diff --git a/.coditsu/ci.yml b/.coditsu/ci.yml
new file mode 100644
index 0000000..dff43e8
--- /dev/null
+++ b/.coditsu/ci.yml
@@ -0,0 +1,3 @@
+repository_id: 'f789891f-3f4e-42be-a25b-068d49708ddb'
+api_key: <%= ENV['CODITSU_API_KEY'] %>
+api_secret: <%= ENV['CODITSU_API_SECRET'] %>
diff --git a/.gitignore b/.gitignore
index b6a0a6d..c3c5c77 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,4 +30,6 @@
 .rvmrc
 
 # Example files
-/example/.bundle
\ No newline at end of file
+/example/.bundle
+vendor
+.coditsu/local.yml
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000..ac31b24
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,15 @@
+Documentation:
+  Enabled: false
+AllCops:
+  TargetRubyVersion: 2.6
+
+Metrics/LineLength:
+  Max: 100
+
+Metrics/ModuleLength:
+  Exclude:
+    - "**/*_spec.rb"
+
+Metrics/BlockLength:
+  Exclude:
+    - "**/*_spec.rb"
diff --git a/.ruby-version b/.ruby-version
new file mode 100644
index 0000000..57cf282
--- /dev/null
+++ b/.ruby-version
@@ -0,0 +1 @@
+2.6.5
diff --git a/.travis.yml b/.travis.yml
index 9e4c0dd..14d4699 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,47 @@
-language: ruby
-rvm:
-  - 2.0.0
-  - 2.1.8
-  - 2.2.4
-  - 2.3.0
+services:
+  - docker
+
+dist: trusty
+sudo: false
+cache: bundler
+
+git:
+  depth: false
+
+test: &test
+  stage: test
+  language: ruby
+  before_install:
+    - gem install bundler
+    - gem update --system
+
+jobs:
+  include:
+    - <<: *test
+      rvm: 2.6.5
+    - <<: *test
+      rvm: 2.5.7
+    - <<: *test
+      rvm: 2.4.8
+
+    - stage: coditsu
+      language: ruby
+      rvm: 2.6.3
+      before_install:
+        - gem update --system
+        - gem install bundler
+      before_script:
+        - docker create -v /sources --name sources alpine:3.4 /bin/true
+        - docker cp ./ sources:/sources
+      script: >
+        docker run
+        -e CODITSU_API_KEY
+        -e CODITSU_API_SECRET
+        -e CODITSU_REPOSITORY_ID
+        -e CODITSU_BUILD_BRANCH=$TRAVIS_BRANCH
+        --volumes-from sources
+        coditsu/build-runner:latest
+
+stages:
+  - test
+  - coditsu
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..5de477a
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,6 @@
+## master
+- [#58](https://github.com/castle/ruby-u2f/pull/58) drop support for ruby 2.3
+- [#41](https://github.com/castle/ruby-u2f/pull/41) drop support for ruby 2.2
+
+## 1.0.0 (2016-02-18)
+- update ruby-u2f to work with the v1.1 U2F JavaScript API.
diff --git a/Gemfile b/Gemfile
index 3be9c3c..c88b5df 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,2 +1,13 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
 gemspec
+
+gem 'rake'
+
+group :test do
+  gem 'coveralls_reborn'
+  gem 'json_expressions'
+  gem 'rspec'
+  gem 'simplecov'
+end
diff --git a/Gemfile.lock b/Gemfile.lock
index ddfb09b..5913015 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,85 +1,54 @@
 PATH
   remote: .
   specs:
-    u2f (0.2.1)
+    u2f (1.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.0.0)
-    astrolabe (1.3.0)
-      parser (>= 2.2.0.pre.3, < 3.0)
-    coveralls (0.8.10)
-      json (~> 1.8)
-      rest-client (>= 1.6.8, < 2)
-      simplecov (~> 0.11.0)
-      term-ansicolor (~> 1.3)
-      thor (~> 0.19.1)
-      tins (~> 1.6.0)
-    diff-lcs (1.2.5)
-    docile (1.1.5)
-    domain_name (0.5.25)
-      unf (>= 0.0.5, < 1.0.0)
-    http-cookie (1.0.2)
-      domain_name (~> 0.5)
-    json (1.8.3)
-    json_expressions (0.8.3)
-    mime-types (2.99)
-    netrc (0.11.0)
-    parser (2.2.0.pre.7)
-      ast (>= 1.1, < 3.0)
-      slop (~> 3.4, >= 3.4.5)
-    powerpack (0.0.9)
-    rainbow (2.0.0)
-    rake (10.3.2)
-    rest-client (1.8.0)
-      http-cookie (>= 1.0.2, < 2.0)
-      mime-types (>= 1.16, < 3.0)
-      netrc (~> 0.7)
-    rspec (3.1.0)
-      rspec-core (~> 3.1.0)
-      rspec-expectations (~> 3.1.0)
-      rspec-mocks (~> 3.1.0)
-    rspec-core (3.1.7)
-      rspec-support (~> 3.1.0)
-    rspec-expectations (3.1.2)
+    coveralls_reborn (0.16.0)
+      simplecov (~> 0.18.1)
+      term-ansicolor (~> 1.6)
+      thor (>= 0.20.3, < 2.0)
+      tins (~> 1.16)
+    diff-lcs (1.3)
+    docile (1.3.2)
+    json_expressions (0.9.0)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.1.0)
-    rspec-mocks (3.1.3)
-      rspec-support (~> 3.1.0)
-    rspec-support (3.1.2)
-    rubocop (0.27.1)
-      astrolabe (~> 1.3)
-      parser (>= 2.2.0.pre.7, < 3.0)
-      powerpack (~> 0.0.6)
-      rainbow (>= 1.99.1, < 3.0)
-      ruby-progressbar (~> 1.4)
-    ruby-progressbar (1.7.0)
-    simplecov (0.11.1)
-      docile (~> 1.1.0)
-      json (~> 1.8)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.0)
-    slop (3.6.0)
-    term-ansicolor (1.3.2)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    simplecov (0.18.5)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
+    sync (0.5.0)
+    term-ansicolor (1.7.1)
       tins (~> 1.0)
-    thor (0.19.1)
-    tins (1.6.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.7.1)
+    thor (1.0.1)
+    tins (1.25.0)
+      sync
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  coveralls (~> 0.8.10)
-  json_expressions (~> 0.8.3)
-  rake (~> 10.3)
-  rspec (~> 3.1)
-  rubocop (~> 0.27.1)
-  simplecov (~> 0.11.1)
+  coveralls_reborn
+  json_expressions
+  rake
+  rspec
+  simplecov
   u2f!
 
 BUNDLED WITH
-   1.11.0
+   2.1.4
diff --git a/README.md b/README.md
index 1a95f8c..326ae53 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,9 @@
 # Ruby U2F
 
-[![Gem Version](https://badge.fury.io/rb/u2f.png)](http://badge.fury.io/rb/u2f)
-[![Dependency Status](https://gemnasium.com/castle/ruby-u2f.svg)](https://gemnasium.com/castle/ruby-u2f)
+[![Gem Version](https://badge.fury.io/rb/u2f.svg)](https://badge.fury.io/rb/u2f)
 [![security](https://hakiri.io/github/castle/ruby-u2f/master.svg)](https://hakiri.io/github/castle/ruby-u2f/master)
 
-[![Build Status](https://travis-ci.org/castle/ruby-u2f.png)](https://travis-ci.org/castle/ruby-u2f)
+[![Build Status](https://travis-ci.org/castle/ruby-u2f.svg?branch=API_v1_1)](https://travis-ci.org/castle/ruby-u2f)
 [![Code Climate](https://codeclimate.com/github/castle/ruby-u2f/badges/gpa.svg)](https://codeclimate.com/github/castle/ruby-u2f)
 [![Coverage Status](https://img.shields.io/coveralls/castle/ruby-u2f.svg)](https://coveralls.io/r/castle/ruby-u2f)
 
@@ -40,7 +39,9 @@ The U2F library has two major tasks:
 
 Each task starts by generating a challenge on the server, which is rendered to a web view, read by the browser APIs and transmitted to the plugged in U2F devices for verification. The U2F device responds and triggers a callback in the browser, and a form is posted back to your server where you verify the challenge and store the U2F device information to your database.
 
-You'll need an instance of `U2F::U2F`, which is conveniently placed in an [instance method](https://github.com/castle/ruby-u2f/blob/master/example/app/helpers/helpers.rb) on the controller. The initializer takes an **App ID** as argument.
+Note that ordinarily, each user will have one or more U2F registrations (as it's a common usage pattern for users to have more than one U2F device -- for example one for regular use, and a second stored safely as a backup). While it's omitted from examples here for brevity, a new registration should typically be associated with the particular user registering. Likewise, when authenticating, queries over "all registrations" should actually be scoped to registrations associated with the particular user being authenticated.
+
+You'll need an instance of `U2F::U2F`, which is conveniently placed in an [instance method](https://github.com/castle/ruby-u2f/blob/API_v1_1/example/app/helpers/helpers.rb) on the controller. The initializer takes an **App ID** as argument.
 
 ```ruby
 def u2f
@@ -67,6 +68,8 @@ def new
   key_handles = Registration.map(&:key_handle)
   @sign_requests = u2f.authentication_requests(key_handles)
 
+  @app_id = u2f.app_id
+
   render 'registrations/new'
 end
 ```
@@ -82,10 +85,11 @@ Render a form that will be automatically posted when the U2F device reponds.
 
 ```javascript
 // render requests from server into Javascript format
-var registerRequests = <%= @registration_requests.as_json.to_json.html_safe %>;
+var appId = <%= @app_id.to_json.html_safe %>
+var registerRequests = <%= @registration_requests.to_json.html_safe %>;
 var signRequests = <%= @sign_requests.as_json.to_json.html_safe %>;
 
-u2f.register(registerRequests, signRequests, function(registerResponse) {
+u2f.register(appId, registerRequests, signRequests, function(registerResponse) {
   var form, reg;
 
   if (registerResponse.errorCode) {
@@ -138,10 +142,12 @@ def new
   return 'Need to register first' if key_handles.empty?
 
   # Generate SignRequests
+  @app_id = u2f.app_id
   @sign_requests = u2f.authentication_requests(key_handles)
+  @challenge = u2f.challenge
 
-  # Store challenges. We need them for the verification step
-  session[:challenges] = @sign_requests.map(&:challenge)
+  # Store challenge. We need it for the verification step
+  session[:challenge] = @challenge
 
   render 'authentications/new'
 end
@@ -158,9 +164,11 @@ Render a form that will be automatically posted when the U2F device reponds.
 
