• Stars
    star
    354
  • Rank 120,042 (Top 3 %)
  • Language
    Scala
  • License
    Other
  • Created over 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

java-webauthn-server

Build Status Mutation test coverage Binary reproducibility

Server-side Web Authentication library for Java. Provides implementations of the Relying Party operations required for a server to support Web Authentication, including passkey authentication.

Warning
Psychic signatures in Java

In April 2022, CVE-2022-21449 was disclosed in Oracleโ€™s OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server. The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid, allowing authentication bypass for users with such a credential. Please read Oracleโ€™s advisory and make sure you are not using one of the impacted OpenJDK versions. If you are, we urge you to upgrade your Java deployment to a version that is safe.

Table of contents

Features

  • Generates request objects suitable as parameters to navigator.credentials.create() and .get()

  • Performs all necessary validation logic on the response from the client

  • No mutable state or side effects - everything (except builders) is thread safe

  • Optionally integrates with an "attestation trust source" to verify authenticator attestations

  • Reproducible builds: release signatures match fresh builds from source. See Reproducible builds below.

Non-features

This library has no concept of accounts, sessions, permissions or identity federation, and it is not an authentication framework; it only deals with executing the WebAuthn authentication mechanism. Sessions, account management and other higher level concepts can make use of this authentication mechanism, but the authentication mechanism alone does not make a security system.

Dependency configuration

Maven:

<dependency>
  <groupId>com.yubico</groupId>
  <artifactId>webauthn-server-core</artifactId>
  <version>2.4.1</version>
  <scope>compile</scope>
</dependency>

Gradle:

implementation("com.yubico:webauthn-server-core:2.4.1")
Note
You may need additional dependencies with JCA providers to support some signature algorithms. In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms. The library will log warnings if you try to configure it for algorithms with no JCA provider available.

Semantic versioning

This library uses semantic versioning. The public API consists of all public classes, methods and fields in the com.yubico.webauthn package and its subpackages, i.e., everything covered by the Javadoc, with the exception of features annotated with a @Deprecated annotation and a @deprecated EXPERIMENTAL: tag in JavaDoc. Such features are considered unstable and may receive breaking changes without a major version increase.

Package-private classes and methods are NOT part of the public API. The com.yubico:yubico-util module is NOT part of the public API. Breaking changes to these will NOT be reflected in version numbers.

Additional modules

In addition to the main webauthn-server-core module, there is also:

Documentation

See the Javadoc for in-depth API documentation.

Getting started

Using this library comes in two parts: the server side and the client side. The server side involves:

  1. Implement the CredentialRepository interface with your database access logic.

  2. Instantiate the RelyingParty class.

  3. Use the RelyingParty.startRegistration(...) and RelyingParty.finishRegistration(...) methods to perform registration ceremonies.

  4. Use the RelyingParty.startAssertion(...) and RelyingParty.finishAssertion(...) methods to perform authentication ceremonies.

  5. Optionally use additional features: passkeys, passwordless multi-factor authentication, credential backup state.

The client side involves:

  1. Call navigator.credentials.create() or .get(), passing the result from RelyingParty.startRegistration(...) or .startAssertion(...) as the argument.

  2. Encode the result of the successfully resolved promise and return it to the server. For this you need some way to encode Uint8Array values; this guide will use GitHubโ€™s webauthn-json library.

Example code is given below. For more detailed example usage, see webauthn-server-demo for a complete demo server.

1. Implement a CredentialRepository

The CredentialRepository interface abstracts your database in a database-agnostic way. The concrete implementation will be different for every project, but you can use InMemoryRegistrationStorage as a simple example.

2. Instantiate a RelyingParty

The RelyingParty class is the main entry point to the library. You can instantiate it using its builder methods, passing in your CredentialRepository implementation (called MyCredentialRepository here) as an argument:

RelyingPartyIdentity rpIdentity = RelyingPartyIdentity.builder()
    .id("example.com")  // Set this to a parent domain that covers all subdomains
                        // where users' credentials should be valid
    .name("Example Application")
    .build();

RelyingParty rp = RelyingParty.builder()
    .identity(rpIdentity)
    .credentialRepository(new MyCredentialRepository())
    .build();

3. Registration

A registration ceremony consists of 5 main steps:

  1. Generate registration parameters using RelyingParty.startRegistration(...).

  2. Send registration parameters to the client and call navigator.credentials.create().

  3. With cred as the result of the successfully resolved promise, call cred.getClientExtensionResults() and cred.response.getTransports() and return their results along with cred to the server.

