diff --git a/.editorconfig b/.editorconfig
index 33ca8339e..4650be58f 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -21,6 +21,10 @@ root = true
 dotnet_diagnostic.ide0073.severity = suggestion
 file_header_template = Copyright 2024 Yubico AB\n\nLicensed under the Apache License, Version 2.0 (the "License").\nYou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an "AS IS" BASIS, \nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.
 
+# ReSharper properties
+resharper_csharp_wrap_after_declaration_lpar = true
+resharper_csharp_wrap_parameters_style = chop_always
+
 
 # C# files
 [*.cs]
@@ -357,4 +361,4 @@ dotnet_diagnostic.ca1014.severity = none
 # var preferences
 csharp_style_var_elsewhere = false:warning
 csharp_style_var_for_built_in_types = false:warning
-csharp_style_var_when_type_is_apparent = true:warning
\ No newline at end of file
+csharp_style_var_when_type_is_apparent = true:warning
diff --git a/Yubico.Core/src/Yubico/Core/Devices/SmartCard/DesktopSmartCardConnection.cs b/Yubico.Core/src/Yubico/Core/Devices/SmartCard/DesktopSmartCardConnection.cs
index cfd30ac68..28e507a8a 100644
--- a/Yubico.Core/src/Yubico/Core/Devices/SmartCard/DesktopSmartCardConnection.cs
+++ b/Yubico.Core/src/Yubico/Core/Devices/SmartCard/DesktopSmartCardConnection.cs
@@ -104,7 +104,7 @@ public IDisposable BeginTransaction(out bool cardWasReset)
             uint result = SCardBeginTransaction(_cardHandle);
             _log.SCardApiCall(nameof(SCardBeginTransaction), result);
 
-            // Sometime the smart card is left in a state where it needs to be reset prior to beginning
+            // Sometimes the smart card is left in a state where it needs to be reset prior to beginning
             // a transaction. We should automatically handle this case.
             if (result == ErrorCode.SCARD_W_RESET_CARD)
             {
diff --git a/Yubico.Core/src/Yubico/Core/Tlv/TlvObject.cs b/Yubico.Core/src/Yubico/Core/Tlv/TlvObject.cs
new file mode 100644
index 000000000..08f703258
--- /dev/null
+++ b/Yubico.Core/src/Yubico/Core/Tlv/TlvObject.cs
@@ -0,0 +1,198 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.IO;
+using System.Linq;
+
+namespace Yubico.Core.Tlv
+{
+    /// <summary>
+    /// Tag, length, Value structure that helps to parse APDU response data.
+    /// This class handles BER-TLV encoded data with determinate length.
+    /// </summary>
+    public class TlvObject
+    {
+        /// <summary>
+        /// Returns the tag.
+        /// </summary>
+        public int Tag { get; }
+
+        /// <summary>
+        /// Returns the value.
+        /// </summary>
+        public Memory<byte> Value => _bytes.Skip(_offset).Take(Length).ToArray();
+
+        /// <summary>
+        /// Returns the length of the value.
+        /// </summary>
+        public int Length { get; }
+
+        private readonly byte[] _bytes;
+        private readonly int _offset;
+
+        /// <summary>
+        /// Creates a new TLV (Tag-Length-Value) object with the specified tag and value.
+        /// </summary>
+        /// <param name="tag">The tag value, must be between 0x00 and 0xFFFF.</param>
+        /// <param name="value">The value data as a read-only span of bytes.</param>
+        /// <exception cref="TlvException">Thrown when the tag value is outside the supported range (0x00-0xFFFF).</exception>
+        /// <remarks>
+        /// This constructor creates a BER-TLV encoded structure where:
+        /// - The tag is encoded in the minimum number of bytes needed
+        /// - The length is encoded according to BER-TLV rules
+        /// - The value is stored as provided
+        /// </remarks>
+        public TlvObject(int tag, ReadOnlySpan<byte> value)
+        {
+            // Validate that the tag is within the supported range (0x00-0xFFFF)
+            if (tag < 0 || tag > 0xFFFF)
+            {
+                throw new TlvException(ExceptionMessages.TlvUnsupportedTag);
+            }
+
+            Tag = tag;
+            // Create a copy of the input value
+            byte[] valueBuffer = value.ToArray();
+            using var ms = new MemoryStream();
+
+            // Convert tag to bytes and remove leading zeros, maintaining BER-TLV format
+            byte[] tagBytes = BitConverter.GetBytes(tag).Reverse().SkipWhile(b => b == 0).ToArray();
+            ms.Write(tagBytes, 0, tagBytes.Length);
+
+            Length = valueBuffer.Length;
+            // For lengths < 128 (0x80), use single byte encoding
+            if (Length < 0x80)
+            {
+                ms.WriteByte((byte)Length);
+            }
+            // For lengths >= 128, use multi-byte encoding with length indicator
+            else
+            {
+                // Convert length to bytes and remove leading zeros
+                byte[] lnBytes = BitConverter.GetBytes(Length).Reverse().SkipWhile(b => b == 0).ToArray();
+                // Write number of length bytes with high bit set (0x80 | number of bytes)
+                ms.WriteByte((byte)(0x80 | lnBytes.Length));
+                // Write the actual length bytes
+                ms.Write(lnBytes, 0, lnBytes.Length);
+            }
+
+            // Store the position where the value begins
+            _offset = (int)ms.Position;
+
+            // Write the value bytes
+            ms.Write(valueBuffer, 0, Length);
+
+            // Store the complete TLV encoding
+            _bytes = ms.ToArray();
+        }
+
+        /// <summary>
+        /// Returns a copy ofthe Tlv as a BER-TLV encoded byte array.
+        /// </summary>
+        public Memory<byte> GetBytes() => _bytes.ToArray();
+
+        /// <summary>
+        /// Parse a Tlv from a BER-TLV encoded byte array.
+        /// </summary>
+        /// <param name="data">A byte array containing the TLV encoded data (and nothing more).</param>
+        /// <returns>The parsed Tlv</returns>
+        public static TlvObject Parse(ReadOnlySpan<byte> data)
+        {
+            ReadOnlySpan<byte> buffer = data;
+            return ParseFrom(ref buffer);
+        }
+
+        /// <summary>
+        /// Parses a TLV from a BER-TLV encoded byte array.
+        /// </summary>
+        /// <param name="buffer">A byte array containing the TLV encoded data.</param>
+        /// <returns>The parsed <see cref="TlvObject"/></returns>
+        /// <remarks>
+        /// This method will parse a TLV from the given buffer and return the parsed Tlv.
+        /// The method will consume the buffer as much as necessary to parse the TLV.
+        /// </remarks>
+        /// <exception cref="ArgumentException">Thrown if the buffer does not contain a valid TLV.</exception>
+        internal static TlvObject ParseFrom(ref ReadOnlySpan<byte> buffer)
+        {
+            // The first byte of the TLV is the tag.
+            int tag = buffer[0];
+
+            // Determine if the tag is in long form.
+            // Long form tags have more than one byte, starting with 0x1F.
+            if ((buffer[0] & 0x1F) == 0x1F)
+            {
+                // Ensure there is enough data for a long form tag.
+                if (buffer.Length < 2)
+                {
+                    throw new ArgumentException("Insufficient data for long form tag");
+                }
+                // Combine the first two bytes to form the tag.
+                tag = (buffer[0] << 8) | buffer[1];
+                buffer = buffer[2..]; // Skip the tag bytes
+            }
+            else
+            {
+                buffer = buffer[1..]; // Skip the tag byte
+            }
+
+            if (buffer.Length < 1)
+            {
+                throw new ArgumentException("Insufficient data for length");
+            }
+
+            // Read the length of the TLV value.
+            int length = buffer[0];
+            buffer = buffer[1..];
+
+            // If the length is more than one byte, process remaining bytes.
+            if (length > 0x80)
+            {
+                int lengthLn = length - 0x80;
+                length = 0;
+                for (int i = 0; i < lengthLn; i++)
+                {
+                    length = (length << 8) | buffer[0];
+                    buffer = buffer[1..];
+                }
+            }
+
+            ReadOnlySpan<byte> value = buffer[..length];
+            buffer = buffer[length..]; // Advance the buffer to the end of the value
+
+            return new TlvObject(tag, value);
+        }
+
+        /// <summary>
+        /// Returns a string that represents the current object.
+        /// </summary>
+        /// <returns>A string that represents the current object.</returns>
+        /// <remarks>
+        /// The string is of the form <c>Tlv(0xTAG, LENGTH, VALUE)</c>.
+        /// <para>
+        /// The tag is written out in hexadecimal, prefixed by 0x.
+        /// The length is written out in decimal.
+        /// The value is written out in hexadecimal.
+        /// </para>
+        /// </remarks>
+        public override string ToString()
+        {
+#if NETSTANDARD2_1_OR_GREATER
+            return $"Tlv(0x{Tag:X}, {Length}, {BitConverter.ToString(Value.ToArray()).Replace("-", "", StringComparison.Ordinal)})";
+#else
+            return $"Tlv(0x{Tag:X}, {Length}, {BitConverter.ToString(Value.ToArray()).Replace("-", "")})";
+#endif
+        }
+    }
+}
diff --git a/Yubico.Core/src/Yubico/Core/Tlv/TlvObjects.cs b/Yubico.Core/src/Yubico/Core/Tlv/TlvObjects.cs
new file mode 100644
index 000000000..aa75d1d23
--- /dev/null
+++ b/Yubico.Core/src/Yubico/Core/Tlv/TlvObjects.cs
@@ -0,0 +1,97 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace Yubico.Core.Tlv
+{
+    /// <summary>
+    /// Utility methods to encode and decode BER-TLV data.
+    /// </summary>
+    public static class TlvObjects
+    {
+        /// <summary>
+        /// Decodes a sequence of BER-TLV encoded data into a list of Tlvs.
+        /// </summary>
+        /// <param name="data">Sequence of TLV encoded data</param>
+        /// <returns>List of <see cref="TlvObject"/></returns>
+        public static IReadOnlyList<TlvObject> DecodeList(ReadOnlySpan<byte> data)
+        {
+            var tlvs = new List<TlvObject>();
+            ReadOnlySpan<byte> buffer = data;
+            while (!buffer.IsEmpty)
+            {
+                var tlv = TlvObject.ParseFrom(ref buffer);
+                tlvs.Add(tlv);
+            }
+
+            return tlvs.AsReadOnly();
+        }
+
+        /// <summary>
+        /// Decodes a sequence of BER-TLV encoded data into a mapping of Tag-Value pairs.
+        /// Iteration order is preserved. If the same tag occurs more than once only the latest will be kept.
+        /// </summary>
+        /// <param name="data">Sequence of TLV encoded data</param>
+        /// <returns>Dictionary of Tag-Value pairs</returns>
+        public static IReadOnlyDictionary<int, ReadOnlyMemory<byte>> DecodeMap(ReadOnlySpan<byte> data)
+        {
+            var tlvs = new Dictionary<int, ReadOnlyMemory<byte>>();
+            ReadOnlySpan<byte> buffer = data;
+            while (!buffer.IsEmpty)
+            {
+                var tlv = TlvObject.ParseFrom(ref buffer);
+                tlvs[tlv.Tag] = tlv.Value;
+            }
+
+            return tlvs;
+        }
+
+        /// <summary>
+        /// Encodes a list of Tlvs into a sequence of BER-TLV encoded data.
+        /// </summary>
+        /// <param name="list">List of Tlvs to encode</param>
+        /// <returns>BER-TLV encoded list</returns>
+        public static byte[] EncodeList(IEnumerable<TlvObject> list)
+        {
+            if (list is null)
+            {
+                throw new ArgumentNullException(nameof(list));
+            }
+
+            using var stream = new MemoryStream();
+            using var writer = new BinaryWriter(stream);
+            foreach (TlvObject? tlv in list)
+            {
+                ReadOnlyMemory<byte> bytes = tlv.GetBytes();
+                writer.Write(bytes.Span.ToArray());
+            }
+
+            return stream.ToArray();
+        }
+
+        /// <summary>
+        /// Encodes an array of Tlvs into a sequence of BER-TLV encoded data.
+        /// </summary>
+        /// <param name="tlvs">Array of Tlvs to encode</param>
+        /// <returns>BER-TLV encoded array</returns>
+        public static byte[] EncodeMany(params TlvObject[] tlvs) => EncodeList(tlvs);
+
+        /// <summary>
+        /// Decode a single TLV encoded object, returning only the value.
+        /// </summary>
+        /// <param name="expectedTag">The expected tag value of the given TLV data</param>
+        /// <param name="tlvData">The TLV data</param>
+        /// <returns>The value of the TLV</returns>
+        /// <exception cref="InvalidOperationException">If the TLV tag differs from expectedTag</exception>
+        public static Memory<byte> UnpackValue(int expectedTag, ReadOnlySpan<byte> tlvData)
+        {
+            var tlv = TlvObject.Parse(tlvData);
+            if (tlv.Tag != expectedTag)
+            {
+                throw new InvalidOperationException($"Expected tag: {expectedTag:X2}, got {tlv.Tag:X2}");
+            }
+
+            return tlv.Value.ToArray();
+        }
+    }
+}
diff --git a/Yubico.Core/tests/Yubico/Core/Tlv/TlvObjectTests.cs b/Yubico.Core/tests/Yubico/Core/Tlv/TlvObjectTests.cs
new file mode 100644
index 000000000..3f6325405
--- /dev/null
+++ b/Yubico.Core/tests/Yubico/Core/Tlv/TlvObjectTests.cs
@@ -0,0 +1,164 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Xunit;
+
+namespace Yubico.Core.Tlv.UnitTests
+{
+    public class TlvObjectTests
+    {
+        [Fact]
+        public void TestDoubleByteTags()
+        {
+            var tlv = TlvObject.Parse(new byte[] { 0x7F, 0x49, 0 });
+            Assert.Equal(0x7F49, tlv.Tag);
+            Assert.Equal(0, tlv.Length);
+
+            tlv = TlvObject.Parse(new byte[] { 0x80, 0 });
+            Assert.Equal(0x80, tlv.Tag);
+            Assert.Equal(0, tlv.Length);
+
+            tlv = new TlvObject(0x7F49, null);
+            Assert.Equal(0x7F49, tlv.Tag);
+            Assert.Equal(0, tlv.Length);
+            Assert.Equal(new byte[] { 0x7F, 0x49, 0 }, tlv.GetBytes());
+
+            tlv = new TlvObject(0x80, null);
+            Assert.Equal(0x80, tlv.Tag);
+            Assert.Equal(0, tlv.Length);
+            Assert.Equal(new byte[] { 0x80, 0 }, tlv.GetBytes());
+        }
+
+
+        [Fact]
+        public void TlvObject_Encode_ReturnsCorrectBytes()
+        {
+            // Arrange
+            int tag = 0x1234;
+            byte[] value = { 0x01, 0x02, 0x03 };
+            TlvObject tlv = new TlvObject(tag, value);
+
+            // Act
+            byte[] encodedBytes = tlv.GetBytes().ToArray();
+
+            // Assert
+            byte[] expectedBytes = { 0x12, 0x34, 0x03, 0x01, 0x02, 0x03 };
+            Assert.True(encodedBytes.SequenceEqual(expectedBytes));
+        }
+
+        [Fact]
+        public void TestUnwrap()
+        {
+            TlvObjects.UnpackValue(0x80, new byte[] { 0x80, 0 });
+
+            TlvObjects.UnpackValue(0x7F49, new byte[] { 0x7F, 0x49, 0 });
+
+            var value = TlvObjects.UnpackValue(0x7F49, new byte[] { 0x7F, 0x49, 3, 1, 2, 3 });
+            Assert.Equal(new byte[] { 1, 2, 3 }, value);
+        }
+
+        [Fact]
+        public void TestUnwrapThrowsException()
+        {
+            Assert.Throws<InvalidOperationException>(() => TlvObjects.UnpackValue(0x7F48, new byte[] { 0x7F, 0x49, 0 }));
+        }
+
+        [Fact]
+        public void DecodeList_ValidInput_ReturnsCorrectTlvs()
+        {
+            var input = new byte[] { 0x01, 0x01, 0xFF, 0x02, 0x02, 0xAA, 0xBB };
+            var result = TlvObjects.DecodeList(input);
+
+            Assert.Equal(2, result.Count);
+            Assert.Equal(0x01, result[0].Tag);
+            Assert.Equal(new byte[] { 0xFF }, result[0].Value.ToArray());
+            Assert.Equal(0x02, result[1].Tag);
+            Assert.Equal(new byte[] { 0xAA, 0xBB }, result[1].Value.ToArray());
+        }
+
+        [Fact]
+        public void DecodeList_EmptyInput_ReturnsEmptyList()
+        {
+            var result = TlvObjects.DecodeList(Array.Empty<byte>());
+            Assert.Empty(result);
+        }
+
+        [Fact]
+        public void DecodeMap_ValidInput_ReturnsCorrectDictionary()
+        {
+            var input = new byte[] { 0x01, 0x01, 0xFF, 0x02, 0x02, 0xAA, 0xBB };
+            var result = TlvObjects.DecodeMap(input);
+
+            Assert.Equal(2, result.Count);
+            Assert.Equal(new byte[] { 0xFF }, result[0x01].ToArray());
+            Assert.Equal(new byte[] { 0xAA, 0xBB }, result[0x02].ToArray());
+        }
+
+        [Fact]
+        public void DecodeMap_DuplicateTags_KeepsLastValue()
+        {
+            var input = new byte[] { 0x01, 0x01, 0xFF, 0x01, 0x01, 0xEE };
+            var result = TlvObjects.DecodeMap(input);
+
+            Assert.Single(result);
+            Assert.Equal(new byte[] { 0xEE }, result[0x01].ToArray());
+        }
+
+        [Fact]
+        public void EncodeList_ValidInput_ReturnsCorrectBytes()
+        {
+            var tlvs = new List<TlvObject>
+            {
+                new TlvObject(0x01, new byte[] { 0xFF }),
+                new TlvObject(0x02, new byte[] { 0xAA, 0xBB })
+            };
+
+            var result = TlvObjects.EncodeList(tlvs);
+            Assert.Equal(new byte[] { 0x01, 0x01, 0xFF, 0x02, 0x02, 0xAA, 0xBB }, result.ToArray());
+        }
+
+        [Fact]
+        public void EncodeList_EmptyInput_ReturnsEmptyArray()
+        {
+            var result = TlvObjects.EncodeList(new List<TlvObject>());
+            Assert.Empty(result.ToArray());
+        }
+
+        [Fact]
+        public void UnpackValue_CorrectTag_ReturnsValue()
+        {
+            var input = new byte[] { 0x01, 0x02, 0xAA, 0xBB };
+            var result = TlvObjects.UnpackValue(0x01, input);
+            Assert.Equal(new byte[] { 0xAA, 0xBB }, result.ToArray());
+        }
+
+        [Fact]
+        public void UnpackValue_IncorrectTag_ThrowsBadResponseException()
+        {
+            var input = new byte[] { 0x01, 0x02, 0xAA, 0xBB };
+            Assert.Throws<InvalidOperationException>(() => TlvObjects.UnpackValue(0x02, input));
+        }
+
+        [Fact]
+        public void UnpackValue_EmptyValue_ReturnsEmptyArray()
+        {
+            var input = new byte[] { 0x01, 0x00 };
+            var result = TlvObjects.UnpackValue(0x01, input);
+            Assert.Empty(result.ToArray());
+        }
+    }
+}
diff --git a/Yubico.YubiKey/docs/users-manual/sdk-programming-guide/secure-channel-protocol-3.md b/Yubico.YubiKey/docs/users-manual/sdk-programming-guide/secure-channel-protocol-3.md
index d1e28e050..91ab0880f 100644
--- a/Yubico.YubiKey/docs/users-manual/sdk-programming-guide/secure-channel-protocol-3.md
+++ b/Yubico.YubiKey/docs/users-manual/sdk-programming-guide/secure-channel-protocol-3.md
@@ -32,7 +32,7 @@ as "SCP03"). This standard prescribes methods to encrypt and authenticate smart
 (CCID) messages. That is, APDUs and responses are encrypted and contain checksums. If
 executed properly, the only entities that can see the contents of the messages (and
 verify their correctness) will be the YubiKey itself and authorized applications. This
-protocol is produced by GlobalPlatform, an industry consortium of hardware security
+protocol is produced by <a href="https://globalplatform.org/">GlobalPlatform</a>, an industry consortium of hardware security
 vendors that produce standards.
 
 Think of SCP03 as wrapping or unwrapping commands and responses. Before sending the actual
@@ -51,7 +51,7 @@ specifies no method for distributing keys securely.
 
 This added layer of protection makes the most sense when the communication
 channel between the host machine and the device could feasibly be compromised.
-For example, if you tunnel YubiKey commands and resonses over the Internet, in
+For example, if you tunnel YubiKey commands and responses over the Internet, in
 addition to standard web security protocols like TLS, it could makes sense to
 leverage SCP03 as an added layer of defense. Additionally, several 'card
 management systems' use SCP03 to securely remotely manage devices.
diff --git a/Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs b/Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs
index cdc9dd487..aa7863731 100644
--- a/Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs
+++ b/Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs
@@ -1283,6 +1283,15 @@ internal static string InvalidVerifyUvArguments {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Key agreement receipts do not match.
+        /// </summary>
+        internal static string KeyAgreementReceiptMissmatch {
+            get {
+                return ResourceManager.GetString("KeyAgreementReceiptMissmatch", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to The keyboard connection does not support writing more than 64 bytes to the device..
         /// </summary>
@@ -1913,15 +1922,6 @@ internal static string PinTooShort {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to Exception caught when disposing PivSession: {0}, {1}.
-        /// </summary>
-        internal static string PivSessionDisposeUnknownError {
-            get {
-                return ResourceManager.GetString("PivSessionDisposeUnknownError", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to The private ID must be set either explicitly or by specifying that it should be generated before it can be read..
         /// </summary>
@@ -2003,6 +2003,15 @@ internal static string Scp03KeyMismatch {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Exception caught when disposing Session: {0}, {1}.
+        /// </summary>
+        internal static string SessionDisposeUnknownError {
+            get {
+                return ResourceManager.GetString("SessionDisposeUnknownError", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to The HMAC-SHA512 algorithm is not supported on YubiKeys with firmware version less than 4.3.1..
         /// </summary>
@@ -2175,11 +2184,11 @@ internal static string UnknownFidoError {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to An unknown SCP03 error has occurred..
+        ///   Looks up a localized string similar to An unknown SCP error has occurred.
         /// </summary>
-        internal static string UnknownScp03Error {
+        internal static string UnknownScpError {
             get {
-                return ResourceManager.GetString("UnknownScp03Error", resourceCulture);
+                return ResourceManager.GetString("UnknownScpError", resourceCulture);
             }
         }
         
diff --git a/Yubico.YubiKey/src/Resources/ExceptionMessages.resx b/Yubico.YubiKey/src/Resources/ExceptionMessages.resx
index 479c635b4..f73f2e6a9 100644
--- a/Yubico.YubiKey/src/Resources/ExceptionMessages.resx
+++ b/Yubico.YubiKey/src/Resources/ExceptionMessages.resx
@@ -266,7 +266,7 @@
   </data>
   <data name="PinComplexityViolation" xml:space="preserve">
     <value>The provided PIN or PUK value violates current complexity conditions.</value>
-  </data>  
+  </data>
   <data name="YubiKeyNotAuthenticatedInPiv" xml:space="preserve">
     <value>PIV management key mutual authentication failed because the YubiKey did not authenticate.</value>
   </data>
@@ -296,7 +296,7 @@
   </data>
   <data name="InvalidTemporaryPinLength" xml:space="preserve">
     <value>The temporary PIN length is invalid.</value>
-  </data>  
+  </data>
   <data name="InvalidPivPutDataLength" xml:space="preserve">
     <value>The length of input to a Put Data operation, {0}, was invalid, the maximum is {1}.</value>
   </data>
@@ -352,8 +352,8 @@
     <value>An unknown error has occurred.</value>
     <comment>Candidate for removal</comment>
   </data>
-  <data name="UnknownScp03Error" xml:space="preserve">
-    <value>An unknown SCP03 error has occurred.</value>
+  <data name="UnknownScpError" xml:space="preserve">
+    <value>An unknown SCP error has occurred</value>
   </data>
   <data name="ValueConversionFailed" xml:space="preserve">
     <value>Cannot convert the data to the requested type. Expected only {0} byte(s) of data, but {1} byte(s) were present.</value>
@@ -904,7 +904,10 @@
   <data name="InvalidUriQuery" xml:space="preserve">
     <value>The URI query cannot be null or empty.</value>
   </data>
-  <data name="PivSessionDisposeUnknownError" xml:space="preserve">
-    <value>Exception caught when disposing PivSession: {0}, {1}</value>
+  <data name="SessionDisposeUnknownError" xml:space="preserve">
+    <value>Exception caught when disposing Session: {0}, {1}</value>
+  </data>
+  <data name="KeyAgreementReceiptMissmatch" xml:space="preserve">
+    <value>Key agreement receipts do not match</value>
   </data>
 </root>
\ No newline at end of file
diff --git a/Yubico.YubiKey/src/Yubico.YubiKey.csproj b/Yubico.YubiKey/src/Yubico.YubiKey.csproj
index e5558830c..edba741b4 100644
--- a/Yubico.YubiKey/src/Yubico.YubiKey.csproj
+++ b/Yubico.YubiKey/src/Yubico.YubiKey.csproj
@@ -1,4 +1,4 @@
-<!-- Copyright 2021 Yubico AB
+<!-- Copyright 2021 Yubico AB
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/ApplicationSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/ApplicationSession.cs
new file mode 100644
index 000000000..8d91a6468
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/ApplicationSession.cs
@@ -0,0 +1,144 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Globalization;
+using Microsoft.Extensions.Logging;
+using Yubico.YubiKey.InterIndustry.Commands;
+using Yubico.YubiKey.Scp;
+
+namespace Yubico.YubiKey
+{
+    /// <summary>
+    /// Abstract base class for sessions with a YubiKey. This class is used
+    /// to wrap the <c>IYubiKeyConnection</c> and provide a way of
+    /// interacting with the connection that is more convenient for most
+    /// users.
+    /// </summary>
+    public abstract class ApplicationSession : IDisposable
+    {
+        /// <summary>
+        /// The object that represents the connection to the YubiKey. Most
+        /// applications will ignore this, but it can be used to call Commands
+        /// directly.
+        /// </summary>
+        public IYubiKeyConnection Connection { get; protected set; }
+
+        /// <summary>
+        /// Gets the parameters used for establishing a Secure Channel Protocol (SCP) connection.
+        /// </summary>
+        public ScpKeyParameters? KeyParameters { get; }
+
+        /// <summary>
+        /// The specific YubiKey application to connect to.
+        /// </summary>
+        public YubiKeyApplication Application { get; }
+        
+        /// <summary>
+        /// The logger instance used for logging information.
+        /// </summary>
+        protected ILogger Logger { get; }
+        /// <summary>
+        /// The YubiKey device to establish a session with.
+        /// </summary>
+        protected IYubiKeyDevice YubiKey { get; }
+
+        private bool _disposed;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ApplicationSession"/> class with logging, YubiKey device, application, and optional SCP key parameters.
+        /// </summary>
+        /// <param name="logger">The logger instance used for logging information.</param>
+        /// <param name="device">The YubiKey device to establish a session with.</param>
+        /// <param name="application">The specific YubiKey application to connect to.</param>
+        /// <param name="keyParameters">The optional parameters for an SCP connection.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="device"/> is null.</exception>
+        /// <exception cref="InvalidOperationException">Thrown when the Yubikey does not support the requested SCP connection.</exception>
+        protected ApplicationSession(
+            ILogger logger,
+            IYubiKeyDevice device,
+            YubiKeyApplication application,
+            ScpKeyParameters? keyParameters)
+        {
+            Logger = logger;
+            YubiKey = device ?? throw new ArgumentNullException(nameof(device));
+            Application = application;
+
+            KeyParameters = keyParameters;
+            Connection = GetConnection(YubiKey, Application, KeyParameters);
+        }
+
+        protected IYubiKeyConnection GetConnection(
+            IYubiKeyDevice yubiKey,
+            YubiKeyApplication application,
+            ScpKeyParameters? keyParameters)
+        {
+            string scpType = keyParameters switch
+            {
+                Scp03KeyParameters _ when application == YubiKeyApplication.Oath && yubiKey.HasFeature(YubiKeyFeature.Scp03Oath)
+                    => "SCP03",
+                Scp03KeyParameters _ when yubiKey.HasFeature(YubiKeyFeature.Scp03)
+                    => "SCP03",
+                Scp11KeyParameters _ when yubiKey.HasFeature(YubiKeyFeature.Scp11)
+                    => "SCP11",
+                null => string.Empty,
+                _ => throw new InvalidOperationException("The YubiKey does not support the requested SCP connection.")
+            };
+
+            string possibleScpDescription = string.IsNullOrEmpty(scpType) ? string.Empty : $" over {scpType}";
+            Logger.LogInformation($"Connecting to {GetApplicationFriendlyName(application)}{possibleScpDescription}");
+
+            var connection = keyParameters != null
+                ? yubiKey.Connect(application, keyParameters)
+                : yubiKey.Connect(application);
+
+            Logger.LogInformation($"Connected to {GetApplicationFriendlyName(application)}");
+            return connection;
+        }
+
+        private static string GetApplicationFriendlyName(YubiKeyApplication application) => Enum.GetName(typeof(YubiKeyApplication), application) ?? "Unknown";
+
+        /// <summary>
+        /// Clean up the resources used by the session.
+        /// </summary>
+        public virtual void Dispose()
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            // At the moment, there is no "close session" method. So for now,
+            // just connect to the management application.
+            // This can fail, possibly resulting in a SCardException (or other), so we wrap it in a try catch-block to complete the disposal of the PivSession
+            try
+            {
+                _ = Connection.SendCommand(new SelectApplicationCommand(YubiKeyApplication.Management));
+            }
+            catch (Exception e)
+            {
+                string message = string.Format(
+                    CultureInfo.CurrentCulture,
+                    ExceptionMessages.SessionDisposeUnknownError, e.GetType(), e.Message);
+
+                Logger.LogWarning(message);
+            }
+
+            Connection.Dispose();
+            GC.SuppressFinalize(this);
+
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionFactory.cs b/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionFactory.cs
new file mode 100644
index 000000000..9ba7e72b2
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionFactory.cs
@@ -0,0 +1,230 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Threading;
+using Microsoft.Extensions.Logging;
+using Yubico.Core.Devices.Hid;
+using Yubico.Core.Devices.SmartCard;
+using Yubico.YubiKey.Scp;
+
+namespace Yubico.YubiKey
+{
+    /// <summary>
+    /// Factory class responsible for creating connections to YubiKey devices.
+    /// </summary>
+    /// <remarks>
+    /// The ConnectionFactory manages the creation of different types of connections to a YubiKey device,
+    /// including SmartCard and HID interfaces. It handles both secure channel protocol (SCP) and standard
+    /// connections based on the application requirements.
+    /// </remarks>
+    internal class ConnectionFactory
+    {
+        private readonly ILogger _log;
+        private readonly YubiKeyDevice _device;
+        private readonly ISmartCardDevice? _smartCardDevice;
+        private readonly IHidDevice? _hidKeyboardDevice;
+        private readonly IHidDevice? _hidFidoDevice;
+
+        /// <summary>
+        /// Initializes a new instance of the ConnectionFactory class.
+        /// </summary>
+        /// <param name="log">Logger instance for recording events and diagnostics.</param>
+        /// <param name="device">The YubiKey device to create connections for.</param>
+        /// <param name="smartCardDevice">The SmartCard interface of the YubiKey, if available.</param>
+        /// <param name="hidKeyboardDevice">The HID keyboard interface of the YubiKey, if available.</param>
+        /// <param name="hidFidoDevice">The HID FIDO interface of the YubiKey, if available.</param>
+        public ConnectionFactory(
+            ILogger log,
+            YubiKeyDevice device,
+            ISmartCardDevice? smartCardDevice,
+            IHidDevice? hidKeyboardDevice,
+            IHidDevice? hidFidoDevice)
+        {
+            _log = log;
+            _device = device;
+            _smartCardDevice = smartCardDevice;
+            _hidKeyboardDevice = hidKeyboardDevice;
+            _hidFidoDevice = hidFidoDevice;
+        }
+
+        [Obsolete("Obsolete")]
+        internal IScp03YubiKeyConnection CreateScpConnection(YubiKeyApplication application, Scp03.StaticKeys scp03Keys)
+        {
+
+            if (_smartCardDevice is null)
+            {
+                throw new InvalidOperationException("No smart card interface present. Unable to establish SCP connection to YubiKey.");
+            }
+
+            _log.LogDebug("Connecting via the SmartCard interface using SCP03.");
+            WaitForReclaimTimeout(Transport.SmartCard);
+
+            return new Scp03Connection(_smartCardDevice, application, scp03Keys);
+        }
+
+        /// <summary>
+        /// Creates a secure channel protocol (SCP) connection to a specific YubiKey application.
+        /// </summary>
+        /// <param name="application">The YubiKey application to connect to.</param>
+        /// <param name="keyParameters">The security parameters for establishing the SCP connection.</param>
+        /// <returns>A secure connection to the specified YubiKey application.</returns>
+        /// <exception cref="InvalidOperationException">Thrown when the SmartCard interface is not available on the YubiKey.</exception>
+        /// <remarks>
+        /// This method establishes a secure channel to the YubiKey using the SmartCard interface. The connection
+        /// is protected using the Secure Channel Protocol (SCP) with the provided key parameters.
+        /// </remarks>
+        public IScpYubiKeyConnection CreateScpConnection(YubiKeyApplication application, ScpKeyParameters keyParameters)
+        {
+            LogConnectionAttempt(application, keyParameters);
+
+            if (_smartCardDevice is null)
+            {
+                throw new InvalidOperationException("No smart card interface present. Unable to establish SCP connection to YubiKey.");
+            }
+
+            _log.LogDebug("Connecting via the SmartCard interface using SCP.");
+            WaitForReclaimTimeout(Transport.SmartCard);
+
+            return new ScpConnection(_smartCardDevice, application, keyParameters);
+        }
+
+        /// <summary>
+        /// Creates a standard (non-SCP) connection to a specific YubiKey application.
+        /// </summary>
+        /// <param name="application">The YubiKey application to connect to.</param>
+        /// <returns>A connection to the specified YubiKey application.</returns>
+        /// <exception cref="InvalidOperationException">Thrown when no suitable interface is available for the requested application.</exception>
+        /// <remarks>
+        /// This method creates a connection using the most appropriate interface available for the specified application.
+        /// It first attempts to use the SmartCard interface, then falls back to HID interfaces if necessary.
+        /// </remarks>
+        public IYubiKeyConnection CreateConnection(YubiKeyApplication application)
+        {
+            if (_smartCardDevice != null)
+            {
+                _log.LogDebug("Connecting via the SmartCard interface.");
+
+                WaitForReclaimTimeout(Transport.SmartCard);
+                return new SmartCardConnection(_smartCardDevice, application);
+            }
+
+            if (_hidKeyboardDevice != null && application == YubiKeyApplication.Otp)
+            {
+                _log.LogDebug("Connecting via the Keyboard interface.");
+
+                WaitForReclaimTimeout(Transport.HidKeyboard);
+                return new KeyboardConnection(_hidKeyboardDevice);
+            }
+
+            if (_hidFidoDevice != null && (application == YubiKeyApplication.Fido2 || application == YubiKeyApplication.FidoU2f))
+            {
+                _log.LogDebug("Connecting via the FIDO interface.");
+
+                WaitForReclaimTimeout(Transport.HidFido);
+                return new FidoConnection(_hidFidoDevice);
+            }
+
+            throw new InvalidOperationException("No suitable interface present. Unable to establish connection to YubiKey.");
+        }
+
+        // This function handles waiting for the reclaim timeout on the YubiKey to elapse. The reclaim timeout requires
+        // the SDK to wait 3 seconds since the last USB message to an interface before switching to a different interface.
+        // Failure to wait can result in very strange behavior from the USB devices ultimately resulting in communication
+        // failures (i.e. exceptions).
+        private void WaitForReclaimTimeout(Transport newTransport)
+        {
+            // Newer YubiKeys are able to switch interfaces much, much faster. Maybe this is being paranoid, but we
+            // should still probably wait a few milliseconds for things to stabilize. But definitely not the full
+            // three seconds! For older keys, we use a value of 3.01 seconds to give us a little wiggle room as the
+            // YubiKey's measurement for the reclaim timeout is likely not as accurate as our system clock.
+            var reclaimTimeout = CanFastReclaim()
+                ? TimeSpan.FromMilliseconds(100)
+                : TimeSpan.FromSeconds(3.01);
+
+            // We're only affected by the reclaim timeout if we're switching USB transports.
+            if (_device.LastActiveTransport == newTransport)
+            {
+                _log.LogDebug(
+                    "{Transport} transport is already active. No need to wait for reclaim.",
+                    _device.LastActiveTransport);
+
+                return;
+            }
+
+            _log.LogDebug(
+                "Switching USB transports from {OldTransport} to {NewTransport}.",
+                _device.LastActiveTransport,
+                newTransport);
+
+            var timeSinceLastActivation = DateTime.Now - GetLastActiveTime();
+
+            // If we haven't already waited the duration of the reclaim timeout, we need to do so.
+            // Otherwise, we've already waited and can immediately switch the transport.
+            if (timeSinceLastActivation < reclaimTimeout)
+            {
+                var waitNeeded = reclaimTimeout - timeSinceLastActivation;
+
+                _log.LogDebug(
+                    "Reclaim timeout still active. Need to wait {TimeMS} milliseconds.",
+                    waitNeeded.TotalMilliseconds);
+
+                Thread.Sleep(waitNeeded);
+            }
+
+            _device.LastActiveTransport = newTransport;
+
+            _log.LogDebug("Reclaim timeout has lapsed. It is safe to switch USB transports.");
+        }
+
+        private bool CanFastReclaim()
+        {
+            if (AppContext.TryGetSwitch(YubiKeyCompatSwitches.UseOldReclaimTimeoutBehavior, out bool useOldBehavior) &&
+                useOldBehavior)
+            {
+                return false;
+            }
+
+            return _device.HasFeature(YubiKeyFeature.FastUsbReclaim);
+        }
+
+        private DateTime GetLastActiveTime() =>
+            _device.LastActiveTransport switch
+            {
+                Transport.SmartCard when _smartCardDevice is { } => _smartCardDevice.LastAccessed,
+                Transport.HidFido when _hidFidoDevice is { } => _hidFidoDevice.LastAccessed,
+                Transport.HidKeyboard when _hidKeyboardDevice is { } => _hidKeyboardDevice.LastAccessed,
+                Transport.None => DateTime.Now,
+                _ => throw new InvalidOperationException(ExceptionMessages.DeviceTypeNotRecognized)
+            };
+
+        private void LogConnectionAttempt(
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters)
+        {
+            string applicationName = GetApplicationName(application);
+            string scpInfo = keyParameters switch
+            {
+                Scp03KeyParameters scp03KeyParameters => $"SCP03 ({scp03KeyParameters.KeyReference})",
+                Scp11KeyParameters scp11KeyParameters => $"SCP11 ({scp11KeyParameters.KeyReference})",
+                _ => "Unknown"
+            };
+
+            _log.LogDebug("YubiKey connecting to {Application} application over {ScpInfo}", applicationName, scpInfo);
+        }
+
+        private static string GetApplicationName(YubiKeyApplication application) =>
+            Enum.GetName(typeof(YubiKeyApplication), application) ?? "Unknown";
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionManager.cs b/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionManager.cs
index 07d5e9259..e2e8a5abf 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionManager.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/ConnectionManager.cs
@@ -77,6 +77,7 @@ public static bool DeviceSupportsApplication(IDevice device, YubiKeyApplication
                 (ISmartCardDevice _, YubiKeyApplication.Piv) => true,
                 (ISmartCardDevice _, YubiKeyApplication.OpenPgp) => true,
                 (ISmartCardDevice _, YubiKeyApplication.InterIndustry) => true,
+                (ISmartCardDevice _, YubiKeyApplication.SecurityDomain) => true,
                 (ISmartCardDevice _, YubiKeyApplication.YubiHsmAuth) => true,
                 // NB: Certain past models of YK NEO and YK 4 supported these applications over CCID
                 (ISmartCardDevice _, YubiKeyApplication.FidoU2f) => true,
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AesUtilities.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AesUtilities.cs
index a4750999b..69aba1e4a 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AesUtilities.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AesUtilities.cs
@@ -29,19 +29,19 @@ internal static class AesUtilities
         /// <remarks>
         /// This is not a secure authenticated encryption scheme.
         /// </remarks>
-        /// <param name="key">16-byte AES128 key</param>
+        /// <param name="encryptionKey">16-byte AES128 key</param>
         /// <param name="plaintext">16-byte input block</param>
         /// <returns>The 16-byte AES128 ciphertext</returns>
-        public static byte[] BlockCipher(byte[] key, ReadOnlySpan<byte> plaintext)
+        public static Memory<byte> BlockCipher(ReadOnlySpan<byte> encryptionKey, ReadOnlySpan<byte> plaintext)
         {
-            if (key is null)
+            if (encryptionKey == null)
             {
-                throw new ArgumentNullException(nameof(key));
+                throw new ArgumentNullException(nameof(encryptionKey));
             }
 
-            if (key.Length != BlockSizeBytes)
+            if (encryptionKey.Length != BlockSizeBytes)
             {
-                throw new ArgumentException(ExceptionMessages.IncorrectAesKeyLength, nameof(key));
+                throw new ArgumentException(ExceptionMessages.IncorrectAesKeyLength, nameof(encryptionKey));
             }
 
             if (plaintext.Length != BlockSizeBytes)
@@ -49,31 +49,26 @@ public static byte[] BlockCipher(byte[] key, ReadOnlySpan<byte> plaintext)
                 throw new ArgumentException(ExceptionMessages.IncorrectPlaintextLength, nameof(plaintext));
             }
 
-            byte[] ciphertext;
-
-            using (var aesObj = CryptographyProviders.AesCreator())
-            {
+            using var aesObj = CryptographyProviders.AesCreator();
+            byte[] aesObjKey = encryptionKey.ToArray();
 #pragma warning disable CA5358 // Allow the usage of cipher mode 'ECB'
-                aesObj.Mode = CipherMode.ECB;
+            aesObj.Mode = CipherMode.ECB;
 #pragma warning restore CA5358
-                aesObj.KeySize = BlockSizeBits;
-                aesObj.BlockSize = BlockSizeBits;
-                aesObj.Key = key;
-                aesObj.IV = new byte[BlockSizeBytes];
-                aesObj.Padding = PaddingMode.None;
+            aesObj.KeySize = BlockSizeBits;
+            aesObj.BlockSize = BlockSizeBits;
+            aesObj.Key = aesObjKey;
+            aesObj.IV = new byte[BlockSizeBytes];
+            aesObj.Padding = PaddingMode.None;
 #pragma warning disable CA5401 // Justification: Allow the symmetric encryption to use
-                // a non-default initialization vector
-                var encryptor = aesObj.CreateEncryptor();
+            // a non-default initialization vector
+            var encryptor = aesObj.CreateEncryptor();
 #pragma warning restore CA5401
-                using (var msEncrypt = new MemoryStream())
-                {
-                    using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
-                    {
-                        csEncrypt.Write(plaintext.ToArray(), 0, plaintext.Length);
-                        ciphertext = msEncrypt.ToArray();
-                    }
-                }
-            }
+
+            using var msEncrypt = new MemoryStream();
+            using var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write);
+
+            csEncrypt.Write(plaintext.ToArray(), 0, plaintext.Length);
+            byte[] ciphertext = msEncrypt.ToArray();
 
             return ciphertext;
         }
@@ -84,25 +79,25 @@ public static byte[] BlockCipher(byte[] key, ReadOnlySpan<byte> plaintext)
         /// <remarks>
         /// This is not a secure authenticated encryption scheme. No padding occurs.
         /// </remarks>
-        /// <param name="key">16-byte AES128 key</param>
+        /// <param name="encryptionKey">16-byte AES128 key</param>
         /// <param name="iv">16-byte initialization vector (IV)</param>
         /// <param name="plaintext">Input blocks; must be a non-zero multiple of 16 bytes long</param>
         /// <returns>Ciphertext of the same length as the plaintext</returns>
-        public static byte[] AesCbcEncrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> plaintext)
+        public static ReadOnlyMemory<byte> AesCbcEncrypt(ReadOnlySpan<byte> encryptionKey, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> plaintext)
         {
-            if (key is null)
+            if (encryptionKey.IsEmpty)
             {
-                throw new ArgumentNullException(nameof(key));
+                throw new ArgumentNullException(nameof(encryptionKey));
             }
 
-            if (iv is null)
+            if (iv.IsEmpty)
             {
                 throw new ArgumentNullException(nameof(iv));
             }
 