 ```javascript
 // render requests from server into Javascript format
-var signRequests = <%= @sign_requests.as_json.to_json.html_safe %>;
+var signRequests = <%= @sign_requests.to_json.html_safe %>;
+var challenge = <%= @challenge.to_json.html_safe %>;
+var appId = <%= @app_id.to_json.html_safe %>;
 
-u2f.sign(signRequests, function(signResponse) {
+u2f.sign(appId, challenge, signRequests, function(signResponse) {
   var form, reg;
 
   if (signResponse.errorCode) {
@@ -187,13 +195,13 @@ def create
   return 'Need to register first' unless registration
 
   begin
-    u2f.authenticate!(session[:challenges], response,
+    u2f.authenticate!(session[:challenge], response,
                       Base64.decode64(registration.public_key),
                       registration.counter)
   rescue U2F::Error => e
     return "Unable to authenticate: <%= e.class.name %>"
   ensure
-    session.delete(:challenges)
+    session.delete(:challenge)
   end
 
   registration.update(counter: response.counter)
diff --git a/Rakefile b/Rakefile
index 5786e6a..25864e6 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,7 +1,9 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new
 
-task :default => :spec
-task :test => :spec
\ No newline at end of file
+task default: :spec
+task test: :spec
diff --git a/example/Gemfile b/example/Gemfile
index 73e40be..0d2042c 100644
--- a/example/Gemfile
+++ b/example/Gemfile
@@ -1,20 +1,25 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Project requirements
 gem 'rake'
 
 # Component requirements
-gem 'haml'
+gem 'dm-aggregates'
+gem 'dm-constraints'
+gem 'dm-core'
+gem 'dm-migrations'
 gem 'dm-sqlite-adapter'
-gem 'dm-validations'
 gem 'dm-timestamps'
-gem 'dm-migrations'
-gem 'dm-constraints'
-gem 'dm-aggregates'
 gem 'dm-types'
-gem 'dm-core'
+gem 'dm-validations'
+gem 'haml'
 
 # Padrino Stable Gem
-gem 'padrino', '0.12.4'
+gem 'padrino'
+
+# To enable https
+gem 'thin'
 
-gem 'u2f'#, path: '../.'
+gem 'u2f', '1.0.0'
diff --git a/example/Gemfile.lock b/example/Gemfile.lock
index 227ba34..7e44068 100644
--- a/example/Gemfile.lock
+++ b/example/Gemfile.lock
@@ -1,18 +1,16 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (4.1.7)
-      i18n (~> 0.6, >= 0.6.9)
-      json (~> 1.7, >= 1.7.7)
-      minitest (~> 5.1)
-      thread_safe (~> 0.1)
-      tzinfo (~> 1.1)
-    addressable (2.3.6)
-    bcrypt (3.1.9)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    bcrypt (3.1.18)
     bcrypt-ruby (3.1.5)
       bcrypt (>= 3.1.3)
-    data_objects (0.10.14)
+    concurrent-ruby (1.2.2)
+    daemons (1.2.6)
+    data_objects (0.10.17)
       addressable (~> 2.1)
+    date (3.3.3)
     dm-aggregates (1.2.0)
       dm-core (~> 1.2.0)
     dm-constraints (1.2.0)
@@ -39,79 +37,89 @@ GEM
       uuidtools (~> 2.1)
     dm-validations (1.2.0)
       dm-core (~> 1.2.0)
-    do_sqlite3 (0.10.14)
-      data_objects (= 0.10.14)
+    do_sqlite3 (0.10.17)
+      data_objects (= 0.10.17)
+    eventmachine (1.2.7)
     fastercsv (1.5.5)
-    haml (4.0.5)
+    haml (5.0.4)
+      temple (>= 0.8.0)
       tilt
-    http_router (0.11.1)
-      rack (>= 1.0.0)
-      url_mount (~> 0.2.1)
-    i18n (0.6.11)
-    json (1.8.1)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mime-types (1.25.1)
-    minitest (5.4.2)
-    moneta (0.7.20)
-    multi_json (1.10.1)
-    padrino (0.12.4)
-      padrino-admin (= 0.12.4)
-      padrino-cache (= 0.12.4)
-      padrino-core (= 0.12.4)
-      padrino-gen (= 0.12.4)
-      padrino-helpers (= 0.12.4)
-      padrino-mailer (= 0.12.4)
-      padrino-support (= 0.12.4)
-    padrino-admin (0.12.4)
-      padrino-core (= 0.12.4)
-      padrino-helpers (= 0.12.4)
-    padrino-cache (0.12.4)
-      moneta (~> 0.7.0)
-      padrino-core (= 0.12.4)
-      padrino-helpers (= 0.12.4)
-    padrino-core (0.12.4)
-      activesupport (>= 3.1)
-      http_router (~> 0.11.0)
-      padrino-support (= 0.12.4)
-      rack-protection (>= 1.5.0)
-      sinatra (~> 1.4.2)
-      thor (~> 0.18)
-    padrino-gen (0.12.4)
-      bundler (~> 1.0)
-      padrino-core (= 0.12.4)
-    padrino-helpers (0.12.4)
-      i18n (~> 0.6, >= 0.6.7)
-      padrino-support (= 0.12.4)
-      tilt (~> 1.4.1)
-    padrino-mailer (0.12.4)
-      mail (~> 2.5.3)
-      padrino-core (= 0.12.4)
-    padrino-support (0.12.4)
-      activesupport (>= 3.1)
-    polyglot (0.3.5)
-    rack (1.5.2)
-    rack-protection (1.5.3)
+    i18n (0.9.5)
+      concurrent-ruby (~> 1.0)
+    json (1.8.6)
+    mail (2.8.1)
+      mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
+    mime-types (2.99.3)
+    mini_mime (1.1.2)
+    moneta (1.1.1)
+    multi_json (1.15.0)
+    mustermann (2.0.2)
+      ruby2_keywords (~> 0.0.1)
+    net-imap (0.3.4)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
+    padrino (0.15.3)
+      padrino-admin (= 0.15.3)
+      padrino-cache (= 0.15.3)
+      padrino-core (= 0.15.3)
+      padrino-gen (= 0.15.3)
+      padrino-helpers (= 0.15.3)
+      padrino-mailer (= 0.15.3)
+      padrino-support (= 0.15.3)
+    padrino-admin (0.15.3)
+      padrino-core (= 0.15.3)
+      padrino-helpers (= 0.15.3)
+    padrino-cache (0.15.3)
+      moneta (~> 1.1.0)
+      padrino-core (= 0.15.3)
+      padrino-helpers (= 0.15.3)
+    padrino-core (0.15.3)
+      padrino-support (= 0.15.3)
+      sinatra (>= 2.2.4)
+      thor (~> 1.0)
+    padrino-gen (0.15.3)
+      bundler (>= 1.0, < 3)
+      padrino-core (= 0.15.3)
+    padrino-helpers (0.15.3)
+      i18n (>= 0.6.7, < 2)
+      padrino-support (= 0.15.3)
+      tilt (>= 1.4.1, < 3)
+    padrino-mailer (0.15.3)
+      mail (~> 2.5)
+      mime-types (< 4)
+      padrino-core (= 0.15.3)
+    padrino-support (0.15.3)
+    public_suffix (5.0.1)
+    rack (2.2.9)
+    rack-protection (2.2.4)
       rack
-    rake (10.3.2)
-    sinatra (1.4.5)
-      rack (~> 1.4)
-      rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+    rake (12.3.3)
+    ruby2_keywords (0.0.5)
+    sinatra (2.2.4)
+      mustermann (~> 2.0)
+      rack (~> 2.2)
+      rack-protection (= 2.2.4)
+      tilt (~> 2.0)
     stringex (1.5.1)
-    thor (0.19.1)
-    thread_safe (0.3.4)
-    tilt (1.4.1)
-    treetop (1.4.15)
-      polyglot
-      polyglot (>= 0.3.1)
-    tzinfo (1.2.2)
-      thread_safe (~> 0.1)
-    u2f (0.2.0)
-    url_mount (0.2.1)
-      rack
-    uuidtools (2.1.5)
+    temple (0.8.0)
+    thin (1.7.2)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (>= 1, < 3)
+    thor (1.2.1)
+    tilt (2.1.0)
+    timeout (0.3.2)
+    u2f (1.0.0)
+    uuidtools (2.2.0)
 
 PLATFORMS
   ruby
@@ -126,6 +134,10 @@ DEPENDENCIES
   dm-types
   dm-validations
   haml
-  padrino (= 0.12.4)
+  padrino
   rake
-  u2f
+  thin
+  u2f (= 1.0.0)
+
+BUNDLED WITH
+   1.16.3
diff --git a/example/README.md b/example/README.md
index f0b8d23..2e6271c 100644
--- a/example/README.md
+++ b/example/README.md
@@ -1,5 +1,5 @@
 ```bash
 bundle install
 padrino rake db:migrate
-padrino start
+thin start --ssl-disable-verify
 ```
diff --git a/example/Rakefile b/example/Rakefile
index 98c59df..42ac015 100644
--- a/example/Rakefile
+++ b/example/Rakefile
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'bundler/setup'
 require 'padrino-core/cli/rake'
 
diff --git a/example/app/app.rb b/example/app/app.rb
index 41befd0..7a3f5f8 100644
--- a/example/app/app.rb
+++ b/example/app/app.rb
@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module U2FExample
   class App < Padrino::Application
     register Padrino::Helpers
     enable :sessions
 
-    get "/" do
+    get '/' do
       render 'index'
     end
   end
diff --git a/example/app/controllers/authentications.rb b/example/app/controllers/authentications.rb
index de76458..7be566a 100644
--- a/example/app/controllers/authentications.rb
+++ b/example/app/controllers/authentications.rb
@@ -1,11 +1,15 @@
+# frozen_string_literal: true
+
 require 'base64'
 U2FExample::App.controllers :authentications do
   get :new do
     key_handles = Registration.map(&:key_handle)
     return 'Need to register first' if key_handles.empty?
 
+    @app_id = u2f.app_id
     @sign_requests = u2f.authentication_requests(key_handles)
-    session[:challenges] = @sign_requests.map(&:challenge)
+    @challenge = u2f.challenge
+    session[:u2f_challenge] = @challenge
 
     render 'authentications/new'
   end
@@ -17,13 +21,13 @@
     return 'Need to register first' unless registration
 
     begin
-      u2f.authenticate!(session[:challenges], response,
+      u2f.authenticate!(session[:u2f_challenge], response,
                         Base64.decode64(registration.public_key),
                         registration.counter)
     rescue U2F::Error => e
       @error_message = "Unable to authenticate: #{e.class.name}"
     ensure
-      session.delete(:challenges)
+      session.delete(:u2f_challenge)
     end
 
     registration.update(counter: response.counter)
diff --git a/example/app/controllers/registrations.rb b/example/app/controllers/registrations.rb
index 67b0f49..0492654 100644
--- a/example/app/controllers/registrations.rb
+++ b/example/app/controllers/registrations.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 U2FExample::App.controllers :registrations do
   get :new do
     @registration_requests = u2f.registration_requests
@@ -6,25 +8,29 @@
     key_handles = Registration.map(&:key_handle)
     @sign_requests = u2f.authentication_requests(key_handles)
 
+    @app_id = u2f.app_id
+
     render 'registrations/new'
   end
 
   post :index do
     response = U2F::RegisterResponse.load_from_json(params[:response])
 
-    reg = begin
-      u2f.register!(session[:challenges], response)
+    begin
+      reg = u2f.register!(session[:challenges], response)
+
+      Registration.create!(
+        certificate: reg.certificate,
+        key_handle: reg.key_handle,
+        public_key: reg.public_key,
+        counter: reg.counter
+      )
     rescue U2F::Error => e
       @error_message = "Unable to register: #{e.class.name}"
     ensure
       session.delete(:challenges)
     end
 
-    Registration.create!(certificate: reg.certificate,
-                         key_handle:  reg.key_handle,
-                         public_key:  reg.public_key,
-                         counter:     reg.counter)
-
     render 'authentications/show'
   end
 end
diff --git a/example/app/helpers/helpers.rb b/example/app/helpers/helpers.rb
index 5d30d11..849fb4e 100644
--- a/example/app/helpers/helpers.rb
+++ b/example/app/helpers/helpers.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 U2FExample::App.helpers do
   def u2f
     # use base_url as app_id, e.g. 'http://localhost:3000'
diff --git a/example/app/views/authentications/new.haml b/example/app/views/authentications/new.haml
index ebac786..61cabf7 100644
--- a/example/app/views/authentications/new.haml
+++ b/example/app/views/authentications/new.haml
@@ -19,6 +19,8 @@
 
 :javascript
   var signRequests = #{@sign_requests.to_json.html_safe};
+  var challenge = #{@challenge.to_json.html_safe};
+  var appId = #{@app_id.to_json.html_safe};
   var $waiting = document.getElementById('waiting');
   var $error = document.getElementById('error');
   var errorMap = {
@@ -34,7 +36,7 @@
     $error.innerHTML = errorMap[code];
   };
 
-  u2f.sign(signRequests, function(signResponse) {
+  u2f.sign(appId, challenge, signRequests, function(signResponse) {
     var form, reg;
 
     if (signResponse.errorCode) {
diff --git a/example/app/views/authentications/show.haml b/example/app/views/authentications/show.haml
index 806ddfc..180695f 100644
--- a/example/app/views/authentications/show.haml
+++ b/example/app/views/authentications/show.haml
@@ -10,4 +10,4 @@
   .col-md-4.col-md-offset-4.text-center
     %hr
     %p
-      %a{:href => '/'} &laquo; Back to main page
\ No newline at end of file
+      %a{:href => '/'} &laquo; Back to main page
diff --git a/example/app/views/index.haml b/example/app/views/index.haml
index 0f1bdea..d6cbcc6 100644
--- a/example/app/views/index.haml
+++ b/example/app/views/index.haml
@@ -6,4 +6,4 @@
     %p.lead
       Welcome to the demo implementation of a U2F validation server in Ruby/Padrino.
     %a.btn.btn-default.btn-block.btn-lg{:href => 'registrations/new'} Register a new key
-    %a.btn.btn-default.btn-block.btn-lg{:href => 'authentications/new'} Validate a registered key
\ No newline at end of file
+    %a.btn.btn-default.btn-block.btn-lg{:href => 'authentications/new'} Validate a registered key
diff --git a/example/app/views/layouts/application.html.erb b/example/app/views/layouts/application.html.erb
index aab2f88..27f0dfa 100644
--- a/example/app/views/layouts/application.html.erb
+++ b/example/app/views/layouts/application.html.erb
@@ -11,12 +11,12 @@
     <meta name="viewport" content="width=device-width, initial-scale=1">
 