  4. Validate the response using RelyingParty.finishRegistration(...).

  5. Update your database using the finishRegistration output.

This example uses GitHubโ€™s webauthn-json library to do both (2) and (3) in one function call.

First, generate registration parameters and send them to the client:

Optional<UserIdentity> findExistingUser(String username) { /* ... */ }

PublicKeyCredentialCreationOptions request = rp.startRegistration(
  StartRegistrationOptions.builder()
    .user(
        findExistingUser("alice")
            .orElseGet(() -> {
                byte[] userHandle = new byte[64];
                random.nextBytes(userHandle);
                return UserIdentity.builder()
                    .name("alice")
                    .displayName("Alice Hypothetical")
                    .id(new ByteArray(userHandle))
                    .build();
            })
    )
    .build());

String credentialCreateJson = request.toCredentialsCreateJson();
return credentialCreateJson;  // Send to client

You will need to keep this PublicKeyCredentialCreationOptions object in temporary storage so you can also pass it into RelyingParty.finishRegistration(...) later. If needed, you can use the toJson() and fromJson(String) methods to serialize and deserialize the value for storage.

Now call the WebAuthn API on the client side:

import * as webauthnJson from "@github/webauthn-json";

// Make the call that returns the credentialCreateJson above
const credentialCreateOptions = await fetch(/* ... */).then(resp => resp.json());

// Call WebAuthn ceremony using webauthn-json wrapper
const publicKeyCredential = await webauthnJson.create(credentialCreateOptions);

// Return encoded PublicKeyCredential to server
fetch(/* ... */, { body: JSON.stringify(publicKeyCredential) });

Validate the response on the server side:

String publicKeyCredentialJson = /* ... */;     // publicKeyCredential from client
PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> pkc =
    PublicKeyCredential.parseRegistrationResponseJson(publicKeyCredentialJson);

try {
    RegistrationResult result = rp.finishRegistration(FinishRegistrationOptions.builder()
        .request(request)  // The PublicKeyCredentialCreationOptions from startRegistration above
                           // NOTE: Must be stored in server memory or otherwise protected against tampering
        .response(pkc)
        .build());
} catch (RegistrationFailedException e) { /* ... */ }

Finally, if the previous step was successful, store the new credential in your database. Here is an example of things you will likely want to store:

storeCredential(              // Some database access method of your own design
  "alice",                    // Username or other appropriate user identifier
  result.getKeyId(),          // Credential ID and transports for allowCredentials
  result.getPublicKeyCose(),  // Public key for verifying authentication signatures
  result.getSignatureCount(), // Initial signature counter value
  result.isDiscoverable(),    // Is this a passkey?
  result.isBackupEligible(),  // Can this credential be backed up (synced)?
  result.isBackedUp(),        // Is this credential currently backed up?
  pkc.getResponse().getAttestationObject(), // Store attestation object for future reference
  pkc.getResponse().getClientDataJSON()     // Store client data for re-verifying signature if needed
);

4. Authentication

Like registration ceremonies, an authentication ceremony consists of 5 main steps:

  1. Generate authentication parameters using RelyingParty.startAssertion(...).

  2. Send authentication parameters to the client, call navigator.credentials.get() and return the response.

  3. With cred as the result of the successfully resolved promise, call cred.getClientExtensionResults() and return the result along with cred to the server.

  4. Validate the response using RelyingParty.finishAssertion(...).

  5. Update your database using the finishAssertion output, and act upon the result (for example, grant login access).

This example uses GitHubโ€™s webauthn-json library to do both (2) and (3) in one function call.

First, generate authentication parameters and send them to the client:

AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
    .username("alice")     // Or .userHandle(ByteArray) if preferred
    .build());
String credentialGetJson = request.toCredentialsGetJson();
return credentialGetJson;  // Send to client

Again, you will need to keep this AssertionRequest object in temporary storage so you can also pass it into RelyingParty.finishAssertion(...) later. If needed, you can use the toJson() and fromJson(String) methods to serialize and deserialize the value for storage.