-            if (key.Length != BlockSizeBytes)
+            if (encryptionKey.Length != BlockSizeBytes)
             {
-                throw new ArgumentException(ExceptionMessages.IncorrectAesKeyLength, nameof(key));
+                throw new ArgumentException(ExceptionMessages.IncorrectAesKeyLength, nameof(encryptionKey));
             }
 
             if (iv.Length != BlockSizeBytes)
@@ -116,14 +111,16 @@ public static byte[] AesCbcEncrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> pla
             }
 
             byte[] ciphertext;
+            byte[] aesObjKey = encryptionKey.ToArray();
+            byte[] aesObjIv = iv.ToArray();
 
             using (var aesObj = CryptographyProviders.AesCreator())
             {
                 aesObj.Mode = CipherMode.CBC;
                 aesObj.KeySize = BlockSizeBits;
                 aesObj.BlockSize = BlockSizeBits;
-                aesObj.Key = key;
-                aesObj.IV = iv;
+                aesObj.Key = aesObjKey;
+                aesObj.IV = aesObjIv;
                 aesObj.Padding = PaddingMode.None;
 #pragma warning disable CA5401 // Justification: Allow the symmetric encryption to use
                 // a non-default initialization vector
@@ -139,6 +136,8 @@ public static byte[] AesCbcEncrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> pla
                 }
             }
 
+            CryptographicOperations.ZeroMemory(aesObjKey);
+            CryptographicOperations.ZeroMemory(aesObjIv);
             return ciphertext;
         }
 
@@ -152,14 +151,14 @@ public static byte[] AesCbcEncrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> pla
         /// <param name="iv">16-byte initialization vector (IV)</param>
         /// <param name="ciphertext">Input blocks; must be a non-zero multiple of 16 bytes long</param>
         /// <returns>Plaintext of the same length as the ciphertext</returns>
-        public static byte[] AesCbcDecrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> ciphertext)
+        public static ReadOnlyMemory<byte> AesCbcDecrypt(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> ciphertext)
         {
-            if (key is null)
+            if (key == null)
             {
                 throw new ArgumentNullException(nameof(key));
             }
 
-            if (iv is null)
+            if (iv == null)
             {
                 throw new ArgumentNullException(nameof(iv));
             }
@@ -179,29 +178,24 @@ public static byte[] AesCbcDecrypt(byte[] key, byte[] iv, ReadOnlySpan<byte> cip
                 throw new ArgumentException(ExceptionMessages.IncorrectCiphertextLength, nameof(ciphertext));
             }
 
-            byte[] plaintext;
+            using var aesObj = CryptographyProviders.AesCreator();
+            byte[] aesObjKey = key.ToArray();
+            byte[] aesObjIv = iv.ToArray();
+            aesObj.Mode = CipherMode.CBC;
+            aesObj.KeySize = BlockSizeBits;
+            aesObj.BlockSize = BlockSizeBits;
 
-            using (var aesObj = CryptographyProviders.AesCreator())
-            {
-                aesObj.Mode = CipherMode.CBC;
-                aesObj.KeySize = BlockSizeBits;
-                aesObj.BlockSize = BlockSizeBits;
-                aesObj.Key = key;
-                aesObj.IV = iv;
-                aesObj.Padding = PaddingMode.None;
+            aesObj.Key = aesObjKey;
+            aesObj.IV = aesObjIv;
+            aesObj.Padding = PaddingMode.None;
 
-                var decryptor = aesObj.CreateDecryptor();
+            var decryptor = aesObj.CreateDecryptor();
 
-                using (var msDecrypt = new MemoryStream())
-                {
-                    using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Write))
-                    {
-                        csDecrypt.Write(ciphertext.ToArray(), 0, ciphertext.Length);
-                        plaintext = msDecrypt.ToArray();
-                    }
-                }
-            }
+            using var msDecrypt = new MemoryStream();
+            using var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Write);
+            csDecrypt.Write(ciphertext.ToArray(), 0, ciphertext.Length);
 
+            byte[] plaintext = msDecrypt.ToArray();
             return plaintext;
         }
     }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECKeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECKeyParameters.cs
new file mode 100644
index 000000000..94d4f54ff
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECKeyParameters.cs
@@ -0,0 +1,44 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Cryptography
+{
+    /// <summary>
+    /// Base class for EC key parameters
+    /// </summary>
+    public abstract class ECKeyParameters
+    {
+        /// <summary>
+        /// Gets the EC parameters associated with this key.
+        /// </summary>
+        /// <remarks>
+        /// These parameters include the curve information and key data.
+        /// For NIST P-256 keys, this includes the curve definition and public point coordinates.
+        /// </remarks>
+        public ECParameters Parameters { get; }
+
+        protected ECKeyParameters(ECParameters parameters)
+        {
+            if (parameters.Curve.Oid.Value != ECCurve.NamedCurves.nistP256.Oid.Value)
+            {
+                throw new NotSupportedException("Key must be of type NIST P-256");
+            }
+
+            Parameters = parameters.DeepCopy();
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECParametersExtensions.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECParametersExtensions.cs
new file mode 100644
index 000000000..6525f2c35
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECParametersExtensions.cs
@@ -0,0 +1,88 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Cryptography
+{
+
+    /// <summary>
+    /// Helper extensions for parameter copying
+    /// </summary>
+    public static class ECParametersExtensions
+    {
+        public static ECParameters DeepCopy(this ECParameters parameters)
+        {
+            if (parameters.Curve.Oid.Value != ECCurve.NamedCurves.nistP256.Oid.Value)
+            {
+                throw new NotSupportedException("Key must be of type NIST P-256");
+            }
+
+            var copy = new ECParameters
+            {
+                Curve = parameters.Curve,
+                Q = new ECPoint
+                {
+                    X = parameters.Q.X?.ToArray(),
+                    Y = parameters.Q.Y?.ToArray()
+                }
+            };
+
+            if (parameters.D != null)
+            {
+                copy.D = parameters.D.ToArray();
+            }
+
+            return copy;
+        }
+
+        /// <summary>
+        /// Creates an instance from a byte array.
+        /// </summary>
+        /// <remarks>
+        /// The byte array is expected to be in the format 0x04 || X || Y
+        /// where X and Y are the uncompressed (32 bit) coordinates of the point.
+        /// </remarks>
+        /// <param name="bytes">The byte array.</param>
+        /// <returns>An instance of EcPrivateKeyParameters with the nistP256 curve.</returns>
+        /// <exception cref="ArgumentException">Thrown when the byte array is not in the expected format.
+        /// Either the first byte is not 0x04, or the byte array is not 65 bytes long (Key must be of type NIST P-256).</exception>
+        public static ECPublicKeyParameters CreateECPublicKeyFromBytes(this ReadOnlySpan<byte> bytes)
+        {
+            if (bytes[0] != 0x04)
+            {
+                throw new ArgumentException("The byte array must start with 0x04", nameof(bytes));
+            }
+
+            if (bytes.Length != 65)
+            {
+                throw new ArgumentException("The byte array must be 65 bytes long (Key must be of type NIST P-256)", nameof(bytes));
+            }
+
+            var ecParameters = new ECParameters
+            {
+                Curve = ECCurve.NamedCurves.nistP256,
+                Q = new ECPoint
+                {
+                    X = bytes.Slice(1, 32).ToArray(), // Starts at 1 because the first byte is 0x04, indicating that it is an uncompressed point
+                    Y = bytes.Slice(33, 32).ToArray()
+                }
+            };
+
+            return new ECPublicKeyParameters(ecParameters);
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPrivateKeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPrivateKeyParameters.cs
new file mode 100644
index 000000000..ea588ec9e
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPrivateKeyParameters.cs
@@ -0,0 +1,63 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Cryptography
+{
+    /// <summary>
+    /// Represents the parameters for an Elliptic Curve (EC) private key.
+    /// </summary>
+    /// <remarks>
+    /// This class encapsulates the parameters specific to EC private keys,
+    /// ensuring that the key is of type NIST P-256 and contains the necessary
+    /// private key data. It extends the base <see cref="ECKeyParameters"/> class
+    /// with additional validation for private key components.
+    /// </remarks>
+
+    public sealed class ECPrivateKeyParameters : ECKeyParameters
+    {
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ECPrivateKeyParameters"/> class. It is a wrapper for the <see cref="ECParameters"/> class.
+        /// </summary>
+        /// <remarks>
+        /// This constructor is used to create an instance from a <see cref="ECParameters"/> object. It will deep copy 
+        /// the parameters from the ECParameters object and ensure that the key is of type NIST P-256.
+        /// </remarks>
+        /// <param name="parameters">The EC parameters.</param>
+        public ECPrivateKeyParameters(ECParameters parameters) : base(parameters)
+        {
+
+            if (parameters.Curve.Oid.Value != ECCurve.NamedCurves.nistP256.Oid.Value)
+            {
+                throw new NotSupportedException("Key must be of type NIST P-256");
+            }
+
+            if (parameters.D == null)
+            {
+                throw new ArgumentException("Parameters must contain private key data (D value)", nameof(parameters));
+            }
+        }
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ECPrivateKeyParameters"/> class using a <see cref="ECDsa"/> object.
+        /// </summary>
+        /// <remarks>
+        /// It exports the parameters from the ECDsa object and deep copy the parameters from the ECParameters object and ensure that the key is of type NIST P-256.
+        /// </remarks>
+        /// <param name="ecdsaObject">The ECDsa object.</param>
+        public ECPrivateKeyParameters(ECDsa ecdsaObject) : base(ecdsaObject.ExportParameters(true)) { }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPublicKeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPublicKeyParameters.cs
new file mode 100644
index 000000000..f6eab2fcc
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPublicKeyParameters.cs
@@ -0,0 +1,74 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Cryptography
+{
+    /// <summary>
+    /// Represents the parameters for an Elliptic Curve (EC) public key.
+    /// </summary>
+    /// <remarks>
+    /// This class encapsulates the parameters specific to EC public keys,
+    /// ensuring that the key is of type NIST P-256 and contains only the
+    /// necessary public key components. It extends the base <see cref="ECKeyParameters"/>
+    /// class with additional validation to prevent the inclusion of private key data.
+    /// <para>
+    /// This class currently only supports NIST P-256.
+    /// </para>
+    /// </remarks>
+    public sealed class ECPublicKeyParameters : ECKeyParameters
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ECPublicKeyParameters"/> class. It is a wrapper for the <see cref="ECParameters"/> class.
+        /// </summary>
+        /// <remarks>
+        /// This constructor is used to create an instance from a <see cref="ECParameters"/> object. It will deep copy 
+        /// the parameters from the ECParameters object and ensure that the key is of type NIST P-256.
+        /// </remarks>
+        /// <param name="parameters"></param>
+        /// <exception cref="ArgumentException">Thrown when the parameters contain private key data (D value).</exception>
+        public ECPublicKeyParameters(ECParameters parameters) : base(parameters)
+        {
+            if (parameters.D != null)
+            {
+                throw new ArgumentException(
+                    "Parameters must not contain private key data (D value)", nameof(parameters));
+            }
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ECPublicKeyParameters"/> class.
+        /// </summary>
+        /// <param name="ecdsa"></param>
+        public ECPublicKeyParameters(ECDsa ecdsa) : base(ecdsa.ExportParameters(false)) { }
+
+        /// <summary>
+        /// Gets the bytes representing the public key.
+        /// </summary>
+        /// <returns>A <see cref="Memory{T}"/> containing the public key bytes with the format 0x04 || X || Y.</returns>
+        public ReadOnlyMemory<byte> GetBytes()
+        {
+            byte[] publicKeyRawData =
+                new byte[] { 0x4 } // Format identifier (uncompressed point): 0x04
+                .Concat(Parameters.Q.X)
+                .Concat(Parameters.Q.Y)
+                .ToArray();
+
+            return publicKeyRawData;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/FirmwareVersion.cs b/Yubico.YubiKey/src/Yubico/YubiKey/FirmwareVersion.cs
index b6fe55228..dff6d9b13 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/FirmwareVersion.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/FirmwareVersion.cs
@@ -43,7 +43,10 @@ public class FirmwareVersion : IComparable<FirmwareVersion>, IComparable, IEquat
         internal static readonly FirmwareVersion V5_4_2 = new FirmwareVersion(5, 4, 2);
         internal static readonly FirmwareVersion V5_4_3 = new FirmwareVersion(5, 4, 3);
         internal static readonly FirmwareVersion V5_6_0 = new FirmwareVersion(5, 6, 0);
+        internal static readonly FirmwareVersion V5_6_3 = new FirmwareVersion(5, 6, 3);
         internal static readonly FirmwareVersion V5_7_0 = new FirmwareVersion(5, 7, 0);
+        internal static readonly FirmwareVersion V5_7_2 = new FirmwareVersion(5, 7, 2);
+
         #endregion
 
         public byte Major { get; set; }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/IScp03YubiKeyConnection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/IScp03YubiKeyConnection.cs
index 5ca39f358..ed4385948 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/IScp03YubiKeyConnection.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/IScp03YubiKeyConnection.cs
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-using Yubico.YubiKey.Scp03;
+using System;
 
 namespace Yubico.YubiKey
 {
@@ -20,11 +20,12 @@ namespace Yubico.YubiKey
     /// The connection class that can perform SCP03 operations will implement not
     /// only <see cref="IYubiKeyConnection"/>, but this interface as well.
     /// </summary>
+    [Obsolete("Use new scp")]
     public interface IScp03YubiKeyConnection : IYubiKeyConnection
     {
         /// <summary>
         /// Return a reference to the SCP03 key set used to make the connection.
         /// </summary>
-        public StaticKeys GetScp03Keys();
+        public Yubico.YubiKey.Scp03.StaticKeys GetScp03Keys();
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyConnection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyConnection.cs
index 5fcf08f19..2629987cd 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyConnection.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyConnection.cs
@@ -16,9 +16,20 @@
 
 namespace Yubico.YubiKey
 {
+    /// <summary>
+    /// Represents a connection to a YubiKey device, enabling the sending of commands and retrieval of responses.
+    /// </summary>
     public interface IYubiKeyConnection : IDisposable
     {
-        TResponse SendCommand<TResponse>(IYubiKeyCommand<TResponse> yubiKeyCommand) where TResponse : IYubiKeyResponse;
+        /// <summary>
+        /// Sends a command to the YubiKey device and returns the response.
+        /// </summary>
+        /// <typeparam name="TResponse">The type of response expected from the YubiKey device.</typeparam>
+        /// <param name="yubiKeyCommand">The command to be sent to the YubiKey device.</param>
+        /// <returns>The response received from the YubiKey device.</returns>
+        TResponse SendCommand<TResponse>(IYubiKeyCommand<TResponse> yubiKeyCommand)
+            where TResponse : IYubiKeyResponse;
+
         /// <summary>
         /// An object representing the response received from the YubiKey after selecting the application.  
         /// </summary>
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyDevice.cs b/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyDevice.cs
index f862b9d22..9324df6fc 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyDevice.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/IYubiKeyDevice.cs
@@ -15,9 +15,10 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
 using Yubico.Core.Devices;
-using Yubico.YubiKey.Scp03;
+using Yubico.YubiKey.Scp;
 using MgmtCmd = Yubico.YubiKey.Management.Commands;
 
+
 namespace Yubico.YubiKey
 {
     /// <summary>
@@ -48,42 +49,14 @@ public interface IYubiKeyDevice : IYubiKeyDeviceInfo, IEquatable<IYubiKeyDevice>
         /// Initiate a connection to the specified application on a YubiKey
         /// device.
         /// </summary>
-        /// <param name="yubikeyApplication">
+        /// <param name="application">
         /// The application to reference on the device.
         /// </param>
         /// <returns>
         /// An instance of a class that implements the
         /// <see cref="IYubiKeyConnection"/> interface.
         /// </returns>
-        IYubiKeyConnection Connect(YubiKeyApplication yubikeyApplication);
-
-        /// <summary>
-        /// Initiate a connection to the specified application on a YubiKey
-        /// device. The connection will be made over SCP03 (assuming the keys are
-        /// the ones loaded onto the YubiKey).
-        /// </summary>
-        /// <remarks>
-        /// Note that SCP03 works only with SmartCard applications, namely PIV, OATH,
-        /// and OpenPgp. However, SCP03 is supported only on series 5 YubiKeys with
-        /// firmware version 5.3 and later, and only the PIV application. If you
-        /// specify any other application, the connection will likely fail.
-        /// <para>
-        /// Note also that the return is an instance of a class that implements
-        /// <see cref="IScp03YubiKeyConnection"/> which is a "subclass" of
-        /// <see cref="IYubiKeyConnection"/>.
-        /// </para>
-        /// </remarks>
-        /// <param name="yubikeyApplication">
-        /// The application to reference on the device.
-        /// </param>
-        /// <param name="scp03Keys">
-        /// The SCP03 key set to use in making an SCP03 connection.
-        /// </param>
-        /// <returns>
-        /// An instance of a class that implements the
-        /// <see cref="IScp03YubiKeyConnection"/> interface.
-        /// </returns>
-        IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication yubikeyApplication, StaticKeys scp03Keys);
+        IYubiKeyConnection Connect(YubiKeyApplication application);
 
         /// <summary>
         /// Initiate a connection to the specified application represented as an
@@ -100,125 +73,136 @@ public interface IYubiKeyDevice : IYubiKeyDeviceInfo, IEquatable<IYubiKeyDevice>
         IYubiKeyConnection Connect(byte[] applicationId);
 
         /// <summary>
-        /// Initiate a connection to the specified application represented as an
-        /// <c>applicationId</c> on a YubiKey device. The connection will be made
-        /// over SCP03 (assuming the keys are the ones loaded onto the YubiKey).
+        /// Initiate a connection to the specified application on a YubiKey device using SCP protocol.
         /// </summary>
+        /// <param name="application">
+        /// The <see cref="YubiKeyApplication"/> to reference on the device.
+        /// </param>
+        /// <param name="keyParameters">
+        /// The SCP key parameters to use in making an SCP connection.
+        /// </param>
         /// <remarks>
-        /// Note that SCP03 works only with SmartCard applications, namely PIV, OATH,
+        /// Note that SCP works only with SmartCard applications, namely PIV, OATH, OTP, Security Domain and YubiHsmAuth
         /// and OpenPgp. However, SCP03 is supported only on series 5 YubiKeys with
-        /// firmware version 5.3 and later, and only the PIV application. If you
-        /// specify any other application, the connection will likely fail.
+        /// firmware version on 5.3 and above. SCP 11 is supported only firmware version 5.7.2 and above.
         /// <para>
         /// Note also that the return is an instance of a class that implements
-        /// <see cref="IScp03YubiKeyConnection"/> which is a "subclass" of
+        /// <see cref="IScpYubiKeyConnection"/> which is a "subclass" of
         /// <see cref="IYubiKeyConnection"/>.
         /// </para>
         /// </remarks>
-        /// <param name="applicationId">
-        /// A byte array representing the smart card Application ID (AID) for the
+        /// <returns>
+        /// An instance of a class that implements the <see cref="IScpYubiKeyConnection"/> interface.
+        /// </returns>
+        IScpYubiKeyConnection Connect(YubiKeyApplication application, ScpKeyParameters keyParameters);
+
+        /// <summary>
+        /// Initiate a connection to the specified application on a YubiKey device using SCP protocol.
+        /// </summary>
+        /// <param name="applicationId">A byte array representing the smart card Application ID (AID) for the
         /// application to open.
         /// </param>
-        /// <param name="scp03Keys">
-        /// The SCP03 key set to use in making an SCP03 connection.
+        /// <param name="keyParameters">
+        /// The SCP key parameters to use in making an SCP connection.
         /// </param>
+        /// <remarks>
+        /// Note that SCP works only with SmartCard applications, namely PIV, OATH, OTP, Security Domain and YubiHsmAuth
+        /// and OpenPgp. However, SCP03 is supported only on series 5 YubiKeys with
+        /// firmware version on 5.3 and above. SCP 11 is supported only firmware version 5.7.2 and above.
+        /// <para>
+        /// Note also that the return is an instance of a class that implements
+        /// <see cref="IScpYubiKeyConnection"/> which is a "subclass" of
+        /// <see cref="IYubiKeyConnection"/>.
+        /// </para>
+        /// </remarks>
         /// <returns>
-        /// An instance of a class that implements the
-        /// <see cref="IYubiKeyConnection"/> interface.
+        /// An instance of a class that implements the <see cref="IScpYubiKeyConnection"/> interface.
         /// </returns>
-        IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, StaticKeys scp03Keys);
+        IScpYubiKeyConnection Connect(byte[] applicationId, ScpKeyParameters keyParameters);
 
-        /// <summary>
-        /// Checks whether a IYubiKeyDevice instance contains a particular platform <see cref="IDevice" />.
-        /// </summary>
-        /// <param name="other">The device to check.</param>
-        /// <returns>True, if the IYubiKeyDevice contains the platform device.</returns>
-        internal bool Contains(IDevice other);
 
         /// <summary>
-        /// Checks whether a IYubiKeyDevice instance contains another <see cref="IDevice" /> with the same
-        /// <see cref="IDevice.ParentDeviceId" />.
+        /// Attempt to connect to the YubiKey device.
         /// </summary>
-        /// <param name="other">The device to check against.</param>
-        /// <returns>True, if the IYubiKeyDevice contains a platform device that shares the same parent.</returns>
-        internal bool HasSameParentDevice(IDevice other);
+        /// <param name="application">The application to reference on the device.</param>
+        /// <param name="connection">Out parameter containing the <see cref="IYubiKeyConnection"/> instance.</param>
+        /// <returns>Boolean indicating whether the call was successful.</returns>
+        bool TryConnect(
+            YubiKeyApplication application,
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection);
 
         /// <summary>
         /// Attempt to connect to the YubiKey device.
         /// </summary>
-        /// <param name="application">The application to reference on the device.</param>
+        /// <param name="applicationId">A byte array representing the smart card Application ID (AID) for the
+        /// application to open.</param>
         /// <param name="connection">Out parameter containing the <see cref="IYubiKeyConnection"/> instance.</param>
         /// <returns>Boolean indicating whether the call was successful.</returns>
         bool TryConnect(
-            YubiKeyApplication application,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection);
+            byte[] applicationId,
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection);
+
 
         /// <summary>
-        /// Attempt to connect to the YubiKey device. The connection will be made
-        /// over SCP03 (assuming the keys are the ones loaded onto the YubiKey).
+        /// Attempt to connect to the YubiKey device over SCP using the specified <see cref="ScpKeyParameters"/>
         /// </summary>
         /// <remarks>
-        /// Note that SCP03 works only with SmartCard applications, namely PIV, OATH,
+        /// Note that SCP works only with SmartCard applications, namely PIV, OATH, OTP, Security Domain and YubiHsmAuth
         /// and OpenPgp. However, SCP03 is supported only on series 5 YubiKeys with
-        /// firmware version 5.3 and later, and only the PIV application. If you
-        /// specify any other application, the connection will likely fail.
+        /// firmware version on 5.3 and above. SCP 11 is supported only firmware version 5.7.2 and above.
         /// <para>
         /// Note also that the return is an instance of a class that implements
-        /// <see cref="IScp03YubiKeyConnection"/> which is a "subclass" of
+        /// <see cref="IScpYubiKeyConnection"/> which is a "subclass" of
         /// <see cref="IYubiKeyConnection"/>.
         /// </para>
         /// </remarks>
         /// <param name="application">The application to reference on the device.</param>
-        /// <param name="scp03Keys">
-        /// The SCP03 key set to use in making an SCP03 connection.
+        /// <param name="keyParameters">
+        /// The <see cref="ScpKeyParameters"/> key set to use in making an SCP connection.
         /// </param>
         /// <param name="connection">Out parameter containing the <see cref="IYubiKeyConnection"/> instance.</param>
         /// <returns>Boolean indicating whether the call was successful.</returns>
-        bool TryConnectScp03(
-            YubiKeyApplication application,
-            StaticKeys scp03Keys,
-            [MaybeNullWhen(returnValue: false)]
-            out IScp03YubiKeyConnection connection);
-
-        /// <summary>
-        /// Attempt to connect to the YubiKey device.
-        /// </summary>
-        /// <param name="applicationId">A byte array representing the smart card Application ID (AID) for the
-        /// application to open.</param>
-        /// <param name="connection">Out parameter containing the <see cref="IYubiKeyConnection"/> instance.</param>
-        /// <returns>Boolean indicating whether the call was successful.</returns>
         bool TryConnect(
-            byte[] applicationId,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection);
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters,
+            [MaybeNullWhen(returnValue: false)] out IScpYubiKeyConnection connection);
 
         /// <summary>
-        /// Attempt to connect to the YubiKey device. The connection will be made
-        /// over SCP03 (assuming the keys are the ones loaded onto the YubiKey).
+        /// Attempt to connect to the YubiKey device over SCP using the specified <see cref="ScpKeyParameters"/>
         /// </summary>
         /// <remarks>
-        /// Note that SCP03 works only with SmartCard applications, namely PIV, OATH,
+        /// Note that SCP works only with SmartCard applications, namely PIV, OATH, OTP, Security Domain and YubiHsmAuth
         /// and OpenPgp. However, SCP03 is supported only on series 5 YubiKeys with
-        /// firmware version 5.3 and later, and only the PIV application. If you
-        /// specify any other application, the connection will likely fail.
+        /// firmware version on 5.3 and above. SCP 11 is supported only firmware version 5.7.2 and above.
         /// <para>
         /// Note also that the return is an instance of a class that implements
-        /// <see cref="IScp03YubiKeyConnection"/> which is a "subclass" of
+        /// <see cref="IScpYubiKeyConnection"/> which is a "subclass" of
         /// <see cref="IYubiKeyConnection"/>.
         /// </para>
         /// </remarks>
-        /// <param name="applicationId">A byte pattern representing the application to reference.</param>
-        /// <param name="scp03Keys">
-        /// The SCP03 key set to use in making an SCP03 connection.
-        /// </param>
-        /// <param name="connection">Out parameter containing the <see cref="IYubiKeyConnection"/> instance.</param>
-        /// <returns>Boolean indicating whether the call was successful.</returns>
-        bool TryConnectScp03(
+        /// <param name="applicationId">The Iso7816 application ID to use for the connection.</param>
+        /// <param name="keyParameters">The <see cref="ScpKeyParameters"/> parameters for the SCP connection.</param>
+        /// <param name="connection">The connection to the YubiKey, or null if unable to connect.</param>
+        /// <returns>True if the connection was successful, false otherwise.</returns>
+        bool TryConnect(
             byte[] applicationId,
-            StaticKeys scp03Keys,
-            [MaybeNullWhen(returnValue: false)]
-            out IScp03YubiKeyConnection connection);
+            ScpKeyParameters keyParameters,
+            [MaybeNullWhen(returnValue: false)] out IScpYubiKeyConnection connection);
+
+        /// <summary>
+        /// Checks whether a IYubiKeyDevice instance contains a particular platform <see cref="IDevice" />.
+        /// </summary>
+        /// <param name="other">The device to check.</param>
+        /// <returns>True, if the IYubiKeyDevice contains the platform device.</returns>
+        internal bool Contains(IDevice other);
+
+        /// <summary>
+        /// Checks whether a IYubiKeyDevice instance contains another <see cref="IDevice" /> with the same
+        /// <see cref="IDevice.ParentDeviceId" />.
+        /// </summary>
+        /// <param name="other">The device to check against.</param>
+        /// <returns>True, if the IYubiKeyDevice contains a platform device that shares the same parent.</returns>
+        internal bool HasSameParentDevice(IDevice other);
 
         /// <summary>
         /// Sets which NFC features are enabled (and disabled).
@@ -663,7 +647,6 @@ void SetLegacyDeviceConfiguration(
             bool touchEjectEnabled,
             int autoEjectTimeout = 0);
 
-
         /// <summary>
         /// Sets the <see cref="IYubiKeyDeviceInfo.IsNfcRestricted"/> on the <see cref="YubiKeyDeviceInfo"/>
         /// </summary>
@@ -706,5 +689,22 @@ void SetLegacyDeviceConfiguration(
         /// </para>
         /// </remarks>
         void DeviceReset();
+
+        [Obsolete("Use the new Scp methods")]
+        bool TryConnectScp03(
+            YubiKeyApplication application,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
+            [MaybeNullWhen(returnValue: false)] out IScp03YubiKeyConnection connection);
+
+        [Obsolete("Use the new Scp methods")]
+        bool TryConnectScp03(
+            byte[] applicationId,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
+            [MaybeNullWhen(returnValue: false)] out IScp03YubiKeyConnection connection);
+
+        [Obsolete("Use the new Scp methods")]
+        IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication application, Yubico.YubiKey.Scp03.StaticKeys scp03Keys);
+        [Obsolete("Use the new Scp methods")]
+        IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, Yubico.YubiKey.Scp03.StaticKeys scp03Keys);
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Credential.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Credential.cs
index 262fdbb1a..5a3caf2af 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Credential.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Credential.cs
@@ -217,13 +217,13 @@ public void AddCredential(Credential credential)
             }
 
             if (credential.RequiresTouch == true &&
-                !_yubiKeyDevice.HasFeature(YubiKeyFeature.OathTouchCredential))
+                !YubiKey.HasFeature(YubiKeyFeature.OathTouchCredential))
             {
                 throw new InvalidOperationException(ExceptionMessages.TouchNotSupported);
             }
 
             if (credential.Algorithm == HashAlgorithm.Sha512 &&
-                !_yubiKeyDevice.HasFeature(YubiKeyFeature.OathSha512))
+                !YubiKey.HasFeature(YubiKeyFeature.OathSha512))
             {
                 throw new InvalidOperationException(ExceptionMessages.SHA512NotSupported);
             }
@@ -446,7 +446,7 @@ public Credential RemoveCredential(
         /// </exception>
         public void RenameCredential(Credential credential, string? newIssuer, string newAccount)
         {
-            if (!_yubiKeyDevice.HasFeature(YubiKeyFeature.OathRenameCredential))
+            if (!YubiKey.HasFeature(YubiKeyFeature.OathRenameCredential))
             {
                 throw new InvalidOperationException(ExceptionMessages.RenameCommandNotSupported);
             }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Password.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Password.cs
index dd96dd792..59ac81b7f 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Password.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.Password.cs
@@ -52,7 +52,7 @@ public bool TryVerifyPassword()
                 {
                     var password = keyEntryData.GetCurrentValue();
                     var command = new ValidateCommand(password, _oathData);
-                    
+
                     var response = Connection.SendCommand(command);
                     if (response.Status == ResponseStatus.Success)
                     {
@@ -322,8 +322,7 @@ public bool TrySetPassword(ReadOnlyMemory<byte> currentPassword, ReadOnlyMemory<
                 }
             }
 
-            var setPasswordCommand = new SetPasswordCommand(newPassword, _oathData);
-            var setPasswordResponse = Connection.SendCommand(setPasswordCommand);
+            var setPasswordResponse = Connection.SendCommand(new SetPasswordCommand(newPassword, _oathData));
             if (setPasswordResponse.Status == ResponseStatus.Success)
             {
                 var selectOathResponse = Connection.SendCommand(new SelectOathCommand());
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.cs
index 97d9c4cdc..b70b1d0fa 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Oath/OathSession.cs
@@ -14,19 +14,22 @@
 
 using System;
 using System.Globalization;
+using Microsoft.Extensions.Logging;
+using Yubico.Core.Logging;
 using Yubico.YubiKey.InterIndustry.Commands;
 using Yubico.YubiKey.Oath.Commands;
+using Yubico.YubiKey.Scp;
 
 namespace Yubico.YubiKey.Oath
 {
     /// <summary>
     /// The main entry-point for all OATH related operations.
     /// </summary>
-    public sealed partial class OathSession : IDisposable
+    public sealed partial class OathSession : ApplicationSession
     {
         private bool _disposed;
-        private readonly IYubiKeyDevice _yubiKeyDevice;
-        internal OathApplicationData _oathData;
+        // ReSharper disable once InconsistentNaming
+        internal OathApplicationData _oathData; // Internal for testing
 
         /// <summary>
         /// Indicates whether the OATH application on the YubiKey is
@@ -35,11 +38,6 @@ public sealed partial class OathSession : IDisposable
         /// </summary>
         public bool IsPasswordProtected => !_oathData.Challenge.IsEmpty;
 
-        /// <summary>
-        /// The object that represents the connection to the YubiKey.
-        /// </summary>
-        public IYubiKeyConnection Connection { get; private set; }
-
         /// <summary>
         /// The Delegate this class will call when it needs a password to unlock the OATH application.
         /// </summary>
@@ -57,12 +55,6 @@ public sealed partial class OathSession : IDisposable
         /// </remarks>
         public Func<KeyEntryData, bool>? KeyCollector { get; set; }
 
-        // The default constructor explicitly defined. We don't want it to be used.
-        private OathSession()
-        {
-            throw new NotImplementedException();
-        }
-
         /// <summary>
         /// Create an instance of <c>OathSession</c> class, the object that represents
         /// the OATH application on the YubiKey.
@@ -81,34 +73,25 @@ private OathSession()
         /// <param name="yubiKey">
         /// The object that represents the actual YubiKey which will perform the operations.
         /// </param>
+        /// <param name="keyParameters">If supplied, the parameters used open the SCP connection.</param>
         /// <exception cref="ArgumentNullException">
         /// The <c>yubiKey</c> argument is null.
         /// </exception>
         /// <exception cref="InvalidOperationException">
-        /// The <c>SelectApplicationData</c> recived from the <c>yubiKey</c> is null.
+        /// The <c>SelectApplicationData</c> received from the <c>yubiKey</c> is null.
         /// </exception>
-        public OathSession(IYubiKeyDevice yubiKey)
+        public OathSession(IYubiKeyDevice yubiKey, ScpKeyParameters? keyParameters = null)
+            : base(Log.GetLogger<OathSession>(), yubiKey, YubiKeyApplication.Oath, keyParameters)
         {
-            if (yubiKey is null)
-            {
-                throw new ArgumentNullException(nameof(yubiKey));
-            }
-
-            _yubiKeyDevice = yubiKey;
 
-            Connection = yubiKey.Connect(YubiKeyApplication.Oath);
-
-            if (!(Connection.SelectApplicationData is OathApplicationData))
+            if (!(Connection.SelectApplicationData is OathApplicationData data))
             {
                 throw new InvalidOperationException(nameof(Connection.SelectApplicationData));
             }
 
-            _oathData = (Connection.SelectApplicationData as OathApplicationData)!;
-
-            _disposed = false;
+            _oathData = data;
         }
 
-
         /// <summary>
         /// Resets the YubiKey's OATH application back to a factory default state.
         /// </summary>
@@ -130,7 +113,6 @@ public void ResetApplication()
             _oathData = selectOathResponse.GetData();
         }
 
-        // Checks if the KeyCollector delegate is null
         private void EnsureKeyCollector()
         {
             if (KeyCollector is null)
@@ -150,18 +132,15 @@ private void EnsureKeyCollector()
         //
         // However, that does not apply to sealed classes. So the Dispose method will simply perform the
         // "closing" process, no call to Dispose(bool) or GC.
-        public void Dispose()
+        public override void Dispose()
         {
             if (_disposed)
             {
                 return;
             }
 
-            // At the moment, there is no "close session" method. So for now,
-            // just connect to the management application.
-            _ = Connection.SendCommand(new SelectApplicationCommand(YubiKeyApplication.Management));
             KeyCollector = null;
-            Connection.Dispose();
+            base.Dispose();
             _disposed = true;
         }
     }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSession.cs
index 54fb532aa..0ae469a78 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSession.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSession.cs
@@ -14,8 +14,11 @@
 
 using System;
 using System.Globalization;
+using Yubico.Core.Logging;
+using Yubico.YubiKey.Oath;
 using Yubico.YubiKey.Otp.Commands;
 using Yubico.YubiKey.Otp.Operations;
+using Yubico.YubiKey.Scp;
 
 namespace Yubico.YubiKey.Otp
 {
@@ -60,18 +63,24 @@ namespace Yubico.YubiKey.Otp
     /// and finally, <c>Execute()</c> tells the operation class to perform the
     /// configuration on the YubiKey.
     /// </example>
-    public sealed class OtpSession : IOtpSession
+    public sealed class OtpSession : ApplicationSession, IOtpSession
     {
         /// <summary>
         /// Constructs a <see cref="OtpSession"/> instance for high-level OTP operations.
         /// </summary>
-        /// <param name="yubiKey">Instance of class implementing <see cref="IYubiKeyDevice"/>.</param>
-        public OtpSession(IYubiKeyDevice yubiKey)
+        /// <remarks>
+        /// This constructor should be used to obtain an instance of this class for
+        /// performing operations on the YubiKey OTP application. The instance of
+        /// <see cref="IYubiKeyDevice"/> passed in should be a connected YubiKey.
+        /// </remarks>
+        /// <param name="yubiKey">An instance of a class that implements <see cref="IYubiKeyDevice"/>.</param>
+        /// <param name="keyParameters">An instance of <see cref="Scp03KeyParameters"/> containing the
+        /// parameters for the SCP03 key. If <see langword="null"/>, the default parameters will be used. </param>
+        public OtpSession(IYubiKeyDevice yubiKey, ScpKeyParameters? keyParameters = null)
+            : base(Log.GetLogger<OathSession>(), yubiKey, YubiKeyApplication.Otp, keyParameters)
         {
-            if (yubiKey is null) { throw new ArgumentNullException(nameof(yubiKey)); }
-            YubiKey = yubiKey;
-            _connection = yubiKey.Connect(YubiKeyApplication.Otp);
-            _otpStatus = _connection.SendCommand(new ReadStatusCommand()).GetData();
+            // Getting the OTP status allows the user to read the OTP status on the OtpSession object.
+            _otpStatus = Connection.SendCommand(new ReadStatusCommand()).GetData();
         }
 
         #region OTP Operation Object Factory
@@ -81,7 +90,7 @@ public OtpSession(IYubiKeyDevice yubiKey)
         /// <param name="slot">The identifier for the OTP application slot to configure.</param>
         /// <returns>An instance of <see cref="Operations.CalculateChallengeResponse"/>.</returns>
         public CalculateChallengeResponse CalculateChallengeResponse(Slot slot) =>
-            new CalculateChallengeResponse(_connection, this, slot);
+            new CalculateChallengeResponse(Connection, this, slot);
 
         /// <summary>
         /// Configures one of the OTP application slots to act as a Yubico OTP device.
@@ -89,7 +98,7 @@ public CalculateChallengeResponse CalculateChallengeResponse(Slot slot) =>
         /// <param name="slot">The identifier for the OTP application slot to configure.</param>
         /// <returns>Instance of <see cref="Operations.ConfigureYubicoOtp"/>.</returns>
         public ConfigureYubicoOtp ConfigureYubicoOtp(Slot slot) =>
-            new ConfigureYubicoOtp(_connection, this, slot);
+            new ConfigureYubicoOtp(Connection, this, slot);
 
         /// <summary>
         /// Removes a slot configuration in the YubiKey's OTP application.
@@ -97,7 +106,7 @@ public ConfigureYubicoOtp ConfigureYubicoOtp(Slot slot) =>
         /// <param name="slot">The identifier for the OTP application slot configuration to delete.</param>
         /// <returns>An instance of <see cref="Operations.DeleteSlotConfiguration"/>.</returns>
         public DeleteSlotConfiguration DeleteSlotConfiguration(Slot slot) =>
-            new DeleteSlotConfiguration(_connection, this, slot);
+            new DeleteSlotConfiguration(Connection, this, slot);
 
         /// <summary>
         /// Configures one of the OTP application slots to respond to challenges.
@@ -105,17 +114,17 @@ public DeleteSlotConfiguration DeleteSlotConfiguration(Slot slot) =>
         /// <param name="slot">The identifier for the OTP application slot to configure.</param>
         /// <returns>Instance of <see cref="Operations.ConfigureChallengeResponse"/>.</returns>
         public ConfigureChallengeResponse ConfigureChallengeResponse(Slot slot) =>
-            new ConfigureChallengeResponse(_connection, this, slot);
+            new ConfigureChallengeResponse(Connection, this, slot);
 
         /// <inheritdoc cref="Operations.ConfigureHotp"/>
         /// <param name="slot">OTP Slot to configure.</param>
         public ConfigureHotp ConfigureHotp(Slot slot) =>
-            new ConfigureHotp(_connection, this, slot);
+            new ConfigureHotp(Connection, this, slot);
 
         /// <inheritdoc cref="Operations.ConfigureNdef"/>
         /// <param name="slot">OTP Slot to configure.</param>
         public ConfigureNdef ConfigureNdef(Slot slot) =>
-            new ConfigureNdef(_connection, this, slot);
+            new ConfigureNdef(Connection, this, slot);
 
         /// <summary>
         /// Sets a static password for an OTP application slot on a YubiKey.
@@ -131,7 +140,7 @@ public ConfigureNdef ConfigureNdef(Slot slot) =>
         /// <param name="slot">The identifier for the OTP application slot to configure.</param>
         /// <returns>Instance of <see cref="Operations.ConfigureStaticPassword"/>.</returns>
         public ConfigureStaticPassword ConfigureStaticPassword(Slot slot) =>
-            new ConfigureStaticPassword(_connection, this, slot);
+            new ConfigureStaticPassword(Connection, this, slot);
 
         /// <summary>
         /// Updates the settings of an OTP application slot on a YubiKey without removing
@@ -140,7 +149,7 @@ public ConfigureStaticPassword ConfigureStaticPassword(Slot slot) =>
         /// <param name="slot">The identifier for the OTP application slot to configure.</param>
         /// <inheritdoc cref="OtpSettings{T}.AllowUpdate(bool)" path="/remarks"/>
         public UpdateSlot UpdateSlot(Slot slot) =>
-            new UpdateSlot(_connection, this, slot);
+            new UpdateSlot(Connection, this, slot);
         #endregion
 
         #region Non-Builder Implementations
@@ -180,7 +189,7 @@ public void SwapSlots()
                 throw new InvalidOperationException(ExceptionMessages.OtpSlotsNotConfigured);
             }
 
-            var swapResponse = _connection.SendCommand(new SwapSlotsCommand());
+            var swapResponse = Connection.SendCommand(new SwapSlotsCommand());
             if (swapResponse.Status != ResponseStatus.Success)
             {
                 throw new InvalidOperationException(swapResponse.StatusMessage);
@@ -239,12 +248,12 @@ public NdefDataReader ReadNdefTag()
 
             // NDEF is actually a separate application that we need to connect to. Disconnect from OTP, run the NDEF
             // command, and then reconnect to OTP.
-            _connection.Dispose();
+            Connection.Dispose();
 
             ReadNdefDataResponse response;
-            using (_connection = YubiKey.Connect(YubiKeyApplication.OtpNdef))
+            using (Connection = YubiKey.Connect(YubiKeyApplication.OtpNdef))
             {
-                var selectResponse = _connection.SendCommand(new SelectNdefDataCommand() { FileID = NdefFileId.Ndef });
+                var selectResponse = Connection.SendCommand(new SelectNdefDataCommand() { FileID = NdefFileId.Ndef });
                 if (selectResponse.Status != ResponseStatus.Success)
                 {
                     throw new InvalidOperationException(
@@ -254,11 +263,10 @@ public NdefDataReader ReadNdefTag()
                             selectResponse.StatusMessage));
                 }
 
-                response = _connection.SendCommand(new ReadNdefDataCommand());
+                response = Connection.SendCommand(new ReadNdefDataCommand());
             }
 
-            _connection = YubiKey.Connect(YubiKeyApplication.Otp);
-
+            Connection = GetConnection(YubiKey, YubiKeyApplication.Otp, KeyParameters);
             return new NdefDataReader(response.GetData().Span);
         }
 
@@ -279,18 +287,15 @@ public NdefDataReader ReadNdefTag()
 
         internal FirmwareVersion FirmwareVersion => _otpStatus.FirmwareVersion;
 
-        internal IYubiKeyDevice YubiKey { get; private set; }
-
         FirmwareVersion IOtpSession.FirmwareVersion => FirmwareVersion;
 
         IYubiKeyDevice IOtpSession.YubiKey => YubiKey;
         #endregion
 
-        /// <inheritdoc />
-        public void Dispose() => _connection.Dispose();
+        // /// <inheritdoc />
+        // public void Dispose() => Connection.Dispose();
 
         #region Private Fields
-        private IYubiKeyConnection _connection;
         private readonly OtpStatus _otpStatus;
         #endregion
     }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSettings.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSettings.cs
index fe0a8a0c4..4318a6791 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSettings.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Otp/OtpSettings.cs
@@ -66,7 +66,7 @@ public YubiKeyFlags YubiKeyFlags
                     foreach (var flag in FlagsSet.Where(k => k != Flag.None))
                     {
                         var flagItem = _flagDefinitions[flag];
-                        
+
                         // Doing this here makes the RequiredOr check easier.
                         var requiredOr =
                             flagItem.RequiredOrFlags == Flag.None
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/OathResponseChainingTransform.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/OathResponseChainingTransform.cs
index 98dd37413..1d21c2871 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/OathResponseChainingTransform.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/OathResponseChainingTransform.cs
@@ -24,10 +24,11 @@ internal class OathResponseChainingTransform : ResponseChainingTransform
     {
         public OathResponseChainingTransform(IApduTransform pipeline) : base(pipeline)
         {
-
         }
 