     <%= stylesheet_link_tag '//maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css' %>
-    <link href='http://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,700' rel='stylesheet' type='text/css'>
+    <link href='//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,700' rel='stylesheet' type='text/css'>
     <style type="text/css">
       body { font-family: 'Source Sans Pro', sans-serif; }
     </style>
-    <script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
     <%= javascript_include_tag 'application' %>
+    <%= javascript_include_tag 'u2f-api' %>
   </head>
   <body>
     <!--[if lt IE 7]>
diff --git a/example/app/views/registrations/new.haml b/example/app/views/registrations/new.haml
index 0f40943..91cb50f 100644
--- a/example/app/views/registrations/new.haml
+++ b/example/app/views/registrations/new.haml
@@ -17,6 +17,7 @@
   = hidden_field_tag :response
 
 :javascript
+  var appId = #{@app_id.to_json.html_safe};
   var registerRequests = #{@registration_requests.to_json.html_safe};
   var signRequests = #{@sign_requests.to_json.html_safe};
   var $waiting = document.getElementById('waiting');
@@ -34,7 +35,7 @@
     $error.innerHTML = errorMap[code];
   };
 
-  u2f.register(registerRequests, signRequests, function(registerResponse) {
+  u2f.register(appId, registerRequests, signRequests, function(registerResponse) {
     var form, reg;
 
     if (registerResponse.errorCode) {
diff --git a/example/bin/u2f_example b/example/bin/u2f_example
index 994b989..f3e570f 100755
--- a/example/bin/u2f_example
+++ b/example/bin/u2f_example
@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-Dir.chdir(File.dirname(__FILE__)+'/..')
+Dir.chdir(File.dirname(__FILE__) + '/..')
 
 require 'rubygems'
 require 'bundler/setup'
diff --git a/example/config.ru b/example/config.ru
index 63045a0..79132ae 100644
--- a/example/config.ru
+++ b/example/config.ru
@@ -1,9 +1,9 @@
 #!/usr/bin/env rackup
-# encoding: utf-8
+# frozen_string_literal: true
 
 # This file can be used to start Padrino,
 # just execute it from the command line.
 
-require File.expand_path("../config/boot.rb", __FILE__)
+require File.expand_path('config/boot.rb', __dir__)
 
 run Padrino.application
diff --git a/example/config/apps.rb b/example/config/apps.rb
index 18f7a55..7625510 100644
--- a/example/config/apps.rb
+++ b/example/config/apps.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Padrino.configure_apps do
   set :session_secret, '723c1901f2645a2f8c1bacb955f9da81346bf5a8200a4498'
   set :protection, except: :path_traversal
diff --git a/example/config/boot.rb b/example/config/boot.rb
index a661d2d..b7e6fbb 100644
--- a/example/config/boot.rb
+++ b/example/config/boot.rb
@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 # Defines our constants
-RACK_ENV = ENV['RACK_ENV'] ||= 'development'  unless defined?(RACK_ENV)
-PADRINO_ROOT = File.expand_path('../..', __FILE__) unless defined?(PADRINO_ROOT)
+RACK_ENV = ENV['RACK_ENV'] ||= 'development' unless defined?(RACK_ENV)
+PADRINO_ROOT = File.expand_path('..', __dir__) unless defined?(PADRINO_ROOT)
 
 # Load our dependencies
 require 'rubygems' unless defined?(Gem)
diff --git a/example/config/database.rb b/example/config/database.rb
index ec5b4d2..31e5b5f 100644
--- a/example/config/database.rb
+++ b/example/config/database.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 DataMapper.logger = logger
 DataMapper::Property::String.length(255)
 DataMapper.setup(:default, 'sqlite3://' + Padrino.root('db', 'u2f_example.db'))
diff --git a/example/db/migrate/001_create_registrations.rb b/example/db/migrate/001_create_registrations.rb
index 7de40e7..9f2d120 100644
--- a/example/db/migrate/001_create_registrations.rb
+++ b/example/db/migrate/001_create_registrations.rb
@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 migration 1, :create_registrations do
   up do
     create_table :registrations do
-      column :id, Integer, :serial => true
-      column :key_handle, DataMapper::Property::String, :length => 255
-      column :public_key, DataMapper::Property::String, :length => 255
+      column :id, Integer, serial: true
+      column :key_handle, DataMapper::Property::String, length: 255
+      column :public_key, DataMapper::Property::String, length: 255
       column :certificate, DataMapper::Property::Text
       column :counter, DataMapper::Property::Integer
     end
diff --git a/example/models/registration.rb b/example/models/registration.rb
index d54308d..24e8da3 100644
--- a/example/models/registration.rb
+++ b/example/models/registration.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Registration
   include DataMapper::Resource
 