Now call the WebAuthn API on the client side:

import * as webauthnJson from "@github/webauthn-json";

// Make the call that returns the credentialGetJson above
const credentialGetOptions = await fetch(/* ... */).then(resp => resp.json());

// Call WebAuthn ceremony using webauthn-json wrapper
const publicKeyCredential = await webauthnJson.get(credentialGetOptions);

// Return encoded PublicKeyCredential to server
fetch(/* ... */, { body: JSON.stringify(publicKeyCredential) });

Validate the response on the server side:

String publicKeyCredentialJson = /* ... */;  // publicKeyCredential from client
PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> pkc =
    PublicKeyCredential.parseAssertionResponseJson(publicKeyCredentialJson);

try {
    AssertionResult result = rp.finishAssertion(FinishAssertionOptions.builder()
        .request(request)  // The PublicKeyCredentialRequestOptions from startAssertion above
        .response(pkc)
        .build());

    if (result.isSuccess()) {
        return result.getUsername();
    }
} catch (AssertionFailedException e) { /* ... */ }
throw new RuntimeException("Authentication failed");

Finally, if the previous step was successful, update your database using the AssertionResult. Most importantly, you should update the signature counter. That might look something like this:

updateCredential(              // Some database access method of your own design
  "alice",                     // Query by username or other appropriate user identifier
  result.getCredentialId(),    // Query by credential ID of the credential used
  result.getSignatureCount(),  // Set new signature counter value
  result.isBackedUp(),         // Set new backup state flag
  Clock.systemUTC().instant()  // Set time of last use (now)
);

Then do whatever else you need - for example, initiate a user session.

5. Optional features: passkeys, multi-factor, backup state

WebAuthn supports a number of additional features beyond the basics:

Passkeys: passwordless, username-less authentication

A passkey is a WebAuthn credential that can simultaneously both identify and authenticate the user. This is also called a discoverable credential. By default, credentials are created non-discoverable, which means the server must list them in the allowCredentials parameter before the user can use them to authenticate. This is typically because the credential private key is not stored within the authenticator, but instead encoded into one of the credential IDs in allowCredentials. This way even a small hardware authenticator can have an unlimited credential capacity, but with the drawback that the user must first identify themself to the server so the server can retrieve the correct allowCredentials list.

Passkeys are instead stored within the authenticator, and also include the userโ€™s user handle in addition to the credential ID. This way the user can be both identified and authenticated simultaneously. Many passkey-capable authenticators also offer a credential sync mechanism to allow one passkey to be used on multiple devices.

Passkeys can be created by setting the authenticatorSelection.residentKey option to REQUIRED:

PublicKeyCredentialCreationOptions request = rp.startRegistration(
  StartRegistrationOptions.builder()
    .user(/* ... */)
    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
        .residentKey(ResidentKeyRequirement.REQUIRED)
        .build())
    .build());

The username can then be omitted when starting an authentication ceremony:

AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder().build());

Some authenticators might create passkeys even if not required, and setting the residentKey option to PREFERRED will create a passkey if the authenticator supports it. The RegistrationResult.isDiscoverable() method can be used to determine whether the created credential is a passkey. This requires the credProps extension to be enabled, which it is by default.

User verification: passwordless multi-factor authentication

User verification can be enforced independently per authentication ceremony:

AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
    .username("alice")
    .userVerification(UserVerificationRequirement.REQUIRED)
    .build());

Then RelyingParty.finishAssertion(...) will enforce that user verification was performed. However, there is no guarantee that the userโ€™s authenticator will support this unless the user has some credential created with the authenticatorSelection.userVerification option set:

PublicKeyCredentialCreationOptions request = rp.startRegistration(
  StartRegistrationOptions.builder()
    .user(/* ... */)
    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
        .userVerification(UserVerificationRequirement.REQUIRED)
        .build())
    .build());

User verification can be used with both discoverable credentials (passkeys) and non-discoverable credentials.

Using passkeys with autofill UI

Passkeys on platform authenticators may also support the WebAuthn autofill UI, also known as "conditional mediation". This can help onboard users who are unfamiliar with a fully username-less login flow, allowing a familiar username input field to opportunistically offer a shortcut using a passkey if the user has one on their device.

This library is compatible with the autofill UI but provides no server-side options for it, because the steps to enable it are taken on the front-end side. Using autofill UI does not affect the response verification procedure.