-        protected override IYubiKeyCommand<YubiKeyResponse> CreateGetResponseCommand(CommandApdu originatingCommand, short SW2) =>
+        protected override IYubiKeyCommand<YubiKeyResponse> CreateGetResponseCommand(
+            CommandApdu originatingCommand,
+            short SW2) =>
             new Oath.Commands.GetResponseCommand(originatingCommand, SW2);
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ResponseChainingTransform.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ResponseChainingTransform.cs
index 8ebb18842..a69db2b7c 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ResponseChainingTransform.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ResponseChainingTransform.cs
@@ -78,7 +78,8 @@ public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseT
             return new ResponseApdu(tempBuffer.ToArray(), responseApdu.SW);
         }
 
-        protected virtual IYubiKeyCommand<YubiKeyResponse> CreateGetResponseCommand(CommandApdu originatingCommand, short SW2) =>
+        protected virtual IYubiKeyCommand<YubiKeyResponse>
+            CreateGetResponseCommand(CommandApdu originatingCommand, short SW2) =>
             new InterIndustry.Commands.GetResponseCommand(originatingCommand, SW2);
 
         public void Setup() => _pipeline.Setup();
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/Scp03ApduTransform.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/Scp03ApduTransform.cs
index 2b5ce88d3..85a29ce7f 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/Scp03ApduTransform.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/Scp03ApduTransform.cs
@@ -31,6 +31,7 @@ namespace Yubico.YubiKey.Pipelines
     ///
     /// Requires pre-shared <see cref="StaticKeys"/>.
     /// </remarks>
+    [Obsolete("Use ScpApduTransform instead.")]
     internal class Scp03ApduTransform : IApduTransform, IDisposable
     {
         private readonly IApduTransform _pipeline;
@@ -88,7 +89,7 @@ public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseT
         {
             // Encode command
             var encodedCommand = _session.EncodeCommand(command);
-            
+
             // Pass along the encoded command
             var response = _pipeline.Invoke(encodedCommand, commandType, responseType);
 
@@ -97,7 +98,7 @@ public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseT
             {
                 return response;
             }
-            
+
             // Decode response and return it
             return _session.DecodeResponse(response);
         }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ScpApduTransform.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ScpApduTransform.cs
new file mode 100644
index 000000000..d2e734c1a
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/ScpApduTransform.cs
@@ -0,0 +1,175 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Scp;
+
+namespace Yubico.YubiKey.Pipelines
+{
+    /// <summary>
+    /// Constructs the shared state for SCP communication over SCP03, SCP11a/b/c.
+    /// Performs SCP encrypt-then-MAC on commands and verify-then-decrypt on responses.
+    /// </summary>
+    /// <remarks>
+    /// Does an SCP Initialize Update / External Authenticate handshake at setup.
+    /// Commands and responses sent through this pipeline are confidential and authenticated.
+    /// </remarks>
+    internal class ScpApduTransform : IApduTransform, IDisposable
+    {
+        /// <summary>
+        /// The <see cref="ScpKeyParameters"/> for the SCP connection
+        /// </summary>
+        public ScpKeyParameters KeyParameters { get; }
+
+        /// <summary>
+        /// The <see cref="EncryptDataFunc"/> which encrypts any data using the session key
+        /// </summary>
+        /// <exception cref="InvalidOperationException">Thrown when the <see cref="ScpState"/> has not been initialized.</exception>
+        public EncryptDataFunc EncryptDataFunc => _dataEncryptor ?? ThrowIfUninitialized<EncryptDataFunc>();
+        private ScpState ScpState => _scpState ?? ThrowIfUninitialized<ScpState>();
+        private EncryptDataFunc? _dataEncryptor;
+        private readonly IApduTransform _pipeline;
+        private ScpState? _scpState;
+        private bool _disposed;
+
+        /// <summary>
+        /// Constructs a new pipeline from the given one.
+        /// </summary>
+        /// <param name="pipeline">Underlying pipeline to send and receive encoded APDUs with</param>
+        /// <param name="keyParameters">The <see cref="ScpKeyParameters"/> for the SCP connection</param>
+        public ScpApduTransform(IApduTransform pipeline, ScpKeyParameters keyParameters)
+        {
+            _pipeline = pipeline ?? throw new ArgumentNullException(nameof(pipeline));
+            KeyParameters = keyParameters ?? throw new ArgumentNullException(nameof(keyParameters));
+        }
+
+        /// <summary>
+        /// Performs SCP handshake. Must be called after SELECT.
+        /// </summary>
+        /// <exception cref="ArgumentException">Thrown if the instance <see cref="KeyParameters"/> is invalid.</exception>
+        public void Setup()
+        {
+            _pipeline.Setup();
+
+            switch (KeyParameters)
+            {
+                case Scp03KeyParameters scp03KeyParameters:
+                    InitializeScp03(scp03KeyParameters);
+                    break;
+                case Scp11KeyParameters scp11KeyParameters:
+                    InitializeScp11(scp11KeyParameters);
+                    break;
+                default:
+                    throw new ArgumentException($"Type of {nameof(KeyParameters)} is not recognized", nameof(KeyParameters));
+            }
+        }
+
+        /// <summary>
+        /// Passes the supplied command into the pipeline, and returns the final response.
+        /// </summary>
+        /// <remarks>
+        /// Encodes the command using the SCP state, sends it to the underlying pipeline, and then decodes the response.
+        /// <para>
+        /// Note: Some commands should not be encoded. For those, the pipeline is invoked directly without encoding.
+        /// </para>
+        /// </remarks>
+        public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseType)
+        {
+            if (ShouldNotEncode(commandType))
+            {
+                // Invoke the pipeline without encoding the command
+                return _pipeline.Invoke(command, commandType, responseType);
+            }
+            
+            // Encode command
+            var encodedCommand = ScpState.EncodeCommand(command);
+            var response = _pipeline.Invoke(encodedCommand, commandType, responseType);
+
+            // Decode response
+            return ScpState.DecodeResponse(response);
+        }
+
+        private void InitializeScp03(Scp03KeyParameters keyParams)
+        {
+            // Generate host challenge
+            using var rng = CryptographyProviders.RngCreator();
+            
+            byte[] hostChallenge = new byte[8];
+            rng.GetBytes(hostChallenge);
+            
+            // Create the state object that manages keys, mac chaining, etc.
+            _scpState = Scp03State.CreateScpState(_pipeline, keyParams, hostChallenge);
+            
+            // Set the data encryptor for later use
+            _dataEncryptor = _scpState.GetDataEncryptor();
+        }
+
+        private void InitializeScp11(Scp11KeyParameters keyParameters)
+        {
+            // Create the state object that manages keys, mac chaining, etc.
+            _scpState = Scp11State.CreateScpState(_pipeline, keyParameters);
+            
+            // Set the data encryptor for later use
+            _dataEncryptor = _scpState.GetDataEncryptor();
+        }
+
+        [DoesNotReturn]
+        private T ThrowIfUninitialized<T>() => throw new InvalidOperationException($"{nameof(Scp.ScpState)} has not been initialized. The Setup method must be called.");
+
+        private static bool ShouldNotEncode(Type commandType)
+        {
+            // This method introduces some coupling between the SCP pipeline and the applications.
+            // The applications should not have to know about the SCP pipeline, or they should be able to
+            // send the commands without the pipeline.
+            var exemptionList = new[]
+            {
+                typeof(InterIndustry.Commands.SelectApplicationCommand),
+                typeof(Oath.Commands.SelectOathCommand),
+                typeof(Scp.Commands.ResetCommand),
+            };
+
+            return exemptionList.Contains(commandType);
+        }
+
+        // There is a call to cleanup and a call to Dispose. The cleanup only
+        // needs to call the cleanup on the local APDU Pipeline object.
+        public void Cleanup() => _pipeline.Cleanup();
+
+        public void Dispose()
+        {
+            Dispose(disposing: true);
+            GC.SuppressFinalize(this);
+        }
+
+        protected virtual void Dispose(bool disposing)
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            if (!disposing)
+            {
+                return;
+            }
+
+            _scpState?.Dispose();
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateDecryptCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateDecryptCommand.cs
index 7afe62fd4..c26734b38 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateDecryptCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateDecryptCommand.cs
@@ -57,7 +57,8 @@ namespace Yubico.YubiKey.Piv.Commands
     /// </para>
     /// <para>
     /// The caller supplies the data to decrypt. It must be a block the same size
-    /// as the key. For an RSA-1024/RSA-2048/RSA-3072/RSA-4096 key, the block must be 128/256/384/512 bytes. If the actual data to decrypt
+    /// as the key. For an RSA-1024 key, the block must be 128 bytes, for an
+    /// RSA-2048 key, the block must be 256 bytes, for an RSA-3072 key, the block must be 384 bytes, and for an RSA-4096 key, the block must be 512 bytes. If the actual data to decrypt
     /// is shorter, it must be provided with as many prepended 00 bytes as needed
     /// to make sure the block is the appropriate length.
     /// </para>
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Attestation.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Attestation.cs
index a59f67f24..3b99f9fea 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Attestation.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Attestation.cs
@@ -114,7 +114,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public X509Certificate2 CreateAttestationStatement(byte slotNumber)
         {
-            if (_yubiKeyDevice.HasFeature(YubiKeyFeature.PivAttestation))
+            if (YubiKey.HasFeature(YubiKeyFeature.PivAttestation))
             {
                 // This call will throw an exception if the slot number is incorrect.
                 var command = new CreateAttestationStatementCommand(slotNumber);
@@ -181,7 +181,7 @@ public X509Certificate2 CreateAttestationStatement(byte slotNumber)
         /// </exception>
         public X509Certificate2 GetAttestationCertificate()
         {
-            if (_yubiKeyDevice.HasFeature(YubiKeyFeature.PivAttestation))
+            if (YubiKey.HasFeature(YubiKeyFeature.PivAttestation))
             {
                 var command = new GetDataCommand(AttestationCertTag);
                 var response = Connection.SendCommand(command);
@@ -364,7 +364,7 @@ public void ReplaceAttestationKeyAndCertificate(PivPrivateKey privateKey, X509Ce
         // Return the DER encoding of the certificate.
         private byte[] CheckVersionKeyAndCertRequirements(PivPrivateKey privateKey, X509Certificate2 certificate)
         {
-            if (!_yubiKeyDevice.HasFeature(YubiKeyFeature.PivAttestation))
+            if (!YubiKey.HasFeature(YubiKeyFeature.PivAttestation))
             {
                 throw new NotSupportedException(
                     string.Format(
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs
index 2e94aae64..bf282abd2 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs
@@ -147,7 +147,7 @@ public byte[] Sign(byte slotNumber, ReadOnlyMemory<byte> dataToSign)
             // This will verify the slot number and dataToSign length. If one or
             // both are incorrect, the call will throw an exception.
             var signCommand = new AuthenticateSignCommand(dataToSign, slotNumber);
-            _yubiKeyDevice.ThrowIfUnsupportedAlgorithm(signCommand.Algorithm);
+            YubiKey.ThrowIfUnsupportedAlgorithm(signCommand.Algorithm);
 
             return PerformPrivateKeyOperation(
                 slotNumber,
@@ -386,7 +386,7 @@ public byte[] KeyAgree(byte slotNumber, PivPublicKey correspondentPublicKey)
         // other information.
         private byte[] PerformPrivateKeyOperation(
             byte slotNumber, IYubiKeyCommand<IYubiKeyResponseWithData<byte[]>> commandToPerform,
-            PivAlgorithm algorithm,string algorithmExceptionMessage)
+            PivAlgorithm algorithm, string algorithmExceptionMessage)
         {
             bool pinRequired = true;
 
@@ -399,7 +399,7 @@ private byte[] PerformPrivateKeyOperation(
 
             // Metadata will give us our answer, but that feature is
             // available only on YubiKeys beginning with version 5.3.
-            if (_yubiKeyDevice.HasFeature(YubiKeyFeature.PivMetadata))
+            if (YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
             {
                 var metadataCommand = new GetMetadataCommand(slotNumber);
                 var metadataResponse = Connection.SendCommand(metadataCommand);
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.KeyPairs.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.KeyPairs.cs
index 1d520b0d1..56cd763fa 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.KeyPairs.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.KeyPairs.cs
@@ -132,7 +132,7 @@ public PivPublicKey GenerateKeyPair(byte slotNumber,
                                             PivPinPolicy pinPolicy = PivPinPolicy.Default,
                                             PivTouchPolicy touchPolicy = PivTouchPolicy.Default)
         {
-            _yubiKeyDevice.ThrowIfUnsupportedAlgorithm(algorithm);
+            YubiKey.ThrowIfUnsupportedAlgorithm(algorithm);
 
             if (ManagementKeyAuthenticated == false)
             {
@@ -247,7 +247,7 @@ public void ImportPrivateKey(byte slotNumber,
                 throw new ArgumentNullException(nameof(privateKey));
             }
 
-            _yubiKeyDevice.ThrowIfUnsupportedAlgorithm(privateKey.Algorithm);
+            YubiKey.ThrowIfUnsupportedAlgorithm(privateKey.Algorithm);
 
             if (ManagementKeyAuthenticated == false)
             {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.ManagementKey.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.ManagementKey.cs
index 34d3bab64..df13bf733 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.ManagementKey.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.ManagementKey.cs
@@ -72,8 +72,8 @@ public sealed partial class PivSession : IDisposable
         public AuthenticateManagementKeyResult ManagementKeyAuthenticationResult { get; private set; }
 
         private PivAlgorithm DefaultManagementKeyAlgorithm =>
-            _yubiKeyDevice.HasFeature(YubiKeyFeature.PivAesManagementKey) &&
-            _yubiKeyDevice.FirmwareVersion >= FirmwareVersion.V5_7_0
+            YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey) &&
+            YubiKey.FirmwareVersion >= FirmwareVersion.V5_7_0
                 ? PivAlgorithm.Aes192
                 : PivAlgorithm.TripleDes;
 
@@ -244,7 +244,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public bool TryAuthenticateManagementKey(bool mutualAuthentication = true)
         {
-            _log.LogInformation(
+            Logger.LogInformation(
                 $"Try to authenticate the management key: {(mutualAuthentication ? "mutual" : "single")} auth.");
 
             var currentPinOnlyMode = TryAuthenticatePinOnly(true);
@@ -316,7 +316,7 @@ private bool TryAuthenticateWithKeyCollector(bool mutualAuthentication)
         /// </exception>
         public void AuthenticateManagementKey(bool mutualAuthentication = true)
         {
-            _log.LogInformation(
+            Logger.LogInformation(
                 $"Authenticate the management key: {(mutualAuthentication ? "mutual" : "single")} auth.");
 
             if (TryAuthenticateManagementKey(mutualAuthentication) == false)
@@ -657,8 +657,7 @@ public bool TryChangeManagementKey(PivTouchPolicy touchPolicy = PivTouchPolicy.D
         /// </exception>
         public bool TryChangeManagementKey(PivTouchPolicy touchPolicy, PivAlgorithm newKeyAlgorithm)
         {
-            _log.LogInformation(
-                "Try to change the management key, touch policy = {TouchPolicy}, algorithm = {PivALgorithm}.",
+            Logger.LogInformation("Try to change the management key, touch policy = {TouchPolicy}, algorithm = {PivALgorithm}.",
                 touchPolicy.ToString(), newKeyAlgorithm.ToString());
 
             CheckManagementKeyAlgorithm(newKeyAlgorithm, true);
@@ -768,8 +767,7 @@ public void ChangeManagementKey(PivTouchPolicy touchPolicy = PivTouchPolicy.Defa
         /// </exception>
         public void ChangeManagementKey(PivTouchPolicy touchPolicy, PivAlgorithm newKeyAlgorithm)
         {
-            _log.LogInformation(
-                "Change the management key, touch policy = {TouchPolicy}, algorithm = {PivAlgorithm}.",
+            Logger.LogInformation("Change the management key, touch policy = {TouchPolicy}, algorithm = {PivAlgorithm}.",
                 touchPolicy.ToString(), newKeyAlgorithm.ToString());
 
             if (TryChangeManagementKey(touchPolicy, newKeyAlgorithm) == false)
@@ -922,7 +920,7 @@ private bool TryForcedChangeManagementKey(ReadOnlyMemory<byte> currentKey,
                     return true;
                 }
 
-                _log.LogInformation($"Failed to set management key. Message: {response.StatusMessage}");
+                Logger.LogInformation($"Failed to set management key. Message: {response.StatusMessage}");
             }
 
             return false;
@@ -1009,7 +1007,7 @@ private bool TryAuthenticateManagementKey(bool mutualAuthentication,
                 ManagementKeyAuthenticated = true;
             }
 
-            _log.LogInformation($"Failed to authenticate management key. Message: {completeResponse.StatusMessage}");
+            Logger.LogInformation($"Failed to authenticate management key. Message: {completeResponse.StatusMessage}");
 
             return ManagementKeyAuthenticated;
         }
@@ -1018,7 +1016,7 @@ private bool TryAuthenticateManagementKey(bool mutualAuthentication,
 
         private PivAlgorithm GetManagementKeyAlgorithm()
         {
-            if (!_yubiKeyDevice.HasFeature(YubiKeyFeature.PivMetadata))
+            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
             {
                 // Assume default for version
                 return DefaultManagementKeyAlgorithm;
@@ -1077,9 +1075,9 @@ bool IsValid(PivAlgorithm pa) =>
                 pa switch
                 {
                     PivAlgorithm.TripleDes => true, // Default for keys below fw version 5.7
-                    PivAlgorithm.Aes128 => _yubiKeyDevice.HasFeature(YubiKeyFeature.PivAesManagementKey),
-                    PivAlgorithm.Aes192 => _yubiKeyDevice.HasFeature(YubiKeyFeature.PivAesManagementKey),
-                    PivAlgorithm.Aes256 => _yubiKeyDevice.HasFeature(YubiKeyFeature.PivAesManagementKey),
+                    PivAlgorithm.Aes128 => YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey),
+                    PivAlgorithm.Aes192 => YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey),
+                    PivAlgorithm.Aes256 => YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey),
                     _ => false
                 };
         }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Msroots.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Msroots.cs
index 472ca4c47..7bd60af95 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Msroots.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Msroots.cs
@@ -325,7 +325,7 @@ private Span<byte> GetSpanFromStream(Stream contents, out int maxLength)
         private int CheckWriteLength(string contentsName, long length)
         {
             int maxLength = OldMaximumObjectLength;
-            if (_yubiKeyDevice.FirmwareVersion.Major >= 4)
+            if (YubiKey.FirmwareVersion.Major >= 4)
             {
                 maxLength = NewMaximumObjectLength;
             }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Objects.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Objects.cs
index f0645e045..7471e2259 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Objects.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Objects.cs
@@ -69,7 +69,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public T ReadObject<T>() where T : PivDataObject, new()
         {
-            _log.LogInformation("Read PivObject " + typeof(T) + ".");
+            Logger.LogInformation("Read PivObject " + typeof(T) + ".");
             var returnValue = new T();
 
             if (TryReadObject(returnValue))
@@ -152,7 +152,7 @@ public sealed partial class PivSession : IDisposable
         /// </returns>
         public bool TryReadObject<T>(out T pivDataObject) where T : PivDataObject, new()
         {
-            _log.LogInformation("Try to read PivObject " + typeof(T) + ".");
+            Logger.LogInformation("Try to read PivObject " + typeof(T) + ".");
             pivDataObject = new T();
 
             return TryReadObject(pivDataObject);
@@ -207,7 +207,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public T ReadObject<T>(int dataTag) where T : PivDataObject, new()
         {
-            _log.LogInformation("Read PivObject " + typeof(T) + " using dataTag 0x{0:X8}.", dataTag);
+            Logger.LogInformation("Read PivObject " + typeof(T) + " using dataTag 0x{0:X8}.", dataTag);
             var returnValue = new T
             {
                 DataTag = dataTag
@@ -299,7 +299,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public bool TryReadObject<T>(int dataTag, out T pivDataObject) where T : PivDataObject, new()
         {
-            _log.LogInformation("Try to read PivObject " + typeof(T) + ".");
+            Logger.LogInformation("Try to read PivObject " + typeof(T) + ".");
             pivDataObject = new T
             {
                 DataTag = dataTag
@@ -384,7 +384,7 @@ public void WriteObject(PivDataObject pivDataObject)
             {
                 throw new ArgumentNullException(nameof(pivDataObject));
             }
-            _log.LogInformation("Write PivObject " + pivDataObject.GetType() + " to data tag 0x{0:X8}.");
+            Logger.LogInformation("Write PivObject " + pivDataObject.GetType() + " to data tag 0x{0:X8}.");
 
             byte[] dataToStore = Array.Empty<byte>();
 
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pin.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pin.cs
index ddc647f95..4a18037a3 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pin.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pin.cs
@@ -119,7 +119,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public bool TryVerifyPin()
         {
-            _log.LogInformation("Try to verify the PIV PIN with KeyCollector.");
+            Logger.LogInformation("Try to verify the PIV PIN with KeyCollector.");
 
             if (KeyCollector is null)
             {
@@ -184,7 +184,7 @@ public bool TryVerifyPin()
         /// </exception>
         public void VerifyPin()
         {
-            _log.LogInformation("Verify the PIV PIN.");
+            Logger.LogInformation("Verify the PIV PIN.");
 
             if (TryVerifyPin() == false)
             {
@@ -279,7 +279,7 @@ public void VerifyPin()
         /// </exception>
         public bool TryVerifyPin(ReadOnlyMemory<byte> pin, out int? retriesRemaining)
         {
-            _log.LogInformation("Try to verify the PIV PIN with supplied PIN.");
+            Logger.LogInformation("Try to verify the PIV PIN with supplied PIN.");
             
             retriesRemaining = null;
             PinVerified = false;
@@ -404,7 +404,7 @@ public bool TryVerifyPin(ReadOnlyMemory<byte> pin, out int? retriesRemaining)
         /// </exception>
         public void ChangePinAndPukRetryCounts(byte newRetryCountPin, byte newRetryCountPuk)
         {
-            _log.LogInformation("Change the PIV PIN and PUK retry counts: {PinCount}, {PukCount}.", newRetryCountPin,
+            Logger.LogInformation("Change the PIV PIN and PUK retry counts: {PinCount}, {PukCount}.", newRetryCountPin,
                 newRetryCountPuk);
 
             // This will validate the input.
@@ -525,7 +525,7 @@ public bool TryChangePinAndPukRetryCounts(ReadOnlyMemory<byte> managementKey,
                                                   byte newRetryCountPuk,
                                                   out int? retriesRemaining)
         {
-            _log.LogInformation(
+            Logger.LogInformation(
                 "Try to change the PIV PIN and PUK retry counts: {PinCount}, {PukCount} with supplied mgmt key and PIN.",
                 newRetryCountPin, newRetryCountPuk);
 
@@ -665,7 +665,7 @@ public bool TryChangePinAndPukRetryCounts(ReadOnlyMemory<byte> managementKey,
         /// </exception>
         public bool TryChangePin()
         {
-            _log.LogInformation("Try to change the PIV PIN with KeyCollector.");
+            Logger.LogInformation("Try to change the PIV PIN with KeyCollector.");
 
             if (TryGetChangePinMode(ReadOnlyMemory<byte>.Empty, out var mode, out _))
             {
@@ -699,7 +699,7 @@ public bool TryChangePin()
         /// </exception>
         public void ChangePin()
         {
-            _log.LogInformation("Change the PIV PIN.");
+            Logger.LogInformation("Change the PIV PIN.");
 
             if (!TryChangePin())
             {
@@ -779,7 +779,7 @@ public void ChangePin()
         public bool TryChangePin(ReadOnlyMemory<byte> currentPin, ReadOnlyMemory<byte> newPin,
                                  out int? retriesRemaining)
         {
-            _log.LogInformation("Try to change the PIV PIN with supplied PINs.");
+            Logger.LogInformation("Try to change the PIV PIN with supplied PINs.");
 
             if (TryGetChangePinMode(currentPin, out var mode, out retriesRemaining))
             {
@@ -905,7 +905,7 @@ public bool TryChangePin(ReadOnlyMemory<byte> currentPin, ReadOnlyMemory<byte> n
         /// </exception>
         public bool TryChangePuk()
         {
-            _log.LogInformation("Try to change the PIV PUK with KeyCollector.");
+            Logger.LogInformation("Try to change the PIV PUK with KeyCollector.");
 
             return TryChangeReference(KeyEntryRequest.ChangePivPuk, ChangePinOrPuk, PivPinOnlyMode.None);
         }
@@ -934,7 +934,7 @@ public bool TryChangePuk()
         /// </exception>
         public void ChangePuk()
         {
-            _log.LogInformation("Change the PIV PUK.");
+            Logger.LogInformation("Change the PIV PUK.");
 
             if (TryChangeReference(KeyEntryRequest.ChangePivPuk, ChangePinOrPuk, PivPinOnlyMode.None) == false)
             {
@@ -990,7 +990,7 @@ public void ChangePuk()
         public bool TryChangePuk(ReadOnlyMemory<byte> currentPuk, ReadOnlyMemory<byte> newPuk,
                                  out int? retriesRemaining)
         {
-            _log.LogInformation("Try to change the PIV PUK with supplied PUKs.");
+            Logger.LogInformation("Try to change the PIV PUK with supplied PUKs.");
             
             var command = new ChangeReferenceDataCommand(PivSlot.Puk, currentPuk, newPuk);
             var response = Connection.SendCommand(command);
@@ -1116,7 +1116,7 @@ public bool TryChangePuk(ReadOnlyMemory<byte> currentPuk, ReadOnlyMemory<byte> n
         /// </exception>
         public bool TryResetPin()
         {
-            _log.LogInformation("Try to reset the PIV PIN using the PIV PUK with KeyCollector.");
+            Logger.LogInformation("Try to reset the PIV PIN using the PIV PUK with KeyCollector.");
 
             if (TryGetChangePinMode(ReadOnlyMemory<byte>.Empty, out var pinOnlyMode, out _))
             {
@@ -1155,7 +1155,7 @@ public bool TryResetPin()
         /// </exception>
         public void ResetPin()
         {
-            _log.LogInformation("Reset the PIV PIN using the PIV PUK.");
+            Logger.LogInformation("Reset the PIV PIN using the PIV PUK.");
 
             if (TryChangeReference(KeyEntryRequest.ResetPivPinWithPuk, ResetPin, PivPinOnlyMode.None) == false)
             {
@@ -1225,7 +1225,7 @@ public void ResetPin()
         /// </exception>
         public bool TryResetPin(ReadOnlyMemory<byte> puk, ReadOnlyMemory<byte> newPin, out int? retriesRemaining)
         {
-            _log.LogInformation("Try to reset the PIV PIN using the PIV PUK with supplied PUK and PIN.");
+            Logger.LogInformation("Try to reset the PIV PIN using the PIV PUK with supplied PUK and PIN.");
             
             var command = new ResetRetryCommand(puk, newPin);
             var response = Connection.SendCommand(command);
@@ -1383,7 +1383,7 @@ private void UpdateAdminData()
         {
             if (!ManagementKeyAuthenticated)
             {
-                _log.LogDebug("Unauthenticated attempt to update AdminData failed.");
+                Logger.LogDebug("Unauthenticated attempt to update AdminData failed.");
                 return;
             }
 
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs
index 1bbc20e9b..de76782f4 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs
@@ -86,7 +86,7 @@ public sealed partial class PivSession : IDisposable
         /// </exception>
         public PivPinOnlyMode GetPinOnlyMode()
         {
-            _log.LogInformation("Get the PIV PIN-only mode of a YubiKey based on AdminData.");
+            Logger.LogInformation("Get the PIV PIN-only mode of a YubiKey based on AdminData.");
 
             var pinOnlyMode = PivPinOnlyMode.PinProtectedUnavailable | PivPinOnlyMode.PinDerivedUnavailable;
 
@@ -189,7 +189,7 @@ public PivPinOnlyMode GetPinOnlyMode()
         /// </returns>
         public PivPinOnlyMode TryRecoverPinOnlyMode()
         {
-            _log.LogInformation("Try to authenticate using PIN-only.");
+            Logger.LogInformation("Try to authenticate using PIN-only.");
 
             var pinOnlyMode = TryAuthenticatePinOnly(false);
 
@@ -746,7 +746,7 @@ private PivPinOnlyMode GetPinDerivedStatus(
         /// </exception>
         public void SetPinOnlyMode(PivPinOnlyMode pinOnlyMode, PivAlgorithm mgmtKeyAlgorithm)
         {
-            _log.LogInformation(
+            Logger.LogInformation(
                 "Set a YubiKey to PIV PIN-only mode: {PivPinOnlyMode}, mgmt key alg = {PivAlgorithm}.",
                 pinOnlyMode.ToString(), mgmtKeyAlgorithm.ToString());
 
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.cs
index dc62ba6fe..4b870e81c 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.cs
@@ -19,9 +19,8 @@
 using Yubico.Core.Iso7816;
 using Yubico.Core.Logging;
 using Yubico.YubiKey.Cryptography;
-using Yubico.YubiKey.InterIndustry.Commands;
 using Yubico.YubiKey.Piv.Commands;
-using Yubico.YubiKey.Scp03;
+using Yubico.YubiKey.Scp;
 
 namespace Yubico.YubiKey.Piv
 {
@@ -150,43 +149,13 @@ namespace Yubico.YubiKey.Piv
     ///         to learn how to do so.
     ///     </para>
     /// </remarks>
-    public sealed partial class PivSession : IDisposable
+    public sealed partial class PivSession : ApplicationSession
     {
-        private readonly ILogger _log = Log.GetLogger<PivSession>();
-        private readonly IYubiKeyDevice _yubiKeyDevice;
         private bool _disposed;
 
-        // The default constructor explicitly defined. We don't want it to be
-        // used.
-        private PivSession()
-        {
-            throw new NotImplementedException();
-        }
-
-        /// <summary>
-        ///     Create an instance of <c>PivSession</c>, the object that represents
-        ///     the PIV application on the YubiKey.
-        /// </summary>
-        /// <remarks>
-        ///     Because this class implements <c>IDisposable</c>, use the <c>using</c>
-        ///     keyword. For example,
-        ///     <code language="csharp">
-        ///         IYubiKeyDevice yubiKeyToUse = SelectYubiKey();
-        ///         using (var piv = new PivSession(yubiKeyToUse))
-        ///         {
-        ///             /* Perform PIV operations. */
-        ///         }
-        ///     </code>
-        /// </remarks>
-        /// <param name="yubiKey">
-        ///     The object that represents the actual YubiKey which will perform the
-        ///     operations.
-        /// </param>
-        /// <exception cref="ArgumentNullException">
-        ///     The <c>yubiKey</c> argument is null.
-        /// </exception>
-        public PivSession(IYubiKeyDevice yubiKey)
-            : this(scp03Keys: null, yubiKey)
+        [Obsolete("Use new Scp")]
+        public PivSession(IYubiKeyDevice yubiKey, Yubico.YubiKey.Scp03.StaticKeys scp03Keys)
+            : this(yubiKey, scp03Keys.ConvertToScp03KeyParameters())
         {
         }
 
@@ -218,8 +187,8 @@ public PivSession(IYubiKeyDevice yubiKey)
         ///     The object that represents the actual YubiKey which will perform the
         ///     operations.
         /// </param>
-        /// <param name="scp03Keys">
-        ///     The SCP03 key set to use in establishing the connection.
+        /// <param name="keyParameters">
+        ///     The SCP key parameters, if any, to use in establishing the SCP connection.
         /// </param>
         /// <exception cref="ArgumentNullException">
         ///     The <c>yubiKey</c> argument is null.
@@ -227,40 +196,13 @@ public PivSession(IYubiKeyDevice yubiKey)
         /// <exception cref="InvalidOperationException">
         ///     This exception is thrown when unable to determine the management key type.
         /// </exception>
-        public PivSession(IYubiKeyDevice yubiKey, StaticKeys scp03Keys)
-            : this(scp03Keys, yubiKey)
-        {
-        }
-
-        private PivSession(StaticKeys? scp03Keys, IYubiKeyDevice yubiKey)
+        public PivSession(IYubiKeyDevice yubiKey, ScpKeyParameters? keyParameters = null)
+            : base(Log.GetLogger<PivSession>(), yubiKey, YubiKeyApplication.Piv, keyParameters)
         {
-            _log.LogInformation(
-                "Create a new instance of PivSession" + (scp03Keys is null
-                    ? "."
-                    : " over SCP03"));
-
-            if (yubiKey is null)
-            {
-                throw new ArgumentNullException(nameof(yubiKey));
-            }
-
-            _yubiKeyDevice = yubiKey;
-
-            Connection = scp03Keys is null
-                ? _yubiKeyDevice.Connect(YubiKeyApplication.Piv)
-                : _yubiKeyDevice.ConnectScp03(YubiKeyApplication.Piv, scp03Keys);
-
             ResetAuthenticationStatus();
             RefreshManagementKeyAlgorithm();
         }
 
-        /// <summary>
-        ///     The object that represents the connection to the YubiKey. Most
-        ///     applications will ignore this, but it can be used to call Commands
-        ///     directly.
-        /// </summary>
-        public IYubiKeyConnection Connection { get; }
-
         /// <summary>
         ///     The Delegate this class will call when it needs a PIN, PUK, or
         ///     management key.
@@ -290,59 +232,26 @@ private PivSession(StaticKeys? scp03Keys, IYubiKeyDevice yubiKey)
         ///     session is to "un-authenticate" the management key and "un-verify"
         ///     the PIN.
         /// </summary>
-
         // Note that .NET recommends a Dispose method call Dispose(true) and
         // GC.SuppressFinalize(this). The actual disposal is in the
         // Dispose(bool) method.
-        //
         // However, that does not apply to sealed classes.
         // So the Dispose method will simply perform the
         // "closing" process, no call to Dispose(bool) or GC.
-        public void Dispose()
+        public override void Dispose()
         {
             if (_disposed)
             {
                 return;
             }
 
-            // At the moment, there is no "close session" method. So for now,
-            // just connect to the management application.
-            // This can fail, possibly resulting in a SCardException (or other), so we wrap it in a try catch-block to complete the disposal of the PivSession
-            try
-            {
-                _ = Connection.SendCommand(new SelectApplicationCommand(YubiKeyApplication.Management));
-            }
-            #pragma warning disable CA1031
-            catch (Exception e)
-                #pragma warning restore CA1031
-            {
-                string message = string.Format(
-                    CultureInfo.CurrentCulture,
-                    ExceptionMessages.PivSessionDisposeUnknownError, e.GetType(), e.Message);
-
-                // Example:
-                // Exception caught when disposing PivSession: Yubico.PlatformInterop.SCardException,
-                // Unable to begin a transaction with the given smart card. SCARD_E_SERVICE_STOPPED: The smart card resource manager has shut down.
-
-                _log.LogWarning(message);
-            }
-
             KeyCollector = null;
             ResetAuthenticationStatus();
-            Connection.Dispose();
 
+            base.Dispose();
             _disposed = true;
         }
 
-        // Reset any fields and properties related to authentication or
-        // verification to the initial state: not authenticated, verified, etc.
-        private void ResetAuthenticationStatus()
-        {
-            ManagementKeyAuthenticated = false;
-            ManagementKeyAuthenticationResult = AuthenticateManagementKeyResult.Unauthenticated;
-            PinVerified = false;
-        }
-
         /// <summary>
         ///     Get information about the specified slot.
         /// </summary>
@@ -387,9 +296,9 @@ private void ResetAuthenticationStatus()
         /// </exception>
         public PivMetadata GetMetadata(byte slotNumber)
         {
-            _log.LogInformation("GetMetadata for slot number {SlotNumber:X2}.", slotNumber);
+            Logger.LogInformation("GetMetadata for slot number {SlotNumber:X2}.", slotNumber);
 
-            if (!_yubiKeyDevice.HasFeature(YubiKeyFeature.PivMetadata))
+            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
             {
                 throw new NotSupportedException(
                     string.Format(
@@ -441,7 +350,7 @@ public PivMetadata GetMetadata(byte slotNumber)
         /// </exception>
         public PivBioMetadata GetBioMetadata()
         {
-            _log.LogInformation("GetBioMetadata");
+            Logger.LogInformation("GetBioMetadata");
             return Connection.SendCommand(new GetBioMetadataCommand()).GetData();
         }
 
@@ -488,7 +397,7 @@ public PivBioMetadata GetBioMetadata()
         /// </exception>
         public void ResetApplication()
         {
-            _log.LogInformation("Resetting the PIV application.");
+            Logger.LogInformation("Resetting the PIV application.");
 
             // To reset, both the PIN and PUK must be blocked.
             TryBlock(PivSlot.Pin);
@@ -540,14 +449,14 @@ public void ResetApplication()
         /// <exception cref="NotSupportedException">Thrown when the Yubikey doesn't support the Move-operation.</exception>
         public void MoveKey(byte sourceSlot, byte destinationSlot)
         {
-            _yubiKeyDevice.ThrowOnMissingFeature(YubiKeyFeature.PivMoveOrDeleteKey);
+            YubiKey.ThrowOnMissingFeature(YubiKeyFeature.PivMoveOrDeleteKey);
 
             if (!ManagementKeyAuthenticated)
             {
                 AuthenticateManagementKey();
             }
 
-            _log.LogDebug("Moving key from {SourceSlot} to {DestinationSlot}", sourceSlot, destinationSlot);
+            Logger.LogDebug("Moving key from {SourceSlot} to {DestinationSlot}", sourceSlot, destinationSlot);
 
             var command = new MoveKeyCommand(sourceSlot, destinationSlot);
             var response = Connection.SendCommand(command);
@@ -556,7 +465,7 @@ public void MoveKey(byte sourceSlot, byte destinationSlot)
                 throw new InvalidOperationException(response.StatusMessage);
             }
 
-            _log.LogInformation(
+            Logger.LogInformation(
                 "Successfully moved key from {SourceSlot} to {DestinationSlot}", sourceSlot, destinationSlot);
         }
 
@@ -588,14 +497,14 @@ public void MoveKey(byte sourceSlot, byte destinationSlot)
         /// <seealso cref="AuthenticateManagementKey" />
         public void DeleteKey(byte slotToClear)
         {
-            _yubiKeyDevice.ThrowOnMissingFeature(YubiKeyFeature.PivMoveOrDeleteKey);
+            YubiKey.ThrowOnMissingFeature(YubiKeyFeature.PivMoveOrDeleteKey);
 
             if (!ManagementKeyAuthenticated)
             {
                 AuthenticateManagementKey();
             }
 
-            _log.LogDebug("Deleting key at slot {TargetSlot}", slotToClear);
+            Logger.LogDebug("Deleting key at slot {TargetSlot}", slotToClear);
 
             var command = new DeleteKeyCommand(slotToClear);
             var response = Connection.SendCommand(command);
@@ -613,7 +522,7 @@ public void DeleteKey(byte slotToClear)
                 ? "Successfully deleted key at slot {targetSlot}."
                 : "No data received from Yubikey after attempted delete on slot {targetSlot}, indicating that was likely empty to begin with.";
 
-            _log.LogInformation(logMessage, slotToClear);
+            Logger.LogInformation(logMessage, slotToClear);
         }
 