diff --git a/example/public/javascripts/u2f-api.js b/example/public/javascripts/u2f-api.js
new file mode 100644
index 0000000..9244d14
--- /dev/null
+++ b/example/public/javascripts/u2f-api.js
@@ -0,0 +1,748 @@
+//Copyright 2014-2015 Google Inc. All rights reserved.
+
+//Use of this source code is governed by a BSD-style
+//license that can be found in the LICENSE file or at
+//https://developers.google.com/open-source/licenses/bsd
+
+/**
+ * @fileoverview The U2F api.
+ */
+'use strict';
+
+
+/**
+ * Namespace for the U2F api.
+ * @type {Object}
+ */
+var u2f = u2f || {};
+
+/**
+ * FIDO U2F Javascript API Version
+ * @number
+ */
+var js_api_version;
+
+/**
+ * The U2F extension id
+ * @const {string}
+ */
+// The Chrome packaged app extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the package Chrome app and does not require installing the U2F Chrome extension.
+ u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
+// The U2F Chrome extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the U2F Chrome extension to authenticate.
+// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
+
+
+/**
+ * Message types for messsages to/from the extension
+ * @const
+ * @enum {string}
+ */
+u2f.MessageTypes = {
+    'U2F_REGISTER_REQUEST': 'u2f_register_request',
+    'U2F_REGISTER_RESPONSE': 'u2f_register_response',
+    'U2F_SIGN_REQUEST': 'u2f_sign_request',
+    'U2F_SIGN_RESPONSE': 'u2f_sign_response',
+    'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
+    'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
+};
+
+
+/**
+ * Response status codes
+ * @const
+ * @enum {number}
+ */
+u2f.ErrorCodes = {
+    'OK': 0,
+    'OTHER_ERROR': 1,
+    'BAD_REQUEST': 2,
+    'CONFIGURATION_UNSUPPORTED': 3,
+    'DEVICE_INELIGIBLE': 4,
+    'TIMEOUT': 5
+};
+
+
+/**
+ * A message for registration requests
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   appId: ?string,
+ *   timeoutSeconds: ?number,
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fRequest;
+
+
+/**
+ * A message for registration responses
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fResponse;
+
+
+/**
+ * An error object for responses
+ * @typedef {{
+ *   errorCode: u2f.ErrorCodes,
+ *   errorMessage: ?string
+ * }}
+ */
+u2f.Error;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
+ */
+u2f.Transport;
+
+
+/**
+ * Data object for a single sign request.
+ * @typedef {Array<u2f.Transport>}
+ */
+u2f.Transports;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string,
+ *   keyHandle: string,
+ *   appId: string
+ * }}
+ */
+u2f.SignRequest;
+
+
+/**
+ * Data object for a sign response.
+ * @typedef {{
+ *   keyHandle: string,
+ *   signatureData: string,
+ *   clientData: string
+ * }}
+ */
+u2f.SignResponse;
+
+
+/**
+ * Data object for a registration request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string
+ * }}
+ */
+u2f.RegisterRequest;
+
+
+/**
+ * Data object for a registration response.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: Transports,
+ *   appId: string
+ * }}
+ */
+u2f.RegisterResponse;
+
+
+/**
+ * Data object for a registered key.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: ?Transports,
+ *   appId: ?string
+ * }}
+ */
+u2f.RegisteredKey;
+
+
+/**
+ * Data object for a get API register response.
+ * @typedef {{
+ *   js_api_version: number
+ * }}
+ */
+u2f.GetJsApiVersionResponse;
+
+
+//Low level MessagePort API support
+
+/**
+ * Sets up a MessagePort to the U2F extension using the
+ * available mechanisms.
+ * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+ */
+u2f.getMessagePort = function(callback) {
+  if (typeof chrome != 'undefined' && chrome.runtime) {
+    // The actual message here does not matter, but we need to get a reply
+    // for the callback to run. Thus, send an empty signature request
+    // in order to get a failure response.
+    var msg = {
+        type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+        signRequests: []
+    };
+    chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
+      if (!chrome.runtime.lastError) {
+        // We are on a whitelisted origin and can talk directly
+        // with the extension.
+        u2f.getChromeRuntimePort_(callback);
+      } else {
+        // chrome.runtime was available, but we couldn't message
+        // the extension directly, use iframe
+        u2f.getIframePort_(callback);
+      }
+    });
+  } else if (u2f.isAndroidChrome_()) {
+    u2f.getAuthenticatorPort_(callback);
+  } else if (u2f.isIosChrome_()) {
+    u2f.getIosPort_(callback);
+  } else {
+    // chrome.runtime was not available at all, which is normal
+    // when this origin doesn't have access to any extensions.
+    u2f.getIframePort_(callback);
+  }
+};
+
+/**
+ * Detect chrome running on android based on the browser's useragent.
+ * @private
+ */
+u2f.isAndroidChrome_ = function() {
+  var userAgent = navigator.userAgent;
+  return userAgent.indexOf('Chrome') != -1 &&
+  userAgent.indexOf('Android') != -1;
+};
+
+/**
+ * Detect chrome running on iOS based on the browser's platform.
+ * @private
+ */
+u2f.isIosChrome_ = function() {
+  return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1;
+};
+
+/**
+ * Connects directly to the extension via chrome.runtime.connect.
+ * @param {function(u2f.WrappedChromeRuntimePort_)} callback
+ * @private
+ */
+u2f.getChromeRuntimePort_ = function(callback) {
+  var port = chrome.runtime.connect(u2f.EXTENSION_ID,
+      {'includeTlsChannelId': true});
+  setTimeout(function() {
+    callback(new u2f.WrappedChromeRuntimePort_(port));
+  }, 0);
+};
+
+/**
+ * Return a 'port' abstraction to the Authenticator app.
+ * @param {function(u2f.WrappedAuthenticatorPort_)} callback
+ * @private
+ */
+u2f.getAuthenticatorPort_ = function(callback) {
+  setTimeout(function() {
+    callback(new u2f.WrappedAuthenticatorPort_());
+  }, 0);
+};
+
+/**
+ * Return a 'port' abstraction to the iOS client app.
+ * @param {function(u2f.WrappedIosPort_)} callback
+ * @private
+ */
+u2f.getIosPort_ = function(callback) {
+  setTimeout(function() {
+    callback(new u2f.WrappedIosPort_());
+  }, 0);
+};
+
+/**
+ * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
+ * @param {Port} port
+ * @constructor
+ * @private
+ */
+u2f.WrappedChromeRuntimePort_ = function(port) {
+  this.port_ = port;
+};
+
+/**
+ * Format and return a sign request compliant with the JS API version supported by the extension.
+ * @param {Array<u2f.SignRequest>} signRequests
+ * @param {number} timeoutSeconds
+ * @param {number} reqId
+ * @return {Object}
+ */
+u2f.formatSignRequest_ =
+  function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
+  if (js_api_version === undefined || js_api_version < 1.1) {
+    // Adapt request to the 1.0 JS API
+    var signRequests = [];
+    for (var i = 0; i < registeredKeys.length; i++) {
+      signRequests[i] = {
+          version: registeredKeys[i].version,
+          challenge: challenge,
+          keyHandle: registeredKeys[i].keyHandle,
+          appId: appId
+      };
+    }
+    return {
+      type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+      signRequests: signRequests,
+      timeoutSeconds: timeoutSeconds,
+      requestId: reqId
+    };
+  }
+  // JS 1.1 API
+  return {
+    type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+    appId: appId,
+    challenge: challenge,
+    registeredKeys: registeredKeys,
+    timeoutSeconds: timeoutSeconds,
+    requestId: reqId
+  };
+};
+
+/**
+ * Format and return a register request compliant with the JS API version supported by the extension..
+ * @param {Array<u2f.SignRequest>} signRequests
+ * @param {Array<u2f.RegisterRequest>} signRequests
+ * @param {number} timeoutSeconds
+ * @param {number} reqId
+ * @return {Object}
+ */
+u2f.formatRegisterRequest_ =
+  function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
+  if (js_api_version === undefined || js_api_version < 1.1) {
+    // Adapt request to the 1.0 JS API
+    for (var i = 0; i < registerRequests.length; i++) {
+      registerRequests[i].appId = appId;
+    }
+    var signRequests = [];
+    for (var i = 0; i < registeredKeys.length; i++) {
+      signRequests[i] = {
+          version: registeredKeys[i].version,
+          challenge: registerRequests[0],
+          keyHandle: registeredKeys[i].keyHandle,
+          appId: appId
+      };
+    }
+    return {
+      type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+      signRequests: signRequests,
+      registerRequests: registerRequests,
+      timeoutSeconds: timeoutSeconds,
+      requestId: reqId
+    };
+  }
+  // JS 1.1 API
+  return {
+    type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+    appId: appId,
+    registerRequests: registerRequests,
+    registeredKeys: registeredKeys,
+    timeoutSeconds: timeoutSeconds,
+    requestId: reqId
+  };
+};
+
+
+/**
+ * Posts a message on the underlying channel.
+ * @param {Object} message
+ */
+u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
+  this.port_.postMessage(message);
+};
+
+
+/**
+ * Emulates the HTML 5 addEventListener interface. Works only for the
+ * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
+    function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name == 'message' || name == 'onmessage') {
+    this.port_.onMessage.addListener(function(message) {
+      // Emulate a minimal MessageEvent object
+      handler({'data': message});
+    });
+  } else {
+    console.error('WrappedChromeRuntimePort only supports onMessage');
+  }
+};
+
+/**
+ * Wrap the Authenticator app with a MessagePort interface.
+ * @constructor
+ * @private
+ */
+u2f.WrappedAuthenticatorPort_ = function() {
+  this.requestId_ = -1;
+  this.requestObject_ = null;
+}
+
+/**
+ * Launch the Authenticator intent.
+ * @param {Object} message
+ */
+u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
+  var intentUrl =
+    u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
+    ';S.request=' + encodeURIComponent(JSON.stringify(message)) +
+    ';end';
+  document.location = intentUrl;
+};
+
+/**
+ * Tells what type of port this is.
+ * @return {String} port type
+ */
+u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() {
+  return "WrappedAuthenticatorPort_";
+};
+
+
+/**
+ * Emulates the HTML 5 addEventListener interface.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name == 'message') {
+    var self = this;
+    /* Register a callback to that executes when
+     * chrome injects the response. */
+    window.addEventListener(
+        'message', self.onRequestUpdate_.bind(self, handler), false);
+  } else {
+    console.error('WrappedAuthenticatorPort only supports message');
+  }
+};
+
+/**
+ * Callback invoked  when a response is received from the Authenticator.
+ * @param function({data: Object}) callback
+ * @param {Object} message message Object
+ */
+u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
+    function(callback, message) {
+  var messageObject = JSON.parse(message.data);
+  var intentUrl = messageObject['intentURL'];
+
+  var errorCode = messageObject['errorCode'];
+  var responseObject = null;
+  if (messageObject.hasOwnProperty('data')) {
+    responseObject = /** @type {Object} */ (
+        JSON.parse(messageObject['data']));
+  }
+
+  callback({'data': responseObject});
+};
+
+/**
+ * Base URL for intents to Authenticator.
+ * @const
+ * @private
+ */
+u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
+  'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
+
+/**
+ * Wrap the iOS client app with a MessagePort interface.
+ * @constructor
+ * @private
+ */
+u2f.WrappedIosPort_ = function() {};
+
+/**
+ * Launch the iOS client app request
+ * @param {Object} message
+ */
+u2f.WrappedIosPort_.prototype.postMessage = function(message) {
+  var str = JSON.stringify(message);
+  var url = "u2f://auth?" + encodeURI(str);
+  location.replace(url);
+};
+
+/**
+ * Tells what type of port this is.
+ * @return {String} port type
+ */
+u2f.WrappedIosPort_.prototype.getPortType = function() {
+  return "WrappedIosPort_";
+};
+
+/**
+ * Emulates the HTML 5 addEventListener interface.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name !== 'message') {
+    console.error('WrappedIosPort only supports message');
+  }
+};
+
+/**
+ * Sets up an embedded trampoline iframe, sourced from the extension.
+ * @param {function(MessagePort)} callback
+ * @private
+ */
+u2f.getIframePort_ = function(callback) {
+  // Create the iframe
+  var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
+  var iframe = document.createElement('iframe');
+  iframe.src = iframeOrigin + '/u2f-comms.html';
+  iframe.setAttribute('style', 'display:none');
+  document.body.appendChild(iframe);
+
+  var channel = new MessageChannel();
+  var ready = function(message) {
+    if (message.data == 'ready') {
+      channel.port1.removeEventListener('message', ready);
+      callback(channel.port1);
+    } else {
+      console.error('First event on iframe port was not "ready"');
+    }
+  };
+  channel.port1.addEventListener('message', ready);
+  channel.port1.start();
+
+  iframe.addEventListener('load', function() {
+    // Deliver the port to the iframe and initialize
+    iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
+  });
+};
+
+
+//High-level JS API
+
+/**
+ * Default extension response timeout in seconds.
+ * @const
+ */
+u2f.EXTENSION_TIMEOUT_SEC = 30;
+
+/**
+ * A singleton instance for a MessagePort to the extension.
+ * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
+ * @private
+ */
+u2f.port_ = null;
+
+/**
+ * Callbacks waiting for a port
+ * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
+ * @private
+ */
+u2f.waitingForPort_ = [];
+
+/**
+ * A counter for requestIds.
+ * @type {number}
+ * @private
+ */
+u2f.reqCounter_ = 0;
+
+/**
+ * A map from requestIds to client callbacks
+ * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
+ *                       |function((u2f.Error|u2f.SignResponse)))>}
+ * @private
+ */
+u2f.callbackMap_ = {};
+
+/**
+ * Creates or retrieves the MessagePort singleton to use.
+ * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+ * @private
+ */
+u2f.getPortSingleton_ = function(callback) {
+  if (u2f.port_) {
+    callback(u2f.port_);
+  } else {
+    if (u2f.waitingForPort_.length == 0) {
+      u2f.getMessagePort(function(port) {
+        u2f.port_ = port;
+        u2f.port_.addEventListener('message',
+            /** @type {function(Event)} */ (u2f.responseHandler_));
+
+        // Careful, here be async callbacks. Maybe.
+        while (u2f.waitingForPort_.length)
+          u2f.waitingForPort_.shift()(u2f.port_);
+      });
+    }
+    u2f.waitingForPort_.push(callback);
+  }
+};
+
+/**
+ * Handles response messages from the extension.
+ * @param {MessageEvent.<u2f.Response>} message
+ * @private
+ */
+u2f.responseHandler_ = function(message) {
+  var response = message.data;
+  var reqId = response['requestId'];
+  if (!reqId || !u2f.callbackMap_[reqId]) {
+    console.error('Unknown or missing requestId in response.');
+    return;
+  }
+  var cb = u2f.callbackMap_[reqId];
+  delete u2f.callbackMap_[reqId];
+  cb(response['responseData']);
+};
+
+/**
+ * Dispatches an array of sign requests to available U2F tokens.
+ * If the JS API version supported by the extension is unknown, it first sends a
+ * message to the extension to find out the supported API version and then it sends
+ * the sign request.
+ * @param {string=} appId
+ * @param {string=} challenge
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.SignResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+  if (js_api_version === undefined) {
+    // Send a message to get the extension to JS API version, then send the actual sign request.
+    u2f.getApiVersion(
+        function (response) {
+          js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
+          console.log("Extension JS API Version: ", js_api_version);
+          u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+        });
+  } else {
+    // We know the JS API version. Send the actual sign request in the supported API version.
+    u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+  }
+};
+
+/**
+ * Dispatches an array of sign requests to available U2F tokens.
+ * @param {string=} appId
+ * @param {string=} challenge
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.SignResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+  u2f.getPortSingleton_(function(port) {
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+        opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+    var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
+    port.postMessage(req);
+  });
+};
+
+/**
+ * Dispatches register requests to available U2F tokens. An array of sign
+ * requests identifies already registered tokens.
+ * If the JS API version supported by the extension is unknown, it first sends a
+ * message to the extension to find out the supported API version and then it sends
+ * the register request.
+ * @param {string=} appId
+ * @param {Array<u2f.RegisterRequest>} registerRequests
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+  if (js_api_version === undefined) {
+    // Send a message to get the extension to JS API version, then send the actual register request.
+    u2f.getApiVersion(
+        function (response) {
+          js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version'];
+          console.log("Extension JS API Version: ", js_api_version);
+          u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+              callback, opt_timeoutSeconds);
+        });
+  } else {
+    // We know the JS API version. Send the actual register request in the supported API version.
+    u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+        callback, opt_timeoutSeconds);
+  }
+};
+
+/**
+ * Dispatches register requests to available U2F tokens. An array of sign
+ * requests identifies already registered tokens.
+ * @param {string=} appId
+ * @param {Array<u2f.RegisterRequest>} registerRequests
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+  u2f.getPortSingleton_(function(port) {
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+        opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+    var req = u2f.formatRegisterRequest_(
+        appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
+    port.postMessage(req);
+  });
+};
+
+
+/**
+ * Dispatches a message to the extension to find out the supported
+ * JS API version.
+ * If the user is on a mobile phone and is thus using Google Authenticator instead
+ * of the Chrome extension, don't send the request and simply return 0.
+ * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.getApiVersion = function(callback, opt_timeoutSeconds) {
+ u2f.getPortSingleton_(function(port) {
+   // If we are using Android Google Authenticator or iOS client app,
+   // do not fire an intent to ask which JS API version to use.
+   if (port.getPortType) {
+     var apiVersion;
+     switch (port.getPortType()) {
+       case 'WrappedIosPort_':
+       case 'WrappedAuthenticatorPort_':
+         apiVersion = 1.1;
+         break;
+
+       default:
+         apiVersion = 0;
+         break;
+     }
+     callback({ 'js_api_version': apiVersion });
+     return;
+   }
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var req = {
+      type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
+      timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
+          opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
+      requestId: reqId
+    };
+    port.postMessage(req);
+  });
+};
diff --git a/lib/u2f.rb b/lib/u2f.rb
index 7f193a0..1484682 100644
--- a/lib/u2f.rb
+++ b/lib/u2f.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'json'
 require 'openssl'
diff --git a/lib/u2f/client_data.rb b/lib/u2f/client_data.rb
index e03918d..0de96a8 100644
--- a/lib/u2f/client_data.rb
+++ b/lib/u2f/client_data.rb
@@ -1,13 +1,27 @@
+# frozen_string_literal: true
+
 module U2F
   ##
   # A representation of ClientData, chapter 7
   # http://fidoalliance.org/specs/fido-u2f-raw-message-formats-v1.0-rd-20141008.pdf
   class ClientData
-    REGISTRATION_TYP   = "navigator.id.finishEnrollment".freeze
-    AUTHENTICATION_TYP = "navigator.id.getAssertion".freeze
+    REGISTRATION_TYP   = 'navigator.id.finishEnrollment'
+    AUTHENTICATION_TYP = 'navigator.id.getAssertion'
 
     attr_accessor :typ, :challenge, :origin
-    alias_method :type, :typ
+    alias type typ
+
+    def initialize(typ, challenge, origin)
+      @typ = typ
+      @challenge = challenge
+      @origin = origin
+
+      %i(typ challenge origin).each do |sym|
+        val = send(sym)
+        next if val.is_a?(String)
+        fail AttestationDecodeError, "Invalid #{sym}"
+      end
+    end
 
     def registration?
       typ == REGISTRATION_TYP
@@ -18,12 +32,13 @@ def authentication?
     end
 
     def self.load_from_json(json)
-      client_data = ::JSON.parse(json)
-      instance = new
-      instance.typ = client_data['typ']
-      instance.challenge = client_data['challenge']
-      instance.origin = client_data['origin']
-      instance
+      from_hash(::JSON.parse(json))
+      rescue JSON::ParserError => e
+      raise AttestationDecodeError, "Invalid JSON: #{e.message}"
+    end
+
+    def self.from_hash(data)
+      new(data['typ'], data['challenge'], data['origin'])
     end
   end
 end
diff --git a/lib/u2f/errors.rb b/lib/u2f/errors.rb
index ccd7d87..3e0c48e 100644
--- a/lib/u2f/errors.rb
+++ b/lib/u2f/errors.rb
@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module U2F
-  class Error < StandardError;end
+  class Error < StandardError; end
   class UnmatchedChallengeError < Error; end
   class ClientDataTypeError < Error; end
   class PublicKeyDecodeError < Error; end
@@ -10,16 +12,18 @@ class NoMatchingRequestError < Error; end
   class NoMatchingRegistrationError < Error; end
   class CounterTooLowError < Error; end
   class AuthenticationFailedError < Error; end
-  class UserNotPresentError < Error;end
+  class UserNotPresentError < Error; end
 