See the guide on passkeys.dev for complete instructions on how to enable the autofill UI. In particular you need to:

  • Add the credential request option mediation: "conditional" alongside the publicKey option generated by RelyingParty.startAssertion(...),

  • Add autocomplete="username webauthn" to a username input field on the page, and

  • Call navigator.credentials.get() in the background.

If the Promise resolves, handle it like any other assertion response as described in 4. Authentication above.

Because of technical limitations, autofill UI is as of May 2023 only supported for platform credentials, i.e., passkeys stored on the userโ€™s computing devices. Autofill UI might support passkeys on external security keys in the future.

Credential backup state

Some authenticators may allow credentials to be backed up and/or synced between devices. This capability and its current state is signaled via the Credential Backup State flags, which are available via the isBackedUp() and isBackupEligible() methods of RegistrationResult and AssertionResult. These can be used as a hint about how vulnerable a user is to authenticator loss. In particular, a user with only one credential which is not backed up may risk getting locked out if they lose their authenticator.

Migrating from version 1.x

Migrating from U2F

This section is only relevant for applications that have user credentials registered via the U2F JavaScript API. New WebAuthn deployments can skip this section.

The WebAuthn API is backwards-compatible with U2F authenticators, and credentials registered via the U2F API will continue to work with the WebAuthn API with the right settings.

To migrate to using the WebAuthn API, you need to do the following:

  1. Follow the Getting started guide above to set up WebAuthn support in general.

    Note that unlike a U2F AppID, the WebAuthn RP ID consists of only the domain name of the AppID. WebAuthn does not support U2F Trusted Facet Lists.

  2. Set the appId() setting on your RelyingParty instance. The argument to the appid() setting should be the same as you used for the appId argument to the U2F register and sign functions.

    This will enable the appid and appidExclude extensions and configure the RelyingParty to accept the given AppId when verifying authenticator signatures.

  3. Generate a user handle for each existing user and store it in their account, or decide on a method for deriving one deterministically from existing user attributes. For example, if your user records are assigned UUIDs, you can use that UUID as the user handle. You SHOULD NOT use a plain username or e-mail address, or hash of either, as the user handle - for more on this, see the User Handle Contents privacy consideration.

  4. When your CredentialRepository creates a RegisteredCredential for a U2F credential, use the U2F key handle as the credential ID. If you store key handles base64 encoded, you should decode them using ByteArray.fromBase64 or ByteArray.fromBase64Url as appropriate before passing them to the RegisteredCredential.

  5. When your CredentialRepository creates a RegisteredCredential for a U2F credential, use the publicKeyEs256Raw() method instead of publicKeyCose() to set the credential public key.

  6. Replace calls to the U2F register method with calls to navigator.credentials.create() as described in Getting started.

  7. Replace calls to the U2F sign method with calls to navigator.credentials.get() as described in Getting started.

Existing U2F credentials should now work with the WebAuthn API.

Note that new credentials registered on U2F authenticators via the WebAuthn API are NOT backwards compatible with the U2F JavaScript API.

Architecture

The library tries to place as few requirements on the overall application architecture as possible. For this reason it is stateless and free from side effects, and does not directly interact with any database. This means it is database agnostic and thread safe. The following diagram illustrates an example architecture for an application using the library.

Example application architecture

The application manages all state and database access, and communicates with the library via POJO representations of requests and responses. The following diagram illustrates the data flow during a WebAuthn registration or authentication ceremony.

WebAuthn ceremony sequence diagram

In this diagram, the Client is the userโ€™s browser and the applicationโ€™s client-side scripts. The Server is the application and its business logic, the Library is this library, and the Users database stores registered WebAuthn credentials.

  1. The client requests to start the ceremony, for example by submitting a form. The username may or may not be known at this point. For example, the user might be requesting to create a new account, or we might be using username-less authentication.

  2. If the user does not already have a user handle, the application creates one in some application-specific way.

  3. The application may choose to authenticate the user with a password or the like before proceeding.

  4. The application calls one of the libraryโ€™s "start" methods to generate a parameter object to be passed to navigator.credentials.create() or .get() on the client.

  5. The library generates a random challenge and an assortment of other arguments depending on configuration set by the application.