         // Block the PIN or PUK
@@ -629,7 +538,7 @@ public void DeleteKey(byte slotToClear)
         // PivSlot.Puk, block the PUK.
         private bool BlockPinOrPuk(byte slotNumber)
         {
-            _log.LogInformation($"Block the {(slotNumber == 0x80 ? "PIN" : "PUK")}.");
+            Logger.LogInformation($"Block the {(slotNumber == 0x80 ? "PIN" : "PUK")}.");
             int retriesRemaining;
 
             do
@@ -657,6 +566,15 @@ private bool BlockPinOrPuk(byte slotNumber)
 
             return true;
         }
+        
+        // Reset any fields and properties related to authentication or
+        // verification to the initial state: not authenticated, verified, etc.
+        private void ResetAuthenticationStatus()
+        {
+            ManagementKeyAuthenticated = false;
+            ManagementKeyAuthenticationResult = AuthenticateManagementKeyResult.Unauthenticated;
+            PinVerified = false;
+        }
 
         private void TryBlock(byte slot)
         {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/DeleteKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/DeleteKeyCommand.cs
new file mode 100644
index 000000000..f804d485f
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/DeleteKeyCommand.cs
@@ -0,0 +1,96 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Use this command to delete one of the SCP03 key sets on the YubiKey.
+    /// </summary>
+    /// <remarks>
+    /// See the <xref href="UsersManualScp03">User's Manual entry</xref> on SCP03.
+    /// <para>
+    /// This will execute the Delete Command. That is, there is a general purpose
+    /// command that can delete various elements, including keys. However, this
+    /// class can build the general purpose delete command in a way that it will
+    /// only be able to delete keys.
+    /// </para>
+    /// <para>
+    /// Note that if all three key sets are deleted, then the first key set (the
+    /// key set with a KeyVersionNumber of 1) will be the default key set.
+    /// </para>
+    /// </remarks>
+    internal class DeleteKeyCommand : IYubiKeyCommand<ScpResponse>
+    {
+        private const byte GpDeleteKeyCla = 0x84;
+        private const byte GpDeleteKeyIns = 0xE4;
+        private const byte GpDeleteKeyP1 = 0;
+        private const byte GpDeleteKeyP2 = 0;
+        private const byte GpDeleteLastKeyP2 = 1;
+        private const byte KvnTag = 0xD2;
+        private const byte KvnLength = 1;
+
+        private readonly byte[] _data;
+        private readonly byte _p2Value;
+
+        public YubiKeyApplication Application => YubiKeyApplication.InterIndustry;
+
+        // The default constructor explicitly defined. We don't want it to be
+        // used.
+        private DeleteKeyCommand()
+        {
+            throw new NotImplementedException();
+        }
+
+        /// <summary>
+        /// Create a new instance of the command. When this command is executed,
+        /// the key set represented by the given <c>keyVersionNumber</c> will be
+        /// deleted. If there is no such key set, this command will do nothing
+        /// and the return <c>Status</c> will be <c>ResponseStatus.NoData</c>.
+        /// </summary>
+        /// <remarks>
+        /// The key set used to make the connection cannot be the key set to be
+        /// deleted, unless both of the other key sets have been deleted, and you
+        /// pass <c>true</c> for <c>isLastKey</c>. In this case, the key will be
+        /// deleted but the SCP03 application on the YubiKey will be reset with
+        /// the default key.
+        /// </remarks>
+        public DeleteKeyCommand(int keyVersionNumber, bool isLastKey)
+        {
+            _data = new byte[3] { KvnTag, KvnLength, (byte)keyVersionNumber };
+            _p2Value = isLastKey ? GpDeleteLastKeyP2 : GpDeleteKeyP2;
+        }
+
+        internal DeleteKeyCommand(ReadOnlyMemory<byte> data, bool isLastKey)
+        {
+            _data = data.ToArray();
+            _p2Value = isLastKey ? GpDeleteLastKeyP2 : GpDeleteKeyP2;
+        }
+
+        public CommandApdu CreateCommandApdu() => new CommandApdu()
+        {
+            Cla = GpDeleteKeyCla,
+            Ins = GpDeleteKeyIns,
+            P1 = GpDeleteKeyP1,
+            P2 = _p2Value,
+            Data = _data
+        };
+
+
+        public ScpResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new ScpResponse(responseApdu);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateCommand.cs
new file mode 100644
index 000000000..0cb89629c
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateCommand.cs
@@ -0,0 +1,71 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Represents the second command in the SCP03 and SCP11a/c authentication handshakes, 'EXTERNAL_AUTHENTICATE'
+    /// </summary>
+    internal class ExternalAuthenticateCommand : IYubiKeyCommand<ExternalAuthenticateResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.InterIndustry;
+        internal const byte GpExternalAuthenticateIns = 0x82;
+
+        private const byte GpExternalAuthenticateCla = 0x80;
+        private const byte GpHighestSecurityLevel = 0x33;
+        private readonly ReadOnlyMemory<byte> _data;
+        private readonly byte _keyVersionNumber;
+        private readonly byte _keyId;
+
+        /// <summary>
+        /// Constructs an EXTERNAL_AUTHENTICATE command, containing the provided data.
+        /// </summary>
+        /// <remarks>
+        /// Clients should not generally build this manually. See <see cref="Pipelines.ScpApduTransform"/> for more.
+        /// </remarks>
+        /// <param name="data">Data for the command. E.g. a host cryptogram when authenticating with SCP03</param>
+        public ExternalAuthenticateCommand(ReadOnlyMemory<byte> data)
+        {
+            _data = data;
+        }
+
+        /// <summary>
+        /// Constructs an EXTERNAL_AUTHENTICATE command, containing the provided data. This is used to create an SCP11a/c command.
+        /// </summary>
+        /// <param name="keyVersionNumber"></param>
+        /// <param name="keyId"></param>
+        /// <param name="data"></param>
+        public ExternalAuthenticateCommand(byte keyVersionNumber, byte keyId, ReadOnlyMemory<byte> data)
+        {
+            _keyVersionNumber = keyVersionNumber;
+            _keyId = keyId;
+            _data = data;
+        }
+
+        public CommandApdu CreateCommandApdu() => new CommandApdu
+        {
+            Cla = GpExternalAuthenticateCla,
+            Ins = GpExternalAuthenticateIns,
+            P1 = _keyVersionNumber > 0 ? _keyVersionNumber : GpHighestSecurityLevel,
+            P2 = _keyId > 0 ? _keyId : default,
+            Data = _data
+        };
+
+        public ExternalAuthenticateResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new ExternalAuthenticateResponse(responseApdu);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateResponse.cs
new file mode 100644
index 000000000..87c9e1678
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ExternalAuthenticateResponse.cs
@@ -0,0 +1,50 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Globalization;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    internal class ExternalAuthenticateResponse : ScpResponse
+    {
+        /// <summary>
+        /// Constructs an ExternalAuthenticateResponse based on a ResponseApdu received from the YubiKey.
+        /// </summary>
+        /// <param name="responseApdu">The ResponseApdu that corresponds to the issuance of
+        /// this command.</param>
+        public ExternalAuthenticateResponse(ResponseApdu responseApdu) :
+            base(responseApdu)
+        {
+            if (responseApdu is null)
+            {
+                throw new ArgumentNullException(nameof(responseApdu));
+            }
+
+            if (responseApdu.SW == SWConstants.Success)
+            {
+                return;
+            }
+
+            string message = string.Format(
+                CultureInfo.CurrentCulture,
+                $"{ExceptionMessages.IncorrectExternalAuthenticateData}" + " " +
+                $"SW: 0x{responseApdu.SW.ToString("X4", CultureInfo.InvariantCulture)}");
+
+            // Example output: IncorrectExternalAuthenticateData SW: 0x6300
+            throw new ArgumentException(message, nameof(responseApdu));
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GenerateEcKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GenerateEcKeyCommand.cs
new file mode 100644
index 000000000..2236d2997
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GenerateEcKeyCommand.cs
@@ -0,0 +1,58 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    internal class GenerateEcKeyCommand : IYubiKeyCommand<GenerateEcKeyResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        internal const byte GpGenerateKeyIns = 0xF1;
+
+        private readonly ReadOnlyMemory<byte> _data;
+        private readonly byte _keyVersionNumber;
+        private readonly byte _keyId;
+
+        public GenerateEcKeyCommand(byte keyVersionNumber, byte keyId, ReadOnlyMemory<byte> data)
+        {
+            _data = data;
+            _keyVersionNumber = keyVersionNumber;
+            _keyId = keyId;
+        }
+
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = 0x80,
+                Ins = GpGenerateKeyIns,
+                P1 = _keyVersionNumber,
+                P2 = _keyId,
+                Data = _data
+            };
+
+        public GenerateEcKeyResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new GenerateEcKeyResponse(responseApdu);
+    }
+
+    internal class GenerateEcKeyResponse : ScpResponse, IYubiKeyResponseWithData<ReadOnlyMemory<byte>>
+    {
+        public GenerateEcKeyResponse(ResponseApdu responseApdu) : base(responseApdu)
+        {
+        }
+
+        public ReadOnlyMemory<byte> GetData() => ResponseApdu.Data;
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GetDataCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GetDataCommand.cs
new file mode 100644
index 000000000..858d9ae5b
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/GetDataCommand.cs
@@ -0,0 +1,94 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// This class is used to get data from the YubiKey associated with the given tag.
+    /// <para>For getting data in the Security Domain, it is recommended to use the methods provided by <see cref="SecurityDomainSession"/> instead, such as
+    /// <see cref="SecurityDomainSession.GetData"/>, <see cref="SecurityDomainSession.GetCertificates"/>, <see cref="SecurityDomainSession.GetSupportedCaIdentifiers"/>, and <see cref="SecurityDomainSession.GetKeyInformation"/>.
+    /// </para>
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
+    /// </para>
+    /// </remarks>
+    /// <returns>The encoded tlv data retrieved from the YubiKey.</returns>
+    /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+    internal class GetDataCommand : IYubiKeyCommand<GetDataCommandResponse>
+    {
+        internal const byte GetDataIns = 0xCA;
+        private readonly int _tag;
+        private readonly ReadOnlyMemory<byte> _data;
+
+        public YubiKeyApplication Application => YubiKeyApplication.InterIndustry;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="GetDataCommand"/> class.
+        /// </summary>
+        /// <param name="tag">The tag of the data to retrieve from the YubiKey.</param>
+        /// <param name="data">
+        /// Optional data to be used in the GetData command. This might be used for
+        /// certain YubiKey applications, such as the OpenPGP application.
+        /// </param>
+        /// <remarks>
+        /// <para>For getting data in the Security Domain,
+        /// it is recommended to use the methods provided by <see cref="SecurityDomainSession"/> instead, such as
+        /// <see cref="SecurityDomainSession.GetData"/>, <see cref="SecurityDomainSession.GetCertificates"/>, <see cref="SecurityDomainSession.GetSupportedCaIdentifiers"/>, and <see cref="SecurityDomainSession.GetKeyInformation"/>.
+        /// </para>
+        /// <para>
+        /// See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
+        /// </para>
+        /// </remarks>
+        public GetDataCommand(int tag, ReadOnlyMemory<byte>? data = null)
+        {
+            _tag = tag;
+            _data = data ?? ReadOnlyMemory<byte>.Empty;
+        }
+
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = 0,
+                Ins = GetDataIns,
+                P1 = (byte)(_tag >> 8),
+                P2 = (byte)(_tag & 0xFF),
+                Data = _data
+            };
+
+        public GetDataCommandResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new GetDataCommandResponse(responseApdu);
+    }
+
+    internal class GetDataCommandResponse : ScpResponse, IYubiKeyResponseWithData<ReadOnlyMemory<byte>>
+    {
+        /// <summary>
+        /// The response to the GetData command.
+        /// </summary>
+        /// <param name="responseApdu">The response APDU from the YubiKey.</param>
+        public GetDataCommandResponse(ResponseApdu responseApdu) : base(responseApdu)
+        {
+        }
+
+        /// <summary>
+        /// Gets the data retrieved from the YubiKey.
+        /// </summary>
+        /// <returns>The data retrieved from the YubiKey.</returns>
+        public ReadOnlyMemory<byte> GetData() => ResponseApdu.Data;
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateCommand.cs
new file mode 100644
index 000000000..9b81315d2
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateCommand.cs
@@ -0,0 +1,60 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Represents the first command in the SCP03 authentication handshake, 'INITIALIZE_UPDATE'
+    /// </summary>
+    internal class InitializeUpdateCommand : IYubiKeyCommand<InitializeUpdateResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        internal const byte GpInitializeUpdateIns = 0x50;
+        private const byte GpInitializeUpdateCla = 0x84;
+        private readonly ReadOnlyMemory<byte> _hostChallenge;
+        private readonly int _keyVersionNumber;
+
+        /// <summary>
+        /// Constructs an INITIALIZE_UPDATE command, containing the provided data.
+        /// </summary>
+        /// <remarks>
+        /// Clients should not generally build this manually. See <see cref="YubiKey.Pipelines.Scp03ApduTransform"/> for more.
+        /// </remarks>
+        /// <param name="keyVersionNumber">Which key set to use.</param>
+        /// <param name="hostChallenge">An 8-byte randomly-generated challenge from the host to the device.</param>
+        public InitializeUpdateCommand(int keyVersionNumber, ReadOnlyMemory<byte> hostChallenge)
+        {
+            if (hostChallenge.Length != 8)
+            {
+                throw new ArgumentException("Invalid size, must be 8 bytes", nameof(_hostChallenge));
+            }
+
+            _hostChallenge = hostChallenge;
+            _keyVersionNumber = keyVersionNumber;
+        }
+
+        public CommandApdu CreateCommandApdu() => new CommandApdu()
+        {
+            Cla = GpInitializeUpdateCla,
+            Ins = GpInitializeUpdateIns,
+            P1 = (byte)_keyVersionNumber,
+            Data = _hostChallenge
+        };
+        
+        public InitializeUpdateResponse CreateResponseForApdu(ResponseApdu responseApdu) => new InitializeUpdateResponse(responseApdu);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateResponse.cs
new file mode 100644
index 000000000..c4559eb54
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InitializeUpdateResponse.cs
@@ -0,0 +1,60 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Collections.ObjectModel;
+using System.Globalization;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    internal class InitializeUpdateResponse : ScpResponse
+    {
+        public IReadOnlyCollection<byte> DiversificationData { get; protected set; }
+        public IReadOnlyCollection<byte> KeyInfo { get; protected set; }
+        public IReadOnlyCollection<byte> CardChallenge { get; protected set; }
+        public IReadOnlyCollection<byte> CardCryptogram { get; protected set; }
+
+        /// <summary>
+        /// Constructs an InitializeUpdateResponse based on a ResponseApdu received from the YubiKey after an SCP handshake ('INITIALIZE_UPDATE'). 
+        /// </summary>
+        /// <param name="responseApdu">The ResponseApdu that corresponds to the issuance of
+        /// this command.</param>
+        public InitializeUpdateResponse(ResponseApdu responseApdu) :
+            base(responseApdu)
+        {
+            if (responseApdu is null)
+            {
+                throw new ArgumentNullException(nameof(responseApdu));
+            }
+
+            if (responseApdu.Data.Length != 29)
+            {
+                // This can indicate that the authentication was not successful due to incorrect authentication data, such as keys the keys being used
+                string message = string.Format(
+                    CultureInfo.CurrentCulture,
+                    $"{ExceptionMessages.IncorrectInitializeUpdateResponseData}" + " " +
+                    $"SW: 0x{responseApdu.SW.ToString("X4", CultureInfo.InvariantCulture)}");
+                throw new ArgumentException(message, nameof(responseApdu));
+            }
+
+            var responseData = responseApdu.Data.Span;
+            DiversificationData = new ReadOnlyCollection<byte>(responseData[0..10].ToArray());
+            KeyInfo = new ReadOnlyCollection<byte>(responseData[10..13].ToArray());
+            CardChallenge = new ReadOnlyCollection<byte>(responseData[13..21].ToArray());
+            CardCryptogram = new ReadOnlyCollection<byte>(responseData[21..29].ToArray());
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InternalAuthenticateCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InternalAuthenticateCommand.cs
new file mode 100644
index 000000000..18b323da2
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/InternalAuthenticateCommand.cs
@@ -0,0 +1,71 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Represents the second command in the SCP03 and SCP11a/c authentication handshakes, 'INTERNAL_AUTHENTICATE'
+    /// </summary>
+    /// <remarks>
+    /// Clients should not generally build this manually. See <see cref="Pipelines.ScpApduTransform"/> for more.
+    /// </remarks>
+    internal class InternalAuthenticateCommand : IYubiKeyCommand<InternalAuthenticateResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        internal const byte GpInternalAuthenticateIns = 0x88;
+        private readonly byte _keyReferenceVersionNumber;
+        private readonly byte _keyReferenceId;
+        private readonly byte[] _data;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="InternalAuthenticateCommand"/> class.
+        /// </summary>
+        /// <param name="keyReferenceVersionNumber">The version number of the key reference.</param>
+        /// <param name="keyReferenceId">The ID of the key reference.</param>
+        /// <param name="data">The data to be used for internal authentication.</param>
+        public InternalAuthenticateCommand(byte keyReferenceVersionNumber, byte keyReferenceId, byte[] data)
+        {
+            _keyReferenceVersionNumber = keyReferenceVersionNumber;
+            _keyReferenceId = keyReferenceId;
+            _data = data;
+        }
+
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = 0x80,
+                Ins = GpInternalAuthenticateIns,
+                P1 = _keyReferenceVersionNumber,
+                P2 = _keyReferenceId,
+                Data = _data
+            };
+
+        public InternalAuthenticateResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new InternalAuthenticateResponse(responseApdu);
+    }
+
+    internal class InternalAuthenticateResponse : ScpResponse
+    {
+        /// <summary>
+        /// Creates a new <see cref="InternalAuthenticateResponse"/> from the provided <see cref="ResponseApdu"/>.
+        /// </summary>
+        /// <param name="responseApdu">The <see cref="ResponseApdu"/> to create the response from.</param>
+        /// <returns>A new <see cref="InternalAuthenticateResponse"/>.</returns>
+        public InternalAuthenticateResponse(ResponseApdu responseApdu) : base(responseApdu)
+        {
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyCommand.cs
new file mode 100644
index 000000000..bd7930bfd
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyCommand.cs
@@ -0,0 +1,140 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Use this command to put or replace SCP03 keys on the YubiKey.
+    /// </summary>
+    /// <remarks>
+    /// See the <xref href="UsersManualScp03">User's Manual entry</xref> on SCP03.
+    /// <para>
+    /// On each YubiKey that supports SCP03, there is space for three sets of
+    /// keys. Each set contains three keys: "ENC", "MAC", and "DEK" (Channel
+    /// Encryption, Channel MAC, and Data Encryption).
+    /// <code language="adoc">
+    ///    slot 1:   ENC   MAC   DEK
+    ///    slot 2:   ENC   MAC   DEK
+    ///    slot 3:   ENC   MAC   DEK
+    /// </code>
+    /// Each key is 16 bytes. YubiKeys do not support any other key size.
+    /// </para>
+    /// <para>
+    /// Note that the standard allows changing one key in a key set. However,
+    /// YubiKeys only allow calling this command with all three keys. That is,
+    /// with a YubiKey, it is possible only to set or change all three keys of a
+    /// set with this command.
+    /// </para>
+    /// <para>
+    /// Standard YubiKeys are manufactured with one key set, and each key in that
+    /// set is the default value.
+    /// <code language="adoc">
+    ///    slot 1:   ENC(default)  MAC(default)  DEK(default)
+    ///    slot 2:   --empty--
+    ///    slot 3:   --empty--
+    /// </code>
+    /// The default value is 0x40 41 42 ... 4F.
+    /// </para>
+    /// <para>
+    /// The key sets are not specified using a "slot number", rather, each key
+    /// set is given a Key Version Number (KVN). Each key in the set is given a
+    /// Key Identifier (KeyId). If the YubiKey contains the default key, the KVN
+    /// is 255 (0xFF) and the KeyIds are 1, 2, and 3.
+    /// <code language="adoc">
+    ///    slot 1: KVN=0xff  KeyId=1:ENC(default)  KeyId=2:MAC(default)  KeyId=3:DEK(default)
+    ///    slot 2:   --empty--
+    ///    slot 3:   --empty--
+    /// </code>
+    /// </para>
+    /// <para>
+    /// It is possible to use this command to replace or add a key set. However,
+    /// if the YubiKey contains only the initial, default keys, then it is only
+    /// possible to replace that set. For example, suppose you have a YubiKey
+    /// with the default keys and you try to set the keys in slot 2. The YubiKey
+    /// will not allow that and will return an error.
+    /// </para>
+    /// <para>
+    /// When you replace the initial, default keys, you must specify the KVN of
+    /// the new keys, and the KeyId of the ENC key. The KeyId(MAC) is, per the
+    /// standard, KeyId(ENC) + 1, and the KeyId(DEK) is KeyId(ENC) + 2. For the
+    /// YubiKey, the KVN must be 1. Also, the YubiKey only allows the number 1 as
+    /// the KeyId of the ENC key. If you supply any other values for the KVN or
+    /// KeyId, the YubiKey will return an error. Hence, after replacing the
+    /// initial, default keys, your three sets of keys will be the following:
+    /// <code language="adoc">
+    ///    slot 1: KVN=1  KeyId=1:ENC  KeyId=2:MAC  KeyId=3:DEK
+    ///    slot 2:   --empty--
+    ///    slot 3:   --empty--
+    /// </code>
+    /// </para>
+    /// <para>
+    /// In order to add or change the keys, you must supply one of the existing
+    /// key sets in order to build the SCP03 command and to encrypt and
+    /// authenticate the new keys. When replacing the initial, default keys, you
+    /// only have the choice to supply the keys with the KVN of 0xFF.
+    /// </para>
+    /// <para>
+    /// Once you have replaced the original key set, you can use that set to add
+    /// a second set to slot 2. It's KVN must be 2 and the KeyId of the ENC key
+    /// must be 1.
+    /// <code language="adoc">
+    ///    slot 1: KVN=1  KeyId=1:ENC  KeyId=2:MAC  KeyId=3:DEK
+    ///    slot 2: KVN=2  KeyId=1:ENC  KeyId=2:MAC  KeyId=3:DEK
+    ///    slot 3:   --empty--
+    /// </code>
+    /// </para>
+    /// <para>
+    /// You can use either key set to add a set to slot 3. You can use a key set
+    /// to replace itself.
+    /// </para>
+    /// </remarks>
+    internal class PutKeyCommand : IYubiKeyCommand<PutKeyResponse>
+    {
+        private const byte GpPutKeyCla = 0x80;
+        private const byte GpPutKeyIns = 0xD8;
+        private readonly byte[] _data;
+        private readonly byte _p1;
+        private readonly byte _p2;
+
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+
+        /// <summary>
+        /// This is used internally by the <see cref="SecurityDomainSession"/>. Clients should not have to build this manually.
+        /// </summary>
+        /// <param name="p1">The P1 parameter for the PutKey Apdu command</param>
+        /// <param name="p2">The P2 parameter for the PutKey Apdu command</param>
+        /// <param name="data">The data to use for the PutKey Apdu command</param>
+        public PutKeyCommand(byte p1, byte p2, ReadOnlyMemory<byte> data)
+        {
+            _p1 = p1;
+            _p2 = p2;
+            _data = data.ToArray();
+        }
+
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = GpPutKeyCla,
+                Ins = GpPutKeyIns,
+                P1 = _p1,
+                P2 = _p2,
+                Data = _data
+            };
+
+        public PutKeyResponse CreateResponseForApdu(ResponseApdu responseApdu) => new PutKeyResponse(responseApdu);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyResponse.cs
new file mode 100644
index 000000000..b85da7831
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/PutKeyResponse.cs
@@ -0,0 +1,44 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// The response to putting or replacing SCP keys on the YubiKey.
+    /// </summary>
+    internal class PutKeyResponse : ScpResponse, IYubiKeyResponseWithData<ReadOnlyMemory<byte>>
+    {
+        private readonly byte[] _checksum;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="PutKeyResponse"/> class.
+        /// </summary>
+        /// <param name="responseApdu">The <see cref="ResponseApdu"/> response from the YubiKey.</param>
+        public PutKeyResponse(ResponseApdu responseApdu)
+            : base(responseApdu)
+        {
+            _checksum = new byte[responseApdu.Data.Length];
+            responseApdu.Data.CopyTo(_checksum);
+        }
+
+        /// <summary>
+        /// Gets the checksum of the stored key.
+        /// </summary>
+        /// <returns>The checksum of the stored key.</returns>
+        public ReadOnlyMemory<byte> GetData() => _checksum;
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ResetCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ResetCommand.cs
new file mode 100644
index 000000000..0e94e64c6
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ResetCommand.cs
@@ -0,0 +1,66 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+
+    /// <summary>
+    /// This command is used to reset the SCP keys on the YubiKey device back to its factory default state
+    /// In order to reset the YubiKey to its factory default state, one must issue the reset command to the Yubikey
+    /// with incorrect parameters 65 times. This will block the keys and reset the YubiKey to its factory default state.
+    /// </summary>
+    internal class ResetCommand : IYubiKeyCommand<YubiKeyResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        private readonly byte[] _data;
+        private readonly byte _keyVersionNumber;
+        private readonly byte _kid;
+        private readonly byte _ins;
+
+        /// <summary>
+        /// Initialize a new instance of the <see cref="ResetCommand"/>
+        /// Clients should not generally build this manually. Instead, use the 
+        /// <see cref="SecurityDomainSession.Reset"/> to build commands.
+        /// </summary>
+        /// <param name="ins">The instruction byte for the command
+        /// the instruction bytes that are valid are, 
+        /// <see cref="InitializeUpdateCommand.GpInitializeUpdateIns"/>, 
+        /// <see cref="ExternalAuthenticateCommand.GpExternalAuthenticateIns"/>, 
+        /// <see cref="InternalAuthenticateCommand.GpInternalAuthenticateIns"/>, 
+        /// <see cref="SecurityOperationCommand.GpPerformSecurityOperationIns"/>
+        /// </param>
+        /// <param name="keyVersionNumber">The version number of the key</param>
+        /// <param name="kid">The Key id</param>
+        /// <param name="data">The data to be reset</param>
+        public ResetCommand(byte ins, byte keyVersionNumber, byte kid, byte[] data)
+        {
+            _ins = ins;
+            _data = data;
+            _keyVersionNumber = keyVersionNumber;
+            _kid = kid;
+        }
+
+        public CommandApdu CreateCommandApdu() => new CommandApdu
+        {
+            Cla = 0x80,
+            Ins = _ins,
+            P1 = _keyVersionNumber,
+            P2 = _kid,
+            Data = _data,
+        };
+        public YubiKeyResponse CreateResponseForApdu(ResponseApdu responseApdu) => new YubiKeyResponse(responseApdu);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ScpResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ScpResponse.cs
new file mode 100644
index 000000000..0ef2c5475
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/ScpResponse.cs
@@ -0,0 +1,55 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Diagnostics;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    internal class ScpResponse : YubiKeyResponse
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ScpResponse"/> class.
+        /// </summary>
+        /// <param name="responseApdu">The ResponseApdu from the YubiKey.</param>
+        /// <exception cref="ArgumentNullException">responseApdu</exception>  
+        public ScpResponse(ResponseApdu responseApdu) :
+            base(responseApdu)
+        {
+        }
+
+        public void ThrowIfFailed(string? message = null, bool includeStatusWord = true)
+        {
+            switch (Status)
+            {
+                case ResponseStatus.Success:
+                    Debug.Assert(Status == ResponseStatus.Success);
+                    return;
+                case ResponseStatus.Failed:
+                case ResponseStatus.RetryWithTouch:
+                case ResponseStatus.AuthenticationRequired:
+                case ResponseStatus.ConditionsNotSatisfied:
+                case ResponseStatus.NoData:
+                default:
+                    throw new SecureChannelException(
+                        includeStatusWord
+                            ? AddStatusWord(message ?? StatusMessage)
+                            : message ?? StatusMessage);
+            }
+
+            string AddStatusWord(string originalMessage) => $"{originalMessage} (StatusWord: {StatusWord})";
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/SecurityOperationCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/SecurityOperationCommand.cs
new file mode 100644
index 000000000..7f70d88fb
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/SecurityOperationCommand.cs
@@ -0,0 +1,81 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Implements the PERFORM SECURITY OPERATION command for SCP (Secure Channel Protocol) operations.
+    /// This command is used to perform security-related operations such as certificate verification
+    /// and key agreement during SCP11a/b/c authentication.
+    /// </summary>
+    /// <remarks>
+    /// The PERFORM SECURITY OPERATION command is part of the SCP protocol suite and is used
+    /// specifically for operations that involve certificate handling and key establishment.
+    /// It is typically used in conjunction with other SCP commands like Initialize Update
+    /// and External/Internal Authenticate to establish a secure channel.
+    /// </remarks>
+    internal class SecurityOperationCommand : IYubiKeyCommand<SecurityOperationResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        internal const byte GpPerformSecurityOperationIns = 0x2A;
+        private readonly ReadOnlyMemory<byte> _oceCertificates;
+        private readonly byte _oceRefVersionNumber;
+        private readonly byte _oceKeyId;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SecurityOperationCommand"/> class.
+        /// </summary>
+        /// <param name="oceKeyVersionNumer">The Off-Card Entity key version number.</param>
+        /// <param name="oceKeyId">The Off-Card Entity key ID.</param>
+        /// <param name="oceCertificates">The certificate chain for the off-card entity</param>
+        /// <remarks>
+        /// This command is used as part of the SCP11 protocol suite for presenting the off-card entity's certificate chain to the YubiKey.
+        /// </remarks>
+        public SecurityOperationCommand(byte oceKeyVersionNumer, byte oceKeyId, ReadOnlyMemory<byte> oceCertificates)
+        {
+            _oceRefVersionNumber = oceKeyVersionNumer;
+            _oceKeyId = oceKeyId;
+            _oceCertificates = oceCertificates;
+        }
+
+        /// <summary>
+        /// Creates the APDU for the PERFORM SECURITY OPERATION command.
+        /// </summary>
+        /// <returns>
+        /// A <see cref="CommandApdu"/> object containing the formatted command APDU.
+        /// </returns>
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = 0x80,
+                Ins = GpPerformSecurityOperationIns,
+                P1 = _oceRefVersionNumber,
+                P2 = _oceKeyId,
+                Data = _oceCertificates
+            };
+
+        public SecurityOperationResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new SecurityOperationResponse(responseApdu);
+    }
+
+    internal class SecurityOperationResponse : ScpResponse
+    {
+        public SecurityOperationResponse(ResponseApdu responseApdu) : base(responseApdu)
+        {
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs
new file mode 100644
index 000000000..acc236d12
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs
@@ -0,0 +1,80 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Yubico.Core.Iso7816;
+
+namespace Yubico.YubiKey.Scp.Commands
+{
+    /// <summary>
+    /// Implements the GlobalPlatform STORE DATA command for transferring data to the Security Domain or Applications.
+    /// </summary>
+    /// <remarks>
+    /// This is an internal implementation of the STORE DATA command. For storing data in the Security Domain,
+    /// it is recommended to use the methods provided by <see cref="SecurityDomainSession"/> instead, such as
+    /// <see cref="SecurityDomainSession.StoreData"/>, <see cref="SecurityDomainSession.StoreCaIssuer"/>, <see cref="SecurityDomainSession.StoreCertificates"/>, and <see cref="SecurityDomainSession.StoreAllowlist"/>.
+    /// This command supports single block transfer with BER-TLV formatted data according to ISO 8825.
+    /// </remarks>
+    internal class StoreDataCommand : IYubiKeyCommand<StoreDataCommandResponse>
+    {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
+        private const byte GpStoreDataIns = 0xE2;
+        private readonly ReadOnlyMemory<byte> _data;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="StoreDataCommand"/> class, with the given data to be stored.
+        /// </summary>
+        /// <remarks>
+        /// This command supports single block transfer with BER-TLV formatted data according to ISO 8825.
+        /// <para>For storing data in the Security Domain,
+        /// it is recommended to use the methods provided by <see cref="SecurityDomainSession"/> instead, such as
+        /// <see cref="SecurityDomainSession.StoreData"/>, <see cref="SecurityDomainSession.StoreCaIssuer"/>, <see cref="SecurityDomainSession.StoreCertificates"/>, and <see cref="SecurityDomainSession.StoreAllowlist"/>.
+        /// </para>
+        /// </remarks>
+        /// <param name="data">The data to store, which must be formatted as BER-TLV structures according to ISO 8825.</param>
+        public StoreDataCommand(ReadOnlyMemory<byte> data)
+        {
+            _data = data;
+        }
+
+        // The default constructor explicitly defined. We don't want it to be
+        // used.
+        private StoreDataCommand()
+        {
+            throw new NotImplementedException();
+        }
+
+        public CommandApdu CreateCommandApdu() =>
+            new CommandApdu
+            {
+                Cla = 0,
+                Ins = GpStoreDataIns,
+                P1 = 0x90,
+                P2 = 0x00,
+                Data = _data
+            };
+
+        public StoreDataCommandResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
+            new StoreDataCommandResponse(responseApdu);
+    }
+
+    internal class StoreDataCommandResponse : ScpResponse, IYubiKeyResponseWithData<ReadOnlyMemory<byte>>
+    {
+        public StoreDataCommandResponse(ResponseApdu responseApdu) : base(responseApdu)
+        {
+        }
+
+        public ReadOnlyMemory<byte> GetData() => ResponseApdu.Data;
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs
new file mode 100644
index 000000000..5fbaa976f
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs
@@ -0,0 +1,87 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Buffers.Binary;
+using Yubico.YubiKey.Cryptography;
+
+namespace Yubico.YubiKey.Scp.Helpers
+{
+    internal static class ChannelEncryption
+    {
+        /// <summary>
+        /// Encrypts the provided data using AES CBC mode with the given key and encryption counter.
+        /// </summary>
+        /// <param name="plainText">The data to be encrypted.</param>
+        /// <param name="encryptionKey">The AES key to use for encryption.</param>
+        /// <param name="encryptionCounter">
+        /// A counter used to generate the initialization vector (IV) for encryption.
+        /// </param>
+        /// <returns>
+        /// A <see cref="Memory{T}"/> containing the encrypted data.
+        /// </returns>
+        public static ReadOnlyMemory<byte> EncryptData(
+            ReadOnlySpan<byte> plainText,
+            ReadOnlySpan<byte> encryptionKey,
+            int encryptionCounter)
+        {
+            Span<byte> countBytes = stackalloc byte[sizeof(int)];
+            BinaryPrimitives.WriteInt32BigEndian(countBytes, encryptionCounter);
+
+            Span<byte> ivInput = stackalloc byte[16];
+            int offset = 16 - countBytes.Length;
+            countBytes.CopyTo(ivInput[offset..]);
+
+            var iv = AesUtilities.BlockCipher(encryptionKey, ivInput);
+            var paddedPlaintext = Padding.PadToBlockSize(plainText);
+            var encryptedData = AesUtilities.AesCbcEncrypt(
+                encryptionKey,
+                iv.Span,
+                paddedPlaintext.Span);
+
+            return encryptedData;
+        }
+
+        /// <summary>
+        /// Decrypts the provided data using AES CBC mode with the given key and encryption counter.
+        /// </summary>
+        /// <param name="encryptedData">The encrypted data to be decrypted.</param>
+        /// <param name="key">The AES key to use for decryption.</param>
+        /// <param name="encryptionCounter">
+        /// A counter used to generate the initialization vector (IV) for decryption.
+        /// </param>
+        /// <returns>
+        /// A <see cref="Memory{T}"/> containing the decrypted data with padding removed.
+        /// </returns>
+        public static ReadOnlyMemory<byte> DecryptData(
+            ReadOnlySpan<byte> encryptedData,
+            ReadOnlySpan<byte> key,
+            int encryptionCounter)
+        {
+            Span<byte> countBytes = stackalloc byte[sizeof(int)];
+            BinaryPrimitives.WriteInt32BigEndian(countBytes, encryptionCounter);
+
+            Span<byte> ivInput = stackalloc byte[16];
+            int offset = 16 - countBytes.Length;
+            ivInput[0] = 0x80; // to mark as RMAC calculation
+            countBytes.CopyTo(ivInput[offset..]);
+
+            var iv = AesUtilities.BlockCipher(key, ivInput);
+            var decryptedData = AesUtilities.AesCbcDecrypt(key, iv.Span, encryptedData);
+            var plainText = Padding.RemovePadding(decryptedData.Span);
+            
+            return plainText;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelMac.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelMac.cs
new file mode 100644
index 000000000..62af3b8f3
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelMac.cs
@@ -0,0 +1,160 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+using Yubico.Core.Cryptography;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Cryptography;
+
+namespace Yubico.YubiKey.Scp.Helpers
+{
+    /// <summary>
+    /// Provides functionality for MAC (Message Authentication Code) operations in secure channel communications.
+    /// This class handles the MAC generation and verification for APDUs in a secure channel.
+    /// </summary>
+    internal static class ChannelMac
+    {
+        /// <summary>
+        /// Generates a MAC for a command APDU using the provided MAC key and chaining value.
+        /// </summary>
+        /// <param name="apdu">The command APDU to be MACed.</param>
+        /// <param name="macKey">The key used for MAC generation.</param>
+        /// <param name="macChainingValue">The MAC chaining value from previous operations (must be 16 bytes).</param>
+        /// <returns>
+        /// A tuple containing:
+        /// - The command APDU with the generated MAC appended
+        /// - The new MAC chaining value for use in subsequent operations
+        /// </returns>
+        /// <exception cref="ArgumentException">Thrown when the MAC chaining value is not 16 bytes long.</exception>
+        public static (CommandApdu macdApdu, ReadOnlyMemory<byte> newMacChainingValue) MacApdu(
+            CommandApdu apdu,
+            ReadOnlySpan<byte> macKey,
+            ReadOnlySpan<byte> macChainingValue)
+        {
+            // MAC chaining value must be 16 bytes to match AES block size
+            if (macChainingValue.Length != 16)
+            {
+                throw new ArgumentException(ExceptionMessages.UnknownScpError, nameof(macChainingValue));
+            }
+
+            // Add 8 bytes of space for the MAC that will be calculated
+            var apduWithLongerLen = AddDataToApdu(apdu, stackalloc byte[8]);
+            Span<byte> apduBytesWithZeroMac = apduWithLongerLen.AsByteArray();
+
+            // Prepare input for MAC calculation:
+            // - First 16 bytes: MAC chaining value from previous operation
+            // - Remaining bytes: APDU bytes (excluding the 8 zero bytes we added)
+            Span<byte> macInputBuffer = stackalloc byte[16 + apduBytesWithZeroMac.Length - 8];
+            macChainingValue.CopyTo(macInputBuffer);
+            apduBytesWithZeroMac[..^8].CopyTo(macInputBuffer[16..]);
+
+            // Calculate MAC using AES-CMAC (16 bytes)
+            using var cmacObj = CryptographyProviders.CmacPrimitivesCreator(CmacBlockCipherAlgorithm.Aes128);
+
+            Span<byte> newMacChainingValue = stackalloc byte[16];
+            cmacObj.CmacInit(macKey);
+            cmacObj.CmacUpdate(macInputBuffer);
+            cmacObj.CmacFinal(newMacChainingValue);
+
+            // Create final APDU with the first 8 bytes of the MAC appended
+            var macdApdu = AddDataToApdu(apdu, newMacChainingValue[..8]);
+
+            return (macdApdu, newMacChainingValue.ToArray());
+        }
+
+        /// <summary>
+        /// Verifies the Response MAC (RMAC) of a response message using the provided RMAC key and chaining value.
+        /// </summary>
+        /// <param name="response">The response data containing the RMAC to verify.</param>
+        /// <param name="rmacKey">The key used for RMAC verification.</param>
+        /// <param name="macChainingValue">The MAC chaining value from previous operations.</param>
+        /// <exception cref="SecureChannelException">
+        /// Thrown when:
+        /// - The response length is insufficient (less than 8 bytes)
+        /// - The response length is incorrect for decryption
+        /// - The RMAC verification fails
+        /// </exception>
+        public static void VerifyRmac(
+            ReadOnlySpan<byte> response,
+            ReadOnlySpan<byte> rmacKey,
+            ReadOnlySpan<byte> macChainingValue)
+        {
+            // Response must be at least 8 bytes (minimum length for MAC)
+            if (response.Length < 8)
+            {
+                throw new SecureChannelException(ExceptionMessages.InsufficientResponseLengthToVerifyRmac);
+            }
+
+            // Response length (excluding MAC) must be multiple of 16 for AES block alignment
+            if ((response.Length - 8) % 16 != 0)
+            {
+                throw new SecureChannelException(ExceptionMessages.IncorrectResponseLengthToDecrypt);
+            }
+
+            // Extract the received MAC (last 8 bytes of response)
+            var recvdRmac = response[^8..];
+
+            // Prepare input for MAC verification:
+            // - First 16 bytes: MAC chaining value
+            // - Next bytes: Response data (excluding MAC)
+            // - Last 2 bytes: Success status words (90 00)
+            int respDataLen = response.Length - 8;
+            Span<byte> macInput = stackalloc byte[16 + respDataLen + 2];
+            macChainingValue.CopyTo(macInput);
+            response[..respDataLen].CopyTo(macInput[16..]);
+
+            macInput[16 + respDataLen] = SW1Constants.Success;
+            macInput[16 + respDataLen + 1] = SWConstants.Success & 0xFF;
+
+            // Calculate expected MAC using AES-CMAC
+            using var cmacObj = CryptographyProviders.CmacPrimitivesCreator(CmacBlockCipherAlgorithm.Aes128);
+            
+            Span<byte> cmac = stackalloc byte[16];
+            cmacObj.CmacInit(rmacKey);
+            cmacObj.CmacUpdate(macInput);
+            cmacObj.CmacFinal(cmac);
+    
+            // Use constant-time comparison to prevent timing attacks
+            if (!CryptographicOperations.FixedTimeEquals(recvdRmac, cmac[..8]))
+            {
+                throw new SecureChannelException(ExceptionMessages.IncorrectRmac);
+            }
+        }
+
+        private static CommandApdu AddDataToApdu(CommandApdu apdu, ReadOnlySpan<byte> data)
+        {
+            var newApdu = new CommandApdu
+            {
+                Cla = apdu.Cla,
+                Ins = apdu.Ins,
+                P1 = apdu.P1,
+                P2 = apdu.P2
+            };
+
+            int currentDataLength = apdu.Data.Length;
+            byte[] newData = new byte[currentDataLength + data.Length];
+
+            if (!apdu.Data.IsEmpty)
+            {
+                apdu.Data.Span.CopyTo(newData);
+            }
+
+            data.CopyTo(newData.AsSpan(currentDataLength));
+            newApdu.Data = newData;
+            
+            return newApdu;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Derivation.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Derivation.cs
new file mode 100644
index 000000000..eea8504b7
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Derivation.cs
@@ -0,0 +1,183 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+using Yubico.Core.Cryptography;
+using Yubico.YubiKey.Cryptography;
+
+namespace Yubico.YubiKey.Scp.Helpers
+{
+    /// <summary>
+    /// Provides key derivation functionality for Secure Channel Protocol (SCP) operations.
+    /// This class implements the key derivation functions used in SCP03 protocol for
+    /// generating session keys and cryptograms.
+    /// </summary>
+    internal static class Derivation
+    {
+        /// <summary>
+        /// Data Derivation Constant for Session Encryption Key
+        /// </summary>
+        internal const byte DDC_SENC = 0x04;
+
+        /// <summary>
+        /// Data Derivation Constant for Session MAC Key
+        /// </summary>
+        internal const byte DDC_SMAC = 0x06;
+
+        /// <summary>
+        /// Data Derivation Constant for Session RMAC Key
+        /// </summary>
+        internal const byte DDC_SRMAC = 0x07;
+
+        /// <summary>
+        /// Data Derivation Constant for Card Cryptogram
+        /// </summary>
+        internal const byte DDC_CARD_CRYPTOGRAM = 0x00;
+
+        /// <summary>
+        /// Data Derivation Constant for Host Cryptogram
+        /// </summary>
+        internal const byte DDC_HOST_CRYPTOGRAM = 0x01;
+
+        /// <summary>
+        /// Derives a key or cryptogram from the host and card challenges using the specified derivation parameters.
+        /// </summary>
+        /// <param name="dataDerivationConstant">The derivation constant indicating the type of key being derived (e.g., SENC, SMAC).</param>
+        /// <param name="outputLenBits">The desired output length in bits (must be either 64 or 128).</param>
+        /// <param name="kdfKey">The key derivation function key.</param>
+        /// <param name="hostChallenge">The 8-byte challenge from the host.</param>
+        /// <param name="cardChallenge">The 8-byte challenge from the card.</param>
+        /// <returns>A derived key or cryptogram as a Memory{byte}.</returns>
+        /// <exception cref="SecureChannelException">
+        /// Thrown when:
+        /// - The output length is not 64 or 128 bits
+        /// - Either challenge is not exactly 8 bytes
+        /// </exception>
+        public static Memory<byte> Derive(
+            byte dataDerivationConstant,
+            byte outputLenBits,
+            ReadOnlySpan<byte> kdfKey,
+            ReadOnlySpan<byte> hostChallenge,
+            ReadOnlySpan<byte> cardChallenge)
+        {
+            // Validate output length
+            if (outputLenBits != 64 && outputLenBits != 128)
+            {
+                throw new SecureChannelException(ExceptionMessages.IncorrectDerivationLength);
+            }
+
+            // Validate challenge lengths
+            if (hostChallenge.Length != 8 || cardChallenge.Length != 8)
+            {
+                throw new SecureChannelException(ExceptionMessages.InvalidChallengeLength);
+            }
+
+            // Initialize MAC input buffer with zeros
+            // Format according to GP spec 2.3.1:
+            // [padding(11) || derivation constant || padding(2) || output length || counter=1 || host challenge || card challenge]
+            Span<byte> macInputBuffer = stackalloc byte[32];
+            macInputBuffer[11] = dataDerivationConstant;
+
+            // Set output length and counter
+            macInputBuffer[14] = outputLenBits;
+            macInputBuffer[15] = 1; // Counter is always 1 for our use case
+
+            // Copy host and cardchallenges to the end of the input buffer
+            hostChallenge.CopyTo(macInputBuffer.Slice(16, 8));
+            cardChallenge.CopyTo(macInputBuffer.Slice(24, 8));
+
+            // Calculate CMAC using AES-128
+            Span<byte> cmac = stackalloc byte[16];
+
+            using var cmacObj = CryptographyProviders.CmacPrimitivesCreator(CmacBlockCipherAlgorithm.Aes128);
+            cmacObj.CmacInit(kdfKey);
+            cmacObj.CmacUpdate(macInputBuffer);
+            cmacObj.CmacFinal(cmac);
+
+            return outputLenBits == 128
+                ? cmac.ToArray() // If output length is 128 bits, return the full CMAC
+                : cmac[..8].ToArray(); // For 64-bit output (cryptograms), use only the first 8 bytes
+        }
+
+        /// <summary>
+        /// Derives a cryptogram using the specified derivation constant and challenges.
+        /// This is a convenience method that calls Derive with a 64-bit output length.
+        /// </summary>
+        /// <param name="dataDerivationConstant">The derivation constant (<see cref="DDC_CARD_CRYPTOGRAM"/> or <see cref="DDC_HOST_CRYPTOGRAM"/>.</param>
+        /// <param name="key">The key used for cryptogram derivation.</param>
+        /// <param name="hostChallenge">The 8-byte host challenge.</param>
+        /// <param name="cardChallenge">The 8-byte card challenge.</param>
+        /// <returns>A 64-bit (8-byte) cryptogram.</returns>
+        public static Memory<byte> DeriveCryptogram(
+            byte dataDerivationConstant,
+            ReadOnlySpan<byte> key,
+            ReadOnlySpan<byte> hostChallenge,
+            ReadOnlySpan<byte> cardChallenge) =>
+            Derive(dataDerivationConstant, 64, key, hostChallenge, cardChallenge);
+
+        /// <summary>
+        /// Derives session keys from the static keys using host and card challenges.
+        /// This method generates three session keys (SMAC, SENC, SRMAC) and includes the static DEK.
+        /// </summary>
+        /// <param name="staticKeys">The static key set containing channel MAC, encryption, and data encryption keys.</param>
+        /// <param name="hostChallenge">The 8-byte host challenge.</param>
+        /// <param name="cardChallenge">The 8-byte card challenge.</param>
+        /// <returns>A SessionKeys object containing all derived session keys.</returns>
+        /// <remarks>
+        /// This method implements secure memory handling:
+        /// - Uses stackalloc for temporary buffers
+        /// - Securely clears sensitive data after use
+        /// - Properly handles exceptions to ensure no sensitive data leaks
+        /// </remarks>
+        public static SessionKeys DeriveSessionKeysFromStaticKeys(
+            StaticKeys staticKeys,
+            ReadOnlySpan<byte> hostChallenge,
+            ReadOnlySpan<byte> cardChallenge)
+        {
+            Span<byte> macKey = stackalloc byte[staticKeys.ChannelMacKey.Length];