+  # This error represents various potential errors that a user can come across
+  # while attempting to register.
   class RegistrationError < Error
     CODES = {
-      1 => "OTHER_ERROR",
-      2 => "BAD_REQUEST",
-      3 => "CONFIGURATION_UNSUPPORTED",
-      4 => "DEVICE_INELIGIBLE",
-      5 => "TIMEOUT"
-    }
+      1 => 'OTHER_ERROR',
+      2 => 'BAD_REQUEST',
+      3 => 'CONFIGURATION_UNSUPPORTED',
+      4 => 'DEVICE_INELIGIBLE',
+      5 => 'TIMEOUT'
+    }.freeze
 
     attr_reader :code
 
diff --git a/lib/u2f/fake_u2f.rb b/lib/u2f/fake_u2f.rb
index 45551d4..94a74f1 100644
--- a/lib/u2f/fake_u2f.rb
+++ b/lib/u2f/fake_u2f.rb
@@ -1,194 +1,199 @@
-class U2F::FakeU2F
-  CURVE_NAME   = "prime256v1".freeze
-
-  attr_accessor :app_id, :counter, :key_handle_raw, :cert_subject
-
-  # Initialize a new FakeU2F device for use in tests.
-  #
-  # app_id  - The appId/origin this is being tested against.
-  # options - A Hash of optional parameters (optional).
-  #           :counter      - The initial counter for this device.
-  #           :key_handle   - The raw key-handle this device should use.
-  #           :cert_subject - The subject field for the certificate generated
-  #                           for this device.
-  #
-  # Returns nothing.
-  def initialize(app_id, options = {})
-    @app_id = app_id
-    @counter = options.fetch(:counter, 0)
-    @key_handle_raw = options.fetch(:key_handle, SecureRandom.random_bytes(32))
-    @cert_subject = options.fetch(:cert_subject, "/CN=U2FTest")
-  end
+# frozen_string_literal: true
+
+module U2F
+  # This class is for mocking a U2F device for testing purposes.
+  class FakeU2F
+    CURVE_NAME = 'prime256v1'
+
+    attr_accessor :app_id, :counter, :key_handle_raw, :cert_subject
+
+    # Initialize a new FakeU2F device for use in tests.
+    #
+    # app_id  - The appId/origin this is being tested against.
+    # options - A Hash of optional parameters (optional).
+    #           :counter      - The initial counter for this device.
+    #           :key_handle   - The raw key-handle this device should use.
+    #           :cert_subject - The subject field for the certificate generated
+    #                           for this device.
+    #
+    # Returns nothing.
+    def initialize(app_id, options = {})
+      @app_id = app_id
+      @counter = options.fetch(:counter, 0)
+      @key_handle_raw = options.fetch(:key_handle, SecureRandom.random_bytes(32))
+      @cert_subject = options.fetch(:cert_subject, '/CN=U2FTest')
+    end
+
+    # A registerResponse hash as returned by the u2f.register JavaScript API.
+    #
+    # challenge - The challenge to sign.
+    # error     - Boolean. Whether to return an error response (optional).
+    #
+    # Returns a JSON encoded Hash String.
+    def register_response(challenge, error = false)
+      if error
+        JSON.dump(errorCode: 4)
+      else
+        client_data_json = client_data(::U2F::ClientData::REGISTRATION_TYP, challenge)
+        JSON.dump(
+          registrationData: reg_registration_data(client_data_json),
+          clientData: ::U2F.urlsafe_encode64(client_data_json)
+        )
+      end
+    end
 
-  # A registerResponse hash as returned by the u2f.register JavaScript API.
-  #
-  # challenge - The challenge to sign.
-  # error     - Boolean. Whether to return an error response (optional).
-  #
-  # Returns a JSON encoded Hash String.
-  def register_response(challenge, error = false)
-    if error
-      JSON.dump(:errorCode => 4)
-    else
-      client_data_json = client_data(U2F::ClientData::REGISTRATION_TYP, challenge)
+    # A SignResponse hash as returned by the u2f.sign JavaScript API.
+    #
+    # challenge - The challenge to sign.
+    #
+    # Returns a JSON encoded Hash String.
+    def sign_response(challenge)
+      client_data_json = client_data(::U2F::ClientData::AUTHENTICATION_TYP, challenge)
       JSON.dump(
-        :registrationData => reg_registration_data(client_data_json),
-        :clientData => U2F.urlsafe_encode64(client_data_json)
+        clientData: ::U2F.urlsafe_encode64(client_data_json),
+        keyHandle: ::U2F.urlsafe_encode64(key_handle_raw),
+        signatureData: auth_signature_data(client_data_json)
       )
     end
-  end
 
-  # A SignResponse hash as returned by the u2f.sign JavaScript API.
-  #
-  # challenge - The challenge to sign.
-  #
-  # Returns a JSON encoded Hash String.
-  def sign_response(challenge)
-    client_data_json = client_data(U2F::ClientData::AUTHENTICATION_TYP, challenge)
-    JSON.dump(
-      :clientData => U2F.urlsafe_encode64(client_data_json),
-      :keyHandle => U2F.urlsafe_encode64(key_handle_raw),
-      :signatureData => auth_signature_data(client_data_json)
-    )
-  end
+    # The appId specific public key as returned in the registrationData field of
+    # a RegisterResponse Hash.
+    #
+    # Returns a binary formatted EC public key String.
+    def origin_public_key_raw
+      [origin_key.public_key.to_bn.to_s(16)].pack('H*')
+    end
 
-  # The appId specific public key as returned in the registrationData field of
-  # a RegisterResponse Hash.
-  #
-  # Returns a binary formatted EC public key String.
-  def origin_public_key_raw
-    [origin_key.public_key.to_bn.to_s(16)].pack('H*')
-  end
+    # The raw device attestation certificate as returned in the registrationData
+    # field of a RegisterResponse Hash.
+    #
+    # Returns a DER formatted certificate String.
+    def cert_raw
+      cert.to_der
+    end
 
-  # The raw device attestation certificate as returned in the registrationData
-  # field of a RegisterResponse Hash.
-  #
-  # Returns a DER formatted certificate String.
-  def cert_raw
-    cert.to_der
-  end
+    private
+
+    # The registrationData field returns in a RegisterResponse Hash.
+    #
+    # client_data_json - The JSON encoded clientData String.
+    #
+    # Returns a url-safe base64 encoded binary String.
+    def reg_registration_data(client_data_json)
+      ::U2F.urlsafe_encode64(
+        [
+          5,
+          origin_public_key_raw,
+          key_handle_raw.bytesize,
+          key_handle_raw,
+          cert_raw,
+          reg_signature(client_data_json)
+        ].pack("CA65CA#{key_handle_raw.bytesize}A#{cert_raw.bytesize}A*")
+      )
+    end
 
-  private
-
-  # The registrationData field returns in a RegisterResponse Hash.
-  #
-  # client_data_json - The JSON encoded clientData String.
-  #
-  # Returns a url-safe base64 encoded binary String.
-  def reg_registration_data(client_data_json)
-    U2F.urlsafe_encode64(
-      [
-        5,
-        origin_public_key_raw,
-        key_handle_raw.bytesize,
+    # The signature field of a registrationData field of a RegisterResponse.
+    #
+    # client_data_json - The JSON encoded clientData String.
+    #
+    # Returns an ECDSA signature String.
+    def reg_signature(client_data_json)
+      payload = [
+        "\x00",
+        ::U2F::DIGEST.digest(app_id),
+        ::U2F::DIGEST.digest(client_data_json),
         key_handle_raw,
-        cert_raw,
-        reg_signature(client_data_json)
-      ].pack("CA65CA#{key_handle_raw.bytesize}A#{cert_raw.bytesize}A*")
-    )
-  end
+        origin_public_key_raw
+      ].join
+      cert_key.sign(::U2F::DIGEST.new, payload)
+    end
 
-  # The signature field of a registrationData field of a RegisterResponse.
-  #
-  # client_data_json - The JSON encoded clientData String.
-  #
-  # Returns an ECDSA signature String.
-  def reg_signature(client_data_json)
-    payload = [
-      "\x00",
-      U2F::DIGEST.digest(app_id),
-      U2F::DIGEST.digest(client_data_json),
-      key_handle_raw,
-      origin_public_key_raw
-    ].join
-    cert_key.sign(U2F::DIGEST.new, payload)
-  end
+    # The signatureData field of a SignResponse Hash.
+    #
+    # client_data_json - The JSON encoded clientData String.
+    #
+    # Returns a url-safe base64 encoded binary String.
+    def auth_signature_data(client_data_json)
+      ::U2F.urlsafe_encode64(
+        [
+          1, # User present
+          self.counter += 1,
+          auth_signature(client_data_json)
+        ].pack('CNA*')
+      )
+    end
 
-  # The signatureData field of a SignResponse Hash.
-  #
-  # client_data_json - The JSON encoded clientData String.
-  #
-  # Returns a url-safe base64 encoded binary String.
-  def auth_signature_data(client_data_json)
-    ::U2F.urlsafe_encode64(
-      [
+    # The signature field of a signatureData field of a SignResponse Hash.
+    #
+    # client_data_json - The JSON encoded clientData String.
+    #
+    # Returns an ECDSA signature String.
+    def auth_signature(client_data_json)
+      data = [
+        ::U2F::DIGEST.digest(app_id),
         1, # User present
-        self.counter += 1,
-        auth_signature(client_data_json)
-      ].pack("CNA*")
-    )
-  end
+        counter,
+        ::U2F::DIGEST.digest(client_data_json)
+      ].pack('A32CNA32')
 
-  # The signature field of a signatureData field of a SignResponse Hash.
-  #
-  # client_data_json - The JSON encoded clientData String.
-  #
-  # Returns an ECDSA signature String.
-  def auth_signature(client_data_json)
-    data = [
-      U2F::DIGEST.digest(app_id),
-      1, # User present
-      counter,
-      U2F::DIGEST.digest(client_data_json)
-    ].pack("A32CNA32")
-
-    origin_key.sign(U2F::DIGEST.new, data)
-  end
+      origin_key.sign(::U2F::DIGEST.new, data)
+    end
 
-  # The clientData hash as returned by registration and authentication
-  # responses.
-  #
-  # typ       - The String value for the 'typ' field.
-  # challenge - The String url-safe base64 encoded challenge parameter.
-  #
-  # Returns a JSON encoded Hash String.
-  def client_data(typ, challenge)
-    JSON.dump(
-      :challenge => challenge,
-      :origin    => app_id,
-      :typ       => typ
-    )
-  end
+    # The clientData hash as returned by registration and authentication
+    # responses.
+    #
+    # typ       - The String value for the 'typ' field.
+    # challenge - The String url-safe base64 encoded challenge parameter.
+    #
+    # Returns a JSON encoded Hash String.
+    def client_data(typ, challenge)
+      JSON.dump(
+        challenge: challenge,
+        origin: app_id,
+        typ: typ
+      )
+    end
 
-  # The appId-specific public/private key.
-  #
-  # Returns a OpenSSL::PKey::EC instance.
-  def origin_key
-    @origin_key ||= generate_ec_key
-  end
+    # The appId-specific public/private key.
+    #
+    # Returns a OpenSSL::PKey::EC instance.
+    def origin_key
+      @origin_key ||= generate_ec_key
+    end
 