  6. If the username is known, the library uses a read-only database adapter provided by the application to look up the userโ€™s credentials.

  7. The returned list of credential IDs is used to populate the excludeCredentials or allowCredentials parameter.

  8. The library returns a request object which can be serialized to JSON and passed as the publicKey argument to navigator.credentials.create() or .get(). For registration ceremonies this will be a PublicKeyCredentialCreationOptions, and for authentication ceremonies it will be a PublicKeyCredentialRequestOptions. The application stores the request in temporary storage.

  9. The applicationโ€™s client-side script runs navigator.credentials.create() or .get() with request as the publicKey argument.

  10. The user confirms the operation and the client returns a PublicKeyCredential object response to the application.

  11. The application retrieves the request from temporary storage and passes request and response to one of the libraryโ€™s "finish" methods to run the response validation logic.

  12. The library verifies that the response contents - challenge, origin, etc. - are valid.

  13. If this is an authentication ceremony, the library uses the database adapter to look up the public key for the credential named in response.id.

  14. The database adapter returns the public key.

  15. The library verifies the authentication signature.

  16. The library returns a POJO representation of the result of the ceremony. For registration ceremonies, this will include the credential ID and public key of the new credential. The application may opt in to also getting information about the authenticator model and whether the authenticator attestation is trusted. For authentication ceremonies, this will include the username and user handle, the credential ID of the credential used, and the new signature counter value for the credential.

  17. The application inspects the result object and takes any appropriate actions as defined by its business logic.

  18. If the result is not satisfactory, the application reports failure to the client.

  19. If the result is satisfactory, the application proceeds with storing the new credential if this is a registration ceremony.

  20. If this is an authentication ceremony, the application updates the signature counter stored in the database for the credential.

  21. Finally, the application reports success and resumes its business logic.

Using attestation

WebAuthn supports authenticator attestation, which provides a way for the web service to request cryptographic proof of what authenticator the user is using. Most services do not need this, and it is disabled by default.

The webauthn-server-attestation module provides optional additional features for working with attestation. See the module documentation for more details.

Alternatively, you can use the AttestationTrustSource interface to implement your own source of attestation root certificates and set it as the attestationTrustSource for your RelyingParty instance. Note that depending on your JCA provider configuration, you may need to set the enableRevocationChecking and/or policyTreeValidator settings for compatibility with some authenticators' attestation certificates. See the JavaDoc for these settings for more information.

Building

Use the included Gradle wrapper to build the .jar artifact:

$ ./gradlew :webauthn-server-core:jar

The output is built in the webauthn-server-core/build/libs/ directory, and the version is derived from the most recent Git tag. Builds done on a tagged commit will have a plain x.y.z version number, while a build on any other commit will result in a version number containing the abbreviated commit hash.

To run the tests:

$ ./gradlew check

To run the PIT mutation tests (this may take upwards of 30 minutes):

$ ./gradlew pitest

Reproducible builds

Starting in version 1.4.0-RC2, artifacts are built reproducibly. Fresh builds from tagged commits should therefore be verifiable by signatures from Maven Central and GitHub releases:

$ git checkout 1.4.0-RC2
$ ./gradlew :webauthn-server-core:jar

$ wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/1.4.0-RC2/webauthn-server-core-1.4.0-RC2.jar.asc
$ gpg --verify webauthn-server-core-1.4.0-RC2.jar.asc webauthn-server-core/build/libs/webauthn-server-core-1.4.0-RC2.jar

$ wget https://github.com/Yubico/java-webauthn-server/releases/download/1.4.0-RC2/webauthn-server-core-1.4.0-RC2.jar.asc
$ gpg --verify webauthn-server-core-1.4.0-RC2.jar.asc webauthn-server-core/build/libs/webauthn-server-core-1.4.0-RC2.jar

Note that building with a different JDK may produce a different artifact. To ensure binary reproducibility, please build with the same JDK as specified in the release notes. Reproducible builds also require building from a Git repository, since the build embeds version number and Git commit ID into the built artifacts.

Official Yubico software signing keys are listed on the Yubico Developers site.

