jsr:@simplewebauthn/server

import { generateAuthenticationOptions } from '@simplewebauthn/server';

v11.0.0 - The one that auto-registers

Say hello to support for automatic passkey registration, support for valid conditional UI <input> elements stashed away in web components, and to the new WebAuthnCredential type that modernizes some logic within.

There are some breaking changes in this release! Please see Breaking Changes below for refactor guidance.

Packages

• @simplewebauthn/[email protected]
• @simplewebauthn/[email protected]
• @simplewebauthn/[email protected]

Changes

• [browser] [server] A new useAutoRegister argument has been added to startRegistration() to support attempts to automatically register passkeys for users who just completed non-passkey auth. verifyRegistrationResponse() has gained a new requireUserPresence option that can be set to false when verifying responses from startRegistration({ useAutoRegister: true, ... }) (#623)
• [browser] A new verifyBrowserAutofillInput argument has been added to startAuthentication() to disable throwing an error when a correctly configured <input> element cannot be found (but perhaps a valid one is present in a web component shadow's DOM) (#621)
• [server] [types] The AuthenticatorDevice type has been renamed to WebAuthnCredential and has had its properties renamed. The return value out of verifyRegistrationResponse() and corresponding inputs into verifyAuthenticationResponse() have been updated accordingly. See Breaking Changes below for refactor guidance (#625)
• [server] verifyRegistrationResponse() now verifies that the authenticator data AAGUID matches the leaf cert's id-fido-gen-ce-aaguid extension AAGUID when it is present (#609)
• [server] TPM attestation verification recognizes the corrected TPM manufacturer identifier for IBM (#610)
• [server] Types for the defunct authenticator extensions uvm and dpk have been removed (#611)

Breaking Changes

[browser] Positional arguments in startRegistration() and startAuthentication() have been replaced by a single object

Property names in the object match the names of the previously-positional arguments. To update existing implementations, wrap existing options in an object with corresponding properties:

Before:

startRegistration(options);
startAuthentication(options, true);

After:

startRegistration({ optionsJSON: options });
startAuthentication({ optionsJSON: options, useBrowserAutofill: true });

[server] [types] The AuthenticatorDevice type has been renamed to WebAuthnCredential

AuthenticatorDevice.credentialID and AuthenticatorDevice.credentialPublicKey have been shortened to WebAuthnCredential.id and WebAuthnCredential.publicKey respectively.

verifyRegistrationResponse() has been updated accordingly to return a new credential value of type WebAuthnCredential. Update code that stores credentialID, credentialPublicKey, and counter out of verifyRegistrationResponse() to store credential.id, credential.publicKey, and credential.counter instead:

Before:

const { registrationInfo } = await verifyRegistrationResponse({...});

storeInDatabase(
  registrationInfo.credentialID,
  registrationInfo.credentialPublicKey,
  registrationInfo.counter,
  body.response.transports,
);

After:

const { registrationInfo } = await verifyRegistrationResponse({...});

storeInDatabase(
  registrationInfo.credential.id,
  registrationInfo.credential.publicKey,
  registrationInfo.credential.counter,
  registrationInfo.credential.transports,
);

Update calls to verifyAuthenticationResponse() to match the new credential argument that replaces the authenticator argument:

Before:

import { AuthenticatorDevice } from '@simplewebauthn/types';

const authenticator: AuthenticatorDevice = {
  credentialID: ...,
  credentialPublicKey: ...,
  counter: 0,
  transports: [...],
};

const verification = await verifyAuthenticationResponse({
  // ...
  authenticator,
});

After:

import { WebAuthnCredential } from '@simplewebauthn/types';

const credential: WebAuthnCredential = {
  id: ...,
  publicKey: ...,
  counter: 0,
  transports: [...],
};

const verification = await verifyAuthenticationResponse({
  // ...
  credential,
});

v10.0.1

Packages

• @simplewebauthn/[email protected]

Changes

• [server] isoCrypto.verify() now has better support for signature verification with ECC public keys using P-256, P-385, and P-521 curves (#594, with thanks to @nlordell)