+            Span<byte> encKey = stackalloc byte[staticKeys.ChannelEncryptionKey.Length];
+            Span<byte> dekKey = stackalloc byte[staticKeys.DataEncryptionKey.Length];
+
+            staticKeys.ChannelMacKey.Span.CopyTo(macKey);
+            staticKeys.ChannelEncryptionKey.Span.CopyTo(encKey);
+            staticKeys.DataEncryptionKey.Span.CopyTo(dekKey);
+
+            try
+            {
+                // If these calls succeed, then control of the created buffers
+                // will be given to the new SessionKeys object created. That is,
+                // if these succeed, don't overwrite the returned sensitive data.
+                // The Derive call can throw an exception. Normally, we would
+                // want to catch that exception just in case at least one call
+                // succeeded and we have some sensitive data to overwrite. But
+                // the Derive call fails if either the host or card challenge
+                // is not exactly 8 bytes. In that case, the first call would
+                // fail before generating a result, so there will be no data to
+                // overwrite.
+                var SMAC = Derive(DDC_SMAC, 128, macKey, hostChallenge, cardChallenge);
+                var SENC = Derive(DDC_SENC, 128, encKey, hostChallenge, cardChallenge);
+                var SRMAC = Derive(DDC_SRMAC, 128, macKey, hostChallenge, cardChallenge);
+
+                return new SessionKeys(SMAC, SENC, SRMAC, dekKey.ToArray());
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(macKey);
+                CryptographicOperations.ZeroMemory(encKey);
+                CryptographicOperations.ZeroMemory(dekKey);
+            }
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Padding.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Padding.cs
new file mode 100644
index 000000000..cdea0b945
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/Padding.cs
@@ -0,0 +1,62 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+
+namespace Yubico.YubiKey.Scp.Helpers
+{
+    internal static class Padding
+    {
+        /// <summary>
+        /// Pad the given <paramref name="payload"/> to the next multiple of 16 bytes by adding a 0x80 byte followed by zero bytes.
+        /// </summary>
+        /// <param name="payload">The payload to pad.</param>
+        /// <returns>The padded payload.</returns>
+        public static Memory<byte> PadToBlockSize(ReadOnlySpan<byte> payload)
+        {
+            int paddedLen = ((payload.Length / 16) + 1) * 16;
+
+            Span<byte> padded = stackalloc byte[paddedLen];
+            payload.CopyTo(padded);
+            padded[payload.Length] = 0x80;
+
+            return padded.ToArray();
+        }
+
+        /// <summary>
+        /// Remove the padding from the given <paramref name="paddedPayload"/>.
+        /// </summary>
+        /// <param name="paddedPayload">The padded payload.</param>
+        /// <returns>The unpadded payload.</returns>
+        /// <exception cref="ArgumentNullException"><paramref name="paddedPayload"/> is <c>null</c>.</exception>
+        /// <exception cref="SecureChannelException">The padding is invalid.</exception>
+        public static Memory<byte> RemovePadding(ReadOnlySpan<byte> paddedPayload)
+        {
+            for (int i = paddedPayload.Length - 1; i >= 0; i--)
+            {
+                if (paddedPayload[i] == 0x80)
+                {
+                    return paddedPayload[..i].ToArray();
+                }
+
+                if (paddedPayload[i] != 0x00)
+                {
+                    throw new SecureChannelException(ExceptionMessages.InvalidPadding);
+                }
+            }
+
+            throw new SecureChannelException(ExceptionMessages.InvalidPadding);
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/IScpYubiKeyConnection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/IScpYubiKeyConnection.cs
new file mode 100644
index 000000000..dccc28d6f
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/IScpYubiKeyConnection.cs
@@ -0,0 +1,36 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// The connection class that can perform SCP03 operations will implement not
+    /// only <see cref="IYubiKeyConnection"/>, but this interface as well.
+    /// </summary>
+    public interface IScpYubiKeyConnection : IYubiKeyConnection
+    {
+        /// <summary>
+        /// Return a reference to the SCP key set used to make the connection.
+        /// </summary>
+        public ScpKeyParameters KeyParameters { get; }
+
+        /// <summary>
+        /// Get the encryptor function to encrypt any data for a SCP command using the current session keys.
+        /// </summary>
+        internal EncryptDataFunc EncryptDataFunc
+        {
+            get;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/KeyReference.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/KeyReference.cs
new file mode 100644
index 000000000..db9a6b48c
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/KeyReference.cs
@@ -0,0 +1,78 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Globalization;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Represents a reference to a cryptographic key stored on the YubiKey.
+    /// </summary>
+    public class KeyReference
+    {
+        /// <summary>
+        /// The Key Id (KID) of the key.
+        /// </summary>
+        public byte Id { get; }
+
+        /// <summary>
+        /// The Key Version Number (KVN) of the key.
+        /// </summary>
+        public byte VersionNumber { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyReference"/> class.
+        /// </summary>
+        /// <param name="id">The ID of the key (KID).</param>
+        /// <param name="versionNumber">The version number of the key (KVN).</param>
+        /// <remarks>See the GlobalPlatform Technology Card Specification v2.3 Amendment F §5.1 Cryptographic Keys for more information on the available KIDs.</remarks>
+        public KeyReference(
+            byte id,
+            byte versionNumber)
+        {
+            Id = id;
+            VersionNumber = versionNumber;
+        }
+
+        /// <summary>
+        /// Returns a span of bytes that represent the key reference.
+        /// </summary>
+        public ReadOnlyMemory<byte> GetBytes => new[] { Id, VersionNumber };
+
+        /// <summary>
+        /// Returns a string that represents the current object.
+        /// </summary>
+        /// <returns>
+        /// A string that represents the current object in the format
+        /// <para>"KeyRef[Kid=0x{Id:X2}, Kvn=0x{VersionNumber:X2}]"
+        /// </para>
+        /// </returns>
+        /// <example>"KeyRef[Kid=0x01, Kvn=0x02]"</example>
+        public override string ToString() => $"KeyRef[Kid=0x{Id:X2}, Kvn=0x{VersionNumber:X2}]";
+
+        public override bool Equals(object? obj)
+        {
+            if (obj == null || GetType() != obj.GetType())
+            {
+                return false;
+            }
+
+            var other = (KeyReference)obj;
+            return Id == other.Id && VersionNumber == other.VersionNumber;
+        }
+
+        public override int GetHashCode() => HashCode.Combine(Id, VersionNumber);
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03KeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03KeyParameters.cs
new file mode 100644
index 000000000..f9e011971
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03KeyParameters.cs
@@ -0,0 +1,92 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Represents the parameters for a Secure Channel Protocol 03 (SCP03) key.
+    /// </summary>
+    public sealed class Scp03KeyParameters : ScpKeyParameters, IDisposable
+    {
+        private const int DefaultKvn = 0xFF;
+
+        /// <summary>
+        /// The static keys shared with the device when initiating the connection.
+        /// </summary>        
+        public StaticKeys StaticKeys { get; }
+
+        /// <summary>
+        /// Creates a new instance of <see cref="Scp03KeyParameters"/>, representing the parameters for
+        /// a Secure Channel Protocol 03 (SCP03) key.
+        /// </summary>
+        /// <param name="keyReference">A reference to the key.</param>
+        /// <param name="staticKeys">The static keys shared with the device when initiating the connection.</param>
+        /// <exception cref="ArgumentException">
+        /// Thrown if <paramref name="keyReference.Id"/> is not between 1 and 3, which are the only valid Key IDs
+        /// for SCP03
+        /// </exception>
+        public Scp03KeyParameters(
+            KeyReference keyReference,
+            StaticKeys staticKeys) : base(keyReference)
+        {
+            if (keyReference.Id < 1 || keyReference.Id > 3)
+            {
+                throw new ArgumentException("Invalid KID for SCP03. Kid must be between 1 and 3", nameof(keyReference.Id));
+            }
+
+            StaticKeys = staticKeys.GetCopy();
+        }
+
+        /// <summary>
+        /// Creates a new instance of <see cref="Scp03KeyParameters"/>, representing the parameters for
+        /// a Secure Channel Protocol 03 (SCP03) key.
+        /// </summary>
+        /// <param name="keyId">The ID of the key. Must be between 1 and 3 for SCP03.</param>
+        /// <param name="keyVersionNumber">The version number of the key.</param>
+        /// <param name="staticKeys">The static keys shared with the device.</param>
+        /// <exception cref="ArgumentException">
+        /// Thrown if <paramref name="keyId"/> is not between 1 and 3, which are the only valid Key IDs
+        /// for SCP03
+        /// </exception>
+        public Scp03KeyParameters(
+            byte keyId,
+            byte keyVersionNumber,
+            StaticKeys staticKeys) : this(new KeyReference(keyId, keyVersionNumber), staticKeys)
+        {
+        }
+        
+        /// <summary>
+        /// Gets the default SCP03 key parameters using the default key identifier and static keys.
+        /// </summary>
+        /// <remarks>
+        /// This property provides a convenient way to access default SCP03 key parameters,
+        /// using the standard SCP03 key identifier (0x03) and default static keys with version number 0xFF.
+        /// </remarks>
+        public static Scp03KeyParameters DefaultKey => new Scp03KeyParameters(ScpKeyIds.Scp03, DefaultKvn, new StaticKeys());
+
+        /// <summary>
+        /// Creates a new instance of <see cref="Scp03KeyParameters"/>, representing the parameters for
+        /// a Secure Channel Protocol 03 (SCP03) key, using the standard SCP03 key identifier and
+        /// the given static keys.
+        /// </summary>
+        /// <param name="staticKeys">The static keys shared with the device.</param>
+        /// <returns>An instance of <see cref="Scp03KeyParameters"/> with key ID 0x03 and version number 0x01.</returns>
+        public static Scp03KeyParameters FromStaticKeys(StaticKeys staticKeys) =>
+            new Scp03KeyParameters(ScpKeyIds.Scp03, 0x01, staticKeys);
+
+        public void Dispose() => StaticKeys.Dispose();
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03State.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03State.cs
new file mode 100644
index 000000000..b6ac164fb
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp03State.cs
@@ -0,0 +1,187 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Scp.Commands;
+using Yubico.YubiKey.Scp.Helpers;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Manages the state for Secure Channel Protocol 03 (SCP03) communication with a YubiKey.
+    /// This class handles key agreement, authentication, and secure messaging between the host
+    /// and the YubiKey using AES encryption and MAC operations. It supports the establishment
+    /// of secure channels with PIV and other smart card applications by deriving session keys
+    /// and performing mutual authentication.
+    /// </summary>
+    internal class Scp03State : ScpState
+    {
+        private readonly Memory<byte> _hostCryptogram;
+        private bool _disposed;
+        /// <summary>
+        /// Creates a new SCP03 secure channel state using the provided session keys and host cryptogram.
+        /// </summary>
+        /// <param name="sessionKeys">The session keys generated by the SCP03 key agreement.</param>
+        /// <param name="hostCryptogram">The host cryptogram used to authenticate the host and establish the secure channel.</param>
+        public Scp03State(
+            SessionKeys sessionKeys,
+            ReadOnlyMemory<byte> hostCryptogram)
+            : base(sessionKeys, new byte[16])
+        {
+            _hostCryptogram = hostCryptogram.ToArray();
+        }
+
+        /// <summary>
+        /// Creates a new SCP03 secure channel state by performing key agreement and authentication with the YubiKey.
+        /// </summary>
+        /// <param name="pipeline">The APDU pipeline for communication with the YubiKey.</param>
+        /// <param name="keyParameters">The key parameters required for SCP03 authentication.</param>
+        /// <param name="hostChallenge">The host challenge to use for the key agreement.</param>
+        /// <returns>A new instance of <see cref="Scp03State"/> configured for secure channel communication.</returns>
+        /// <exception cref="ArgumentException">Thrown when host challenge or key parameters are invalid or incompatible.</exception>
+        /// <exception cref="SecureChannelException">Thrown when secure channel establishment fails.</exception>
+        internal static Scp03State CreateScpState(
+            IApduTransform pipeline,
+            Scp03KeyParameters keyParameters,
+            ReadOnlyMemory<byte> hostChallenge)
+        {
+            if (hostChallenge.Length != 8)
+            {
+                throw new ArgumentException("Invalid size, must be 8 bytes", nameof(hostChallenge));
+            }
+
+            if (keyParameters is null)
+            {
+                throw new ArgumentNullException(nameof(keyParameters));
+            }
+            
+            if (pipeline is null)
+            {
+                throw new ArgumentNullException(nameof(pipeline));
+            }
+
+            var (cardChallenge, cardCryptogram) = PerformInitializeUpdate(pipeline, keyParameters, hostChallenge);
+            
+            var state = CreateScpState(keyParameters, hostChallenge, cardChallenge, cardCryptogram);
+            state.PerformExternalAuthenticate(pipeline);
+            return state;
+        }
+
+        private static Scp03State CreateScpState(
+            Scp03KeyParameters keyParameters,
+            ReadOnlyMemory<byte> hostChallenge,
+            ReadOnlyMemory<byte> cardChallenge,
+            ReadOnlyMemory<byte> cardCryptogram)
+        {
+            // Derive session keys
+            var sessionKeys = Derivation.DeriveSessionKeysFromStaticKeys(
+                keyParameters.StaticKeys,
+                hostChallenge.Span,
+                cardChallenge.Span);
+
+            // Check supplied card cryptogram
+            var calculatedCardCryptogram = Derivation.DeriveCryptogram(
+                Derivation.DDC_CARD_CRYPTOGRAM,
+                sessionKeys.MacKey.Span,
+                hostChallenge.Span,
+                cardChallenge.Span);
+
+            if (!CryptographicOperations.FixedTimeEquals(cardCryptogram.Span, calculatedCardCryptogram.Span))
+            {
+                throw new SecureChannelException(ExceptionMessages.IncorrectCardCryptogram);
+            }
+
+            // Calculate host cryptogram
+            var hostCryptogram = Derivation.DeriveCryptogram(
+                Derivation.DDC_HOST_CRYPTOGRAM,
+                sessionKeys.MacKey.Span,
+                hostChallenge.Span,
+                cardChallenge.Span);
+
+            return new Scp03State(sessionKeys, hostCryptogram);
+        }
+
+        private static (ReadOnlyMemory<byte> cardChallenge, ReadOnlyMemory<byte> cardCryptogram) PerformInitializeUpdate(
+            IApduTransform pipeline,
+            Scp03KeyParameters keyParameters,
+            ReadOnlyMemory<byte> hostChallenge)
+        {
+            var initializeUpdateCommand = new InitializeUpdateCommand(
+                keyParameters.KeyReference.VersionNumber, hostChallenge);
+
+            var initializeUpdateResponseApdu = pipeline.Invoke(
+                initializeUpdateCommand.CreateCommandApdu(),
+                typeof(InitializeUpdateCommand),
+                typeof(InitializeUpdateResponse));
+
+            var initializeUpdateResponse = initializeUpdateCommand.CreateResponseForApdu(initializeUpdateResponseApdu);
+            initializeUpdateResponse.ThrowIfFailed($"Error when performing {initializeUpdateCommand.GetType().Name}: {initializeUpdateResponse.StatusMessage}");
+
+            byte[] cardChallenge = initializeUpdateResponse.CardChallenge.ToArray();
+            byte[] cardCryptogram = initializeUpdateResponse.CardCryptogram.ToArray();
+
+            return (cardChallenge, cardCryptogram);
+        }
+
+        private void PerformExternalAuthenticate(IApduTransform pipeline)
+        {
+            // Create a MAC:ed APDU
+            var (commandExtAuth, newMacChainingValue) = GetMacedExternalAuthenticateCommand(
+                new ExternalAuthenticateCommand(_hostCryptogram));
+
+            // Update the states MacChainingValue
+            MacChainingValue = newMacChainingValue;
+
+            // Send command
+            var responseExtAuth = pipeline.Invoke(
+                commandExtAuth.CreateCommandApdu(),
+                typeof(ExternalAuthenticateCommand),
+                typeof(ExternalAuthenticateResponse));
+
+            commandExtAuth.CreateResponseForApdu(responseExtAuth).ThrowIfFailed();
+        }
+
+        private (ExternalAuthenticateCommand, ReadOnlyMemory<byte> macChainingValue) GetMacedExternalAuthenticateCommand(ExternalAuthenticateCommand externalAuthenticateCommand)
+        {
+            var (commandDataMaced, newMacChainingValue) = GetMacdCommandData(externalAuthenticateCommand.CreateCommandApdu());
+            return (new ExternalAuthenticateCommand(commandDataMaced), newMacChainingValue);
+        }
+
+        private (ReadOnlyMemory<byte> commandDataMaced, ReadOnlyMemory<byte> newMacChainingValue) GetMacdCommandData(CommandApdu commandApdu)
+        {
+            var (macedApdu, newMacChainingValue) = MacApdu(
+                commandApdu,
+                SessionKeys.MacKey.Span,
+                MacChainingValue.Span
+                );
+
+            return (macedApdu.Data, newMacChainingValue);
+        }
+
+        public override void Dispose()
+        {
+            if (_disposed)
+            {
+                return;
+            }
+                
+            CryptographicOperations.ZeroMemory(_hostCryptogram.Span);
+            base.Dispose();
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11KeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11KeyParameters.cs
new file mode 100644
index 000000000..774e4ec3e
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11KeyParameters.cs
@@ -0,0 +1,148 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Yubico.YubiKey.Cryptography;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// SCP key parameters for performing SCP11 authentication.
+    /// For SCP11b only keyRef and pkSdEcka are required. Note that this does not authenticate the off-card entity.
+    /// For SCP11a and SCP11c the off-card entity CA key reference must be provided, as well as the off-card entity secret key and certificate chain.
+    /// </summary>
+    public sealed class Scp11KeyParameters : ScpKeyParameters, IDisposable
+    {
+        private X509Certificate2[]? _oceCertificates;
+        private bool _disposed;
+
+        /// <summary>
+        /// The public key of the Security Domain Elliptic Curve Key Agreement (ECKA) key (SCP11a/b/c). Required.
+        /// <remarks>'pkSdEcka' is short for PublicKey SecurityDomain Elliptic Curve KeyAgreement (Key)</remarks>
+        /// </summary>
+        public ECPublicKeyParameters PkSdEcka { get; private set; }
+
+        /// <summary>
+        /// The key reference of the off-card entity (SCP11a/c). Optional.
+        /// <remarks>'oceKeyReference' is short for Off-Card Entity Key Reference</remarks>
+        /// </summary>
+        public KeyReference? OceKeyReference { get; private set; }
+
+        /// <summary>
+        /// The private key of the off-card entity Elliptic Curve Key Agreement (ECKA) key (SCP11a/c). Optional.
+        /// <remarks>'skOceEcka' is short for Secret Key Off-Card Entity Elliptic Curve KeyAgreement (Key)</remarks>
+        /// </summary>
+        public ECPrivateKeyParameters? SkOceEcka { get; private set; }
+
+        /// <summary>
+        /// The certificate chain, containing the public key for the off-card entity (SCP11a/c).
+        /// </summary>
+        public IReadOnlyList<X509Certificate2>? OceCertificates => _oceCertificates;
+
+        /// <summary>
+        /// Creates a new <see cref="Scp11KeyParameters"/> instance.
+        /// This is used to initiate SCP11A and SCP11C connections.
+        /// </summary>
+        /// <param name="keyReference">The key reference.</param>
+        /// <param name="pkSdEcka">The security domain elliptic curve key agreement key public key.</param>
+        /// <param name="oceKeyReference">The off-card entity key reference. Optional.</param>
+        /// <param name="skOceEcka">The off-card entity elliptic curve key agreement key private key. Optional.</param>
+        /// <param name="certificates">The off-card entity certificate chain. Optional.</param>
+        public Scp11KeyParameters(
+            KeyReference keyReference,
+            ECPublicKeyParameters pkSdEcka,
+            KeyReference? oceKeyReference = null,
+            ECPrivateKeyParameters? skOceEcka = null,
+            IEnumerable<X509Certificate2>? certificates = null)
+            : base(keyReference)
+        {
+            PkSdEcka = pkSdEcka;
+            OceKeyReference = oceKeyReference;
+            SkOceEcka = skOceEcka;
+            _oceCertificates = certificates?.ToArray();
+
+            ValidateParameters();
+        }
+
+        /// <summary>
+        /// Creates a new <see cref="Scp11KeyParameters"/> instance for SCP11b.
+        /// </summary>
+        /// <param name="keyReference">The key reference.</param>
+        /// <param name="pkSdEcka">The security domain elliptic curve key agreement key public key.</param>
+        public Scp11KeyParameters(
+            KeyReference keyReference,
+            ECPublicKeyParameters pkSdEcka)
+            : base(keyReference)
+        {
+            PkSdEcka = pkSdEcka;
+
+            ValidateParameters();
+        }
+
+
+        private void ValidateParameters()
+        {
+            switch (KeyReference.Id)
+            {
+                case ScpKeyIds.Scp11B:
+                    if (
+                        OceKeyReference != null ||
+                        SkOceEcka != null ||
+                        OceCertificates?.Count > 0
+                        )
+                    {
+                        throw new ArgumentException($"Cannot provide {nameof(OceKeyReference)}, {nameof(SkOceEcka)} or {nameof(OceCertificates)} for SCP11b");
+                    }
+
+                    break;
+                case ScpKeyIds.Scp11A:
+                case ScpKeyIds.Scp11C:
+                    if (
+                        OceKeyReference == null ||
+                        SkOceEcka == null ||
+                        OceCertificates?.Count == 0
+                        )
+                    {
+                        throw new ArgumentException($"Must provide {nameof(OceKeyReference)}, {nameof(SkOceEcka)} or {nameof(OceCertificates)} for SCP11a/c");
+                    }
+
+                    break;
+                default:
+                    throw new ArgumentException("KID must be 0x11, 0x13, or 0x15 for SCP11");
+            }
+        }
+
+        /// <summary>
+        /// This will clear all references and empty  
+        /// </summary>
+        public void Dispose()
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            CryptographicOperations.ZeroMemory(SkOceEcka?.Parameters.D);
+            PkSdEcka = null!;
+            OceKeyReference = null;
+            SkOceEcka = null;
+            _oceCertificates = null;
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11State.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11State.cs
new file mode 100644
index 000000000..d66956328
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Scp11State.cs
@@ -0,0 +1,363 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using Yubico.Core.Cryptography;
+using Yubico.Core.Iso7816;
+using Yubico.Core.Tlv;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Scp.Commands;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Manages the state for Secure Channel Protocol 11 (SCP11) communication with a YubiKey.
+    /// This class handles key agreement, authentication, and secure messaging between the host
+    /// and the YubiKey using AES-128 encryption and MAC operations. It supports different SCP11
+    /// variants (11a, 11b, 11c) for establishing secure channels with PIV and other smart card
+    /// applications.
+    /// </summary>
+    internal class Scp11State : ScpState
+    {
+        private const int ReceiptTag = 0x86;
+        private const int EckaTag = 0x5F49;
+        private const int KeyAgreementTag = 0xA6;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="Scp11State"/> class with the specified session keys and receipt.
+        /// </summary>
+        /// <param name="sessionKeys">The session keys for secure channel communication.</param>
+        /// <param name="receipt">The receipt data used for verification.</param>
+        public Scp11State(SessionKeys sessionKeys, Memory<byte> receipt)
+            : base(sessionKeys, receipt)
+        {
+        }
+
+        /// <summary>
+        /// Creates a new SCP11 secure channel state by performing key agreement and authentication with the YubiKey.
+        /// </summary>
+        /// <param name="pipeline">The APDU pipeline for communication with the YubiKey.</param>
+        /// <param name="keyParameters">The key parameters required for SCP11 authentication.</param>
+        /// <returns>A new instance of <see cref="Scp11State"/> configured for secure channel communication.</returns>
+        /// <exception cref="ArgumentException">Thrown when key parameters are invalid or incompatible.</exception>
+        /// <exception cref="SecureChannelException">Thrown when secure channel establishment fails.</exception>
+        internal static Scp11State CreateScpState(
+            IApduTransform pipeline,
+            Scp11KeyParameters keyParameters)
+        {
+            // Perform Security Operation, if needed (for Scp11a and Scp11c)
+            if (keyParameters.KeyReference.Id == ScpKeyIds.Scp11A || keyParameters.KeyReference.Id == ScpKeyIds.Scp11C)
+            {
+                PerformSecurityOperation(pipeline, keyParameters);
+            }
+
+            var sdEckaPkParams = keyParameters.PkSdEcka.Parameters;
+
+            // Generate a public and private key using the supplied curve
+            var ekpOceEcka = CryptographyProviders.EcdhPrimitivesCreator()
+                .GenerateKeyPair(sdEckaPkParams.Curve);
+
+            // Create an encoded point of the ephemeral public key to send to the Yubikey
+            byte[] epkOceEckaEncodedPoint = new byte[65];
+            epkOceEckaEncodedPoint[0] = 0x04; // Format identifier byte
+            ekpOceEcka.Q.X.CopyTo(epkOceEckaEncodedPoint, 1);
+            ekpOceEcka.Q.Y.CopyTo(epkOceEckaEncodedPoint, 33);
+
+            // GPC v2.3 Amendment F (SCP11) v1.4 §7.6.2.3
+            byte[] keyUsage = { 0x3C }; // AUTHENTICATED | C_MAC | C_DECRYPTION | R_MAC | R_ENCRYPTION
+            byte[] keyType = { 0x88 }; // AES
+            byte[] keyLen = { 16 }; // 128-bit
+            byte[] keyIdentifier = { 0x11, GetScpIdentifierByte(keyParameters.KeyReference) };
+
+            // Construct the host authentication data (payload)
+            byte[] hostAuthenticateTlvEncodedData = TlvObjects.EncodeMany(
+                new TlvObject(
+                    KeyAgreementTag,
+                    TlvObjects.EncodeMany(
+                        new TlvObject(0x90, keyIdentifier),
+                        new TlvObject(0x95, keyUsage),
+                        new TlvObject(0x80, keyType),
+                        new TlvObject(0x81, keyLen)
+                        )),
+                new TlvObject(EckaTag, epkOceEckaEncodedPoint)
+                );
+
+            // Construct the host authentication command
+            var authenticateCommand = keyParameters.KeyReference.Id == ScpKeyIds.Scp11B
+                ? new InternalAuthenticateCommand(
+                    keyParameters.KeyReference.VersionNumber, keyParameters.KeyReference.Id,
+                    hostAuthenticateTlvEncodedData) as IYubiKeyCommand<ScpResponse>
+                : new ExternalAuthenticateCommand(
+                    keyParameters.KeyReference.VersionNumber, keyParameters.KeyReference.Id,
+                    hostAuthenticateTlvEncodedData) as IYubiKeyCommand<ScpResponse>;
+            
+            // Issue the host authentication command
+            var authenticateResponseApdu = pipeline.Invoke(
+                authenticateCommand.CreateCommandApdu(), authenticateCommand.GetType(), typeof(ScpResponse));
+
+            var authenticateResponse = authenticateCommand.CreateResponseForApdu(authenticateResponseApdu);
+            authenticateResponse.ThrowIfFailed(
+                $"Error when performing {authenticateCommand.GetType().Name}: {authenticateResponse.StatusMessage}");
+
+            // Decode the response as a TLV list
+            var authenticateResponseTlvs = TlvObjects.DecodeList(authenticateResponseApdu.Data.Span);
+
+            // Extract the ephemeral public key from the response
+            var epkSdEckaTlv = authenticateResponseTlvs[0];
+            var epkSdEckaTlvEncodedData = epkSdEckaTlv.GetBytes();
+            var sdReceipt = TlvObjects.UnpackValue(
+                ReceiptTag,
+                authenticateResponseTlvs[1].GetBytes().Span); // Yubikey X963KDF Receipt to match with our own X963KDF
+
+            // Decide which key to use for key agreement
+            var skOceEcka =
+                keyParameters.SkOceEcka?.Parameters ?? // If set, we will use this for SCP11A and SCP11C. 
+                ekpOceEcka; // Otherwise, just use the newly created ephemeral key for SCP11b.
+
+            // Perform key agreement
+            var (encryptionKey, macKey, rMacKey, dekKey)
+                = GetX963KdfKeyAgreementKeys(
+                    skOceEcka.Curve,
+                    sdEckaPkParams,
+                    ekpOceEcka,
+                    skOceEcka,
+                    sdReceipt,
+                    epkSdEckaTlvEncodedData,
+                    hostAuthenticateTlvEncodedData,
+                    keyUsage,
+                    keyType,
+                    keyLen);
+                    
+            // Create the session keys
+            var sessionKeys = new SessionKeys(
+                macKey,
+                encryptionKey,
+                rMacKey,
+                dekKey
+                );
+
+            return new Scp11State(sessionKeys, sdReceipt.ToArray());
+        }
+
+        /// <summary>
+        /// Performs X9.63 Key Derivation Function (KDF) to generate session keys for the secure channel.
+        /// </summary>
+        /// <param name="curve">The elliptic curve used for key agreement.</param>
+        /// <param name="pkSdEcka">The YubiKey's public key parameters.</param>
+        /// <param name="eskOceEcka">The host's ephemeral key pair parameters.</param>
+        /// <param name="skOceEcka">The host's static key pair parameters.</param>
+        /// <param name="sdReceipt">The receipt computed by the YubiKey.</param>
+        /// <param name="epkSdEckaTlvEncodedData">The YubiKey's ephemeral public key in TLV format.</param>
+        /// <param name="hostAuthenticateTlvEncodedData">The host authentication data in TLV format.</param>
+        /// <param name="keyUsage">The intended usage of the derived keys.</param>
+        /// <param name="keyType">The type of keys to be derived.</param>
+        /// <param name="keyLen">The length of keys to be derived.</param>
+        /// <returns>A tuple containing the encryption, MAC, R-MAC, and DEK keys.</returns>
+        /// <exception cref="ArgumentException">Thrown when the curves of the provided keys do not match.</exception>
+        /// <exception cref="SecureChannelException">Thrown when key agreement receipt verification fails.</exception>
+        private static (Memory<byte> encryptionKey, Memory<byte> macKey, Memory<byte> rMacKey, Memory<byte> dekKey)
+            GetX963KdfKeyAgreementKeys(
+            ECCurve curve, // The curve being used for the key agreement
+            ECParameters pkSdEcka, // Yubikey Public Key
+            ECParameters eskOceEcka, // Host Ephemeral Private Key
+            ECParameters skOceEcka, // Host Private Key
+            ReadOnlyMemory<byte> sdReceipt, // The receipt computed on the Yubikey
+            ReadOnlyMemory<byte> epkSdEckaTlvEncodedData, // Yubikey Ephemeral Public Key as Tlv Raw Data
+            ReadOnlyMemory<byte> hostAuthenticateTlvEncodedData,
+            ReadOnlyMemory<byte> keyUsage, // The shared key usage
+            ReadOnlyMemory<byte> keyType, // The shared key type
+            ReadOnlyMemory<byte> keyLen) // The shared key length
+        {
+            bool allKeysAreSameCurve = new[]
+            {
+                pkSdEcka.Curve, // Yubikey Public Key
+                eskOceEcka.Curve, // Host Ephemeral Private Key
+                skOceEcka.Curve // Host Private Key
+            }.All(c => c.Oid.Value == curve.Oid.Value);
+
+            if (!allKeysAreSameCurve)
+            {
+                throw new ArgumentException("All curves must be the same");
+            }
+
+            // Compute key agreement for:
+            // Yubikey Ephemeral Public Key + Host Ephemeral Private Key
+            var ecdhObject = CryptographyProviders.EcdhPrimitivesCreator();
+            var epkSdEcka = ExtractPublicKeyEcParameters(
+                epkSdEckaTlvEncodedData, skOceEcka.Curve); // Yubikey Ephemeral Public Key 
+
+            byte[] keyAgreementFirst = ecdhObject.ComputeSharedSecret(epkSdEcka, eskOceEcka.D);
+
+            // Compute key agreement for:
+            // Yubikey Public Key + Host Private Key
+            byte[] keyAgreementSecond = ecdhObject.ComputeSharedSecret(pkSdEcka, skOceEcka.D);
+
+            byte[] keyMaterial = MergeArrays(keyAgreementFirst, keyAgreementSecond);
+            byte[] keyAgreementData = MergeArrays(hostAuthenticateTlvEncodedData, epkSdEckaTlvEncodedData);
+            byte[] sharedInfo = MergeArrays(keyUsage, keyType, keyLen);
+
+            const int keyCount = 4;
+            var keys = new List<byte[]>(keyCount);
+            byte counter = 1;
+            for (int i = 0; i <= keyCount; i++)
+            {
+                using var hash = CryptographyProviders.Sha256Creator();
+
+                _ = hash.TransformBlock(keyMaterial, 0, keyMaterial.Length, null, 0);
+                _ = hash.TransformBlock(new byte[] { 0, 0, 0, counter }, 0, 4, null, 0);
+                _ = hash.TransformFinalBlock(sharedInfo, 0, sharedInfo.Length);
+
+                Span<byte> digest = hash.Hash;
+                keys.Add(digest[..16].ToArray());
+                keys.Add(digest[16..].ToArray());
+
+                ++counter;
+                CryptographicOperations.ZeroMemory(digest);
+            }
+
+            // Get keys
+            byte[] receiptVerificationKey = keys[0];
+            byte[] encryptionKey = keys[1];
+            byte[] macKey = keys[2];
+            byte[] rmacKey = keys[3];
+            byte[] dekKey = keys[4];
+
+            // Do AES CMAC 
+            using var cmacObj = CryptographyProviders.CmacPrimitivesCreator(CmacBlockCipherAlgorithm.Aes128);
+            
+            Span<byte> oceReceipt = stackalloc byte[16]; 
+            cmacObj.CmacInit(receiptVerificationKey);
+            cmacObj.CmacUpdate(keyAgreementData);
+            cmacObj.CmacFinal(oceReceipt); // Our generated receipt
+
+            if (!CryptographicOperations.FixedTimeEquals(
+                    oceReceipt, sdReceipt.Span)) // Needs to match with the receipt generated by the Yubikey
+            {
+                throw new SecureChannelException(ExceptionMessages.KeyAgreementReceiptMissmatch);
+            }
+
+            return (encryptionKey, macKey, rmacKey, dekKey);
+        }
+
+        /// <summary>
+        /// Extracts EC public key parameters from TLV-encoded data.
+        /// </summary>
+        /// <param name="epkSdEckaTlv">The TLV-encoded public key data.</param>
+        /// <param name="curve">The elliptic curve parameters.</param>
+        /// <returns>The extracted EC parameters containing the public key coordinates.</returns>
+        private static ECParameters ExtractPublicKeyEcParameters(ReadOnlyMemory<byte> epkSdEckaTlv, ECCurve curve)
+        {
+            var epkSdEckaEncodedPoint = TlvObjects.UnpackValue(EckaTag, epkSdEckaTlv.Span);
+            var epkSdEcka = new ECParameters
+            {
+                Curve = curve,
+                Q = new ECPoint
+                {
+                    X = epkSdEckaEncodedPoint.Span[1..33].ToArray(),
+                    Y = epkSdEckaEncodedPoint.Span[33..].ToArray()
+                }
+            };
+
+            return epkSdEcka;
+        }
+
+        /// <summary>
+        /// Gets the standardized SCP identifier for the given key reference.
+        /// As defined in Global Platform Secure Channel Protocol 11 Card Specification v2.3 – Amendment F § 7.1.1
+        /// </summary>
+        /// <param name="keyReference">The key reference to get the identifier for.</param>
+        /// <returns>The SCP identifier byte.</returns>
+        /// <exception cref="ArgumentException">Thrown when the key reference ID is not a valid SCP11 KID.</exception>
+        private static byte GetScpIdentifierByte(KeyReference keyReference) =>
+            keyReference.Id switch
+            {
+                ScpKeyIds.Scp11A => 0b01,
+                ScpKeyIds.Scp11B => 0b00,
+                ScpKeyIds.Scp11C => 0b11,
+                _ => throw new ArgumentException("Invalid SCP11 KID")
+            };
+
+        /// <summary>
+        /// Performs the Security Operation command sequence required for SCP11a and SCP11c authentication.
+        /// </summary>
+        /// <param name="pipeline">The APDU pipeline for communication with the YubiKey.</param>
+        /// <param name="keyParams">The key parameters containing certificates and references.</param>
+        /// <exception cref="ArgumentNullException">Thrown when required key parameters are missing.</exception>
+        /// <exception cref="ArgumentException">Thrown when required certificates are missing.</exception>
+        /// <exception cref="SecureChannelException">Thrown when the security operation fails.</exception>
+        private static void PerformSecurityOperation(IApduTransform pipeline, Scp11KeyParameters keyParams)
+        {
+            // GPC v2.3 Amendment F (SCP11) v1.4 §7.5
+            if (keyParams.SkOceEcka == null)
+            {
+                throw new ArgumentNullException(
+                    nameof(keyParams.SkOceEcka),
+                    "SCP11a and SCP11c require a private key");
+            }
+
+            if (keyParams.OceCertificates == null || keyParams.OceCertificates.Count == 0)
+            {
+                throw new ArgumentException(
+                    "SCP11a and SCP11c require a certificate chain", nameof(keyParams.OceCertificates));
+            }
+
+            int n = keyParams.OceCertificates.Count - 1;
+            var oceRef = keyParams.OceKeyReference ?? new KeyReference(0, 0);
+            for (int i = 0; i <= n; i++)
+            {
+                byte[] certificates = keyParams.OceCertificates[i].RawData;
+                byte oceRefInput = (byte)(oceRef.Id | (i < n
+                    ? 0x80
+                    : 0x00)); // Append 0x80 if more certificates remain to be sent
+
+                var securityOperationCommand = new SecurityOperationCommand(
+                    oceRef.VersionNumber,
+                    oceRefInput,
+                    certificates);
+
+                // Send payload
+                var responseSecurityOperation = pipeline.Invoke(
+                    securityOperationCommand.CreateCommandApdu(),
+                    typeof(SecurityOperationCommand),
+                    typeof(SecurityOperationResponse));
+
+                if (responseSecurityOperation.SW != SWConstants.Success)
+                {
+                    throw new SecureChannelException(
+                        $"Security operation failed. Status: {responseSecurityOperation.SW:X4}");
+                }
+            }
+        }
+
+        /// <summary>
+        /// Combines multiple byte arrays into a single array.
+        /// </summary>
+        /// <param name="values">The arrays to merge.</param>
+        /// <returns>A new array containing all input arrays concatenated in sequence.</returns>
+        private static byte[] MergeArrays(params ReadOnlyMemory<byte>[] values)
+        {
+            using var memoryStream = new MemoryStream();
+            foreach (var bytes in values)
+            {
+                memoryStream.Write(bytes.Span.ToArray(), 0, bytes.Length);
+            }
+
+            return memoryStream.ToArray();
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpConnection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpConnection.cs
new file mode 100644
index 000000000..29d14dbdb
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpConnection.cs
@@ -0,0 +1,88 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Yubico.Core.Devices.SmartCard;
+using Yubico.YubiKey.Pipelines;
+
+namespace Yubico.YubiKey.Scp
+{
+    internal class ScpConnection : SmartCardConnection, IScpYubiKeyConnection
+    {
+        public ScpKeyParameters KeyParameters => _scpApduTransform.KeyParameters;
+
+        EncryptDataFunc IScpYubiKeyConnection.EncryptDataFunc => _scpApduTransform.EncryptDataFunc;
+
+        private bool _disposed;
+        private readonly ScpApduTransform _scpApduTransform;
+
+        public ScpConnection(
+            ISmartCardDevice smartCardDevice,
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters)
+            : base(smartCardDevice, application, null)
+        {
+            var scpPipeline = CreateScpPipeline(keyParameters);
+            var withErrorHandling = CreateParentPipeline(scpPipeline, application);
+
+            // Have the base class use the new error augmented pipeline
+            SetPipeline(withErrorHandling);
+
+            // Setup the full pipeline
+            withErrorHandling.Setup();
+            _scpApduTransform = scpPipeline;
+        }
+
+        private static IApduTransform CreateParentPipeline(IApduTransform pipeline, YubiKeyApplication application)
+        {
+            // Wrap the pipeline with error handling if needed
+            if (application == YubiKeyApplication.Fido2)
+            {
+                return new FidoErrorTransform(pipeline);
+            }
+
+            if (application == YubiKeyApplication.Otp)
+            {
+                return new OtpErrorTransform(pipeline);
+            }
+
+            return pipeline;
+        }
+
+        private ScpApduTransform CreateScpPipeline(ScpKeyParameters keyParameters)
+        {
+            // Get the current pipeline
+            var previousPipeline = GetPipeline();
+
+            // Wrap the pipeline in ScpApduTransform
+            var scpApduTransform = new ScpApduTransform(previousPipeline, keyParameters);
+
+            // Return both pipeline
+            return scpApduTransform;
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            if (!_disposed)
+            {
+                if (disposing)
+                {
+                    _scpApduTransform.Dispose();
+                    _disposed = true;
+                }
+            }
+
+            base.Dispose(disposing);
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyIds.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyIds.cs
new file mode 100644
index 000000000..5034e741c
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyIds.cs
@@ -0,0 +1,68 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Represents common key IDs for Secure Channel Protocol (SCP) keys.
+    /// <para><br/>
+    /// KID '10' for PK.CA-KLOC.ECDSA<br/>
+    /// KID '11' for SK.SD.ECKA used for SCP11a<br/>
+    /// KID '12' for the optional static Key-DEK used with SCP11a only<br/>
+    /// KID '13' for SK.SD.ECKA used for SCP11b<br/>
+    /// KID '14' for the optional static Key-DEK used with SCP11b only<br/>
+    /// KID '15' for SK.SD.ECKA used for SCP11c<br/>
+    /// KID '16' for the optional static Key-DEK used with SCP11c only<br/>
+    /// KID from '20' to '2F' for additional PK.CA-KLOC.ECDSA<br/>
+    /// </para>
+    /// </summary>
+    /// <remarks>See the GlobalPlatform Technology Card Specification v2.3 Amendment F §5.1 Cryptographic Keys for more information on the available KIDs.</remarks>
+    public static class ScpKeyIds
+    {
+        /// <summary>
+        /// Key ID for SCP03 protocol
+        /// </summary>
+        public const byte Scp03 = 0x01;
+
+        /// <summary>
+        /// Key ID '10' for the public key of the certificate authority, also known as 'PK.CA-KLOC.ECDSA'. Needs to be an ECDSA key.
+        /// </summary>
+        public const byte ScpCaPublicKey = 0x10;
+
+        /// <summary>
+        /// Key ID '11' for SK.SD.ECKA used for SCP11a
+        /// </summary>
+        public const byte Scp11A = 0x11;
+
+        /// <summary>
+        /// Key ID '13' for SK.SD.ECKA used for SCP11b
+        /// </summary>
+        public const byte Scp11B = 0x13;
+
+        /// <summary>
+        /// Key ID '14' for the optional static Key-DEK (data encryption key) used with SCP11b only
+        /// </summary>
+        public const byte Scp11BOptionalDek = 0x14;
+
+        /// <summary>
+        /// Key ID '15' for SK.SD.ECKA used for SCP11c
+        /// </summary>
+        public const byte Scp11C = 0x15;
+
+        /// <summary>
+        /// Key ID '16' for the optional static Key-DEK (data encryption key) used with SCP11c only
+        /// </summary>
+        public const byte Scp11COptionalDek = 0x16;
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyParameters.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyParameters.cs
new file mode 100644
index 000000000..ac9406651
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpKeyParameters.cs
@@ -0,0 +1,36 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Abstract base class for parameters for a Secure Channel Protocol (SCP) key.
+    /// </summary>
+    public abstract class ScpKeyParameters
+    {
+        /// <summary>
+        /// The key reference associated with the key parameters.
+        /// </summary>
+        public KeyReference KeyReference { get; }
+
+        /// <summary>
+        /// Creates a new instance of <see cref="ScpKeyParameters"/>.
+        /// </summary>
+        /// <param name="keyReference"></param>
+        protected ScpKeyParameters(KeyReference keyReference)
+        {
+            KeyReference = keyReference;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpState.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpState.cs
new file mode 100644
index 000000000..0f26700ae
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpState.cs
@@ -0,0 +1,196 @@
+using System;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Scp.Helpers;
+
+namespace Yubico.YubiKey.Scp
+{
+    internal abstract class ScpState : IDisposable
+    {
+        /// <summary>
+        /// The session keys for secure channel communication.
+        /// </summary>
+        protected readonly SessionKeys SessionKeys;
+
+        /// <summary>
+        /// The chaining value for the MAC.
+        /// </summary>
+        protected ReadOnlyMemory<byte> MacChainingValue;
+
+        private int _encryptionCounter = 1;
+        private bool _disposed;
+
+        /// <summary>
+        /// Initializes the host-side state for an SCP session.
+        /// </summary>
+        protected ScpState(SessionKeys sessionKeys, ReadOnlyMemory<byte> macChain)
+        {
+            MacChainingValue = macChain;
+            SessionKeys = sessionKeys;
+        }
+
+        /// <summary>
+        /// Encodes (encrypt then MAC) a command using SCP03. Modifies state,
+        /// and must be sent in-order. Must be called after LoadInitializeUpdate.
+        /// </summary>
+        /// <returns></returns>
+        public CommandApdu EncodeCommand(CommandApdu command)
+        {
+            if (SessionKeys == null)
+            {
+                throw new InvalidOperationException(ExceptionMessages.UnknownScpError);
+            }
+
+            if (command is null)
+            {
+                throw new ArgumentNullException(nameof(command));
+            }
+
+            // Create an encrypted APDU
+            var encodedCommand = new CommandApdu
+            {
+                Cla = (byte)(command.Cla | 0x04), //0x04 is for secure-messaging
+                Ins = command.Ins,
+                P1 = command.P1,
+                P2 = command.P2
+            };
+
+            // Encrypt the data
+            var encryptedData = ChannelEncryption.EncryptData(
+                command.Data.Span, SessionKeys.EncKey.Span, _encryptionCounter);
+
+            // Update the encryption counter
+            _encryptionCounter++;
+            encodedCommand.Data = encryptedData;
+
+            // Create a MAC:ed APDU
+            var (macdApdu, newMacChainingValue) = MacApdu(
+                encodedCommand,
+                SessionKeys.MacKey.Span,
+                MacChainingValue.Span);
+
+            // Update the sessions MacChainingValue
+            MacChainingValue = newMacChainingValue;
+
+            return macdApdu;
+        }
+
+        /// <summary>
+        /// Decodes (verify RMAC then decrypt) a raw response from the device.
+        /// </summary>
+        /// <param name="response"></param>
+        /// <returns></returns>
+        public ResponseApdu DecodeResponse(ResponseApdu response)
+        {
+            if (SessionKeys is null)
+            {
+                throw new InvalidOperationException(ExceptionMessages.UnknownScpError);
+            }
+
+            if (response is null)
+            {
+                throw new ArgumentNullException(nameof(response));
+            }
+
+            // If the response is not Success, just return the response. The
+            // standard says, "No R-MAC shall be generated and no protection
+            // shall be applied to a response that includes an error status word:
+            // in this case only the status word shall be returned in the
+            // response."
+            if (response.SW != SWConstants.Success)
+            {
+                return response;
+            }
+
+            // ALWAYS check RMAC before decryption
+            var responseData = response.Data;
+            VerifyRmac(responseData.Span, SessionKeys.RmacKey.Span, MacChainingValue.Span);
+
+            // Initialize decryptedData as an empty array
+            ReadOnlyMemory<byte> decryptedData = Array.Empty<byte>();
+            if (responseData.Length > 8)
+            {
+                // Decrypt the response data if it's longer than 8 bytes
+                int previousEncryptionCounter = _encryptionCounter - 1;
+                decryptedData = ChannelEncryption.DecryptData(
+                    responseData[..^8].Span,
+                    SessionKeys.EncKey.Span,
+                    previousEncryptionCounter
+                    );
+            }
+
+            // Create a new array to hold the decrypted data and status words
+            byte[] fullDecryptedResponse = new byte[decryptedData.Length + 2];
+            decryptedData.CopyTo(fullDecryptedResponse);
+
+            // Append the status words to the decrypted data
+            fullDecryptedResponse[decryptedData.Length] = response.SW1;
+            fullDecryptedResponse[decryptedData.Length + 1] = response.SW2;
+
+            // Return a new ResponseApdu with the decrypted data and status words
+            return new ResponseApdu(fullDecryptedResponse);
+        }
+
+        /// <summary>
+        /// Get the encryptor to encrypt any data for a SCP command.
+        /// </summary>
+        /// <returns>
+        /// An encryptor function that takes the plaintext as a parameter and
+        /// returns the encrypted data.
+        /// </returns>
+        /// <exception cref="InvalidOperationException">
+        /// If the data encryption key has not been set on the session keys.
+        /// </exception>
+        public EncryptDataFunc GetDataEncryptor()
+        {
+            if (!SessionKeys.DataEncryptionKey.HasValue)
+            {
+                throw new InvalidOperationException(ExceptionMessages.UnknownScpError);
+            }
+
+            return plainText => AesUtilities.AesCbcEncrypt(
+                SessionKeys.DataEncryptionKey.Value.Span,
+                new byte[16],
+                plainText.Span);
+        }
+
+        /// <summary>
+        /// Performs the MAC on the APDU
+        /// </summary>
+        /// <param name="commandApdu"></param>