More Repositories

1

yubioath-flutter

Yubico Authenticator for Desktop (Windows, macOS and Linux) and Android
Dart
832
star
2

yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
Python
729
star
3

yubico-pam

Yubico Pluggable Authentication Module (PAM)
C
650
star
4

pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2
C
498
star
5

libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.
C
461
star
6

python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
Python
362
star
7

libu2f-host

Yubico Universal 2nd Factor (U2F) Host C Library
C
321
star
8

php-u2flib-server

(OBSOLETE) U2F library in PHP
PHP
292
star
9

python-u2flib-server

Python based U2F server library
Python
287
star
10

yubikey-personalization

YubiKey Personalization cross-platform library and tool
C
279
star
11

yubico-piv-tool

Command line tool for the YubiKey PIV application
C
255
star
12

yubioath-android

Yubico Authenticator for Android
Kotlin
240
star
13

python-yubico

Python code to talk to YubiKeys
Python
220
star
14

ykneo-openpgp

OpenPGP applet for the YubiKey NEO
Java
214
star
15

yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
QML
200
star
16

yubikey-personalization-gui

YubiKey Personalization GUI
C++
183
star
17

yubikit-ios

Yubico Mobile iOS SDK - YubiKit
Objective-C
171
star
18

php-yubico

PHP class for Yubico authentication
PHP
133
star
19

java-u2flib-server

(OBSOLETE) Java server-side library for U2F
Java
130
star
20

yubikey-val

YubiKey OTP validation server in PHP
PHP
130
star
21

Yubico.NET.SDK

A YubiKey SDK for .NET developers
C#
98
star
22

libu2f-server

Yubico Universal 2nd Factor (U2F) Server C Library
C
94
star
23

yubico-c

YubiKey C low-level library (libyubikey)
C
92
star
24

yubico-c-client

Yubico C client library
C
87
star
25

yubikit-android

Yubico Mobile Android SDK - YubiKit
Java
77
star
26

u2fval

Python based U2F Validation Server
Python
75
star
27

yubihsm-shell

yubihsm-shell and libyubihsm
C
73
star
28

python-pyhsm

Python code for YubiHSM
Python
67
star
29

ykneo-oath

OATH App for the YubiKey NEO
Java
63
star
30

yubico-java-client

Client library for verifying YubiKey one-time passwords (OTPs).
Java
62
star
31

webauthn-recovery-extension

Asynchronous delegated key generation without shared secrets (DRAFT)
Python
59
star
32

yubikey-neo-manager

Cross platform personalization tool for the YubiKey NEO
Python
57
star
33

yubico-windows-auth

YubiKey Logon for windows
C++
56
star
34

yubikey-ksm

YubiKey Key Storage Module
Perl
55
star
35

yubico-dotnet-client

Yubico validation protocol 2.0 client
C#
52
star
36

developers.yubico.com

Source code for generating our website
HTML
49
star
37

python-u2flib-host

Python based U2F host library
Python
47
star
38

wordpress-u2f

A Wordpress U2F plugin.
PHP
42
star
39

python-yubihsm

Python
42
star
40

yubiclip-android

YubiKey NEO OTP to clipboard app for Android
Java
41
star
41

yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
Python
40
star
42

yubiauth

Authentication backend written in Python
Python
29
star
43

yubix

Yubico reference authentication software stack. This package installs and configures various packages contained in the YubiX stack.
Perl
29
star
44

yubihsm-connector

Go
28
star
45

yubioath-ios

Yubico Authenticator for iOS
Swift
27
star
46

ykneo-curves

Applet for testing ecc curves
Java
25
star
47

android-u2f-demo

U2F demo app for Android using NFC
Java
24
star
48

yubix-vm

Scripts for building a VM image for Yubi-X
Shell
18
star
49

u2fval-client-php

PHP connector library for communicating with a U2FVAL server
PHP
17
star
50

yubico-shibboleth-idp-multifactor-login-handler

Multi-factor Login Handler for Shibboleth IdP.
Java
16
star
51

yubico.github.com

Release artifacts for all projects.
HTML
15
star
52

u2fval-client-python

Python connector library for communicating with a U2FVAL server
Python
14
star
53

yubico-j

Low-level library for decrypting and parsing Yubikey One-Time Passwords (OTP), written in Java.
Java
14
star
54

yubikey-neo-demo

Android demo application for uses of the YubiKey NEO
Java
14
star
55

python-yubicommon

Common utility modules shared between various Python based Yubico projects.
Python
13
star
56