-  # The self-signed device attestation certificate.
-  #
-  # Returns a OpenSSL::X509::Certificate instance.
-  def cert
-    @cert ||= OpenSSL::X509::Certificate.new.tap do |c|
-      c.subject = c.issuer = OpenSSL::X509::Name.parse(cert_subject)
-      c.not_before = Time.now
-      c.not_after = Time.now + 365 * 24 * 60 * 60
-      c.public_key = cert_key
-      c.serial = 0x1
-      c.version = 0x0
-      c.sign cert_key, U2F::DIGEST.new
+    # The self-signed device attestation certificate.
+    #
+    # Returns a OpenSSL::X509::Certificate instance.
+    def cert
+      @cert ||= OpenSSL::X509::Certificate.new.tap do |c|
+        c.subject = c.issuer = OpenSSL::X509::Name.parse(cert_subject)
+        c.not_before = Time.now
+        c.not_after = Time.now + 365 * 24 * 60 * 60
+        c.public_key = cert_key
+        c.serial = 0x1
+        c.version = 0x0
+        c.sign cert_key, ::U2F::DIGEST.new
+      end
     end
-  end
 
-  # The public key used for signing the device certificate.
-  #
-  # Returns a OpenSSL::PKey::EC instance.
-  def cert_key
-    @cert_key ||= generate_ec_key
-  end
+    # The public key used for signing the device certificate.
+    #
+    # Returns a OpenSSL::PKey::EC instance.
+    def cert_key
+      @cert_key ||= generate_ec_key
+    end
 
-  # Generate an eliptic curve public/private key.
-  #
-  # Returns a OpenSSL::PKey::EC instance.
-  def generate_ec_key
-    OpenSSL::PKey::EC.new().tap do |ec|
-      ec.group = OpenSSL::PKey::EC::Group.new(CURVE_NAME)
-      ec.generate_key
-      # https://bugs.ruby-lang.org/issues/8177
-      ec.define_singleton_method(:private?) { private_key? }
-      ec.define_singleton_method(:public?) { public_key? }
+    # Generate an elliptic curve public/private key.
+    #
+    # Returns a OpenSSL::PKey::EC instance.
+    def generate_ec_key
+      OpenSSL::PKey::EC.new.tap do |ec|
+        ec.group = OpenSSL::PKey::EC::Group.new(CURVE_NAME)
+        ec.generate_key
+        # https://bugs.ruby-lang.org/issues/8177
+        ec.define_singleton_method(:private?) { private_key? }
+        ec.define_singleton_method(:public?) { public_key? }
+      end
     end
   end
 end
diff --git a/lib/u2f/register_request.rb b/lib/u2f/register_request.rb
index ee71f02..2d9092c 100644
--- a/lib/u2f/register_request.rb
+++ b/lib/u2f/register_request.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module U2F
   class RegisterRequest
     include RequestBase
@@ -7,7 +9,7 @@ def initialize(challenge)
       @challenge = challenge
     end
 
-    def as_json(options = {})
+    def as_json(_options = {})
       {
         version: version,
         challenge: challenge
diff --git a/lib/u2f/register_response.rb b/lib/u2f/register_response.rb
index 4c52fb1..26eeb76 100644
--- a/lib/u2f/register_response.rb
+++ b/lib/u2f/register_response.rb
@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module U2F
   ##
   # Representation of a U2F registration response.
   # See chapter 4.3:
   # http://fidoalliance.org/specs/fido-u2f-raw-message-formats-v1.0-rd-20141008.pdf
   class RegisterResponse
-    attr_accessor :client_data, :client_data_json, :registration_data_raw
+    attr_reader :client_data, :client_data_json, :registration_data_raw
 
     PUBLIC_KEY_OFFSET = 1
     PUBLIC_KEY_LENGTH = 65
@@ -12,22 +14,38 @@ class RegisterResponse
     KEY_HANDLE_LENGTH_OFFSET = PUBLIC_KEY_OFFSET + PUBLIC_KEY_LENGTH
     KEY_HANDLE_OFFSET = KEY_HANDLE_LENGTH_OFFSET + KEY_HANDLE_LENGTH_LENGTH
 
+    def initialize(client_data_encoded, registration_data_encoded)
+      begin
+        unless client_data_encoded.is_a?(String)
+          fail AttestationDecodeError, 'Must be a string'
+        end
+        @client_data_json = ::U2F.urlsafe_decode64(client_data_encoded)
+        @client_data = ClientData.load_from_json(client_data_json)
+      rescue AttestationDecodeError => e
+        raise AttestationDecodeError, "Invalid clientData: #{e.message}"
+      end
+
+      unless registration_data_encoded.is_a?(String)
+        fail AttestationDecodeError, 'Invalid registrationData: Not a string'
+      end
+      @registration_data_raw = ::U2F.urlsafe_decode64(registration_data_encoded)
+    end
+
     def self.load_from_json(json)
       # TODO: validate
-      data = JSON.parse(json)
+      from_hash(::JSON.parse(json))
+    rescue JSON::ParserError => e
+      raise AttestationDecodeError, "Invalid JSON: #{e.message}"
+    end
+
+    def self.from_hash(data)
+      raise RegistrationError, code: data['errorCode'] if data['errorCode']&.positive?
 
-      if data['errorCode'] && data['errorCode'] > 0
-        fail RegistrationError, :code => data['errorCode']
+      if !data.key?('clientData') || !data.key?('registrationData')
+        raise RegistrationError, message: 'Invalid JSON'
       end
 
-      instance = new
-      instance.client_data_json =
-        ::U2F.urlsafe_decode64(data['clientData'])
-      instance.client_data =
-        ClientData.load_from_json(instance.client_data_json)
-      instance.registration_data_raw =
-        ::U2F.urlsafe_decode64(data['registrationData'])
-      instance
+      new(data['clientData'], data['registrationData'])
     end
 
     ##
@@ -67,7 +85,7 @@ def key_handle_length
     ##
     # Returns the public key, extracted from the registration data
     def public_key
-      # Base64 encode without linefeeds
+      # Base64 encode without line feeds
       Base64.strict_encode64(public_key_raw)
     end
 
@@ -79,7 +97,8 @@ def public_key_raw
     # Returns the signature, extracted from the registration data
     def signature
       registration_data_raw.byteslice(
-        (KEY_HANDLE_OFFSET + key_handle_length + certificate_length)..-1)
+        (KEY_HANDLE_OFFSET + key_handle_length + certificate_length)..-1
+      )
     end
 
     ##
diff --git a/lib/u2f/registration.rb b/lib/u2f/registration.rb
index 9b6233a..9c12215 100644
--- a/lib/u2f/registration.rb
+++ b/lib/u2f/registration.rb
@@ -1,8 +1,12 @@
+# frozen_string_literal: true
+
 module U2F
   ##
   # A representation of a registered U2F device
   class Registration
-    attr_accessor :key_handle, :public_key, :certificate, :counter
+    attr_writer :counter
+    attr_accessor :key_handle, :public_key, :certificate
+
     def initialize(key_handle, public_key, certificate)
       @key_handle = key_handle
       @public_key = public_key
@@ -13,4 +17,4 @@ def counter
       @counter.nil? ? 0 : @counter
     end
   end
-end
\ No newline at end of file
+end
diff --git a/lib/u2f/request_base.rb b/lib/u2f/request_base.rb
index 7c4ca2d..74d820e 100644
--- a/lib/u2f/request_base.rb
+++ b/lib/u2f/request_base.rb
@@ -1,7 +1,7 @@
+# frozen_string_literal: true
+
 module U2F
   module RequestBase
-    attr_accessor :version
-
     def to_json(options = {})
       ::JSON.pretty_generate(as_json, options)
     end
diff --git a/lib/u2f/sign_request.rb b/lib/u2f/sign_request.rb
index 567b331..585c150 100644
--- a/lib/u2f/sign_request.rb
+++ b/lib/u2f/sign_request.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module U2F
   class SignRequest
     include RequestBase
@@ -7,7 +9,7 @@ def initialize(key_handle)
       @key_handle = key_handle
     end
 
-    def as_json(options = {})
+    def as_json(_options = {})
       {
         version: version,
         keyHandle: key_handle
diff --git a/lib/u2f/sign_response.rb b/lib/u2f/sign_response.rb
index c6425ec..3a80972 100644
--- a/lib/u2f/sign_response.rb
+++ b/lib/u2f/sign_response.rb
@@ -1,32 +1,54 @@
+# frozen_string_literal: true
+
 module U2F
   class SignResponse
-    attr_accessor :client_data, :client_data_json, :key_handle, :signature_data
+    attr_reader :key_handle, :client_data_json, :client_data
+    attr_reader :signature_data_raw
+
+    def initialize(key_handle, client_data_encoded, signature_data_encoded)
+      unless key_handle.is_a?(String)
+        fail AttestationDecodeError, 'Invalid keyHandle: Not a string'
+      end
+      @key_handle = key_handle
+
+      begin
+        unless client_data_encoded.is_a?(String)
+          fail AttestationDecodeError, 'Not a string'
+        end
+        @client_data_json = ::U2F.urlsafe_decode64(client_data_encoded)
+        @client_data = ClientData.load_from_json(client_data_json)
+      rescue AttestationDecodeError => e
+        raise AttestationDecodeError, "Invalid clientData: #{e.message}"
+      end
+
+      unless signature_data_encoded.is_a?(String)
+        fail AttestationDecodeError, 'Invalid signatureData: Not a string'
+      end
+      @signature_data_raw = ::U2F.urlsafe_decode64(signature_data_encoded)
+    end
 
     def self.load_from_json(json)
-      data = ::JSON.parse(json)
-      instance = new
-      instance.client_data_json =
-        ::U2F.urlsafe_decode64(data['clientData'])
-      instance.client_data =
-        ClientData.load_from_json(instance.client_data_json)
-      instance.key_handle = data['keyHandle']
-      instance.signature_data =
-        ::U2F.urlsafe_decode64(data['signatureData'])
-      instance
+      from_hash(::JSON.parse(json))
+    rescue JSON::ParserError => e
+      raise AttestationDecodeError, "Invalid JSON: #{e.message}"
+    end
+
+    def self.from_hash(data)
+      new(data['keyHandle'], data['clientData'], data['signatureData']) 
     end
 
     ##
     # Counter value that the U2F token increments every time it performs an
     # authentication operation
     def counter
-      signature_data.byteslice(1, 4).unpack('N').first
+      signature_data_raw.byteslice(1, 4).unpack('N').first
     end
 
     ##
     # signature is to be verified using the public key obtained during
     # registration.
     def signature
-      signature_data.byteslice(5..-1)
+      signature_data_raw.byteslice(5..-1) || ''
     end
 
     # Bit 0 being set to 1 indicates that the user is present. A different value
@@ -36,7 +58,7 @@ def signature
     ##
     # If user presence was verified
     def user_present?
-      byte = signature_data.byteslice(0).unpack('C').first
+      byte = signature_data_raw.byteslice(0).unpack('C').first
       byte & USER_PRESENCE_MASK == 1
     end
 
@@ -46,7 +68,7 @@ def user_present?
     def verify(app_id, public_key_pem)
       data = [
         ::U2F::DIGEST.digest(app_id),
-        signature_data.byteslice(0, 5),
+        signature_data_raw.byteslice(0, 5),
         ::U2F::DIGEST.digest(client_data_json)
       ].join
 
diff --git a/lib/u2f/u2f.rb b/lib/u2f/u2f.rb
index 99a2409..781ad08 100644
--- a/lib/u2f/u2f.rb
+++ b/lib/u2f/u2f.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module U2F
   class U2F
     attr_accessor :app_id
@@ -29,38 +31,35 @@ def authentication_requests(key_handles)
     # Authenticate a response from the U2F device
     #
     # * *Args*:
-    #   - +challenges+:: +Array+ of challenge strings
+    #   - +challenge+:: Challenge string
     #   - +response+:: Response from the U2F device as a +SignResponse+ object
     #   - +registration_public_key+:: Public key of the registered U2F device as binary string
-    #   - +registration_counter+:: +Integer+ with the current counter value of the registered device.
+    #   - +registration_counter+:: +Integer+ with the current counter value of the registered
+    #     device
     #
     # * *Raises*:
-    #   - +NoMatchingRequestError+:: if the challenge in the response doesn't match any of the provided ones.
+    #   - +NoMatchingRequestError+:: if the challenge in the response doesn't match any of the
+    #     provided ones
     #   - +ClientDataTypeError+:: if the response is of the wrong type
     #   - +AuthenticationFailedError+:: if the authentication failed
     #   - +UserNotPresentError+:: if the user wasn't present during the authentication
-    #   - +CounterTooLowError+:: if there is a counter mismatch between the registered one and the one in the response.
+    #   - +CounterTooLowError+:: if there is a counter mismatch between the registered one and
+    #     the one in the response
     #
-    def authenticate!(challenge, response, registration_public_key,
-                      registration_counter)
-
-      # TODO: check that it's the correct key_handle as well
-      unless challenge == response.client_data.challenge
-        fail NoMatchingRequestError
-      end
-
-      fail ClientDataTypeError unless response.client_data.authentication?
-
+    def authenticate!(response, registration_public_key, registration_counter)
       pem = U2F.public_key_pem(registration_public_key)
 
       fail AuthenticationFailedError unless response.verify(app_id, pem)
+      challenge = yield response.client_data.challenge if block_given?
+
+      raise NoMatchingRequestError unless challenge == response.client_data.challenge
+
+      raise ClientDataTypeError unless response.client_data.authentication?
 