+        /// <param name="macKey"></param>
+        /// <param name="macChainingValue"></param>
+        /// <returns></returns>
+        protected static (CommandApdu macdApdu, ReadOnlyMemory<byte> newMacChainingValue) MacApdu(
+            CommandApdu commandApdu,
+            ReadOnlySpan<byte> macKey,
+            ReadOnlySpan<byte> macChainingValue) =>
+            ChannelMac.MacApdu(commandApdu, macKey, macChainingValue);
+
+        private static void VerifyRmac(
+            ReadOnlySpan<byte> responseData,
+            ReadOnlySpan<byte> rmacKey,
+            ReadOnlySpan<byte> macChainingValue) =>
+            ChannelMac.VerifyRmac(responseData, rmacKey, macChainingValue);
+
+        public virtual void Dispose()
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            SessionKeys.Dispose();
+            MacChainingValue = Array.Empty<byte>();
+
+            GC.SuppressFinalize(this);
+            _disposed = true;
+        }
+    }
+
+    /// <summary>
+    /// This delegate is used to encrypt data with the session keys
+    /// <seealso cref="ScpState.GetDataEncryptor"/>
+    /// </summary>
+    internal delegate ReadOnlyMemory<byte> EncryptDataFunc(ReadOnlyMemory<byte> data);
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecureChannelException.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecureChannelException.cs
new file mode 100644
index 000000000..712aa2eb7
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecureChannelException.cs
@@ -0,0 +1,41 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Represents errors that occur during encoding or decoding data for SCP.
+    /// </summary>
+    public class SecureChannelException : Exception
+    {
+        public SecureChannelException()
+        {
+
+        }
+
+        public SecureChannelException(string message) :
+            base($"SCP CardDataException: {message}")
+        {
+
+        }
+
+        public SecureChannelException(string message, Exception e) :
+            base($"SCP CardDataException: {message}", e)
+        {
+
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecurityDomainSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecurityDomainSession.cs
new file mode 100644
index 000000000..453c56a53
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SecurityDomainSession.cs
@@ -0,0 +1,901 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Logging;
+using Yubico.Core.Buffers;
+using Yubico.Core.Iso7816;
+using Yubico.Core.Logging;
+using Yubico.Core.Tlv;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Scp.Commands;
+using DeleteKeyCommand = Yubico.YubiKey.Scp.Commands.DeleteKeyCommand;
+using GetDataCommand = Yubico.YubiKey.Scp.Commands.GetDataCommand;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Create a session for managing the SCP configuration of a YubiKey.
+    /// </summary>
+    /// <remarks>
+    /// See the <xref href="UsersManualScp">User's Manual entry</xref> on SCP.
+    /// <para>
+    /// Usually, you use SCP "in the background" to secure the communication
+    /// with another application. For example, when you want to perform PIV
+    /// operations, but need to send the commands to and get the responses from
+    /// the YubiKey securely (such as sending commands remotely where
+    /// authenticity and confidentiality are required), you use SCP.
+    /// <code language="csharp">
+    ///   if (YubiKeyDevice.TryGetYubiKey(serialNumber, out IYubiKeyDevice yubiKeyDevice))
+    ///   {
+    ///       using (var pivSession = new PivSession(scpDevice, scpKeys))
+    ///       {
+    ///         . . .
+    ///       }
+    ///   }
+    /// </code>
+    /// </para>
+    /// <para>
+    /// However, there are times you need to manage the configuration of SCP
+    /// directly, not as simply the security layer for a PIV or other
+    /// applications. The most common operations are loading and deleting SCP
+    /// key sets on the YubiKey.
+    /// </para>
+    /// <para>
+    /// For the SCP configuration management operations, use the
+    /// <c>ScpSession</c> class.
+    /// </para>
+    /// <para>
+    /// Once you have the YubiKey to use, you will build an instance of this
+    /// <c>ScpSession</c> class to represent the SCP on the hardware.
+    /// Because this class implements <c>IDisposable</c>, use the <c>using</c>
+    /// keyword. For example,
+    /// <code language="csharp">
+    ///   if (YubiKeyDevice.TryGetYubiKey(serialNumber, out IYubiKeyDevice yubiKeyDevice))
+    ///   {
+    ///       var scpKeys = new StaticKeys();
+    ///       using (var scp = new ScpSession(yubiKeyDevice, scpKeys))
+    ///       {
+    ///           // Perform SCP operations.
+    ///       }
+    ///   }
+    /// </code>
+    /// </para>
+    /// <para>
+    /// If the YubiKey does not support SCP, the constructor will throw an
+    /// exception.
+    /// </para>
+    /// <para>
+    /// If the StaticKeys provided are not correct, the constructor will throw an
+    /// exception.
+    /// </para>
+    /// </remarks>
+    public sealed class SecurityDomainSession : ApplicationSession
+    {
+        #region Tags
+
+        private const byte EcKeyType = 0xF0;
+        private const byte EcPublicKeyKeyType = 0xB0;
+        private const byte EcPrivateKeyKeyType = 0xB1;
+        private const byte AesKeyType = 0x88;
+        private const byte ControlReferenceTag = 0xA6;
+        private const byte KidKvnTag = 0x83;
+        private const byte KeyInformationTag = 0xE0;
+        private const byte SerialsAllowListTag = 0x70;
+        private const byte SerialTag = 0x93;
+        private const byte CardDataTag = 0x66;
+        private const byte CardRecognitionDataTag = 0x73;
+        private const ushort CertificateStoreTag = 0xBF21;
+        private const ushort CaKlocIdentifiersTag = 0xFF33; // Key Loading OCE Certificate
+        private const ushort CaKlccIdentifiersTag = 0xFF34; // Key Loading Card Certificate
+
+        #endregion
+
+        /// <summary>
+        /// Get the encryptor to encrypt any data for an SCP command.
+        /// <seealso cref="EncryptDataFunc"/>
+        /// </summary>
+        /// <returns>
+        /// An encryptor function that takes the plaintext as a parameter and
+        /// returns the encrypted data.
+        /// </returns>
+        /// <exception cref="InvalidOperationException">
+        /// If the data encryption key has not been set on the session keys.
+        /// </exception>
+        private EncryptDataFunc EncryptData
+        {
+            get
+            {
+                if (Connection is IScpYubiKeyConnection scpConnection)
+                {
+                    return scpConnection.EncryptDataFunc;
+                }
+
+                throw new InvalidOperationException("No secure connection initialized.");
+            }
+        }
+
+        /// <summary>
+        /// Create an unauthenticated instance of <see cref="SecurityDomainSession"/>, the object that
+        /// represents SCP on the YubiKey.
+        /// </summary>
+        /// <remarks>Sessions created from this constructor will not be able to perform operations which require authentication
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.</para>
+        /// </remarks>
+        /// <param name="yubiKey">
+        /// The object that represents the actual YubiKey which will perform the
+        /// operations.
+        /// </param>
+        /// <exception cref="ArgumentNullException">
+        /// The <c>yubiKey</c> argument is null.
+        /// </exception>
+        public SecurityDomainSession(IYubiKeyDevice yubiKey)
+            : base(Log.GetLogger<SecurityDomainSession>(), yubiKey, YubiKeyApplication.SecurityDomain, null)
+        {
+        }
+
+        /// <summary>
+        /// Create an instance of <see cref="SecurityDomainSession"/>, the object that
+        /// represents SCP on the YubiKey.
+        /// </summary>
+        /// <remarks>
+        /// See the <xref href="UsersManualScp">User's Manual entry</xref> on SCP.
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information on SCP.</para>
+        /// <para>
+        /// Because this class implements <c>IDisposable</c>, use the <c>using</c>
+        /// keyword. For example,
+        /// <code language="csharp">
+        ///   if (YubiKeyDevice.TryGetYubiKey(serialNumber, out IYubiKeyDevice yubiKeyDevice))
+        ///   {
+        ///       using (var scp = new SecurityDomainSession(yubiKeyDevice, Scp03KeyParameters.DefaultKey))
+        ///       {
+        ///           // Perform SCP operations while authenticated with SCP03
+        ///       }
+        ///   }
+        /// </code>
+        /// </para>
+        /// </remarks>
+        /// <param name="yubiKey">
+        /// The object that represents the actual YubiKey which will perform the
+        /// operations.
+        /// </param>
+        /// <param name="scpKeyParameters">
+        /// The shared secret keys that will be used to authenticate the caller
+        /// and encrypt the communications.
+        /// </param>
+        /// <exception cref="ArgumentNullException">
+        /// The <c>yubiKey</c> or <c>scpKeys</c> argument is null.
+        /// </exception>
+        public SecurityDomainSession(IYubiKeyDevice yubiKey, ScpKeyParameters scpKeyParameters)
+            : base(Log.GetLogger<SecurityDomainSession>(), yubiKey, YubiKeyApplication.SecurityDomain, scpKeyParameters)
+        {
+        }
+
+        /// <summary>
+        /// Puts an SCP03 key set onto the YubiKey using the Security Domain.
+        /// </summary>
+        /// <param name="keyReference">The key reference identifying where to store the key.</param>
+        /// <param name="staticKeys">The new SCP03 key set to store.</param>
+        /// <param name="replaceKvn">The key version number to replace, or 0 for a new key.</param>
+        /// <exception cref="ArgumentException">Thrown when the KID is not 0x01 for SCP03 key sets.</exception>
+        /// <exception cref="SecureChannelException">Thrown when the new key set's checksum failed to verify, or some other SCP related error
+        /// described in the exception message.</exception>
+        public void PutKey(KeyReference keyReference, StaticKeys staticKeys, int replaceKvn)
+        {
+            Logger.LogInformation("Importing SCP03 key set into KeyReference {KeyReference}", keyReference);
+
+            if (keyReference.Id != ScpKeyIds.Scp03)
+            {
+                throw new ArgumentException("Key ID (KID) must be 0x01 for SCP03 key sets");
+            }
+
+            using var dataStream = new MemoryStream();
+            using var dataWriter = new BinaryWriter(dataStream);
+            using var expectedKcvStream = new MemoryStream();
+            using var expectedKcvWriter = new BinaryWriter(expectedKcvStream);
+
+            // Write KVN
+            dataWriter.Write(keyReference.VersionNumber);
+            expectedKcvWriter.Write(keyReference.VersionNumber);
+
+            Span<byte> kcvInput = stackalloc byte[16];
+            ReadOnlySpan<byte> kvcZeroIv = stackalloc byte[16];
+            kcvInput.Fill(1);
+
+            // Process all keys
+            foreach (var key in new[]
+                     {
+                         staticKeys.ChannelEncryptionKey,
+                         staticKeys.ChannelMacKey,
+                         staticKeys.DataEncryptionKey
+                     })
+            {
+                // Key check value (KCV) is first 3 bytes of encrypted test vector
+                var kcv = AesUtilities.AesCbcEncrypt(
+                    key.Span,
+                    kvcZeroIv,
+                    kcvInput)[..3];
+
+                // Encrypt the key using session encryptor
+                var encryptedKey = EncryptData(key);
+
+                // Write key structure
+                var tlvData = new TlvObject(AesKeyType, encryptedKey.Span.ToArray()).GetBytes();
+                dataWriter.Write(tlvData.ToArray());
+
+                // Write KCV
+                byte[] kcvData = kcv.ToArray();
+                dataWriter.Write((byte)kcvData.Length);
+                dataWriter.Write(kcvData);
+
+                // Add KCV to expected response
+                expectedKcvWriter.Write(kcvData);
+            }
+
+            ReadOnlyMemory<byte> commandData = dataStream.ToArray().AsMemory();
+            byte p2 = (byte)(0x80 | keyReference.Id); // OR with 0x80 indicates that we're sending multiple keys
+
+            var command = new PutKeyCommand((byte)replaceKvn, p2, commandData);
+            var response = Connection.SendCommand(command);
+            response.ThrowIfFailed("Error when importing key");
+
+            var responseKcvData = response.GetData().Span;
+            ReadOnlySpan<byte> expectedKcvData = expectedKcvStream.ToArray().AsSpan();
+            ValidateCheckSum(expectedKcvData, responseKcvData);
+
+            Logger.LogInformation("Successfully put static keys for Key Reference: {KeyReference}", keyReference);
+        }
+
+        /// <summary>
+        /// Puts an EC private key onto the YubiKey using the Security Domain.
+        /// </summary>
+        /// <param name="keyReference">The key reference identifying where to store the key.</param>
+        /// <param name="privateKeyParameters">The EC private key parameters to store.</param>
+        /// <param name="replaceKvn">The key version number to replace, or 0 for a new key.</param>
+        /// <exception cref="ArgumentException">Thrown when the private key is not of type NIST P-256.</exception>
+        /// <exception cref="InvalidOperationException">Thrown when no secure session is established.</exception>
+        /// <exception cref="SecureChannelException">Thrown when the new key set's checksum failed to verify,
+        /// or some other SCP related error described in the exception message.
+        /// </exception>
+        public void PutKey(KeyReference keyReference, ECPrivateKeyParameters privateKeyParameters, int replaceKvn)
+        {
+            Logger.LogInformation("Importing SCP11 private key into Key Reference: {KeyReference}", keyReference);
+
+            var privateKey = privateKeyParameters.Parameters;
+            if (privateKey.Curve.Oid.Value != ECCurve.NamedCurves.nistP256.Oid.Value)
+            {
+                throw new ArgumentException("Private key must be of type NIST P-256");
+            }
+
+            try
+            {
+                // Prepare the command data
+                using var commandDataStream = new MemoryStream();
+                using var commandDataWriter = new BinaryWriter(commandDataStream);
+
+                // Write the key version number
+                commandDataWriter.Write(keyReference.VersionNumber);
+
+                // Convert the private key to bytes and encrypt it
+                var privateKeyBytes = privateKey.D.AsMemory();
+                try
+                {
+                    // Must be encrypted with the active sessions data encryption key
+                    var encryptedKey = EncryptData(privateKeyBytes);
+                    var privateKeyTlv = new TlvObject(EcPrivateKeyKeyType, encryptedKey.Span).GetBytes();
+                    commandDataWriter.Write(privateKeyTlv.ToArray());
+                }
+                finally
+                {
+                    CryptographicOperations.ZeroMemory(privateKeyBytes.Span);
+                }
+
+                // Write the EC parameters
+                var paramsTlv = new TlvObject(EcKeyType, new byte[] { 0x00 }).GetBytes();
+                commandDataWriter.Write(paramsTlv.ToArray());
+                commandDataWriter.Write((byte)0);
+
+                // Create and send the command
+                var command = new PutKeyCommand((byte)replaceKvn, keyReference.Id, commandDataStream.ToArray());
+                var response = Connection.SendCommand(command);
+                response.ThrowIfFailed("Error when importing key");
+
+                // Get and validate the response
+                var responseData = response.GetData();
+                Span<byte> expectedResponseData = new[] { keyReference.VersionNumber };
+                ValidateCheckSum(responseData.Span, expectedResponseData);
+
+                Logger.LogInformation("Successfully put private key for Key Reference: {KeyReference}", keyReference);
+            }
+            catch (Exception ex)
+            {
+                Logger.LogError(ex, "Failed to put private key for Key Reference: {KeyReference}", keyReference);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Puts an EC public key onto the YubiKey using the Security Domain.
+        /// </summary>
+        /// <param name="keyReference">The key reference identifying where to store the key.</param>
+        /// <param name="publicKeyParameters">The EC public key parameters to store.</param>
+        /// <param name="replaceKvn">The key version number to replace, or 0 for a new key.</param>
+        /// <exception cref="ArgumentException">Thrown when the public key is not of type SECP256R1.</exception>
+        /// <exception cref="InvalidOperationException">Thrown when no secure session is established.</exception>
+        /// <exception cref="SecureChannelException">Thrown when the new key set's checksum failed to verify, or some other SCP related error
+        /// described in the exception message.</exception>
+        public void PutKey(KeyReference keyReference, ECPublicKeyParameters publicKeyParameters, int replaceKvn)
+        {
+            Logger.LogInformation("Importing SCP11 public key into KeyReference: {KeyReference}", keyReference);
+
+            var pkParams = publicKeyParameters.Parameters;
+            if (pkParams.Curve.Oid.Value != ECCurve.NamedCurves.nistP256.Oid.Value)
+            {
+                throw new ArgumentException("Public key must be of type NIST P-256");
+            }
+
+            try
+            {
+                using var commandDataMs = new MemoryStream();
+                using var commandDataWriter = new BinaryWriter(commandDataMs);
+
+                // Write the key version number
+                commandDataWriter.Write(keyReference.VersionNumber);
+
+                // Write the EC public key
+                var publicKeyTlvData =
+                    new TlvObject(EcPublicKeyKeyType, publicKeyParameters.GetBytes().Span).GetBytes();
+
+                commandDataWriter.Write(publicKeyTlvData.ToArray());
+
+                // Write the EC parameters
+                var paramsTlv = new TlvObject(EcKeyType, new byte[1]).GetBytes();
+                commandDataWriter.Write(paramsTlv.ToArray());
+                commandDataWriter.Write((byte)0);
+
+                // Create and send the command
+                byte[] commandData = commandDataMs.ToArray();
+                var command = new PutKeyCommand((byte)replaceKvn, keyReference.Id, commandData);
+                var response = Connection.SendCommand(command);
+                response.ThrowIfFailed("Error when importing key");
+
+                // Get and validate the response
+                var responseData = response.GetData();
+                Span<byte> expectedResponseData = new[] { keyReference.VersionNumber };
+
+                ValidateCheckSum(responseData.Span, expectedResponseData);
+
+                Logger.LogInformation("Successfully put public key for KeyReference: {KeyReference}", keyReference);
+            }
+            catch (Exception ex)
+            {
+                Logger.LogError(ex, "Failed to put public key for KeyReference: {KeyReference}", keyReference);
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Delete one (or more) keys matching the specified criteria.
+        /// </summary>
+        /// <remarks>
+        /// All keys matching the given KID (Key ID) and/or KVN (Key Version Number) will be deleted,
+        /// where 0 is treated as a wildcard. For SCP03 keys, they can only be deleted by KVN.
+        /// </remarks>
+        /// <param name="keyReference">A reference to the key(s) to delete.</param>
+        /// <param name="deleteLast">Must be true if deleting the final key, false otherwise.</param>
+        /// <exception cref="ArgumentException">
+        /// Thrown when both KID and KVN are 0, or when attempting to delete SCP03 keys by KID.
+        /// </exception>
+        /// <exception cref="SecureChannelException">
+        /// Thrown when the delete operation fails.
+        /// </exception>
+        public void DeleteKey(KeyReference keyReference, bool deleteLast = false)
+        {
+            if (keyReference.Id == 0 && keyReference.VersionNumber == 0)
+            {
+                throw new ArgumentException("At least one of KID, KVN must be nonzero");
+            }
+
+            Logger.LogInformation("Deleting keys (KeyReference: {KeyReference})", keyReference);
+
+            byte kid = keyReference.Id;
+            byte kvn = keyReference.VersionNumber;
+
+            // Special handling for SCP03 keys (1, 2, 3)
+            if (kid == 1 || kid == 2 || kid == 3)
+            {
+                if (kvn != 0)
+                {
+                    kid = 0;
+                }
+                else
+                {
+                    throw new ArgumentException("SCP03 keys can only be deleted by KVN");
+                }
+            }
+
+            Logger.LogDebug("Deleting keys matching keys (KeyReference: {KeyReference})", keyReference);
+
+            // Build TLV list for command data
+            var tlvList = new List<TlvObject>();
+            if (kid != 0)
+            {
+                tlvList.Add(new TlvObject(0xD0, new[] { kid }));
+            }
+
+            if (kvn != 0)
+            {
+                tlvList.Add(new TlvObject(0xD2, new[] { kvn }));
+            }
+
+            byte[] data = TlvObjects.EncodeList(tlvList);
+            var command = new DeleteKeyCommand(data, deleteLast);
+            var response = Connection.SendCommand(command);
+            response.ThrowIfFailed("Error deleting key");
+
+            Logger.LogInformation("Keys deleted (KeyReference: {KeyReference})", keyReference);
+        }
+
+        /// <summary>
+        /// Generate a new EC key pair for the given key reference.
+        /// </summary>
+        /// <remarks>
+        /// GlobalPlatform has no command to generate key pairs on the card itself. This is a
+        /// Yubico extension that tries to mimic the format of the GPC PUT KEY
+        /// command.
+        /// </remarks>
+        /// <param name="keyReference">The KID-KVN pair of the key that should be generated.</param>
+        /// <param name="replaceKvn">The key version number of the key set that should be replaced, or 0 to generate a new key pair.</param>
+        /// <returns>The parameters of the generated key, including the curve and the public point.</returns>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public ECPublicKeyParameters GenerateEcKey(KeyReference keyReference, byte replaceKvn)
+        {
+            Logger.LogInformation(
+                "Generating new key for {KeyReference}{ReplaceMessage}",
+                keyReference,
+                replaceKvn == 0
+                    ? string.Empty
+                    : $", replacing KVN=0x{replaceKvn:X2}");
+
+            // Create tlv data for the command
+            var ecParamsTlv = new TlvObject(EcKeyType, new byte[1]).GetBytes();
+            byte[] generateEcCommandData = new byte[ecParamsTlv.Length + 1];
+            generateEcCommandData[0] = keyReference.VersionNumber;
+            ecParamsTlv.CopyTo(generateEcCommandData.AsMemory(1));
+
+            // Create and send the command
+            var command = new GenerateEcKeyCommand(replaceKvn, keyReference.Id, generateEcCommandData);
+            var response = Connection.SendCommand(command);
+            response.ThrowIfFailed("Error generating key");
+
+            // Parse the response, extract the public point
+            var tlvReader = new TlvReader(response.GetData());
+            var encodedPoint = tlvReader.ReadValue(EcPublicKeyKeyType).Span;
+
+            // Create the ECParameters with the public point
+            var ecPublicKey = encodedPoint.CreateECPublicKeyFromBytes();
+
+            Logger.LogInformation("Key generated (KeyReference: {KeyReference})", keyReference);
+            return ecPublicKey;
+        }
+
+        /// <summary>
+        /// Store the SKI (Subject Key Identifier) for the CA of a given key.
+        /// Requires off-card entity verification.
+        /// </summary>
+        /// <param name="keyReference">A reference to the key for which to store the CA issuer.</param>
+        /// <param name="ski">The Subject Key Identifier to store.</param>
+        public void StoreCaIssuer(KeyReference keyReference, ReadOnlyMemory<byte> ski)
+        {
+            Logger.LogDebug("Storing CA issuer SKI (KeyReference: {KeyReference})", keyReference);
+
+            byte klcc = 0; // Key Loading Card Certificate
+            switch (keyReference.Id)
+            {
+                case ScpKeyIds.Scp11A:
+                case ScpKeyIds.Scp11B:
+                case ScpKeyIds.Scp11C:
+                    klcc = 1;
+                    break;
+            }
+
+            // Create and serialize data
+            var caIssuerData = new TlvObject(
+                ControlReferenceTag, TlvObjects.EncodeList(
+                    new List<TlvObject>
+                    {
+                        new TlvObject(0x80, new[] { klcc }),
+                        new TlvObject(0x42, ski.Span),
+                        new TlvObject(KidKvnTag, keyReference.GetBytes.Span)
+                    }
+                    )).GetBytes();
+
+            // Send store data command
+            StoreData(caIssuerData);
+
+            Logger.LogInformation("CA issuer SKI stored (KeyReference: {KeyReference})", keyReference);
+        }
+
+        /// <summary>
+        /// Store a list of certificates associated with the given key reference using the GlobalPlatform STORE DATA command.
+        /// </summary>
+        /// <param name="keyReference">The key reference associated with the certificates.</param>
+        /// <param name="certificates">The certificates to store.</param>
+        /// <remarks>
+        /// The certificates will be stored in the order they are provided in the list.
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.</para>
+        /// </remarks>
+        /// <exception cref="ArgumentException">Thrown when certificatedata</exception>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public void StoreCertificates(KeyReference keyReference, IReadOnlyList<X509Certificate2> certificates)
+        {
+            Logger.LogDebug("Storing certificate bundle (KeyReference: {KeyReference})", keyReference);
+
+            // Write each certificate to a memory stream
+            using var ms = new MemoryStream();
+            foreach (var cert in certificates)
+            {
+                try
+                {
+                    byte[] certTlvEncoded = cert.GetRawCertData(); // ASN.1 DER (TLV) encoded certificate
+                    ms.Write(certTlvEncoded, 0, certTlvEncoded.Length);
+                }
+                catch (CryptographicException e)
+                {
+                    throw new ArgumentException("Failed to get encoded version of certificate", e);
+                }
+            }
+
+            // Create and serialize data
+            Memory<byte> certDataEncoded = TlvObjects.EncodeMany(
+                new TlvObject(ControlReferenceTag, new TlvObject(KidKvnTag, keyReference.GetBytes.Span).GetBytes().Span),
+                new TlvObject(CertificateStoreTag, ms.ToArray())
+                );
+
+            StoreData(certDataEncoded);
+
+            Logger.LogInformation("Certificate bundle stored (KeyReference: {KeyReference})", keyReference);
+        }
+
+        /// <summary>
+        /// Stores an allowlist of certificate serial numbers for a specified key reference using the GlobalPlatform STORE DATA command.
+        /// </summary>
+        /// <remarks>
+        /// This method requires off-card entity verification. If an allowlist is not stored, any
+        /// certificate signed by the CA can be used.
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.</para>
+        /// </remarks>
+        /// <param name="keyReference">A reference to the key for which the allowlist will be stored.</param>
+        /// <param name="serials">The list of certificate serial numbers (in hexadecimal string format) to be stored in the allowlist for the given <see cref="KeyReference"/>.</param>
+        /// <exception cref="ArgumentException">Thrown when a serial number cannot be encoded properly.</exception>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public void StoreAllowlist(KeyReference keyReference, IReadOnlyCollection<string> serials)
+        {
+            Logger.LogDebug("Storing allow list (KeyReference: {KeyReference})", keyReference);
+
+            using var ms = new MemoryStream();
+            foreach (string? serial in serials)
+            {
+                try
+                {
+                    byte[] serialAsBytes = Base16.DecodeText(serial);
+                    byte[] serialTlvEncoded = new TlvObject(SerialTag, serialAsBytes).GetBytes().ToArray();
+                    ms.Write(serialTlvEncoded, 0, serialTlvEncoded.Length);
+                }
+                catch (CryptographicException e)
+                {
+                    throw new ArgumentException("Failed to get encoded version of certificate", e);
+                }
+            }
+
+            Memory<byte> serialsDataEncoded = TlvObjects.EncodeMany(
+                new TlvObject(ControlReferenceTag, new TlvObject(KidKvnTag, keyReference.GetBytes.Span).GetBytes().Span),
+                new TlvObject(SerialsAllowListTag, ms.ToArray())
+                );
+
+            StoreData(serialsDataEncoded);
+
+            Logger.LogInformation("Allow list stored (KeyReference: {KeyReference})", keyReference);
+        }
+
+        /// <summary>
+        /// Clears the allow list for the given <see cref="KeyReference"/>
+        /// </summary>
+        /// <seealso cref="StoreAllowlist"/>
+        /// <param name="keyReference">The key reference that holds the allow list</param>
+        public void ClearAllowList(KeyReference keyReference) => StoreAllowlist(keyReference, Array.Empty<string>());
+
+        /// <summary>
+        /// Stores data in the Security Domain or targeted Application on the YubiKey using the GlobalPlatform STORE DATA command.
+        /// </summary>
+        /// <remarks>
+        /// The STORE DATA command is used to transfer data to either the Security Domain itself or to an Application 
+        /// being personalized. The data must be formatted as BER-TLV structures according to ISO 8825.
+        /// <para>
+        /// This implementation:
+        /// - Uses a single block transfer (P1.b8=1 indicating last block)
+        /// - Requires BER-TLV formatted data (P1.b5-b4=10)
+        /// - Does not provide encryption information (P1.b7-b6=00)
+        /// </para>
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.</para>
+        /// The <see cref="SecurityDomainSession"/> makes use of this method to store data in the Security Domain. Such as the <see cref="StoreCaIssuer"/>, <see cref="StoreCertificates"/>, <see cref="StoreAllowlist"/>, and other data.
+        /// </remarks>
+        /// <param name="data">
+        /// The data to be stored, which must be formatted as BER-TLV structures according to ISO 8825.
+        /// </param>
+        /// <exception cref="InvalidOperationException">
+        /// Thrown when no secure connection is available or the security context is invalid.
+        /// </exception>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public void StoreData(ReadOnlyMemory<byte> data)
+        {
+            Logger.LogInformation("Storing data with length:{Length}", data.Length);
+
+            var command = new StoreDataCommand(data);
+            var response = Connection.SendCommand(command);
+            response.ThrowIfFailed("Error storing data");
+        }
+
+        /// <summary>
+        /// Retrieves the key information stored in the YubiKey and returns it in a dictionary format.
+        /// </summary>
+        /// <returns>A read only dictionary containing the KeyReference as the key and a dictionary of key components as the value.</returns>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public IReadOnlyDictionary<KeyReference, Dictionary<byte, byte>> GetKeyInformation()
+        {
+            Logger.LogInformation("Getting key information");
+
+            var keyInformation = new Dictionary<KeyReference, Dictionary<byte, byte>>();
+
+            var getDataResult = GetData(KeyInformationTag);
+            var tlvList = TlvObjects.DecodeList(getDataResult.Span);
+            foreach (var tlvObject in tlvList)
+            {
+                var value = TlvObjects.UnpackValue(0xC0, tlvObject.GetBytes().Span);
+                var keyReference = new KeyReference(value.Span[0], value.Span[1]);
+                var keyComponents = new Dictionary<byte, byte>();
+
+                var currentValue = value.Span[2..];
+                while (!currentValue.IsEmpty)
+                {
+                    keyComponents.Add(currentValue[0], currentValue[1]);
+                    currentValue = currentValue[2..];
+                }
+
+                keyInformation.Add(keyReference, keyComponents);
+            }
+
+            Logger.LogInformation("Key information retrieved");
+
+            return keyInformation;
+        }
+
+        /// <summary>
+        /// Retrieves the certificates associated with the given <paramref name="keyReference"/>.
+        /// </summary>
+        /// <param name="keyReference">The key reference for which the certificates should be retrieved.</param>
+        /// <returns>A list of X.509 certificates associated with the key reference. The leaf certificate is the last certificate in the list</returns>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public IReadOnlyList<X509Certificate2> GetCertificates(KeyReference keyReference)
+        {
+            Logger.LogInformation("Getting certificates for key={KeyReference}", keyReference);
+
+            var nestedTlv = new TlvObject(
+                ControlReferenceTag,
+                new TlvObject(KidKvnTag, keyReference.GetBytes.Span).GetBytes().Span
+                ).GetBytes();
+
+            var certificateTlvData = GetData(CertificateStoreTag, nestedTlv);
+            var certificateTlvList = TlvObjects.DecodeList(certificateTlvData.Span);
+
+            Logger.LogInformation("Certificates retrieved (KeyReference: {KeyReference})", keyReference);
+            return certificateTlvList
+                .Select(tlv => new X509Certificate2(tlv.GetBytes().ToArray()))
+                .ToList();
+        }
+
+        /// <summary>
+        /// Gets the supported CA identifiers for KLOC and/or KLCC.
+        /// </summary>
+        /// <param name="kloc">Whether to retrieve Key Loading OCE Certificate (KLOC) identifiers.</param>
+        /// <param name="klcc">Whether to retrieve Key Loading Card Certificate (KLCC) identifiers.</param>
+        /// <returns>A dictionary of KeyReference and byte arrays representing the CA identifiers.</returns>
+        /// <exception cref="ArgumentException">Thrown when both kloc and klcc are false.</exception>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public IReadOnlyDictionary<KeyReference, ReadOnlyMemory<byte>> GetSupportedCaIdentifiers(bool kloc, bool klcc)
+        {
+            if (!kloc && !klcc)
+            {
+                throw new ArgumentException("At least one of kloc and klcc must be true");
+            }
+
+            Logger.LogDebug("Getting CA identifiers KLOC={Kloc}, KLCC={Klcc}", kloc, klcc);
+
+            var ms = new MemoryStream();
+            if (kloc)
+            {
+                var response = ExecuteGetDataCommand(CaKlocIdentifiersTag);
+                switch (response.Status)
+                {
+                    case ResponseStatus.Success:
+                        var klocData = response.GetData();
+                        ms.Write(klocData.Span.ToArray(), 0, klocData.Length);
+                        break;
+                    case ResponseStatus.NoData: // A kloc might not be present
+                        break;
+                    default:
+                        response.ThrowIfFailed("Error getting kloc data");
+                        break;
+                }
+            }
+
+            if (klcc)
+            {
+                var response = ExecuteGetDataCommand(CaKlccIdentifiersTag);
+                switch (response.Status)
+                {
+                    case ResponseStatus.Success:
+                        var klccData = response.GetData();
+                        ms.Write(klccData.Span.ToArray(), 0, klccData.Length);
+                        break;
+                    case ResponseStatus.NoData: // A klcc might not be present
+                        break;
+                    default:
+                        response.ThrowIfFailed("Error getting klcc data");
+                        break;
+                }
+            }
+
+            var caIdentifiers = new Dictionary<KeyReference, ReadOnlyMemory<byte>>();
+            var caTlvObjects = TlvObjects.DecodeList(ms.ToArray()).ToArray().AsSpan();
+            while (!caTlvObjects.IsEmpty)
+            {
+                var caIdentifierTlv = caTlvObjects[0];
+                var keyReferenceTlv = caTlvObjects[1];
+
+                var keyReferenceData = keyReferenceTlv.GetBytes().Span;
+                var keyReference = new KeyReference(keyReferenceData[0], keyReferenceData[1]);
+                caIdentifiers.Add(keyReference, caIdentifierTlv.GetBytes());
+
+                caTlvObjects = caTlvObjects[2..];
+            }
+
+            Logger.LogInformation("CA identifiers retrieved");
+            return caIdentifiers;
+        }
+
+        /// <summary>
+        /// Retrieves the card recognition data from the YubiKey device.
+        /// </summary>
+        /// <returns>The card recognition data as a byte array.</returns>
+        /// <remarks>
+        /// The card recognition data is a TLV (Tag-Length-Value) encoded structure that contains information about the card.
+        /// See GlobalPlatform Technology Card Specification v2.3.1 §H.2 Structure of Card Recognition Data for more information.
+        /// </remarks>
+        public ReadOnlyMemory<byte> GetCardRecognitionData()
+        {
+            Logger.LogInformation("Getting card recognition data");
+
+            var tlvData = GetData(CardDataTag).Span;
+            var cardRecognitionData = TlvObjects.UnpackValue(CardRecognitionDataTag, tlvData);
+
+            Logger.LogInformation("Card recognition data retrieved");
+
+            return cardRecognitionData;
+        }
+
+        /// <summary>
+        /// Gets data from the YubiKey associated with the given tag.
+        /// </summary>
+        /// <param name="tag">The tag of the data to retrieve.</param>
+        /// <param name="data">Optional data to send with the command.</param>
+        /// <remarks>Sessions created from this constructor will not be able to perform operations which require authentication
+        /// <para>See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.</para>
+        /// </remarks>
+        /// <returns>The encoded tlv data retrieved from the YubiKey.</returns>
+        /// <exception cref="SecureChannelException">Thrown when there was an SCP error, described in the exception message.</exception>
+        public ReadOnlyMemory<byte> GetData(int tag, ReadOnlyMemory<byte>? data = null)
+        {
+            Logger.LogInformation("Getting data for tag {Tag}", tag);
+
+            var response = ExecuteGetDataCommand(tag, data);
+            response.ThrowIfFailed("Error getting data");
+
+            Logger.LogDebug("Data for tag {Tag} retrieved", tag);
+            return response.GetData();
+        }
+
+        /// <summary>
+        /// Perform a factory reset of the Security Domain.
+        /// This will remove all keys and associated data, as well as restore the default SCP03 static keys,
+        /// and generate a new (attestable) SCP11b key.
+        /// </summary>
+        public void Reset()
+        {
+            Logger.LogInformation("Resetting all SCP keys");
+
+            var keys = GetKeyInformation().Keys;
+            foreach (var keyReference in keys) // Reset is done by blocking all available keys
+            {
+                byte ins;
+                var overridenKeyRef = keyReference;
+
+                switch (keyReference.Id)
+                {
+                    case ScpKeyIds.Scp03:
+                        // SCP03 uses KID=0, we use KVN=0 to allow deleting the default keys
+                        // which have an invalid KVN (0xFF).
+                        overridenKeyRef = new KeyReference(0, 0);
+                        ins = InitializeUpdateCommand.GpInitializeUpdateIns;
+                        break;
+                    case 0x02: 
+                    case 0x03:
+                        continue; // Skip these as they are deleted by 0x01
+                    case ScpKeyIds.Scp11A:
+                    case ScpKeyIds.Scp11C:
+                        ins = ExternalAuthenticateCommand.GpExternalAuthenticateIns;
+                        break;
+                    case ScpKeyIds.Scp11B:
+                        ins = InternalAuthenticateCommand.GpInternalAuthenticateIns;
+                        break;
+                    default: // 0x10, 0x20-0x2F
+                        ins = SecurityOperationCommand.GpPerformSecurityOperationIns;
+                        break;
+                }
+
+                // Keys have 65 attempts before blocking (and thus removal)
+                for (int i = 0; i < 65; i++)
+                {
+                    var result = Connection.SendCommand(
+                        new ResetCommand(ins, overridenKeyRef.VersionNumber, overridenKeyRef.Id, new byte[8]));
+
+                    switch (result.StatusWord)
+                    {
+                        case SWConstants.AuthenticationMethodBlocked:
+                        case SWConstants.SecurityStatusNotSatisfied:
+                            i = 65;
+                            break;
+                        case SWConstants.InvalidCommandDataParameter:
+                            continue;
+                        case SWConstants.Success:
+                            continue;
+
+                        default: continue;
+                    }
+                }
+            }
+
+            Logger.LogInformation("SCP keys reset");
+        }
+
+        private GetDataCommandResponse ExecuteGetDataCommand(int tag, ReadOnlyMemory<byte>? data = null)
+        {
+            var command = new GetDataCommand(tag, data);
+            return Connection.SendCommand(command);
+        }
+
+        private static void ValidateCheckSum(ReadOnlySpan<byte> responseData, ReadOnlySpan<byte> expectedResponseData)
+        {
+            if (!CryptographicOperations.FixedTimeEquals(responseData, expectedResponseData))
+            {
+                throw new SecureChannelException(ExceptionMessages.ChecksumError);
+            }
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SessionKeys.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SessionKeys.cs
new file mode 100644
index 000000000..e19c3c503
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/SessionKeys.cs
@@ -0,0 +1,108 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Scp
+{
+    internal class SessionKeys : IDisposable
+    {
+        /// <summary>
+        /// Gets the session MAC key.
+        /// </summary>
+        public ReadOnlyMemory<byte> MacKey => _macKey;
+
+        /// <summary>
+        /// Gets the session encryption key.    
+        /// </summary>
+        public ReadOnlyMemory<byte> EncKey => _encryptionKey;
+
+        /// <summary>
+        /// Gets the session RMAC key.
+        /// </summary>
+        public ReadOnlyMemory<byte> RmacKey => _rmacKey;
+
+        /// <summary>
+        /// Gets the session data encryption key (DEK).
+        /// </summary>
+        public ReadOnlyMemory<byte>? DataEncryptionKey => _dataEncryptionKey;
+
+        private const byte KeySizeBytes = 16;
+        private readonly Memory<byte> _macKey = new byte[KeySizeBytes];
+        private readonly Memory<byte> _encryptionKey = new byte[KeySizeBytes];
+        private readonly Memory<byte> _rmacKey = new byte[KeySizeBytes];
+        private readonly Memory<byte> _dataEncryptionKey = new byte[KeySizeBytes];
+        private bool _disposed;
+
+        /// <summary>
+        /// Session keys for Secure Channel Protocol (SCP).
+        /// </summary>
+        /// <param name="macKey">The session MAC key.</param>
+        /// <param name="encryptionKey">The session encryption key.</param>
+        /// <param name="rmacKey">The session RMAC key.</param>
+        /// <param name="dataEncryptionKey">The session data encryption key. Optional.</param>
+        public SessionKeys(
+            ReadOnlyMemory<byte> macKey,
+            ReadOnlyMemory<byte> encryptionKey,
+            ReadOnlyMemory<byte> rmacKey,
+            ReadOnlyMemory<byte> dataEncryptionKey)
+        {
+            ValidateKeyLength(macKey, nameof(macKey));
+            ValidateKeyLength(encryptionKey, nameof(encryptionKey));
+            ValidateKeyLength(rmacKey, nameof(rmacKey));
+            ValidateKeyLength(dataEncryptionKey, nameof(dataEncryptionKey));
+            
+            macKey.CopyTo(_macKey);
+            encryptionKey.CopyTo(_encryptionKey);
+            rmacKey.CopyTo(_rmacKey);
+            dataEncryptionKey.CopyTo(_dataEncryptionKey);
+        }
+        
+        private static void ValidateKeyLength(ReadOnlyMemory<byte> key, string paramName)
+        {
+            if (key.Length != KeySizeBytes)
+            {
+                throw new ArgumentException("Incorrect session key length. Must be 16.", paramName);
+            }
+        }
+
+        public void Dispose()
+        {
+            Dispose(disposing: true);
+            GC.SuppressFinalize(this);
+        }
+
+        // Overwrite the memory of the keys
+        private void Dispose(bool disposing)
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            if (!disposing)
+            {
+                return;
+            }
+
+            CryptographicOperations.ZeroMemory(_macKey.Span);
+            CryptographicOperations.ZeroMemory(_encryptionKey.Span);
+            CryptographicOperations.ZeroMemory(_rmacKey.Span);
+            CryptographicOperations.ZeroMemory(_dataEncryptionKey.Span);
+
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/StaticKeys.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/StaticKeys.cs
new file mode 100644
index 000000000..195b5ed20
--- /dev/null
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/StaticKeys.cs
@@ -0,0 +1,172 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Yubico.YubiKey.Scp
+{
+    /// <summary>
+    /// Represents a triple of SCP03 static keys shared with the device.
+    /// </summary>
+    /// <remarks>
+    /// See also the <xref href="UsersManualScp03">User's Manual entry</xref> on
+    /// SCP03.
+    /// <para>
+    /// These are the three secret keys that only the device and remote user
+    /// know. Clients must supply these to communicate securely with a remote
+    /// device.
+    /// </para>
+    /// <para>
+    /// Systems often derive and assign these keys using a diversification
+    /// function keyed with a 'master key' and run on the 'DivData' of each
+    /// device.
+    /// </para>
+    /// </remarks>
+    public class StaticKeys : IDisposable
+    {
+        private const int KeySizeBytes = 16;
+
+        private readonly byte[] _macKey = new byte[KeySizeBytes];
+        private readonly byte[] _encKey = new byte[KeySizeBytes];
+        private readonly byte[] _dekKey = new byte[KeySizeBytes];
+
+        private bool _disposed;
+
+        /// <summary>
+        /// AES128 shared secret key used to calculate the Session-MAC key. Also
+        /// called the 'DMK' or 'Key-MAC' in some specifications.
+        /// </summary>
+        public ReadOnlyMemory<byte> ChannelMacKey => _macKey;
+
+        /// <summary>
+        /// AES128 shared secret key used to calculate the Session-ENC key. Also
+        /// called the 'DAK' or 'Key-ENC' in some specifications.
+        /// </summary>
+        public ReadOnlyMemory<byte> ChannelEncryptionKey => _encKey;
+
+        /// <summary>
+        /// AES128 shared secret key used to wrap secrets. Also called the 'DEK'
+        /// in some specifications.
+        /// </summary>
+        public ReadOnlyMemory<byte> DataEncryptionKey => _dekKey;
+
+        /// <summary>
+        /// Constructs an instance given the supplied keys. This class will
+        /// consider these keys to be the key set with the Key Version Number of
+        /// <remarks>
+        /// This class will copy the input key data, not just a reference. You
+        /// can overwrite the input buffers as soon as the <c>StaticKeys</c>
+        /// object is created.
+        /// </remarks>
+        /// <param name="channelMacKey">16-byte AES128 shared secret key</param>
+        /// <param name="channelEncryptionKey">16-byte AES128 shared secret key</param>
+        /// <param name="dataEncryptionKey">16-byte AES128 shared secret key</param>
+        /// </summary>
+        public StaticKeys(ReadOnlyMemory<byte> channelMacKey,
+                          ReadOnlyMemory<byte> channelEncryptionKey,
+                          ReadOnlyMemory<byte> dataEncryptionKey)
+        {
+            if (channelMacKey.Length != KeySizeBytes)
+            {
+                throw new ArgumentException(ExceptionMessages.IncorrectStaticKeyLength, nameof(channelMacKey));
+            }
+
+            if (channelEncryptionKey.Length != KeySizeBytes)
+            {
+                throw new ArgumentException(ExceptionMessages.IncorrectStaticKeyLength, nameof(channelEncryptionKey));
+            }
+
+            if (dataEncryptionKey.Length != KeySizeBytes)
+            {
+                throw new ArgumentException(ExceptionMessages.IncorrectStaticKeyLength, nameof(dataEncryptionKey));
+            }
+
+            SetKeys(channelMacKey, channelEncryptionKey, dataEncryptionKey);
+        }
+
+        /// <summary>
+        /// Constructs an instance using the well-known default values; using
+        /// these provides no security.  This class will consider these keys to
+        /// be the key set with the Key Version Number of 255 (0xFF).
+        /// </summary>
+        public StaticKeys()
+        {
+            var defaultKey = new ReadOnlyMemory<byte>(
+                new byte[]
+                {
+                    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+                });
+
+            SetKeys(defaultKey, defaultKey, defaultKey);
+        }
+        
+        private void SetKeys(ReadOnlyMemory<byte> channelMacKey,
+                             ReadOnlyMemory<byte> channelEncryptionKey,
+                             ReadOnlyMemory<byte> dataEncryptionKey)
+        {
+            channelMacKey.CopyTo(_macKey.AsMemory());
+            channelEncryptionKey.CopyTo(_encKey.AsMemory());
+            dataEncryptionKey.CopyTo(_dekKey.AsMemory());
+        }
+
+        // Get a copy (deep clone) of this object.
+        internal StaticKeys GetCopy() =>
+            new StaticKeys(ChannelMacKey, ChannelEncryptionKey, DataEncryptionKey)
+            {
+            };
+
+        /// <summary>
+        /// Determine if the contents of each key is the same for both objects.
+        /// If so, this method will return <c>true</c>.
+        /// </summary>
+        public bool AreKeysSame(StaticKeys? compareKeys)
+        {
+            if (compareKeys is null)
+            {
+                return false;
+            }
+
+            return
+                ChannelEncryptionKey.Span.SequenceEqual(compareKeys.ChannelEncryptionKey.Span) &&
+                ChannelMacKey.Span.SequenceEqual(compareKeys.ChannelMacKey.Span) &&
+                DataEncryptionKey.Span.SequenceEqual(compareKeys.DataEncryptionKey.Span);
+        }
+
+        public void Dispose()
+        {
+            Dispose(disposing: true);
+            GC.SuppressFinalize(this);
+        }
+
+        protected virtual void Dispose(bool disposing)
+        {
+            if (_disposed)
+            {
+                return;
+            }
+
+            if (!disposing)
+            {
+                return;
+            }
+
+            CryptographicOperations.ZeroMemory(_macKey.AsSpan());
+            CryptographicOperations.ZeroMemory(_encKey.AsSpan());
+            CryptographicOperations.ZeroMemory(_dekKey.AsSpan());
+
+            _disposed = true;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelEncryption.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelEncryption.cs
index b4b9d9a6d..80f3a89cf 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelEncryption.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelEncryption.cs
@@ -12,11 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using System.Buffers.Binary;
+using System.Linq;
 using Yubico.YubiKey.Cryptography;
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new ChannelEncryption instead")]
     internal static class ChannelEncryption
     {
         public static byte[] EncryptData(byte[] payload, byte[] key, int encryptionCounter)
@@ -27,12 +30,12 @@ public static byte[] EncryptData(byte[] payload, byte[] key, int encryptionCount
 
