Update fido2 requirement from ~=1.1 to ~=2.0

[dependabot]

Updates the requirements on fido2 to permit the latest version.

Release notes

Sourced from fido2's releases.

python-fido2 2.0.0

Version 2.0.0 (released 2025-05-20)

• See also the migration guide: doc/Migration_1-2.adoc.
• Python 3.10 or later is now required.
• WebAuthn dataclasses have been updated to align with the WebAuthn Level 3 Working Draft. Constructors now require keyword arguments (kwargs_only=True), and serialization to/from dictionaries is compatible with standardized JSON formats.
• The features.webauthn_json_mapping flag has been removed, as its behavior (standardized JSON mapping) is now default.
• Fido2Client and WindowsClient constructors now accept a ClientDataCollector instance instead of origin and verify parameters.
• WindowsClient has been relocated to fido2.client.windows. Importing this class on non-Windows platforms will now raise an ImportError.
• Fido2Client methods now return RegistrationResponse and AuthenticationResponse objects, instead of raw attestation/assertion data.
• CTAP2/WebAuthn extension handling has been redesigned. Fido2Client now expects a list of Ctap2Extension instances. Default behavior includes extensions commonly supported by browsers.
• The fido2.cbor module's load_x and dump_x functions have been made private (renamed with a leading underscore) and should not be used directly.
• Previously deprecated functions and APIs have been removed.
• The __version__ attribute in fido2/__init__.py has been removed. Use importlib.metadata.version('fido2') to get the package version.
• Add support for Persistent PinUvAuthToken and encIdentifier.
• Add support for hmac-secret-mc and thirdPartyPayments exensions.
• Add new GetInfo fields based on CTAP 2.2
• Update COSE algorithnm types.
• Building the library now requires Poetry version 2.0 or later.

Changelog

Sourced from fido2's changelog.

• Version 2.0.0 (released 2025-05-20) ** See also the migration guide: doc/Migration_1-2.adoc. ** Python 3.10 or later is now required. ** WebAuthn dataclasses have been updated to align with the WebAuthn Level 3 Working Draft. Constructors now require keyword arguments (kwargs_only=True), and serialization to/from dictionaries is compatible with standardized JSON formats. ** The features.webauthn_json_mapping flag has been removed, as its behavior (standardized JSON mapping) is now default. ** Fido2Client and WindowsClient constructors now accept a ClientDataCollector instance instead of origin and verify parameters. ** WindowsClient has been relocated to fido2.client.windows. Importing this class on non-Windows platforms will now raise an ImportError. ** Fido2Client methods now return RegistrationResponse and AuthenticationResponse objects, instead of raw attestation/assertion data. ** CTAP2/WebAuthn extension handling has been redesigned. Fido2Client now expects a list of Ctap2Extension instances. Default behavior includes extensions commonly supported by browsers. ** The fido2.cbor module's load_x and dump_x functions have been made private (renamed with a leading underscore) and should not be used directly. ** Previously deprecated functions and APIs have been removed. ** The __version__ attribute in fido2/__init__.py has been removed. Use importlib.metadata.version('fido2') to get the package version. ** Add new GetInfo fields based on CTAP 2.2. ** Add support for Persistent PinUvAuthToken and encIdentifier. ** Add support for hmac-secret-mc and thirdPartyPayments exensions. ** Update COSE algorithm types. ** Building the library now requires Poetry version 2.0 or later.

• Version 1.2.0 (released 2024-11-27) ** Improved extension handling: Several new extensions are now supported, both for Fido2Client and WindowsClient. Extension APIs have been redesigned, and old APIs have been deprecated, slated for removal in version 2.0. *** Disable hmac-secret extension by default, preferring prf. ** Improved (de-)serialization of dataclasses to/from JSON-friendly dicts. ** Fido2Client: *** Support allowCredentials/excludeCredentials of arbitrary length. *** Handle PUAT_REQUIRED by re-attempting with PIN/UV. ** Allow localhost (and subdomains) to use http:// in RP ID verification by default. ** NFC: Support for Authenticators that return SW=61XX on SELECT. ** USB: Improve connection recovery and use more specific exceptions for errors. ** Fix: Handle residentKey=preferred properly. ** Fix: Handle Authentictors that do not pass extensions in GetInfo.

• Version 1.1.3 (released 2024-03-13) ** Fix USB HID issue on MacOS that sometimes caused a pause while waiting for a timeout. ** Fix argument to CredProp extension where an enum value was required instead of also allowing a string.

... (truncated)

Commits

• 18cdb62 Update dependencies
• 3b28eee Update NEWS
• e484c54 Add comment for clarification
• 3c21f0c Bump version, update NEWS
• 2c39251 Use TYPE_CHECKING
• 57e970e Set sdist timestamps to commit date
• acd5616 Merge PR #254
• 3f258aa Update docstrings
• 2d685d2 Organize imports with ruff
• b7d6a01 Replace black and flake8 with ruff
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Test Results

0 tests   - 4   0 ✅  - 4   0s ⏱️ ±0s
0 suites  - 3   0 💤 ±0 
0 files    - 1   0 ❌ ±0 

Results for commit fc897b5. ± Comparison against base commit f0b8a4e.

[dependabot]

Superseded by #186.