-      fail UserNotPresentError unless response.user_present?
+      raise UserNotPresentError unless response.user_present?
 
       unless response.counter > registration_counter
-        unless response.counter == 0 && registration_counter == 0
-          fail CounterTooLowError
-        end
+        raise CounterTooLowError unless response.counter.zero? && registration_counter.zero?
       end
     end
 
@@ -96,36 +95,30 @@ def registration_requests
     #   - A +Registration+ object
     #
     # * *Raises*:
-    #   - +UnmatchedChallengeError+:: if the challenge in the response doesn't match any of the provided ones.
+    #   - +UnmatchedChallengeError+:: if the challenge in the response doesn't match any of
+    #     the provided ones
     #   - +ClientDataTypeError+:: if the response is of the wrong type
     #   - +AttestationSignatureError+:: if the registration failed
     #
-    def register!(challenges, response)
-      challenges = [challenges] unless challenges.is_a? Array
-      challenge = challenges.detect do |chg|
-        chg == response.client_data.challenge
-      end
-
-      fail UnmatchedChallengeError unless challenge
-
-      fail ClientDataTypeError unless response.client_data.registration?
-
+    def register!(response)
       # Validate public key
       U2F.public_key_pem(response.public_key_raw)
 
-      # TODO:
-      # unless U2F.validate_certificate(response.certificate_raw)
-      #   fail AttestationVerificationError
-      # end
+      raise AttestationSignatureError unless response.verify(app_id)
 
-      fail AttestationSignatureError unless response.verify(app_id)
+      challenge = yield response.client_data.challenge if block_given?
+
+      unless challenge == response.client_data.challenge
+        fail UnmatchedChallengeError
+      end
 
-      registration = Registration.new(
+      fail ClientDataTypeError unless response.client_data.registration?
+
+      Registration.new(
         response.key_handle,
         response.public_key,
         response.certificate
       )
-      registration
     end
 
     ##
@@ -140,28 +133,26 @@ def register!(challenges, response)
     #   - +PublicKeyDecodeError+:: if the +key+ argument is incorrect
     #
     def self.public_key_pem(key)
-      fail PublicKeyDecodeError unless key.bytesize == 65 && key.byteslice(0) == "\x04"
+      raise PublicKeyDecodeError unless key.bytesize == 65 && key.byteslice(0) == "\x04"
+
       # http://tools.ietf.org/html/rfc5480
-      der = OpenSSL::ASN1::Sequence([
-        OpenSSL::ASN1::Sequence([
-          OpenSSL::ASN1::ObjectId('1.2.840.10045.2.1'),  # id-ecPublicKey
-          OpenSSL::ASN1::ObjectId('1.2.840.10045.3.1.7') # secp256r1
-        ]),
-        OpenSSL::ASN1::BitString(key)
-      ]).to_der
+      der = OpenSSL::ASN1::Sequence(
+        [
+          OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::ObjectId('1.2.840.10045.2.1'),  # id-ecPublicKey
+              OpenSSL::ASN1::ObjectId('1.2.840.10045.3.1.7') # secp256r1
+            ]
+          ),
+          OpenSSL::ASN1::BitString(key)
+        ]
+      ).to_der
 
       pem = "-----BEGIN PUBLIC KEY-----\r\n" +
             Base64.strict_encode64(der).scan(/.{1,64}/).join("\r\n") +
             "\r\n-----END PUBLIC KEY-----"
       pem
     end
-
-    # def self.validate_certificate(_certificate_raw)
-      # TODO
-      # cacert = OpenSSL::X509::Certificate.new()
-      # cert = OpenSSL::X509::Certificate.new(certificate_raw)
-      # cert.verify(cacert.public_key)
-    # end
   end
 
   ##
@@ -169,11 +160,10 @@ def self.public_key_pem(key)
   #
   def self.urlsafe_decode64(string)
     string = case string.length % 4
-      when 2 then string + '=='
-      when 3 then string + '='
-      else
-        string
-    end
+             when 2 then string + '=='
+             when 3 then string + '='
+             else string
+             end
     Base64.urlsafe_decode64(string)
   end
 
diff --git a/lib/version.rb b/lib/u2f/version.rb
similarity index 53%
rename from lib/version.rb
rename to lib/u2f/version.rb
index 40ae72d..2985f1f 100644
--- a/lib/version.rb
+++ b/lib/u2f/version.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module U2F
   VERSION = '1.0.0'
 end
diff --git a/spec/lib/client_data_spec.rb b/spec/lib/client_data_spec.rb
index 078e773..c72cc12 100644
--- a/spec/lib/client_data_spec.rb
+++ b/spec/lib/client_data_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper.rb'
 
 describe U2F::ClientData do
@@ -5,34 +7,36 @@
   let(:registration_type) { U2F::ClientData::REGISTRATION_TYP }
   let(:authentication_type) { U2F::ClientData::AUTHENTICATION_TYP }
 
-  let(:client_data) do
-    cd = U2F::ClientData.new
-    cd.typ = type
-    cd
-  end
+  let(:client_data) { U2F::ClientData.new(type, '', '') }
 
   describe '#registration?' do
     subject { client_data.registration? }
-    context 'for correct type' do
+
+    context 'with correct type' do
       let(:type) { registration_type }
+
       it { is_expected.to be_truthy }
     end
 
-    context 'for incorrect type' do
+    context 'with incorrect type' do
       let(:type) { authentication_type }
+
       it { is_expected.to be_falsey }
     end
   end
 
   describe '#authentication?' do
     subject { client_data.authentication? }
-    context 'for correct type' do
+
+    context 'with correct type' do
       let(:type) { authentication_type }
+
       it { is_expected.to be_truthy }
     end
 
-    context 'for incorrect type' do
+    context 'with incorrect type' do
       let(:type) { registration_type }
+
       it { is_expected.to be_falsey }
     end
   end
diff --git a/spec/lib/register_request_spec.rb b/spec/lib/register_request_spec.rb
index 5f7417f..6c9bc04 100644
--- a/spec/lib/register_request_spec.rb
+++ b/spec/lib/register_request_spec.rb
@@ -1,14 +1,17 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe U2F::RegisterRequest do
   let(:challenge) { 'fEnc9oV79EaBgK5BoNERU5gPKM2XGYWrz4fUjgc0Q7g' }
 
   let(:sign_request) do
-    U2F::RegisterRequest.new(challenge)
+    described_class.new(challenge)
   end
 
   describe '#to_json' do
     subject { sign_request.to_json }
+
     it do
       is_expected.to match_json_expression(
         version: String,
diff --git a/spec/lib/register_response_spec.rb b/spec/lib/register_response_spec.rb
index d8dad83..be27304 100644
--- a/spec/lib/register_response_spec.rb
+++ b/spec/lib/register_response_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper.rb'
 
 describe U2F::RegisterResponse do
@@ -9,76 +11,89 @@
   let(:certificate) { Base64.strict_encode64(device.cert_raw) }
   let(:registration_data_json) { device.register_response(challenge) }
   let(:registration_data_json_without_padding) do
-    device.register_response(challenge).gsub(" ", "")
+    device.register_response(challenge).delete(' ')
   end
-  let(:error_response) { device.register_response(challenge, error = true) }
+  let(:error_response) { device.register_response(challenge, true) }
   let(:registration_request) { U2F::RegisterRequest.new(challenge) }
-  let(:register_response) do
-    U2F::RegisterResponse.load_from_json(registration_data_json)
-  end
 
-  context 'with error response' do
-    let(:registration_data_json) { error_response }
-    it 'raises RegistrationError with code' do
-      expect {
-        register_response
-      }.to raise_error(U2F::RegistrationError) do |error|
-        expect(error.code).to eq(4)
+  shared_examples 'register response examples' do
+    context 'with error response' do
+      let(:registration_data_json) { error_response }
+      it 'raises RegistrationError with code' do
+        expect {
+          register_response
+        }.to raise_error(U2F::RegistrationError) do |error|
+          expect(error.code).to eq(4)
+        end
       end
     end
-  end
 
-  context 'with unpadded response' do
-    let(:registration_data_json) { registration_data_json_without_padding }
-    it 'does not raise "invalid base64" exception' do
-      expect {
-        register_response
-      }.not_to raise_error
+    context 'with unpadded response' do
+      let(:registration_data_json) { registration_data_json_without_padding }
+      it 'does not raise "invalid base64" exception' do
+        expect {
+          register_response
+        }.not_to raise_error
+      end
     end
-  end
 
-  describe '#certificate' do
-    subject { register_response.certificate }
-    it { is_expected.to eq certificate }
-  end
+    describe '#certificate' do
+      subject { register_response.certificate }
+      it { is_expected.to eq certificate }
+    end
 
-  describe '#client_data' do
-    context 'challenge' do
-      subject { register_response.client_data.challenge }
-      it { is_expected.to eq challenge }
+    describe '#client_data' do
+      context 'challenge' do
+        subject { register_response.client_data.challenge }
+        it { is_expected.to eq challenge }
+      end
     end
-  end
 
-  describe '#key_handle' do
-    subject { register_response.key_handle }
-    it { is_expected.to eq key_handle }
-  end
+    describe '#key_handle' do
+      subject { register_response.key_handle }
+      it { is_expected.to eq key_handle }
+    end
 
-  describe '#key_handle_length' do
-    subject { register_response.key_handle_length }
-    it { is_expected.to eq U2F.urlsafe_decode64(key_handle).length }
-  end
+    describe '#key_handle_length' do
+      subject { register_response.key_handle_length }
+      it { is_expected.to eq U2F.urlsafe_decode64(key_handle).length }
+    end
 
-  describe '#public_key' do
-    subject { register_response.public_key }
-    it { is_expected.to eq public_key }
-  end
+    describe '#public_key' do
+      subject { register_response.public_key }
+      it { is_expected.to eq public_key }
+    end
 
-  describe '#verify' do
-    subject { register_response.verify(app_id) }
-    it { is_expected.to be_truthy }
-  end
+    describe '#verify' do
+      subject { register_response.verify(app_id) }
+      it { is_expected.to be_truthy }
+    end
+
+    describe '#verify with wrong app_id' do
+      subject { register_response.verify("other app") }
+      it { is_expected.to be_falsey }
+    end
 
-  describe '#verify with wrong app_id' do
-    subject { register_response.verify("other app") }
-    it { is_expected.to be_falsey }
+    describe '#verify with corrupted signature' do
+      subject { register_response }
+      it "returns falsey" do
+        allow(subject).to receive(:signature).and_return("bad signature")
+        expect(subject.verify(app_id)).to be_falsey
+      end
+    end
   end
 