             byte[] ivInput = new byte[16];
             countBytes.CopyTo(ivInput, 16 - countBytes.Length); // copy to rightmost part of block
-            byte[] iv = AesUtilities.BlockCipher(key, ivInput);
+            var iv = AesUtilities.BlockCipher(key, ivInput);
 
             byte[] paddedPayload = Padding.PadToBlockSize(payload);
-            byte[] encryptedData = AesUtilities.AesCbcEncrypt(key, iv, paddedPayload);
+            var encryptedData = AesUtilities.AesCbcEncrypt(key.AsSpan(), iv.Span, paddedPayload.AsSpan());
 
-            return encryptedData;
+            return encryptedData.ToArray();
         }
 
         public static byte[] DecryptData(byte[] payload, byte[] key, int encryptionCounter)
@@ -43,11 +46,11 @@ public static byte[] DecryptData(byte[] payload, byte[] key, int encryptionCount
             byte[] ivInput = new byte[16];
             countBytes.CopyTo(ivInput, 16 - countBytes.Length); // copy to rightmost part of block
             ivInput[0] = 0x80; // to mark as RMAC calculation
-            byte[] iv = AesUtilities.BlockCipher(key, ivInput);
+            var iv = AesUtilities.BlockCipher(key, ivInput);
 
-            byte[] decryptedData = AesUtilities.AesCbcDecrypt(key, iv, payload);
+            var decryptedData = AesUtilities.AesCbcDecrypt(key.AsSpan(), iv.Span, payload);
 
-            return Padding.RemovePadding(decryptedData);
+            return Padding.RemovePadding(decryptedData.ToArray()).ToArray();
         }
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelMac.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelMac.cs
index 384154a78..551fd174f 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelMac.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/ChannelMac.cs
@@ -22,13 +22,14 @@
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new ChannelMac instead")]
     internal static class ChannelMac
     {
         public static (CommandApdu macdApdu, byte[] newMacChainingValue) MacApdu(CommandApdu apdu, byte[] macKey, byte[] macChainingValue)
         {
             if (macChainingValue.Length != 16)
             {
-                throw new ArgumentException(ExceptionMessages.UnknownScp03Error, nameof(macChainingValue));
+                throw new ArgumentException(ExceptionMessages.UnknownScpError, nameof(macChainingValue));
             }
 
             var apduWithLongerLen = AddDataToApdu(apdu, new byte[8]);
@@ -73,7 +74,7 @@ public static void VerifyRmac(byte[] response, byte[] rmacKey, byte[] macChainin
             cmacObj.CmacInit(rmacKey);
             cmacObj.CmacUpdate(macInp);
             cmacObj.CmacFinal(cmac);
-            
+
             var calculatedRmac = cmac.AsSpan(0, 8);
             if (!CryptographicOperations.FixedTimeEquals(recvdRmac, calculatedRmac))
             {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommand.cs
index 4aca9fdad..af552cc2a 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommand.cs
@@ -33,6 +33,7 @@ namespace Yubico.YubiKey.Scp03.Commands
     /// key set with a KeyVersionNumber of 1) will be the default key set.
     /// </para>
     /// </remarks>
+    [Obsolete("Use new DeleteKeyCommand instead")]
     internal class DeleteKeyCommand : IYubiKeyCommand<Scp03Response>
     {
         private const byte GpDeleteKeyCla = 0x84;
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommand.cs
index 5b7a63576..8a18c5545 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommand.cs
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using Yubico.Core.Iso7816;
 
 namespace Yubico.YubiKey.Scp03.Commands
@@ -19,6 +20,7 @@ namespace Yubico.YubiKey.Scp03.Commands
     /// <summary>
     /// Represents the second command in the SCP03 authentication handshake, 'EXTERNAL_AUTHENTICATE'
     /// </summary>
+    [Obsolete("Use new ExternalAuthenticateCommand instead")]
     internal class ExternalAuthenticateCommand : IYubiKeyCommand<ExternalAuthenticateResponse>
     {
         public YubiKeyApplication Application => YubiKeyApplication.InterIndustry;
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponse.cs
index 270b1d811..2ab1421a5 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponse.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponse.cs
@@ -17,6 +17,7 @@
 
 namespace Yubico.YubiKey.Scp03.Commands
 {
+    [Obsolete("Use new ExternalAuthenticateResponse instead")]
     internal class ExternalAuthenticateResponse : Scp03Response
     {
         /// <summary>
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommand.cs
index c83e74a13..0decc4f95 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommand.cs
@@ -20,11 +20,12 @@ namespace Yubico.YubiKey.Scp03.Commands
     /// <summary>
     /// Represents the first command in the SCP03 authentication handshake, 'INITIALIZE_UPDATE'
     /// </summary>
+    [Obsolete("Use new InitializeUpdateCommand instead")]
     internal class InitializeUpdateCommand : IYubiKeyCommand<InitializeUpdateResponse>
     {
         public YubiKeyApplication Application => YubiKeyApplication.InterIndustry;
-        const byte GpInitializeUpdateCla = 0b1000_0000;
-        const byte GpInitializeUpdateIns = 0x50;
+        private const byte GpInitializeUpdateCla = 0x80;
+        private const byte GpInitializeUpdateIns = 0x50;
         private readonly byte[] _challenge;
         private readonly int _keyVersionNumber;
 
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponse.cs
index bc62e79eb..19ee5e979 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponse.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponse.cs
@@ -19,6 +19,7 @@
 
 namespace Yubico.YubiKey.Scp03.Commands
 {
+    [Obsolete("Use new InitializeUpdateResponse instead")]
     internal class InitializeUpdateResponse : Scp03Response
     {
         public IReadOnlyCollection<byte> DiversificationData { get; protected set; }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyCommand.cs
index b94fdd92b..5b3abab7e 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyCommand.cs
@@ -105,6 +105,7 @@ namespace Yubico.YubiKey.Scp03.Commands
     /// to replace itself.
     /// </para>
     /// </remarks>
+    [Obsolete("Use new PutKeyCommand instead")]
     internal class PutKeyCommand : IYubiKeyCommand<PutKeyResponse>
     {
         private const byte GpPutKeyCla = 0x84;
@@ -228,16 +229,17 @@ private void BuildKeyDataField(
                 byte[] dataToEncrypt = new byte[AesBlockSize] {
                     1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
                 };
-                byte[] checkBlock = AesUtilities.BlockCipher(keyData, dataToEncrypt.AsSpan());
-                byte[] encryptedKey = AesUtilities.BlockCipher(encryptionKey, keyToBlock.Span);
+                
+                var checkBlock = AesUtilities.BlockCipher(keyData, dataToEncrypt.AsSpan());
+                var encryptedKey = AesUtilities.BlockCipher(encryptionKey, keyToBlock.Span);
 
                 binaryWriter.Write(KeyType);
                 binaryWriter.Write(BlockSize);
                 binaryWriter.Write(AesBlockSize);
-                binaryWriter.Write(encryptedKey);
+                binaryWriter.Write(encryptedKey.ToArray());
                 binaryWriter.Write(KeyCheckSize);
-                binaryWriter.Write(checkBlock, 0, KeyCheckSize);
-                Array.Copy(checkBlock, 0, _checksum, checksumOffset, KeyCheckSize);
+                binaryWriter.Write(checkBlock.ToArray(), 0, KeyCheckSize);
+                Array.Copy(checkBlock.ToArray(), 0, _checksum, checksumOffset, KeyCheckSize);
             }
             finally
             {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyResponse.cs
index 00b3b2244..e75243c30 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyResponse.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/PutKeyResponse.cs
@@ -20,6 +20,7 @@ namespace Yubico.YubiKey.Scp03.Commands
     /// <summary>
     /// The response to putting or replacing SCP03 keys on the YubiKey.
     /// </summary>
+    [Obsolete("Use new PutKeyResponse instead")]
     internal class PutKeyResponse : Scp03Response, IYubiKeyResponseWithData<ReadOnlyMemory<byte>>
     {
         private readonly byte[] _checksum;
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/Scp03Response.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/Scp03Response.cs
index e6073e18c..88f6beae5 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/Scp03Response.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Commands/Scp03Response.cs
@@ -18,6 +18,7 @@
 
 namespace Yubico.YubiKey.Scp03.Commands
 {
+    [Obsolete("Use new ScpResponse instead")]
     internal class Scp03Response : YubiKeyResponse
     {
         public Scp03Response(ResponseApdu responseApdu) :
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Derivation.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Derivation.cs
index cf3c5a76d..15711dfae 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Derivation.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Derivation.cs
@@ -19,6 +19,7 @@
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new Derivation class in Yubico.YubiKey.Scp namespace instead. This will be removed in a future release.")]
     internal static class Derivation
     {
         public const byte DDC_SENC = 0x04;
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Padding.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Padding.cs
index 00136ed79..dbb62b3de 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Padding.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Padding.cs
@@ -17,6 +17,7 @@
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new Padding class instead")]
     internal static class Padding
     {
         public static byte[] PadToBlockSize(byte[] payload)
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Connection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Connection.cs
index 6e2cb1b69..c459f8338 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Connection.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Connection.cs
@@ -12,13 +12,16 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using System.Linq;
 using Yubico.Core.Devices.SmartCard;
 using Yubico.YubiKey.Pipelines;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.Scp03;
 
 namespace Yubico.YubiKey
 {
+    [Obsolete("Obsolete")]
     internal class Scp03Connection : SmartCardConnection, IScp03YubiKeyConnection
     {
         private bool _disposed;
@@ -29,13 +32,13 @@ internal class Scp03Connection : SmartCardConnection, IScp03YubiKeyConnection
         public Scp03Connection(
             ISmartCardDevice smartCardDevice,
             YubiKeyApplication yubiKeyApplication,
-            StaticKeys scp03Keys)
+            Scp03.StaticKeys scp03Keys)
             : base(smartCardDevice, yubiKeyApplication, null)
         {
             _scp03ApduTransform = SetObject(yubiKeyApplication, scp03Keys);
         }
 
-        public Scp03Connection(ISmartCardDevice smartCardDevice, byte[] applicationId, StaticKeys scp03Keys)
+        public Scp03Connection(ISmartCardDevice smartCardDevice, byte[] applicationId, Scp03.StaticKeys scp03Keys)
             : base(smartCardDevice, YubiKeyApplication.Unknown, applicationId)
         {
             var setError = YubiKeyApplication.Unknown;
@@ -53,7 +56,7 @@ public Scp03Connection(ISmartCardDevice smartCardDevice, byte[] applicationId, S
 
         private Scp03ApduTransform SetObject(
             YubiKeyApplication setError,
-            StaticKeys scp03Keys)
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys)
         {
             var scp03ApduTransform = new Scp03ApduTransform(GetPipeline(), scp03Keys);
             IApduTransform apduPipeline = scp03ApduTransform;
@@ -76,7 +79,7 @@ private Scp03ApduTransform SetObject(
             return scp03ApduTransform;
         }
 
-        public StaticKeys GetScp03Keys() => _scp03ApduTransform.Scp03Keys;
+        public Scp03.StaticKeys GetScp03Keys() => _scp03ApduTransform.Scp03Keys;
 
         protected override void Dispose(bool disposing)
         {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Session.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Session.cs
index a29447877..5613ffa8d 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Session.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03Session.cs
@@ -77,6 +77,7 @@ namespace Yubico.YubiKey.Scp03
     /// exception.
     /// </para>
     /// </remarks>
+    [Obsolete("Use new SecurityDomainSession")]
     public sealed class Scp03Session : IDisposable
     {
         private bool _disposed;
@@ -250,7 +251,7 @@ public void PutKeySet(StaticKeys newKeySet)
             {
                 throw new ArgumentNullException(nameof(newKeySet));
             }
-            
+
             var command = new PutKeyCommand(Connection.GetScp03Keys(), newKeySet);
             var response = Connection.SendCommand(command);
             if (response.Status != ResponseStatus.Success)
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03YubiKeyDevice.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03YubiKeyDevice.cs
index 14b5e0451..a4f427007 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03YubiKeyDevice.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Scp03YubiKeyDevice.cs
@@ -12,20 +12,29 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using Yubico.YubiKey.Scp03;
 
 namespace Yubico.YubiKey
 {
+    [Obsolete("This class is obsolete and will be removed in a future release.")]
     internal class Scp03YubiKeyDevice : YubiKeyDevice
     {
         public StaticKeys StaticKeys { get; private set; }
 
-        public Scp03YubiKeyDevice(YubiKeyDevice device, StaticKeys staticKeys)
-            : base(device.GetSmartCardDevice(), null, null, device)
+        public Scp03YubiKeyDevice(
+            YubiKeyDevice device,
+            StaticKeys staticKeys)
+            : base(
+                device.GetSmartCardDevice(),
+                null,
+                null,
+                device)
         {
             StaticKeys = staticKeys.GetCopy();
         }
 
+        [Obsolete("Obsolete")]
         internal override IYubiKeyConnection? Connect(
             YubiKeyApplication? application,
             byte[]? applicationId,
@@ -36,7 +45,7 @@ public Scp03YubiKeyDevice(YubiKeyDevice device, StaticKeys staticKeys)
                 return null;
             }
 
-            if (!(scp03Keys is null) && !StaticKeys.AreKeysSame(scp03Keys))
+            if (scp03Keys != null && !StaticKeys.AreKeysSame(scp03Keys))
             {
                 return null;
             }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SecureChannelException.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SecureChannelException.cs
index 6ce5e8c9f..ec02a2893 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SecureChannelException.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SecureChannelException.cs
@@ -20,6 +20,7 @@ namespace Yubico.YubiKey.Scp03
     /// Represents errors that occur during encoding or decoding data for SCP03.
     /// </summary>
 #pragma warning disable CA1064 // Exceptions should be public
+    [Obsolete("Use new ChannelEncryption instead")]
     internal class SecureChannelException : Exception
 #pragma warning restore CA1064 // Exceptions should be public
     {
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Session.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Session.cs
index 246476971..afeba966a 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Session.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/Session.cs
@@ -20,6 +20,7 @@
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new SecurityDomainSesion class in Yubico.YubiKey.Scp namespace instead. This will be removed in a future release.")]
     internal class Session : IDisposable
     {
         private SessionKeys? _sessionKeys;
@@ -171,7 +172,7 @@ public CommandApdu EncodeCommand(CommandApdu command)
         {
             if (_sessionKeys == null)
             {
-                throw new InvalidOperationException(ExceptionMessages.UnknownScp03Error);
+                throw new InvalidOperationException(ExceptionMessages.UnknownScpError);
             }
 
             if (command is null)
@@ -206,7 +207,7 @@ public ResponseApdu DecodeResponse(ResponseApdu response)
         {
             if (_sessionKeys is null)
             {
-                throw new InvalidOperationException(ExceptionMessages.UnknownScp03Error);
+                throw new InvalidOperationException(ExceptionMessages.UnknownScpError);
             }
 
             if (response is null)
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SessionKeys.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SessionKeys.cs
index aac94e39d..73de9d2fa 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SessionKeys.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/SessionKeys.cs
@@ -17,6 +17,7 @@
 
 namespace Yubico.YubiKey.Scp03
 {
+    [Obsolete("Use new SessionKeys class instead.")]
     internal class SessionKeys : IDisposable
     {
         private readonly byte[] _sessionMacKey;
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/StaticKeys.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/StaticKeys.cs
index 5f4f9cbe2..56a6be1ee 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/StaticKeys.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp03/StaticKeys.cs
@@ -14,6 +14,7 @@
 
 using System;
 using System.Security.Cryptography;
+using Yubico.YubiKey.Scp;
 
 namespace Yubico.YubiKey.Scp03
 {
@@ -34,6 +35,7 @@ namespace Yubico.YubiKey.Scp03
     /// device.
     /// </para>
     /// </remarks>
+    [Obsolete("Use new Static Keys")]
     public class StaticKeys : IDisposable
     {
         private const int KeySizeBytes = 16;
@@ -127,10 +129,9 @@ public byte KeyVersionNumber
         /// <param name="channelMacKey">16-byte AES128 shared secret key</param>
         /// <param name="channelEncryptionKey">16-byte AES128 shared secret key</param>
         /// <param name="dataEncryptionKey">16-byte AES128 shared secret key</param>
-        public StaticKeys(
-            ReadOnlyMemory<byte> channelMacKey,
-            ReadOnlyMemory<byte> channelEncryptionKey,
-            ReadOnlyMemory<byte> dataEncryptionKey)
+        public StaticKeys(ReadOnlyMemory<byte> channelMacKey,
+                          ReadOnlyMemory<byte> channelEncryptionKey,
+                          ReadOnlyMemory<byte> dataEncryptionKey)
         {
             if (channelMacKey.Length != KeySizeBytes)
             {
@@ -160,9 +161,11 @@ public StaticKeys(
         /// </summary>
         public StaticKeys()
         {
-            var DefaultKey = new ReadOnlyMemory<byte>(new byte[] {
-                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
-            });
+            var DefaultKey = new ReadOnlyMemory<byte>(
+                new byte[]
+                {
+                    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+                });
 
             SetKeys(DefaultKey, DefaultKey, DefaultKey);
             KeyVersionNumber = 255;
@@ -170,10 +173,9 @@ public StaticKeys()
             _disposed = false;
         }
 
-        private void SetKeys(
-            ReadOnlyMemory<byte> channelMacKey,
-            ReadOnlyMemory<byte> channelEncryptionKey,
-            ReadOnlyMemory<byte> dataEncryptionKey)
+        private void SetKeys(ReadOnlyMemory<byte> channelMacKey,
+                             ReadOnlyMemory<byte> channelEncryptionKey,
+                             ReadOnlyMemory<byte> dataEncryptionKey)
         {
             channelMacKey.CopyTo(_macKey.AsMemory());
             channelEncryptionKey.CopyTo(_encKey.AsMemory());
@@ -181,32 +183,36 @@ private void SetKeys(
         }
 
         // Get a copy (deep clone) of this object.
-        internal StaticKeys GetCopy()
-        {
-            return new StaticKeys(ChannelMacKey, ChannelEncryptionKey, DataEncryptionKey)
+        internal StaticKeys GetCopy() =>
+            new StaticKeys(ChannelMacKey, ChannelEncryptionKey, DataEncryptionKey)
             {
                 KeyVersionNumber = KeyVersionNumber
             };
-        }
+        
+        internal Scp03KeyParameters ConvertToScp03KeyParameters() =>
+                new Scp03KeyParameters(ScpKeyIds.Scp03, 0xFF, ConvertFromLegacy());
 
         /// <summary>
         /// Determine if the contents of each key is the same for both objects.
         /// If so, this method will return <c>true</c>.
         /// </summary>
-        public bool AreKeysSame(StaticKeys compareKeys)
+        public bool AreKeysSame(StaticKeys? compareKeys)
         {
-            if (!(compareKeys is null))
+            if (compareKeys is null)
             {
-                if (ChannelEncryptionKey.Span.SequenceEqual(compareKeys.ChannelEncryptionKey.Span)
-                    && ChannelMacKey.Span.SequenceEqual(compareKeys.ChannelMacKey.Span)
-                    && DataEncryptionKey.Span.SequenceEqual(compareKeys.DataEncryptionKey.Span))
-                {
-                    return true;
-                }
+                return false;
             }
 
-            return false;
+            return ChannelEncryptionKey.Span.SequenceEqual(compareKeys.ChannelEncryptionKey.Span) &&
+                ChannelMacKey.Span.SequenceEqual(compareKeys.ChannelMacKey.Span) &&
+                DataEncryptionKey.Span.SequenceEqual(compareKeys.DataEncryptionKey.Span);
         }
+        
+        private Scp.StaticKeys ConvertFromLegacy() =>
+            new Scp.StaticKeys(ChannelMacKey, ChannelEncryptionKey, DataEncryptionKey)
+            {
+                // KeyVersionNumber = KeyVersionNumber
+            };
 
         /// <summary>
         /// Releases any unmanaged resources and overwrites any sensitive data.
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/SmartCardConnection.cs b/Yubico.YubiKey/src/Yubico/YubiKey/SmartCardConnection.cs
index e0c5d7787..53dffcfcd 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/SmartCardConnection.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/SmartCardConnection.cs
@@ -29,6 +29,7 @@ internal class SmartCardConnection : IYubiKeyConnection
     {
         private readonly ILogger _log = Log.GetLogger<SmartCardConnection>();
 
+        // The application can be set either by using the YubikeyApplication enum or the Iso7816ApplicationId
         private readonly YubiKeyApplication _yubiKeyApplication;
         private readonly byte[]? _applicationId;
         private readonly ISmartCardConnection _smartCardConnection;
@@ -37,24 +38,15 @@ internal class SmartCardConnection : IYubiKeyConnection
 
         public ISelectApplicationData? SelectApplicationData { get; set; }
 
-        protected SmartCardConnection(ISmartCardDevice smartCardDevice, YubiKeyApplication application, byte[]? applicationId)
-        {
-            if (applicationId is null && application == YubiKeyApplication.Unknown)
-            {
-                throw new NotSupportedException();
-            }
-
-            _yubiKeyApplication = application;
-            _applicationId = applicationId;
-
-            _smartCardConnection = smartCardDevice.Connect();
-
-            _apduPipeline = new SmartCardTransform(_smartCardConnection);
-            _apduPipeline = AddResponseChainingTransform(_apduPipeline);
-            _apduPipeline = new CommandChainingTransform(_apduPipeline);
-        }
-
-        public SmartCardConnection(ISmartCardDevice smartCardDevice, YubiKeyApplication yubiKeyApplication)
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SmartCardConnection"/> class with the specified
+        /// smart card device and YubiKey application.
+        /// </summary>
+        /// <param name="smartCardDevice">The smart card device to connect to.</param>
+        /// <param name="yubiKeyApplication">The YubiKey application to be used for the connection.</param>
+        public SmartCardConnection(
+            ISmartCardDevice smartCardDevice,
+            YubiKeyApplication yubiKeyApplication)
             : this(smartCardDevice, yubiKeyApplication, null)
         {
             if (yubiKeyApplication == YubiKeyApplication.Fido2)
@@ -68,8 +60,19 @@ public SmartCardConnection(ISmartCardDevice smartCardDevice, YubiKeyApplication
             SelectApplication();
         }
 
-        public SmartCardConnection(ISmartCardDevice smartCardDevice, byte[] applicationId)
-            : this(smartCardDevice, YubiKeyApplication.Unknown, applicationId)
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SmartCardConnection"/> class with the specified
+        /// smart card device and application id.
+        /// </summary>
+        /// <param name="smartCardDevice">The smart card device to connect to.</param>
+        /// <param name="applicationId">The application id of the YubiKey application to be used for the connection.</param>
+        public SmartCardConnection(
+            ISmartCardDevice smartCardDevice,
+            byte[] applicationId)
+            : this(
+                smartCardDevice,
+                YubiKeyApplication.Unknown,
+                applicationId)
         {
             if (applicationId.SequenceEqual(YubiKeyApplication.Fido2.GetIso7816ApplicationId()))
             {
@@ -86,12 +89,43 @@ public SmartCardConnection(ISmartCardDevice smartCardDevice, byte[] applicationI
             SelectApplication();
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SmartCardConnection"/> class with the specified
+        /// smart card device, YubiKey application, and application id.
+        /// </summary>
+        /// <param name="smartCardDevice">The smart card device to connect to.</param>
+        /// <param name="application">The YubiKey application to be used for the connection.</param>
+        /// <param name="applicationId">The application id of the YubiKey application to be used for the connection.</param>
+        protected SmartCardConnection(
+            ISmartCardDevice smartCardDevice,
+            YubiKeyApplication application,
+            byte[]? applicationId)
+        {
+            if (applicationId is null && application == YubiKeyApplication.Unknown)
+            {
+                throw new NotSupportedException();
+            }
+
+            _yubiKeyApplication = application;
+            _applicationId = applicationId;
+
+            _smartCardConnection = smartCardDevice.Connect();
+
+            _apduPipeline = new SmartCardTransform(_smartCardConnection);
+            _apduPipeline = AddResponseChainingTransform(_apduPipeline);
+            _apduPipeline = new CommandChainingTransform(_apduPipeline);
+        }
+
         // Allow subclasses to build a different pipeline, which means they need
         // to get the current one.
         protected IApduTransform GetPipeline() => _apduPipeline;
 
-        // Allow subclasses to build a different pipeline and set it here in the
-        // base class.
+        /// <summary>
+        /// This method is protected thus allows subclasses to build a different pipeline and set it here in the
+        /// base class.
+        /// It also issues a call to SelectApplication() 
+        /// </summary>
+        /// <param name="apduPipeline"></param>
         protected void SetPipeline(IApduTransform apduPipeline)
         {
             _apduPipeline = apduPipeline;
@@ -99,43 +133,55 @@ protected void SetPipeline(IApduTransform apduPipeline)
             SelectApplication();
         }
 
-        private bool IsOath => _yubiKeyApplication == YubiKeyApplication.Oath
-            || (_applicationId != null && _applicationId.SequenceEqual(YubiKeyApplicationExtensions.GetIso7816ApplicationId(YubiKeyApplication.Oath)));
+        // The application is set to Oath by enum or by application id
+        private bool IsOath =>
+            _yubiKeyApplication == YubiKeyApplication.Oath ||
+            (_applicationId != null &&
+            _applicationId.SequenceEqual(
+                YubiKeyApplication.Oath.GetIso7816ApplicationId()));
 
         private IApduTransform AddResponseChainingTransform(IApduTransform pipeline) =>
             IsOath
-            ? new OathResponseChainingTransform(pipeline)
-            : new ResponseChainingTransform(pipeline);
+                ? new OathResponseChainingTransform(pipeline)
+                : new ResponseChainingTransform(pipeline);
 
         private void SelectApplication()
         {
-            IYubiKeyCommand<ISelectApplicationResponse<ISelectApplicationData>> selectApplicationCommand = _yubiKeyApplication switch
-            {
-                YubiKeyApplication.Oath => new Oath.Commands.SelectOathCommand(),
-                YubiKeyApplication.Unknown => new SelectApplicationCommand(_applicationId!),
-                _ => new SelectApplicationCommand(_yubiKeyApplication),
-            };
+            // Gets the correct select application command.
+            // Note that Oath is special and has a different command than the generic SelectApplication command
+            IYubiKeyCommand<ISelectApplicationResponse<ISelectApplicationData>> selectApplicationCommand =
+                _yubiKeyApplication switch
+                {
+                    YubiKeyApplication.Oath => new Oath.Commands.SelectOathCommand(),
+                    YubiKeyApplication.Unknown => new SelectApplicationCommand(_applicationId!),
+                    _ => new SelectApplicationCommand(_yubiKeyApplication),
+                };
+
+            _log.LogInformation(
+                "Selecting smart card application [{AID}]",
+                Base16.EncodeBytes(_applicationId ?? _yubiKeyApplication.GetIso7816ApplicationId()));
 
-            _log.LogInformation("Selecting smart card application [{AID}]", Hex.BytesToHex(_applicationId ?? _yubiKeyApplication.GetIso7816ApplicationId()));
-            
+            // Transmit command
             var responseApdu = _smartCardConnection.Transmit(selectApplicationCommand.CreateCommandApdu());
             if (responseApdu.SW != SWConstants.Success)
             {
                 throw new ApduException(
-                      string.Format(
-                          CultureInfo.CurrentCulture,
-                          ExceptionMessages.SmartCardPipelineSetupFailed,
-                          responseApdu.SW))
+                    string.Format(
+                        CultureInfo.CurrentCulture,
+                        ExceptionMessages.SmartCardPipelineSetupFailed,
+                        responseApdu.SW))
                 {
                     SW = responseApdu.SW
                 };
             }
 
+            // Set the instance property SelectApplicationData
             var response = selectApplicationCommand.CreateResponseForApdu(responseApdu);
             SelectApplicationData = response.GetData();
         }
 
-        public TResponse SendCommand<TResponse>(IYubiKeyCommand<TResponse> yubiKeyCommand) where TResponse : IYubiKeyResponse
+        public virtual TResponse SendCommand<TResponse>(IYubiKeyCommand<TResponse> yubiKeyCommand)
+            where TResponse : IYubiKeyResponse
         {
             using (var _ = _smartCardConnection.BeginTransaction(out bool cardWasReset))
             {
@@ -147,7 +193,8 @@ public TResponse SendCommand<TResponse>(IYubiKeyCommand<TResponse> yubiKeyComman
                 var responseApdu = _apduPipeline.Invoke(
                     yubiKeyCommand.CreateCommandApdu(),
                     yubiKeyCommand.GetType(),
-                    typeof(TResponse));
+                    typeof(TResponse)
+                    );
 
                 return yubiKeyCommand.CreateResponseForApdu(responseApdu);
             }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiHsmAuth/YubiHsmAuthSession.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiHsmAuth/YubiHsmAuthSession.cs
index 3e8d7d266..5126a2ced 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiHsmAuth/YubiHsmAuthSession.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiHsmAuth/YubiHsmAuthSession.cs
@@ -14,7 +14,9 @@
 
 using System;
 using System.Globalization;
-using Yubico.YubiKey.InterIndustry.Commands;
+using Yubico.Core.Logging;
+using Yubico.YubiKey.Oath;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.YubiHsmAuth.Commands;
 
 namespace Yubico.YubiKey.YubiHsmAuth
@@ -22,15 +24,8 @@ namespace Yubico.YubiKey.YubiHsmAuth
     /// <summary>
     /// The main entry-point for all YubiHSM Auth related operations.
     /// </summary>
-    public sealed partial class YubiHsmAuthSession : IDisposable
+    public sealed partial class YubiHsmAuthSession : ApplicationSession
     {
-        private bool _disposed;
-
-        /// <summary>
-        /// The object that represents the connection to the YubiKey.
-        /// </summary>
-        public IYubiKeyConnection Connection { get; private set; }
-
         /// <summary>
         /// The delegate this class will call when it needs a management key or
         /// credential password.
@@ -55,12 +50,6 @@ public sealed partial class YubiHsmAuthSession : IDisposable
         /// </remarks>
         public Func<KeyEntryData, bool>? KeyCollector { get; set; }
 
-        // The default constructor explicitly defined. We don't want it to be used.
-        private YubiHsmAuthSession()
-        {
-            throw new NotImplementedException();
-        }
-
         /// <summary>
         /// Create an instance of <c>YubiHsmAuthSession</c> class, the object
         /// that represents the YubiHSM Auth application on the YubiKey.
@@ -90,22 +79,16 @@ private YubiHsmAuthSession()
         /// <param name="yubiKey">
         /// The object that represents the actual YubiKey which will perform the operations.
         /// </param>
+        /// <param name="keyParameters">If supplied, the parameters used open the SCP connection.</param>
         /// <exception cref="ArgumentNullException">
         /// The <c>yubiKey</c> argument is null.
         /// </exception>
         /// <exception cref="NotSupportedException">
         /// Failed to connect to the YubiHSM Auth application.
         /// </exception>
-        public YubiHsmAuthSession(IYubiKeyDevice yubiKey)
+        public YubiHsmAuthSession(IYubiKeyDevice yubiKey, ScpKeyParameters? keyParameters = null)
+            : base(Log.GetLogger<YubiHsmAuthSession>(), yubiKey, YubiKeyApplication.YubiHsmAuth, keyParameters)
         {
-            if (yubiKey is null)
-            {
-                throw new ArgumentNullException(nameof(yubiKey));
-            }
-
-            Connection = yubiKey.Connect(YubiKeyApplication.YubiHsmAuth);
-
-            _disposed = false;
         }
 
         /// <summary>
@@ -159,27 +142,5 @@ private Func<KeyEntryData, bool> GetKeyCollector()
 
             return KeyCollector;
         }
-
-        /// <summary>
-        /// When the YubiHsmAuthSession object goes out of scope, this method is called. It will close the session.
-        /// </summary>
-        // Note that .NET recommends a Dispose method call Dispose(true) and GC.SuppressFinalize(this).
-        // The actual disposal is in the Dispose(bool) method.
-        //
-        // However, that does not apply to sealed classes. So the Dispose method will simply perform the
-        // "closing" process, no call to Dispose(bool) or GC.
-        public void Dispose()
-        {
-            if (_disposed)
-            {
-                return;
-            }
-
-            // At the moment, there is no "close session" method. So for now,
-            // just connect to the management application.
-            _ = Connection.SendCommand(new SelectApplicationCommand(YubiKeyApplication.Management));
-            Connection.Dispose();
-            _disposed = true;
-        }
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyApplication.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyApplication.cs
index 7cc409858..3376d18a8 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyApplication.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyApplication.cs
@@ -13,6 +13,8 @@
 // limitations under the License.
 
 using System;
+using System.Collections.Generic;
+using Yubico.Core.Buffers;
 
 namespace Yubico.YubiKey
 {
@@ -29,36 +31,70 @@ public enum YubiKeyApplication
         InterIndustry = 8,
         OtpNdef = 9,
         YubiHsmAuth = 10,
+        [Obsolete("Use SecurityDomain instead")]
         Scp03 = 11,
+        SecurityDomain = 12
     }
 
     internal static class YubiKeyApplicationExtensions
     {
-        private static readonly byte[] ManagementAppId = new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17 };
-        private static readonly byte[] OtpAppId = new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01 };
-        private static readonly byte[] FidoU2fAppId = new byte[] { 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01 };
-        private static readonly byte[] Fido2AppId = new byte[] { 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01 };
-        private static readonly byte[] OathAppId = new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01 };
-        private static readonly byte[] OpenPgpAppId = new byte[] { 0xd2, 0x76, 0x00, 0x01, 0x24, 0x01 };
-        private static readonly byte[] PivAppId = new byte[] { 0xa0, 0x00, 0x00, 0x03, 0x08 };
-        private static readonly byte[] OtpNdef = new byte[] { 0xd2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01 };
-        private static readonly byte[] YubiHsmAuthId = new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x07, 0x01 };
-        private static readonly byte[] Scp03AuthId = new byte[] { 0xA0, 0x00, 0x00, 0x01, 0x51, 0x00, 0x00, 0x00 };
+        private static readonly byte[] ManagementAppId = { 0xA0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17 };
+        private static readonly byte[] OtpAppId = { 0xA0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01 };
+        private static readonly byte[] FidoU2fAppId = { 0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01 };
+        private static readonly byte[] Fido2AppId = { 0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01 };
+        private static readonly byte[] OathAppId = { 0xA0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01 };
+        private static readonly byte[] OpenPgpAppId = { 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01 };
+        private static readonly byte[] PivAppId = { 0xA0, 0x00, 0x00, 0x03, 0x08 };
+        private static readonly byte[] OtpNdef = { 0xD2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01 };
+        private static readonly byte[] YubiHsmAuthId = { 0xA0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x07, 0x01 };
+        private static readonly byte[] SecurityDomainAppId = { 0xA0, 0x00, 0x00, 0x01, 0x51, 0x00, 0x00, 0x00 };
 
         public static byte[] GetIso7816ApplicationId(this YubiKeyApplication application) =>
-            application switch
+            Iso7816ApplicationIds.ContainsKey(application)
+                ? Iso7816ApplicationIds[application].ToArray()
+                : throw new NotSupportedException(ExceptionMessages.ApplicationIdNotFound);
+
+        public static IReadOnlyDictionary<YubiKeyApplication, ReadOnlyMemory<byte>> Iso7816ApplicationIds =>
+            new Dictionary<YubiKeyApplication, ReadOnlyMemory<byte>>
             {
-                YubiKeyApplication.Management => ManagementAppId,
-                YubiKeyApplication.Otp => OtpAppId,
-                YubiKeyApplication.FidoU2f => FidoU2fAppId,
-                YubiKeyApplication.Fido2 => Fido2AppId,
-                YubiKeyApplication.Oath => OathAppId,
-                YubiKeyApplication.OpenPgp => OpenPgpAppId,
-                YubiKeyApplication.Piv => PivAppId,
-                YubiKeyApplication.OtpNdef => OtpNdef,
-                YubiKeyApplication.YubiHsmAuth => YubiHsmAuthId,
-                YubiKeyApplication.Scp03 => Scp03AuthId,
-                _ => throw new NotSupportedException(ExceptionMessages.ApplicationIdNotFound),
+                { YubiKeyApplication.Management, ManagementAppId },
+                { YubiKeyApplication.Otp, OtpAppId },
+                { YubiKeyApplication.FidoU2f, FidoU2fAppId },
+                { YubiKeyApplication.Fido2, Fido2AppId },
+                { YubiKeyApplication.Oath, OathAppId },
+                { YubiKeyApplication.OpenPgp, OpenPgpAppId },
+                { YubiKeyApplication.Piv, PivAppId },
+                { YubiKeyApplication.OtpNdef, OtpNdef },
+                { YubiKeyApplication.YubiHsmAuth, YubiHsmAuthId },
+                #pragma warning disable CS0618 // Type or member is obsolete // Remove in next major release
+                { YubiKeyApplication.Scp03, SecurityDomainAppId },
+                #pragma warning restore CS0618 // Type or member is obsolete // Remove in next major release
+                { YubiKeyApplication.SecurityDomain, SecurityDomainAppId }
             };
+
+        /// <summary>
+        /// Gets the <see cref="YubiKeyApplication"/> associated with the given applicationId.
+        /// </summary>
+        /// <param name="applicationId">The application id as a byte array.</param>
+        /// <returns>The associated <see cref="YubiKeyApplication"/>.</returns>
+        /// <exception cref="ArgumentException">No YubiKey application found with the given application id.</exception>
+        public static YubiKeyApplication GetYubiKeyApplication(this ReadOnlySpan<byte> applicationId)
+        {
+            foreach (var kvp in Iso7816ApplicationIds)
+            {
+                if (kvp.Value.Span.SequenceEqual(applicationId))
+                {
+                    return kvp.Key;
+                }
+            }
+
+            throw new ArgumentException(
+                $"No YubiKey application found with application id: {Base16.EncodeBytes(applicationId)}",
+                nameof(applicationId));
+        }
+
+        /// <inheritdoc cref="GetYubiKeyApplication(ReadOnlySpan{byte})"/>
+        public static YubiKeyApplication GetYubiKeyApplication(this byte[] applicationId) =>
+            GetYubiKeyApplication(applicationId.AsSpan());
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDevice.Instance.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDevice.Instance.cs
index 16a952835..093b7254d 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDevice.Instance.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDevice.Instance.cs
@@ -15,14 +15,13 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
-using System.Threading;
 using Microsoft.Extensions.Logging;
 using Yubico.Core.Devices;
 using Yubico.Core.Devices.Hid;
 using Yubico.Core.Devices.SmartCard;
 using Yubico.Core.Logging;
 using Yubico.YubiKey.DeviceExtensions;
-using Yubico.YubiKey.Scp03;
+using Yubico.YubiKey.Scp;
 using MgmtCmd = Yubico.YubiKey.Management.Commands;
 
 namespace Yubico.YubiKey
@@ -30,6 +29,7 @@ namespace Yubico.YubiKey
     public partial class YubiKeyDevice : IYubiKeyDevice
     {
         #region IYubiKeyDeviceInfo
+
         /// <inheritdoc />
         public YubiKeyCapabilities AvailableUsbCapabilities => _yubiKeyInfo.AvailableUsbCapabilities;
 
@@ -92,26 +92,30 @@ public partial class YubiKeyDevice : IYubiKeyDevice
 
         /// <inheritdoc />
         public bool ConfigurationLocked => _yubiKeyInfo.ConfigurationLocked;
+
         #endregion
 
-        private const int _lockCodeLength = MgmtCmd.SetDeviceInfoBaseCommand.LockCodeLength;
+        private const int LockCodeLength = MgmtCmd.SetDeviceInfoBaseCommand.LockCodeLength;
 
-        private static readonly ReadOnlyMemory<byte> _lockCodeAllZeros = new byte[_lockCodeLength];
+        private static readonly ReadOnlyMemory<byte> _lockCodeAllZeros = new byte[LockCodeLength];
 
         internal bool HasSmartCard => !(_smartCardDevice is null);
         internal bool HasHidFido => !(_hidFidoDevice is null);
         internal bool HasHidKeyboard => !(_hidKeyboardDevice is null);
         internal bool IsNfcDevice { get; private set; }
+        internal Transport LastActiveTransport;
+        internal ISmartCardDevice GetSmartCardDevice() => _smartCardDevice!;
 
         private ISmartCardDevice? _smartCardDevice;
         private IHidDevice? _hidFidoDevice;
         private IHidDevice? _hidKeyboardDevice;
         private IYubiKeyDeviceInfo _yubiKeyInfo;
-        private Transport _lastActiveTransport;
 
