Hardware-bound digital signatures with FIDO passkeys
Test the future of hardware-backed digital identity, passkey experiences, and enterprise credential management
The YubiKey 5.8 early access program enables you to use the proposed W3C WebAuthn sign extension, the latest CTAP 2.3 passkey experiences, and enterprise-grade credential management. Build digital identity wallets, improve passkey UX, and automate YubiKey fleet operations before anyone else does.
BETA PROGRAM: YubiKey 5.8 firmware is in beta stage and subject to change.
Track 1 (Digital Signatures): Use temporary algorithm IDs which require migration once the YubiKey further becomes generally available.
All Tracks: Beta firmware subject to change before general availability.
Platform support is evolving. Native SDKs and mobile support varies by track. Check with your developer advocate for the latest compatibility during onboarding.
For production signing TODAY, use the PIV applet: developers.yubico.com/PIV/
What You’ll Get
For Accepted Developers:
- YubiKey 5.8 hardware with preview firmware
- Track-based onboarding call with Yubico developer advocates and fellow participants
- Direct support channel
- Track-specific documentation and code examples
Choose Your Track
We’ve organized this program into 4 tracks. Each track has different technical maturity, migration requirements, and support focus.
Track 1: Digital Signatures + Wallets
For: EUDI wallet builders, mDL implementers, verifiable credential platforms
What you’ll be able to test:
- previewSign extension with ARKG (Asynchronous Remote Key Generation) for unlinkable signatures
- PRF (Pseudo-Random Function) for encryption key derivation during credential creation
- Hardware attestation for trust chains
Specification: previewSign proposed for WebAuthn L4, PRF in CTAP 2.3
Ideal for:
- Building EUDI (European Digital Identity) wallets
- Creating verifiable credential managers
- Privacy-preserving digital identity solutions
Migration requirement: You’ll need to migrate from temporary algorithm ID to final ID once generally available.
Track 2: Passkey UX Enhancements
For: Consumer auth platforms, enterprise SSO, fintech apps
What you’ll be able to test:
- PPUAT (Persistent Platform User Authentication Token) for “remember this device”
- encIdentifier (privacy-preserving cached credential management)
- Improved passkey discovery and selection flows
Specification status: CTAP 2.3 stable
Ideal for:
- Improving login UX with autofill passkeys
- Enterprise single sign-on (SSO) improvements
- Consumer authentication platforms
Track 3: Secure Payment Confirmation
For: Payment processors, merchant platforms, payment service providers
What you’ll be able to test:
- thirdPartyPayment extension for cross-domain payment credentials
- Secure Payment Confirmation (SPC) integration patterns
- Transaction binding and verification flows
Specification: CTAP 2.3
Ecosystem status: Early adoption – browser and payment network support evolving
Ideal for:
- Exploring hardware-backed payment confirmation
- Providing feedback to browser vendors and payment networks
- Proof-of-concept payment confirmation flows
Migration requirement: beta firmware – ecosystem APIs are subject to change.
Note: Browser-based SPC doesn’t support roaming authenticators yet (Feb 2026). This track is exploratory.
Track 4: YubiKey Credential Management
For: Enterprise IT, MDM providers, credential lifecycle tools
What you’ll test:
- FIDO over CCID for offline credential management
- encCredStoreState (encrypted credential store state reporting)
- PIN enhancements (maxPINLength, pinComplexityPolicy, pinComplexityPolicyURL, uvCountSinceLastPinEntry)
Specification status: CTAP 2.2/2.3
Ideal for:
- Building enterprise YubiKey management tools
- Credential lifecycle automation
- Enterprise attestation and compliance
What we’ll need
Please fill out the following form, so we can select which use case will be best suited for our limited seats available.
Please expect a confirmation or rejection letter by mid March.