-  describe '#verify with corrupted signature' do
-    subject { register_response }
-    it "returns falsey" do
-      allow(subject).to receive(:signature).and_return("bad signature")
-      expect(subject.verify(app_id)).to be_falsey
+  context 'instantiated via #load_from_json' do
+    let(:register_response) do
+      U2F::RegisterResponse.load_from_json(registration_data_json)
     end
+    include_examples 'register response examples'
   end
+
+  context 'instantiated via #from_hash' do
+    let(:register_response) do
+      U2F::RegisterResponse.from_hash(JSON.parse registration_data_json)
+  end
+  include_examples 'register response examples'
+end
 end
diff --git a/spec/lib/sign_request_spec.rb b/spec/lib/sign_request_spec.rb
index e3bc79b..a4a5e73 100644
--- a/spec/lib/sign_request_spec.rb
+++ b/spec/lib/sign_request_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe U2F::SignRequest do
@@ -5,11 +7,12 @@
     'CTUayZo8hCBeC-sGQJChC0wW-bBg99bmOlGCgw8XGq4dLsxO3yWh9mRYArZxocP5hBB1pEGB3bbJYiM-5acc5w=='
   end
   let(:sign_request) do
-    U2F::SignRequest.new(key_handle)
+    described_class.new(key_handle)
   end
 
   describe '#to_json' do
     subject { sign_request.to_json }
+
     it do
       is_expected.to match_json_expression(
         version: String,
diff --git a/spec/lib/sign_response_spec.rb b/spec/lib/sign_response_spec.rb
index f804d37..08c8e30 100644
--- a/spec/lib/sign_response_spec.rb
+++ b/spec/lib/sign_response_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper.rb'
 
 describe U2F::SignResponse do
@@ -5,34 +7,45 @@
   let(:challenge) { U2F.urlsafe_encode64(SecureRandom.random_bytes(32)) }
   let(:device) { U2F::FakeU2F.new(app_id) }
   let(:json_response) { device.sign_response(challenge) }
-  let(:sign_response) { U2F::SignResponse.load_from_json json_response }
   let(:public_key_pem) { U2F::U2F.public_key_pem(device.origin_public_key_raw) }
 
-  describe '#counter' do
-    subject { sign_response.counter }
-    it { is_expected.to be device.counter }
-  end
+  shared_examples 'sign response examples' do
+    describe '#counter' do
+      subject { sign_response.counter }
+      it { is_expected.to be device.counter }
+    end
 
-  describe '#user_present?' do
-    subject { sign_response.user_present? }
-    it { is_expected.to be true }
-  end
+    describe '#user_present?' do
+      subject { sign_response.user_present? }
+      it { is_expected.to be true }
+    end
 
-  describe '#verify with correct app id' do
-    subject { sign_response.verify(app_id, public_key_pem) }
-    it { is_expected.to be_truthy}
+    describe '#verify with correct app id' do
+      subject { sign_response.verify(app_id, public_key_pem) }
+      it { is_expected.to be_truthy}
+    end
+
+    describe '#verify with wrong app id' do
+      subject { sign_response.verify("other app", public_key_pem) }
+      it { is_expected.to be_falsey }
+    end
+
+    describe '#verify with corrupted signature' do
+      subject { sign_response }
+      it "returns falsey" do
+        allow(subject).to receive(:signature).and_return("bad signature")
+        expect(subject.verify(app_id, public_key_pem)).to be_falsey
+      end
+    end
   end
 
-  describe '#verify with wrong app id' do
-    subject { sign_response.verify("other app", public_key_pem) }
-    it { is_expected.to be_falsey }
+  context 'instantiated via #load_from_json' do
+    let(:sign_response) { described_class.load_from_json json_response }
+    include_examples 'sign response examples'
   end
 
-  describe '#verify with corrupted signature' do
-    subject { sign_response }
-    it "returns falsey" do
-      allow(subject).to receive(:signature).and_return("bad signature")
-      expect(subject.verify(app_id, public_key_pem)).to be_falsey
-    end
+  context 'instantiated via #from_hash' do
+    let(:sign_response) { described_class.from_hash(JSON.parse json_response) }
+    include_examples 'sign response examples'
   end
 end
diff --git a/spec/lib/u2f_spec.rb b/spec/lib/u2f_spec.rb
index a736fab..5a8585b 100644
--- a/spec/lib/u2f_spec.rb
+++ b/spec/lib/u2f_spec.rb
@@ -1,100 +1,109 @@
- require 'spec_helper'
+# frozen_string_literal: true
+
+require 'spec_helper'
 
 describe U2F do
   let(:app_id) { 'http://demo.example.com' }
-  let(:device_challenge) { U2F.urlsafe_encode64(SecureRandom.random_bytes(32)) }
+  let(:device_challenge) { described_class.urlsafe_encode64(SecureRandom.random_bytes(32)) }
   let(:auth_challenge) { device_challenge }
-  let(:u2f) { U2F::U2F.new(app_id) }
-  let(:device) { U2F::FakeU2F.new(app_id) }
-  let(:key_handle) { U2F.urlsafe_encode64(device.key_handle_raw) }
+  let(:u2f) { described_class::U2F.new(app_id) }
+  let(:device) { described_class::FakeU2F.new(app_id) }
+  let(:key_handle) { described_class.urlsafe_encode64(device.key_handle_raw) }
   let(:certificate) { Base64.strict_encode64(device.cert_raw) }
   let(:public_key) { device.origin_public_key_raw }
   let(:register_response_json) { device.register_response(device_challenge) }
   let(:sign_response_json) { device.sign_response(device_challenge) }
   let(:registration) do
-    U2F::Registration.new(key_handle, public_key, certificate)
+    described_class::Registration.new(key_handle, public_key, certificate)
   end
   let(:register_response) do
-    U2F::RegisterResponse.load_from_json(register_response_json)
+    described_class::RegisterResponse.load_from_json(register_response_json)
   end
   let(:sign_response) do
-    U2F::SignResponse.load_from_json sign_response_json
+    described_class::SignResponse.load_from_json sign_response_json
   end
   let(:sign_request) do
-    U2F::SignRequest.new(key_handle)
+    described_class::SignRequest.new(key_handle)
   end
 
   describe '#authentication_requests' do
     let(:requests) { u2f.authentication_requests(key_handle) }
+
     it 'returns an array of requests' do
       expect(requests).to be_an Array
-      requests.each { |r| expect(r).to be_a U2F::SignRequest }
+      requests.each { |r| expect(r).to be_a described_class::SignRequest }
     end
   end
 
   describe '#authenticate!' do
     let(:counter) { registration.counter }
     let(:reg_public_key) { registration.public_key }
-    let (:u2f_authenticate) do
-      u2f.authenticate!(auth_challenge, sign_response, reg_public_key, counter)
+    let(:u2f_authenticate) do
+      u2f.authenticate!(sign_response, reg_public_key, counter) do |c|
+        expect(c).to eq(sign_response.client_data.challenge)
+        auth_challenge
+      end
     end
+
     context 'with correct parameters' do
       it 'does not raise an error' do
-        expect { u2f_authenticate }.to_not raise_error
+        expect { u2f_authenticate }.not_to raise_error
       end
     end
 
     context 'with incorrect challenge' do
       let(:auth_challenge) { 'incorrect' }
+
       it 'raises NoMatchingRequestError' do
-        expect { u2f_authenticate }.to raise_error(U2F::NoMatchingRequestError)
+        expect { u2f_authenticate }.to raise_error(described_class::NoMatchingRequestError)
       end
     end
 
     context 'with incorrect counter' do
       let(:counter) { 1000 }
+
       it 'raises CounterTooLowError' do
-        expect { u2f_authenticate }.to raise_error(U2F::CounterTooLowError)
+        expect { u2f_authenticate }.to raise_error(described_class::CounterTooLowError)
       end
     end
+
     context 'with incorrect counter' do
       let(:reg_public_key) { "\x00" }
+
       it 'raises CounterToLowError' do
-        expect { u2f_authenticate }.to raise_error(U2F::PublicKeyDecodeError)
+        expect { u2f_authenticate }.to raise_error(described_class::PublicKeyDecodeError)
       end
     end
   end
 
   describe '#registration_requests' do
     let(:requests) { u2f.registration_requests }
+
     it 'returns an array of requests' do
       expect(requests).to be_an Array
-      requests.each { |r| expect(r).to be_a U2F::RegisterRequest }
+      requests.each { |r| expect(r).to be_a described_class::RegisterRequest }
     end
   end
 
   describe '#register!' do
-    context 'with correct registration data' do
-      it 'returns a registration' do
-        reg = nil
-        expect {
-          reg = u2f.register!(auth_challenge, register_response)
-        }.to_not raise_error
-        expect(reg.key_handle).to eq key_handle
+    def register
+      u2f.register!(register_response) do |c|
+        expect(c).to eq(register_response.client_data.challenge)
+        auth_challenge
       end
+    end
 
-      it 'accepts an array of challenges' do
-        reg = u2f.register!(['another-challenge', auth_challenge], register_response)
-        expect(reg).to be_a U2F::Registration
+    context 'with correct registration data' do
+      it 'returns a registration' do
+        expect(register.key_handle).to eq key_handle
       end
     end
 
     context 'with unknown challenge' do
       let(:auth_challenge) { 'non-matching' }
+
       it 'raises an UnmatchedChallengeError' do
-        expect {
-          u2f.register!(auth_challenge, register_response)
-        }.to raise_error(U2F::UnmatchedChallengeError)
+        expect { register }.to raise_error(U2F::UnmatchedChallengeError)
       end
     end
   end
@@ -102,27 +111,33 @@
   describe '::public_key_pem' do
     context 'with correct key' do
       it 'wraps the result' do
-        pem = U2F::U2F.public_key_pem public_key
+        pem = described_class::U2F.public_key_pem public_key
         expect(pem).to start_with '-----BEGIN PUBLIC KEY-----'
         expect(pem).to end_with '-----END PUBLIC KEY-----'
       end
     end
 
     context 'with invalid key' do
-      let(:public_key) { U2F.urlsafe_decode64('YV6FVSmH0ObY1cBRCsYJZ/CXF1gKsL+DW46rMfpeymtDZted2Ut2BraszUK1wg1+YJ4Bxt6r24WHNUYqKgeaSq8=') }
+      let(:public_key) do
+        described_class.urlsafe_decode64(
+          'YV6FVSmH0ObY1cBRCsYJZ/CXF1gKsL+DW46rMfpeymtDZted2Ut2BraszUK1wg1+YJ4Bxt6r24WHNUYqKgeaSq8='
+        )
+      end
+
       it 'fails when first byte of the key is not 0x04' do
-        expect {
-          U2F::U2F.public_key_pem public_key
-        }.to raise_error(U2F::PublicKeyDecodeError)
+        expect do
+          described_class::U2F.public_key_pem public_key
+        end.to raise_error(described_class::PublicKeyDecodeError)
       end
     end
 
     context 'with truncated key' do
-      let(:public_key) { U2F.urlsafe_decode64('BJhSPkR3Rmgl') }
+      let(:public_key) { described_class.urlsafe_decode64('BJhSPkR3Rmgl') }
+
       it 'fails when key is to short' do
-        expect {
-          U2F::U2F.public_key_pem public_key
-        }.to raise_error(U2F::PublicKeyDecodeError)
+        expect do
+          described_class::U2F.public_key_pem public_key
+        end.to raise_error(described_class::PublicKeyDecodeError)
       end
     end
   end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 9bafaec..85c1290 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,10 +1,11 @@
+# frozen_string_literal: true
+
 require 'simplecov'
 require 'coveralls'
 
-SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
-  SimpleCov::Formatter::HTMLFormatter,
-  Coveralls::SimpleCov::Formatter
-]
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new(
+  [SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter]
+)
 SimpleCov.start do
   add_filter 'spec'
 end
diff --git a/u2f.gemspec b/u2f.gemspec
index 51947b4..0e77747 100644
--- a/u2f.gemspec
+++ b/u2f.gemspec
@@ -1,6 +1,8 @@
-$:.push File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
 
-require 'version'
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+
+require 'u2f/version'
 
 Gem::Specification.new do |s|
   s.name        = 'u2f'
@@ -11,15 +13,8 @@ Gem::Specification.new do |s|
   s.email       = ['brissmyr@gmail.com', 'sebastian.wallin@gmail.com']
   s.homepage    = 'https://github.com/castle/ruby-u2f'
   s.license     = 'MIT'
-  s.required_ruby_version = '>= 2.0.0'
+  s.required_ruby_version = '>= 2.4'
 
   s.files       = Dir['{lib}/**/*'] + ['README.md', 'LICENSE']
   s.test_files  = Dir['spec/**/*']
-
-  s.add_development_dependency 'rake', '~> 10.3'
-  s.add_development_dependency 'rspec', '~> 3.1'
-  s.add_development_dependency 'json_expressions', '~> 0.8.3'
-  s.add_development_dependency 'rubocop', '~> 0.27.1'
-  s.add_development_dependency 'coveralls', '~> 0.8.10'
-  s.add_development_dependency 'simplecov', '~> 0.11.1'
 end