yubico-bitcoin-java

Java client library for communicating with the ykneo-bitcoin applet for the YubiKey NEO
Java
13
star
57

yubitotp-android

Android application for TOTP with YubiKey NEO
Java
13
star
58

yubico-dbus-notifier

Get D-Bus notifications when a YubiKey is inserted/removed
Python
12
star
59

libykneomgr

YubiKey NEO CCID Manager C Library
C
11
star
60

yubico-perl-client

AnyEvent based Perl extension for validating YubiKey OTPs against the Yubico Validation Protocol version 2.0
Perl
11
star
61

yubiadmin

Web based administration tool for Yubico software components including YK-VAL, YK-KSM and rlm_yubikey
Python
11
star
62

ifd-yubico

Yubico OS X libccid patcher
Python
10
star
63

yubikey-personalization-gui-dpkg

Debian packaging of yubico-personalization-gui
C++
8
star
64

yubihsmrs

rust wrapper for libyubihsm
Rust
8
star
65

yubico-pam-dpkg

Debian packaging of yubico-pam
Shell
7
star
66

yubikey-neo-manager-dpkg

Debian packaging for yubikey-neo-manager
Python
7
star
67

yubikey-salesforce-client

Apex classes for validating YubiKey one-time passwords
Apex
7
star
68

rlm-yubico

FreeRADIUS module for using YubiKeys for authentication
Perl
7
star
69

yubico-piv-tool-dpkg

Moved to https://salsa.debian.org/auth-team/yubico-piv-tool
C
7
star
70

yubikey-personalization-dpkg

Debian package of yubikey-personalization
C
6
star
71

yubioath-desktop-dpkg

Debian package for yubioath-desktop.
Python
6
star
72

yubikit-swift

Yubico Swift SDK - YubiKit
Swift
6
star
73

yubico-bitcoin-python

Python client library and command line tool for communicating with the ykneo-bitcoin applet for the YubiKey NEO
Python
6
star
74

python-yubico-client-dpkg

Debian package for python-yubico-client.
Python
5
star
75

gradle-gpg-signing-plugin

GnuPG signing backend for Gradle's Signing plugin
Java
5
star
76

python-yubico-dpkg

Debian packaging of python-yubico
Python
5
star
77

python-pyhsm-dpkg

Debian packaging of python-pyhsm
Python
4
star
78

yubihsm-setup

Rust
4
star
79

libu2f-server-dpkg

Debian packaging for libu2f-server
Shell
4
star
80

ykneo-ccid-tools

YubiKey NEO CCID Tools
Objective-C
4
star
81

arkg-rfc

Internet-Draft: The Asynchronous Remote Key Generation (ARKG) algorithm
Makefile
4
star
82

yubico-c-dpkg

Debian packaging of the Yubico C library (libyubikey)
Shell
4
star
83

webauthn-sign-kem-extensions

DRAFT: WebAuthn extension(s) for arbitrary signing and key encapsulation
4
star
84

pam-u2f-dpkg

Debian packaging for pam-u2f
Shell
3
star
85

php-yubico-dpkg

Debian packaging of php-yubico
PHP
3
star
86

yubikey-piv-manager-dpkg

Debian packaging for yubikey-piv-manager
Python
3
star
87

yubico-c-client-dpkg

Debian package of Yubico C Client
Shell
2
star
88

libu2f-host-dpkg

debian packaging of libu2f-host
Shell
2
star
89

yubikey-ksm-dpkg

Debian package of YubiKey KSM project
Perl
2
star
90

yubikey-val-dpkg

Debian package of YubiKey VAL project
PHP
2
star
91

globalplatform-dpkg

Debian packaging for globalplatform
C
2
star
92

rlm-yubico-dpkg

Debian package of rlm-yubico
Perl
2
star
93

gpshell-dpkg

Debian packaging for gpshell
C
2
star
94

gppcscconnectionplugin-dpkg

Debian packaging for gppcscconnectionplugin
Shell
2
star
95

yubiauth-dpkg

Debian package of the YubiAuth project
Python
2
star
96

yubico-perl-client-dpkg

Debian packaging for yubico-perl-client
Perl
2
star
97

yubiadmin-dpkg

Debian package for yubiadmin
Python
2
star
98

libykneomgr-dpkg

Debian packaging of libykneomgr
Shell
2
star