-        private readonly ILogger _log = Log.GetLogger<YubiKeyDevice>();
+        private ConnectionFactory ConnectionFactory =>
+            new ConnectionFactory(
+                Log.GetLogger<ConnectionFactory>(), this, _smartCardDevice, _hidKeyboardDevice, _hidFidoDevice);
 
-        internal ISmartCardDevice GetSmartCardDevice() => _smartCardDevice!;
+        private readonly ILogger _log = Log.GetLogger<YubiKeyDevice>();
 
         /// <inheritdoc />
         public Transport AvailableTransports
@@ -132,7 +136,9 @@ public Transport AvailableTransports
 
                 if (HasSmartCard)
                 {
-                    transports |= IsNfcDevice ? Transport.NfcSmartCard : Transport.UsbSmartCard;
+                    transports |= IsNfcDevice
+                        ? Transport.NfcSmartCard
+                        : Transport.UsbSmartCard;
                 }
 
                 return transports;
@@ -162,11 +168,11 @@ public YubiKeyDevice(IDevice device, IYubiKeyDeviceInfo info)
                     throw new ArgumentException(ExceptionMessages.DeviceTypeNotRecognized, nameof(device));
             }
 
-            _log.LogInformation("Created a YubiKeyDevice based on the {Transport} transport.", _lastActiveTransport);
+            _log.LogInformation("Created a YubiKeyDevice based on the {Transport} transport.", LastActiveTransport);
 
             _yubiKeyInfo = info;
             IsNfcDevice = _smartCardDevice?.IsNfcTransport() ?? false;
-            _lastActiveTransport = GetTransportIfOnlyDevice();
+            LastActiveTransport = GetTransportIfOnlyDevice();
         }
 
         /// <summary>
@@ -185,9 +191,10 @@ public YubiKeyDevice(
             _smartCardDevice = smartCardDevice;
             _hidFidoDevice = hidFidoDevice;
             _hidKeyboardDevice = hidKeyboardDevice;
+
             _yubiKeyInfo = yubiKeyDeviceInfo;
             IsNfcDevice = smartCardDevice?.IsNfcTransport() ?? false;
-            _lastActiveTransport = GetTransportIfOnlyDevice(); // Must be after setting the three device fields.
+            LastActiveTransport = GetTransportIfOnlyDevice(); // Must be after setting the three device fields.
         }
 
         /// <summary>
@@ -200,7 +207,7 @@ public YubiKeyDevice(
         /// The device does not have the same ParentDeviceId, or
         /// The device is not of a recognizable type.
         /// </exception>
-        public void Merge(IDevice device)
+        internal void Merge(IDevice device)
         {
             if (!((IYubiKeyDevice)this).HasSameParentDevice(device))
             {
@@ -215,7 +222,7 @@ public void Merge(IDevice device)
         /// </summary>
         /// <param name="device"></param>
         /// <param name="info"></param>
-        public void Merge(IDevice device, IYubiKeyDeviceInfo info)
+        internal void Merge(IDevice device, IYubiKeyDeviceInfo info)
         {
             // First merge the devices
             MergeDevice(device);
@@ -231,222 +238,75 @@ public void Merge(IDevice device, IYubiKeyDeviceInfo info)
             }
         }
 
-        private void MergeDevice(IDevice device)
-        {
-            switch (device)
-            {
-                case ISmartCardDevice scardDevice:
-                    _smartCardDevice = scardDevice;
-                    IsNfcDevice = scardDevice.IsNfcTransport();
-                    break;
-                case IHidDevice hidDevice when hidDevice.IsKeyboard():
-                    _hidKeyboardDevice = hidDevice;
-                    break;
-                case IHidDevice hidDevice when hidDevice.IsFido():
-                    _hidFidoDevice = hidDevice;
-                    break;
-                default:
-                    throw new ArgumentException(ExceptionMessages.DeviceTypeNotRecognized, nameof(device));
-            }
-
-            _lastActiveTransport = GetTransportIfOnlyDevice();
-        }
-
-        bool IYubiKeyDevice.HasSameParentDevice(IDevice device) => HasSameParentDevice(device);
-
-        internal protected bool HasSameParentDevice(IDevice device)
-        {
-            if (device is null)
-            {
-                throw new ArgumentNullException(nameof(device));
-            }
-
-            // Never match on a missing parent ID
-            if (device.ParentDeviceId is null)
-            {
-                return false;
-            }
-
-            return _smartCardDevice?.ParentDeviceId == device.ParentDeviceId
-                || _hidFidoDevice?.ParentDeviceId == device.ParentDeviceId
-                || _hidKeyboardDevice?.ParentDeviceId == device.ParentDeviceId;
-        }
-
         /// <inheritdoc />
-        public IYubiKeyConnection Connect(YubiKeyApplication yubikeyApplication)
-        {
-            _ = TryConnect(yubikeyApplication, null, true, out var returnValue);
-            return returnValue!;
-        }
+        public IYubiKeyConnection Connect(byte[] applicationId) => Connect(applicationId.GetYubiKeyApplication());
 
         /// <inheritdoc />
-        public IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication yubikeyApplication, StaticKeys scp03Keys)
-        {
-            _ = TryConnectScp03(yubikeyApplication, null, scp03Keys, true, out var returnValue);
-            return returnValue!;
-        }
+        public virtual IYubiKeyConnection Connect(YubiKeyApplication application) =>
+            ConnectionFactory.CreateConnection(application);
 
         /// <inheritdoc />
-        public IYubiKeyConnection Connect(byte[] applicationId)
-        {
-            _ = TryConnect(null, applicationId, true, out var returnValue);
-            return returnValue!;
-        }
-
-        /// <inheritdoc />
-        public IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, StaticKeys scp03Keys)
-        {
-            _ = TryConnectScp03(null, applicationId, scp03Keys, true, out var returnValue);
-            return returnValue!;
-        }
-
-        /// <inheritdoc />
-        public bool TryConnect(
-            YubiKeyApplication application,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection) =>
-        TryConnect(application, null, false, out connection);
+        public virtual IScpYubiKeyConnection Connect(
+            byte[] applicationId,
+            ScpKeyParameters keyParameters) =>
+            Connect(applicationId.GetYubiKeyApplication(), keyParameters);
 
         /// <inheritdoc />
-        public bool TryConnectScp03(
+        public virtual IScpYubiKeyConnection Connect(
             YubiKeyApplication application,
-            StaticKeys scp03Keys,
-            [MaybeNullWhen(returnValue: false)]
-            out IScp03YubiKeyConnection connection) =>
-        TryConnectScp03(application, null, scp03Keys, false, out connection);
+            ScpKeyParameters keyParameters) =>
+            ConnectionFactory.CreateScpConnection(application, keyParameters);
 
         /// <inheritdoc />
         public bool TryConnect(
             byte[] applicationId,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection) =>
-        TryConnect(null, applicationId, false, out connection);
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection) =>
+            TryConnect(applicationId.GetYubiKeyApplication(), out connection);
 
         /// <inheritdoc />
-        public bool TryConnectScp03(
-            byte[] applicationId,
-            StaticKeys scp03Keys,
-            [MaybeNullWhen(returnValue: false)]
-            out IScp03YubiKeyConnection connection) =>
-        TryConnectScp03(null, applicationId, scp03Keys, false, out connection);
-
-        // Calls the common code and throws an exception if there is a problem
-        // and throwOnFail is true.
-        private bool TryConnect(
-            YubiKeyApplication? application,
-            byte[]? applicationId,
-            bool throwOnFail,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection)
-        {
-            var returnValue = Connect(application, applicationId, null);
-            if (!(returnValue is null) || !throwOnFail)
-            {
-                connection = returnValue;
-                return !(returnValue is null);
-            }
-
-            throw new NotSupportedException(ExceptionMessages.NoInterfaceAvailable);
-        }
-
-        private bool TryConnectScp03(
-            YubiKeyApplication? application,
-            byte[]? applicationId,
-            StaticKeys scp03Keys,
-            bool throwOnFail,
-            [MaybeNullWhen(returnValue: false)]
-            out IScp03YubiKeyConnection connection)
+        public bool TryConnect(
+            YubiKeyApplication application,
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection)
         {
-            var returnValue = Connect(application, applicationId, scp03Keys);
-            if (!(returnValue is null) && returnValue is IScp03YubiKeyConnection scp03Connection)
+            try
             {
-                connection = scp03Connection;
+                connection = ConnectionFactory.CreateConnection(application);
                 return true;
             }
-
-            if (!throwOnFail)
+            catch (Exception ex)
             {
-                connection = null;
-                return false;
+                _log.LogError(ex, "Failed to connect to YubiKey");
             }
 
-            throw new NotSupportedException(ExceptionMessages.NoInterfaceAvailable);
+            connection = null;
+            return false;
         }
 
-        // Common to all Connect methods.
-        // If application is given, use it. If not, use applicationId.
-        // If scp03Keys are given, make an SCP03 connection. If not, normal
-        // connection.
-        // If a connection is made, return it, if there's an error, return null.
-        internal virtual IYubiKeyConnection? Connect(
-            YubiKeyApplication? application,
-            byte[]? applicationId,
-            StaticKeys? scp03Keys)
-        {
-            _log.LogInformation(
-                "YubiKey {Serial} connecting to {Application} application" + (scp03Keys is null ? "." : " over SCP03."),
-                SerialNumber,
-                application is null ? applicationId is null ? "Unknown" : applicationId.ToString()
-                : Enum.GetName(typeof(YubiKeyApplication), application));
-
-            if (application is null)
-            {
-                if (!(applicationId is null) && HasSmartCard && !(_smartCardDevice is null))
-                {
-                    _log.LogInformation("Connecting via the SmartCard interface.");
-                    WaitForReclaimTimeout(Transport.SmartCard);
-                    return scp03Keys is null
-                        ? new SmartCardConnection(_smartCardDevice, applicationId)
-                        : new Scp03Connection(_smartCardDevice, applicationId, scp03Keys);
-                }
-
-                _log.LogInformation(
-                    (applicationId is null ? "No application given." : "No smart card interface present.") +
-                    "Unable to establish connection to YubiKey.");
-
-                return null;
-            }
-
-            if (!(scp03Keys is null))
-            {
-                if (HasSmartCard && !(_smartCardDevice is null))
-                {
-                    _log.LogInformation("Connecting via the SmartCard interface.");
-                    WaitForReclaimTimeout(Transport.SmartCard);
-                    return new Scp03Connection(_smartCardDevice, (YubiKeyApplication)application, scp03Keys);
-                }
-
-                return null;
-            }
-
-            // OTP application should prefer the HIDKeyboard transport, but fall back on smart card
-            // if unavailable.
-            if (application == YubiKeyApplication.Otp && HasHidKeyboard)
-            {
-                _log.LogInformation("Connecting via the Keyboard interface.");
-                WaitForReclaimTimeout(Transport.HidKeyboard);
-                return new KeyboardConnection(_hidKeyboardDevice!);
-            }
+        /// <inheritdoc/>
+        public bool TryConnect(
+            byte[] applicationId,
+            ScpKeyParameters keyParameters,
+            [MaybeNullWhen(returnValue: false)] out IScpYubiKeyConnection connection) =>
+            TryConnect(applicationId.GetYubiKeyApplication(), keyParameters, out connection);
 
-            // FIDO applications should prefer the HIDFido transport, but fall back on smart card
-            // if unavailable.
-            if ((application == YubiKeyApplication.Fido2 || application == YubiKeyApplication.FidoU2f)
-                && HasHidFido)
+        /// <inheritdoc />
+        public bool TryConnect(
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters,
+            [MaybeNullWhen(returnValue: false)] out IScpYubiKeyConnection connection)
+        {
+            try
             {
-                _log.LogInformation("Connecting via the FIDO interface.");
-                WaitForReclaimTimeout(Transport.HidFido);
-                return new FidoConnection(_hidFidoDevice!);
+                connection = ConnectionFactory.CreateScpConnection(application, keyParameters);
+                return true;
             }
-
-            if (HasSmartCard && !(_smartCardDevice is null))
+            catch (Exception ex)
             {
-                _log.LogInformation("Connecting via the SmartCard interface.");
-                WaitForReclaimTimeout(Transport.SmartCard);
-                return new SmartCardConnection(_smartCardDevice, (YubiKeyApplication)application);
+                _log.LogError(ex, "Failed to connect to YubiKey");
             }
 
-            _log.LogInformation("No smart card interface present. Unable to establish connection to YubiKey.");
-            return null;
+            connection = null;
+            return false;
         }
 
         /// <inheritdoc/>
@@ -565,15 +425,15 @@ public void SetDeviceFlags(DeviceFlags deviceFlags)
         /// <inheritdoc/>
         public void LockConfiguration(ReadOnlySpan<byte> lockCode)
         {
-            if (lockCode.Length != _lockCodeLength)
+            if (lockCode.Length != LockCodeLength)
             {
                 throw new ArgumentException(
                     string.Format(
                         CultureInfo.CurrentCulture,
                         ExceptionMessages.LockCodeWrongLength,
-                        _lockCodeLength,
+                        LockCodeLength,
                         lockCode.Length),
-                        nameof(lockCode));
+                    nameof(lockCode));
             }
 
             if (lockCode.SequenceEqual(_lockCodeAllZeros.Span))
@@ -596,15 +456,15 @@ public void LockConfiguration(ReadOnlySpan<byte> lockCode)
         /// <inheritdoc/>
         public void UnlockConfiguration(ReadOnlySpan<byte> lockCode)
         {
-            if (lockCode.Length != _lockCodeLength)
+            if (lockCode.Length != LockCodeLength)
             {
                 throw new ArgumentException(
                     string.Format(
                         CultureInfo.CurrentCulture,
                         ExceptionMessages.LockCodeWrongLength,
-                        _lockCodeLength,
+                        LockCodeLength,
                         lockCode.Length),
-                        nameof(lockCode));
+                    nameof(lockCode));
             }
 
             var command = new MgmtCmd.SetDeviceInfoCommand();
@@ -627,6 +487,7 @@ public void SetLegacyDeviceConfiguration(
             int autoEjectTimeout)
         {
             #region argument checks
+
             // Keep only flags related to interfaces. This makes the operation easier for users
             // who may be doing bitwise operations on [Available/Enabled]UsbCapabilities.
             yubiKeyInterfaces &=
@@ -665,6 +526,7 @@ public void SetLegacyDeviceConfiguration(
                         nameof(autoEjectTimeout));
                 }
             }
+
             #endregion
 
             IYubiKeyResponse response;
@@ -674,8 +536,8 @@ public void SetLegacyDeviceConfiguration(
             {
                 var deviceFlags =
                     touchEjectEnabled
-                    ? DeviceFlags | DeviceFlags.TouchEject
-                    : DeviceFlags & ~DeviceFlags.TouchEject;
+                        ? DeviceFlags | DeviceFlags.TouchEject
+                        : DeviceFlags & ~DeviceFlags.TouchEject;
 
                 var setDeviceInfoCommand = new MgmtCmd.SetDeviceInfoCommand
                 {
@@ -758,6 +620,7 @@ public void DeviceReset()
                         CultureInfo.CurrentCulture,
                         ExceptionMessages.NotSupportedByYubiKeyVersion));
             }
+
             IYubiKeyConnection? connection = null;
             try
             {
@@ -781,6 +644,8 @@ public void DeviceReset()
             }
         }
 
+        /////////////////////////////////////////// PRIVATE //////////////////////////////////////////////////////////////////
+
         private IYubiKeyResponse SendConfiguration(MgmtCmd.SetDeviceInfoBaseCommand baseCommand)
         {
             IYubiKeyConnection? connection = null;
@@ -813,8 +678,7 @@ private IYubiKeyResponse SendConfiguration(MgmtCmd.SetDeviceInfoBaseCommand base
             }
         }
 
-        private IYubiKeyResponse SendConfiguration(
-            MgmtCmd.SetLegacyDeviceConfigBase baseCommand)
+        private IYubiKeyResponse SendConfiguration(MgmtCmd.SetLegacyDeviceConfigBase baseCommand)
         {
             IYubiKeyConnection? connection = null;
             try
@@ -842,7 +706,49 @@ private IYubiKeyResponse SendConfiguration(
             }
         }
 
+        private void MergeDevice(IDevice device)
+        {
+            switch (device)
+            {
+                case ISmartCardDevice scardDevice:
+                    _smartCardDevice = scardDevice;
+                    IsNfcDevice = scardDevice.IsNfcTransport();
+                    break;
+                case IHidDevice hidDevice when hidDevice.IsKeyboard():
+                    _hidKeyboardDevice = hidDevice;
+                    break;
+                case IHidDevice hidDevice when hidDevice.IsFido():
+                    _hidFidoDevice = hidDevice;
+                    break;
+                default:
+                    throw new ArgumentException(ExceptionMessages.DeviceTypeNotRecognized, nameof(device));
+            }
+
+            LastActiveTransport = GetTransportIfOnlyDevice();
+        }
+
+        bool IYubiKeyDevice.HasSameParentDevice(IDevice device) => HasSameParentDevice(device);
+
+        internal protected bool HasSameParentDevice(IDevice device)
+        {
+            if (device is null)
+            {
+                throw new ArgumentNullException(nameof(device));
+            }
+
+            // Never match on a missing parent ID
+            if (device.ParentDeviceId is null)
+            {
+                return false;
+            }
+
+            return _smartCardDevice?.ParentDeviceId == device.ParentDeviceId
+                || _hidFidoDevice?.ParentDeviceId == device.ParentDeviceId
+                || _hidKeyboardDevice?.ParentDeviceId == device.ParentDeviceId;
+        }
+
         #region IEquatable<T> and IComparable<T>
+
         /// <inheritdoc/>
         public override bool Equals(object obj)
         {
@@ -903,7 +809,7 @@ internal protected bool Contains(IDevice other) =>
             {
                 ISmartCardDevice scDevice => scDevice.Path == _smartCardDevice?.Path,
                 IHidDevice hidDevice => hidDevice.Path == _hidKeyboardDevice?.Path ||
-                                        hidDevice.Path == _hidFidoDevice?.Path,
+                    hidDevice.Path == _hidFidoDevice?.Path,
                 _ => false
             };
 
@@ -929,7 +835,9 @@ public int CompareTo(IYubiKeyDevice other)
 
                 if (HasSmartCard)
                 {
-                    int delta = string.Compare(_smartCardDevice!.Path, concreteKey._smartCardDevice!.Path, StringComparison.Ordinal);
+                    int delta = string.Compare(
+                        _smartCardDevice!.Path, concreteKey._smartCardDevice!.Path, StringComparison.Ordinal);
+
                     if (delta != 0)
                     {
                         return delta;
@@ -942,7 +850,9 @@ public int CompareTo(IYubiKeyDevice other)
 
                 if (HasHidFido)
                 {
-                    int delta = string.Compare(_hidFidoDevice!.Path, concreteKey._hidFidoDevice!.Path, StringComparison.Ordinal);
+                    int delta = string.Compare(
+                        _hidFidoDevice!.Path, concreteKey._hidFidoDevice!.Path, StringComparison.Ordinal);
+
                     if (delta != 0)
                     {
                         return delta;
@@ -955,7 +865,9 @@ public int CompareTo(IYubiKeyDevice other)
 
                 if (HasHidKeyboard)
                 {
-                    int delta = string.Compare(_hidKeyboardDevice!.Path, concreteKey._hidKeyboardDevice!.Path, StringComparison.Ordinal);
+                    int delta = string.Compare(
+                        _hidKeyboardDevice!.Path, concreteKey._hidKeyboardDevice!.Path, StringComparison.Ordinal);
+
                     if (delta != 0)
                     {
                         return delta;
@@ -998,7 +910,9 @@ public int CompareTo(IYubiKeyDevice other)
 
         /// <inheritdoc/>
         public static bool operator <(YubiKeyDevice left, YubiKeyDevice right) =>
-            left is null ? right is object : left.CompareTo(right) < 0;
+            left is null
+                ? right is object
+                : left.CompareTo(right) < 0;
 
         /// <inheritdoc/>
         public static bool operator <=(YubiKeyDevice left, YubiKeyDevice right) =>
@@ -1010,10 +924,14 @@ public int CompareTo(IYubiKeyDevice other)
 
         /// <inheritdoc/>
         public static bool operator >=(YubiKeyDevice left, YubiKeyDevice right) =>
-            left is null ? right is null : left.CompareTo(right) >= 0;
+            left is null
+                ? right is null
+                : left.CompareTo(right) >= 0;
+
         #endregion
 
         #region System.Object overrides
+
         /// <inheritdoc/>
         public override int GetHashCode()
         {
@@ -1026,6 +944,7 @@ public override int GetHashCode()
         }
 
         private static readonly string EOL = Environment.NewLine;
+
         /// <inheritdoc/>
         public override string ToString()
         {
@@ -1041,19 +960,11 @@ public override string ToString()
                 + "- Available NFC Capabilities: " + AvailableNfcCapabilities + EOL
                 + "- Enabled USB Capabilities: " + EnabledUsbCapabilities + EOL
                 + "- Enabled NFC Capabilities: " + EnabledNfcCapabilities + EOL;
+
             return res;
         }
-        #endregion
 
-        private DateTime GetLastActiveTime() =>
-            _lastActiveTransport switch
-            {
-                Transport.SmartCard when _smartCardDevice is { } => _smartCardDevice.LastAccessed,
-                Transport.HidFido when _hidFidoDevice is { } => _hidFidoDevice.LastAccessed,
-                Transport.HidKeyboard when _hidKeyboardDevice is { } => _hidKeyboardDevice.LastAccessed,
-                Transport.None => DateTime.Now,
-                _ => throw new InvalidOperationException(ExceptionMessages.DeviceTypeNotRecognized)
-            };
+        #endregion
 
         // If this YubiKey only has a single active USB transport attached to it, we do not really need to worry about
         // the reclaim timeout. This can help speed up the first access of the device as we know for a fact that there
@@ -1080,62 +991,76 @@ private Transport GetTransportIfOnlyDevice()
             return Transport.None;
         }
 
-        // This function handles waiting for the reclaim timeout on the YubiKey to elapse. The reclaim timeout requires
-        // the SDK to wait 3 seconds since the last USB message to an interface before switching to a different interface.
-        // Failure to wait can result in very strange behavior from the USB devices ultimately resulting in communication
-        // failures (i.e. exceptions).
-        private void WaitForReclaimTimeout(Transport newTransport)
+        /// <inheritdoc />
+        [Obsolete("Use new Scp")]
+        public bool TryConnectScp03(
+            YubiKeyApplication application,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
+            [MaybeNullWhen(returnValue: false)] out IScp03YubiKeyConnection connection)
         {
-            // Newer YubiKeys are able to switch interfaces much, much faster. Maybe this is being paranoid, but we
-            // should still probably wait a few milliseconds for things to stabilize. But definitely not the full
-            // three seconds! For older keys, we use a value of 3.01 seconds to give us a little wiggle room as the
-            // YubiKey's measurement for the reclaim timeout is likely not as accurate as our system clock.
-            var reclaimTimeout = CanFastReclaim() ? TimeSpan.FromMilliseconds(100) : TimeSpan.FromSeconds(3.01);
-
-            // We're only affected by the reclaim timeout if we're switching USB transports.
-            if (_lastActiveTransport == newTransport)
+            try
             {
-                _log.LogInformation(
-                    "{Transport} transport is already active. No need to wait for reclaim.",
-                    _lastActiveTransport);
-
-                return;
+                connection = ConnectionFactory.CreateScpConnection(application, scp03Keys);
+                return true;
             }
-
-            _log.LogInformation(
-                "Switching USB transports from {OldTransport} to {NewTransport}.",
-                _lastActiveTransport,
-                newTransport);
-
-            var timeSinceLastActivation = DateTime.Now - GetLastActiveTime();
-
-            // If we haven't already waited the duration of the reclaim timeout, we need to do so.
-            // Otherwise, we've already waited and can immediately switch the transport.
-            if (timeSinceLastActivation < reclaimTimeout)
+            catch (Exception ex)
             {
-                var waitNeeded = reclaimTimeout - timeSinceLastActivation;
-
-                _log.LogInformation(
-                    "Reclaim timeout still active. Need to wait {TimeMS} milliseconds.",
-                    waitNeeded.TotalMilliseconds);
-
-                Thread.Sleep(waitNeeded);
+                _log.LogError(ex, "Failed to connect to YubiKey");
             }
 
-            _lastActiveTransport = newTransport;
-
-            _log.LogInformation("Reclaim timeout has lapsed. It is safe to switch USB transports.");
+            connection = null;
+            return false;
         }
 
-        private bool CanFastReclaim()
+        /// <inheritdoc />
+        [Obsolete("Use new Scp")]
+        public bool TryConnectScp03(
+            byte[] applicationId,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
+            [MaybeNullWhen(returnValue: false)] out IScp03YubiKeyConnection connection)
         {
-            if (AppContext.TryGetSwitch(YubiKeyCompatSwitches.UseOldReclaimTimeoutBehavior, out bool useOldBehavior) &&
-                useOldBehavior)
+            try
             {
-                return false;
+                connection = ConnectionFactory.CreateScpConnection(applicationId.GetYubiKeyApplication(), scp03Keys);
+                return true;
+            }
+            catch (Exception ex)
+            {
+                _log.LogError(ex, "Failed to connect to YubiKey");
             }
 
-            return this.HasFeature(YubiKeyFeature.FastUsbReclaim);
+            connection = null;
+            return false;
         }
+
+        /// <inheritdoc />
+        [Obsolete("Use new Scp")]
+        public IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication application, Yubico.YubiKey.Scp03.StaticKeys scp03Keys) =>
+            (IScp03YubiKeyConnection)ConnectionFactory.CreateScpConnection(application, scp03Keys);
+
+        /// <inheritdoc />
+        [Obsolete("Use new Scp")]
+        public IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, Yubico.YubiKey.Scp03.StaticKeys scp03Keys) =>
+            ConnectionFactory.CreateScpConnection(
+                applicationId.GetYubiKeyApplication(), scp03Keys);
+
+        [Obsolete("Use new Scp")]
+        internal virtual IYubiKeyConnection? Connect(
+            YubiKeyApplication? application,
+            byte[]? applicationId,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys)
+        {
+            var app = application ??
+                applicationId?.GetYubiKeyApplication() ??
+                throw new ArgumentNullException(nameof(applicationId));
+
+            return ConnectionFactory.CreateScpConnection(app, scp03Keys);
+        }
+
+        [Obsolete("Obsolete")]
+        public virtual IYubiKeyConnection Connect(
+            YubiKeyApplication application,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys) =>
+            ConnectionFactory.CreateScpConnection(application, scp03Keys);
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceExtensions.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceExtensions.cs
index 5a258aefc..636e197f7 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceExtensions.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright 2023 Yubico AB
+// Copyright 2023 Yubico AB
 //
 // Licensed under the Apache License, Version 2.0 (the "License").
 // You may not use this file except in compliance with the License.
@@ -17,74 +17,11 @@
 
 namespace Yubico.YubiKey
 {
-    /// <summary>
-    /// A static class containing extension methods for YubiKeyDevice objects,
-    /// such as <see cref="WithScp03"/>.
-    /// </summary>
+    [Obsolete("This class is deprecated")]
     public static class YubiKeyDeviceExtensions
     {
-        /// <summary>
-        /// Use this method to make sure any Smart Card communication is
-        /// conducted using SCP03. If the input <c>device</c> is already set for
-        /// SCP03, this method will verify that the input <c>staticKeys</c> are
-        /// the same as those used to build the <c>device</c> and if they are,
-        /// simply return the input device.
-        /// </summary>
-        /// <remarks>
-        /// This method of making an SCP03 connection is deprecated. See the
-        /// <xref href="UsersManualScp03">User's Manual entry</xref> on SCP03 for
-        /// information on how best to make an SCP03 connection..
-        /// <para>
-        /// The YubiKey itself is represented by an instance of
-        /// <see cref="YubiKeyDevice"/>. After choosing the YubiKey to use, you
-        /// can specify that Smart Card communications be conduced using SCP03.
-        /// The key set you supply will be the keys used to encrypt and
-        /// authenticate/verify. That key set must already be loaded onto the
-        /// YubiKey.
-        /// </para>
-        /// <para>
-        /// For example, use SCP03 in a PivSession.
-        /// <code language="csharp">
-        ///  if (!YubiKeyDevice.TryGetYubiKey(serialNumber, out IYubiKeyDevice yubiKeyDevice))
-        ///  {
-        ///      // error, can't find YubiKey
-        ///  }
-        ///  yubiKeyDevice = (YubiKeyDevice)yubiKeyDevice.WithScp03(scp03Keys);
-        ///  using (var pivSession = new pivSession(yubiKeyDevice))
-        ///  {
-        ///    . . .
-        ///  }
-        /// </code>
-        /// </para>
-        /// </remarks>
-        /// <param name="device">
-        /// The underlying YubiKey device for which SCP03 communications are to
-        /// be used.
-        /// </param>
-        /// <param name="scp03Keys">
-        /// The symmetric key set to use. This call will copy the keys (not just
-        /// a reference).
-        /// </param>
-        /// <returns>
-        /// A wrapped <see cref="YubiKeyDevice"/> that uses SCP03.
-        /// </returns>
-        /// <exception cref="ArgumentNullException">
-        /// The <c>device</c> or <c>scp03Keys</c> arg is null.
-        /// </exception>
-        /// <exception cref="NotSupportedException">
-        /// The YubiKey device does not have an available smart card interface or
-        /// it does not support SCP03.
-        /// </exception>
-        [Obsolete("The WithScp03 extension will be deprecated, please specify SCP03 during the Connect call.", error: false)]
         public static IYubiKeyDevice WithScp03(this YubiKeyDevice device, StaticKeys scp03Keys) =>
             GetScp03Device(device, scp03Keys);
-
-        /// <summary>
-        /// This is the same as <c>WithScp03</c>, except it returns an
-        /// <c>Scp03YubiKeyDevice</c> instead of an <c>IYubiKeyDevice</c>.
-        /// Internally, we want an instance of this class, not a non-specific
-        /// object.
-        /// </summary>
         internal static Scp03YubiKeyDevice GetScp03Device(this IYubiKeyDevice device, StaticKeys scp03Keys)
         {
             if (device is null)
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceInfo.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceInfo.cs
index a09979ba0..90f3846da 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceInfo.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyDeviceInfo.cs
@@ -27,8 +27,8 @@ namespace Yubico.YubiKey
     /// </summary>
     public class YubiKeyDeviceInfo : IYubiKeyDeviceInfo
     {
-        private const byte FipsMask = 0b1000_0000;
-        private const byte SkyMask = 0b0100_0000;
+        private const byte FipsMask = 0x80;
+        private const byte SkyMask = 0x40;
         private const byte FormFactorMask = unchecked((byte)~(FipsMask | SkyMask));
 
         private static readonly FirmwareVersion _fipsInclusiveLowerBound =
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeature.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeature.cs
index 705cfec8c..e10b21e7e 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeature.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeature.cs
@@ -64,6 +64,16 @@ public enum YubiKeyFeature
         /// </summary>
         Scp03,
 
+        /// <summary>
+        ///     The ability to communicate using Secure Channel Protocol 3 (SCP03) for OATH credentials.
+        /// </summary>
+        Scp03Oath,
+
+        /// <summary>
+        ///     The ability to communicate using Secure Channel Protocol 11a/b/c (SCP11).
+        /// </summary>
+        Scp11,
+
         /// <summary>
         ///     The YubiKey is capable of switching USB interfaces without the lengthy 3-second reclaim timeout.
         /// </summary>
@@ -270,6 +280,6 @@ public enum YubiKeyFeature
         /// <summary>
         ///     Allows temporarily disabling NFC until the next time the YubiKey is powered over USB.
         /// </summary>
-        ManagementNfcRestricted
+        ManagementNfcRestricted,
     }
 }
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs
index 528c88dd0..4da78a2e4 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs
@@ -92,7 +92,17 @@ public static bool HasFeature(this IYubiKeyDevice yubiKeyDevice, YubiKeyFeature
                     yubiKeyDevice.FirmwareVersion >= FirmwareVersion.V5_3_0
                     && (HasApplication(yubiKeyDevice, YubiKeyCapabilities.Piv)
                     || HasApplication(yubiKeyDevice, YubiKeyCapabilities.Oath)
-                    || HasApplication(yubiKeyDevice, YubiKeyCapabilities.OpenPgp)),
+                    || HasApplication(yubiKeyDevice, YubiKeyCapabilities.OpenPgp)
+                    || HasApplication(yubiKeyDevice, YubiKeyCapabilities.Otp)
+                    || HasApplication(yubiKeyDevice, YubiKeyCapabilities.YubiHsmAuth)),
+
+                YubiKeyFeature.Scp03Oath =>
+                    yubiKeyDevice.FirmwareVersion >= FirmwareVersion.V5_6_3
+                    && HasFeature(yubiKeyDevice, YubiKeyFeature.Scp03),
+
+                YubiKeyFeature.Scp11 =>
+                    yubiKeyDevice.FirmwareVersion >= FirmwareVersion.V5_7_2
+                    && HasFeature(yubiKeyDevice, YubiKeyFeature.Scp03),
 
                 YubiKeyFeature.FastUsbReclaim =>
                     yubiKeyDevice.FirmwareVersion >= FirmwareVersion.V5_6_0,
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyResponse.cs
index 7ac50887b..89857e220 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyResponse.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyResponse.cs
@@ -151,12 +151,7 @@ public class YubiKeyResponse : IYubiKeyResponse
         /// <exception cref="ArgumentNullException">responseApdu</exception>
         public YubiKeyResponse(ResponseApdu responseApdu)
         {
-            if (responseApdu is null)
-            {
-                throw new ArgumentNullException(nameof(responseApdu));
-            }
-
-            ResponseApdu = responseApdu;
+            ResponseApdu = responseApdu ?? throw new ArgumentNullException(nameof(responseApdu));
         }
 
         /// <inheritdoc />
diff --git a/Yubico.YubiKey/tests/integration/Yubico.YubiKey.IntegrationTests.csproj b/Yubico.YubiKey/tests/integration/Yubico.YubiKey.IntegrationTests.csproj
index ad352daf2..346fb7c40 100644
--- a/Yubico.YubiKey/tests/integration/Yubico.YubiKey.IntegrationTests.csproj
+++ b/Yubico.YubiKey/tests/integration/Yubico.YubiKey.IntegrationTests.csproj
@@ -31,6 +31,7 @@ limitations under the License. -->
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Portable.BouncyCastle" Version="1.9.0" />
     <PackageReference Include="Xunit.SkippableFact" Version="1.4.13" />
     <ProjectReference Include="..\..\src\Yubico.YubiKey.csproj" />
     <ProjectReference Include="..\unit\Yubico.YubiKey.UnitTests.csproj" />
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Oath/OathSessionPasswordTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Oath/OathSessionPasswordTests.cs
index ce3043ab7..dc492b2d4 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Oath/OathSessionPasswordTests.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Oath/OathSessionPasswordTests.cs
@@ -13,6 +13,7 @@
 // limitations under the License.
 
 using Xunit;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.TestUtilities;
 
 namespace Yubico.YubiKey.Oath
@@ -21,101 +22,130 @@ namespace Yubico.YubiKey.Oath
     [Trait(TraitTypes.Category, TestCategories.Simple)]
     public sealed class OathSessionPasswordTests
     {
-        [Theory, TestPriority(0)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void SetPassword(StandardTestDevice testDeviceType)
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, false)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, false)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void SetPassword(
+            StandardTestDevice testDeviceType, bool useScp)
         {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var oathSession = new OathSession(testDevice))
+            var keyParameters = useScp ? Scp03KeyParameters.DefaultKey : null;
+            using (var resetSession = new OathSession(testDevice, keyParameters))
             {
-                var collectorObj = new SimpleOathKeyCollector();
-                oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+                resetSession.ResetApplication();
+            }
 
-                oathSession.SetPassword();
+            using var oathSession = new OathSession(testDevice, keyParameters);
+            var collectorObj = new SimpleOathKeyCollector();
+            oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
 
-                Assert.False(oathSession._oathData.Challenge.IsEmpty);
-            }
+            oathSession.SetPassword();
+
+            Assert.False(oathSession._oathData.Challenge.IsEmpty);
         }
 
-        [Theory, TestPriority(1)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void VerifyCorrectPassword(StandardTestDevice testDeviceType)
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, false)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, false)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void VerifyCorrectPassword(
+            StandardTestDevice testDeviceType, bool useScp)
         {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var oathSession = new OathSession(testDevice))
-            {
-                var collectorObj = new SimpleOathKeyCollector();
-                oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+            SetTestPassword(testDevice);
 
-                bool isVerified = oathSession.TryVerifyPassword();
-                Assert.True(isVerified);
-            }
+            using var oathSession = new OathSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null);
+            var collectorObj = new SimpleOathKeyCollector();
+            oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+
+            var isVerified = oathSession.TryVerifyPassword();
+
+            Assert.True(isVerified);
         }
 
-        [Theory, TestPriority(2)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void VerifyWrongPassword(StandardTestDevice testDeviceType)
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, false)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, false)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void VerifyWrongPassword(
+            StandardTestDevice testDeviceType, bool useScp)
         {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var oathSession = new OathSession(testDevice))
-            {
-                var collectorObj = new SimpleOathKeyCollector();
-                oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+            SetTestPassword(testDevice);
 
-                collectorObj.KeyFlag = 1;
+            using var oathSession = new OathSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null);
+            var collectorObj = new SimpleOathKeyCollector();
+            oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
 
-                bool isVerified = oathSession.TryVerifyPassword();
-                Assert.False(isVerified);
-            }
+            collectorObj.KeyFlag = 1;
+
+            var isVerified = oathSession.TryVerifyPassword();
+            Assert.False(isVerified);
         }
 
-        [Theory, TestPriority(3)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void ChangePassword(StandardTestDevice testDeviceType)
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, false)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, false)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void ChangePassword(
+            StandardTestDevice testDeviceType, bool useScp)
         {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var oathSession = new OathSession(testDevice))
-            {
-                var collectorObj = new SimpleOathKeyCollector();
-                oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+            SetTestPassword(testDevice);
 
-                collectorObj.KeyFlag = 1;
-                oathSession.SetPassword();
+            using var oathSession = new OathSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null);
+            var collectorObj = new SimpleOathKeyCollector();
+            oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+            collectorObj.KeyFlag = 1;
 
-                Assert.False(oathSession._oathData.Challenge.IsEmpty);
-            }
+            oathSession.SetPassword();
+
+            Assert.False(oathSession._oathData.Challenge.IsEmpty);
         }
 
-        [Theory, TestPriority(4)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void UnsetPassword(StandardTestDevice testDeviceType)
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, false)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, false)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void UnsetPassword(
+            StandardTestDevice testDeviceType, bool useScp)
         {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var oathSession = new OathSession(testDevice))
-            {
-                oathSession.ResetApplication();
+            SetTestPassword(testDevice);
+            using var oathSession = new OathSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null);
+            var collectorObj = new SimpleOathKeyCollector();
+            oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
 
-                var collectorObj = new SimpleOathKeyCollector();
-                oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+            oathSession.UnsetPassword();
 
-                oathSession.SetPassword();
+            Assert.False(oathSession.IsPasswordProtected);
+        }
 
-                Assert.True(oathSession.IsPasswordProtected);
+        private void SetTestPassword(IYubiKeyDevice testDevice, Scp03KeyParameters? keyParameters = null)
+        {
+            using (var resetSession = new OathSession(testDevice, keyParameters))
+            {
+                resetSession.ResetApplication();
             }
 
-            using (var oathSession = new OathSession(testDevice))
+            using (var oathSession = new OathSession(testDevice, keyParameters))
             {
                 var collectorObj = new SimpleOathKeyCollector();
                 oathSession.KeyCollector = collectorObj.SimpleKeyCollectorDelegate;
+                oathSession.SetPassword();
 
-                oathSession.UnsetPassword();
-
-                Assert.False(oathSession.IsPasswordProtected);
+                Assert.True(oathSession.IsPasswordProtected);
             }
         }
     }
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/ConfigureStaticTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/ConfigureStaticTests.cs
deleted file mode 100644
index 13db59558..000000000
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/ConfigureStaticTests.cs
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.Core.Devices.Hid;
-using Yubico.YubiKey.Otp.Operations;
-using Yubico.YubiKey.TestUtilities;
-
-namespace Yubico.YubiKey.Otp
-{
-    public class ConfigureStaticTests
-    {
-
-        [Trait(TraitTypes.Category, TestCategories.Simple)]
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5)]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        public void ConfigureStaticPassword_Succeeds(StandardTestDevice testDeviceType)
-        {
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-
-            using (var otpSession = new OtpSession(testDevice))
-            {
-                if (otpSession.IsLongPressConfigured)
-                {
-                    otpSession.DeleteSlot(Slot.LongPress);
-                }
-
-                ConfigureStaticPassword configObj = otpSession.ConfigureStaticPassword(Slot.LongPress);
-                Assert.NotNull(configObj);
-
-                var generatedPassword = new Memory<char>(new char[16]);
-
-                configObj = configObj.WithKeyboard(KeyboardLayout.en_US);
-                configObj = configObj.AllowManualUpdate(false);
-                configObj = configObj.AppendCarriageReturn(false);
-                configObj = configObj.SendTabFirst(false);
-                configObj = configObj.SetAllowUpdate();
-                configObj = configObj.GeneratePassword(generatedPassword);
-                configObj.Execute();
-            }
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/OtpSessionTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/OtpSessionTests.cs
new file mode 100644
index 000000000..9e2859178
--- /dev/null
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Otp/OtpSessionTests.cs
@@ -0,0 +1,83 @@
+// Copyright 2021 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Xunit;
+using Yubico.Core.Devices.Hid;
+using Yubico.YubiKey.Otp.Operations;
+using Yubico.YubiKey.Scp;
+using Yubico.YubiKey.TestUtilities;
+
+namespace Yubico.YubiKey.Otp
+{
+    public class OtpSessionTests
+    {
+
+        [Trait(TraitTypes.Category, TestCategories.Simple)]
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void ConfigureStaticPassword_Succeeds(StandardTestDevice testDeviceType)
+        {
+            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+
+            using var otpSession = new OtpSession(testDevice);
+            if (otpSession.IsLongPressConfigured)
+            {
+                otpSession.DeleteSlot(Slot.LongPress);
+            }
+
+            ConfigureStaticPassword configObj = otpSession.ConfigureStaticPassword(Slot.LongPress);
+            Assert.NotNull(configObj);
+
+            var generatedPassword = new Memory<char>(new char[16]);
+
+            configObj = configObj.WithKeyboard(KeyboardLayout.en_US);
+            configObj = configObj.AllowManualUpdate(false);
+            configObj = configObj.AppendCarriageReturn(false);
+            configObj = configObj.SendTabFirst(false);
+            configObj = configObj.SetAllowUpdate();
+            configObj = configObj.GeneratePassword(generatedPassword);
+            configObj.Execute();
+        }
+
+        [Trait(TraitTypes.Category, TestCategories.Simple)]
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void ConfigureStaticPassword_WithWScp_Succeeds(StandardTestDevice testDeviceType)
+        {
+            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+
+            using var otpSession = new OtpSession(testDevice, Scp03KeyParameters.DefaultKey);
+            if (otpSession.IsLongPressConfigured)
+            {
+                otpSession.DeleteSlot(Slot.LongPress);
+            }
+
+            ConfigureStaticPassword configObj = otpSession.ConfigureStaticPassword(Slot.LongPress);
+            Assert.NotNull(configObj);
+
+            var generatedPassword = new Memory<char>(new char[16]);
+
+            configObj = configObj.WithKeyboard(KeyboardLayout.en_US);
+            configObj = configObj.AllowManualUpdate(false);
+            configObj = configObj.AppendCarriageReturn(false);
+            configObj = configObj.SendTabFirst(false);
+            configObj = configObj.SetAllowUpdate();
+            configObj = configObj.GeneratePassword(generatedPassword);
+            configObj.Execute();
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GenerateTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GenerateTests.cs
index cf3c6e7b0..4d1bb46cf 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GenerateTests.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GenerateTests.cs
@@ -15,6 +15,7 @@
 using System;
 using Xunit;
 using Yubico.YubiKey.Piv.Commands;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.Scp03;
 using Yubico.YubiKey.TestUtilities;
 
@@ -37,13 +38,14 @@ public void SimpleGenerate(PivAlgorithm expectedAlgorithm, bool useScp03 = false
             var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(Transport.SmartCard, FirmwareVersion.V5_3_0);
 
             Assert.True(testDevice.AvailableUsbCapabilities.HasFlag(YubiKeyCapabilities.Piv));
+            using var pivSession = useScp03
+                ? new PivSession(testDevice, Scp03KeyParameters.DefaultKey)
+                : new PivSession(testDevice);
 
-            using var pivSession = useScp03 ? new PivSession(testDevice, new StaticKeys()) : new PivSession(testDevice);
             var collectorObj = new Simple39KeyCollector();
             pivSession.KeyCollector = collectorObj.Simple39KeyCollectorDelegate;
 
             var result = pivSession.GenerateKeyPair(PivSlot.Retired12, expectedAlgorithm);
-
             Assert.Equal(expectedAlgorithm, result.Algorithm);
         }
 
@@ -58,12 +60,6 @@ public void GenerateAndSign(PivAlgorithm algorithm)
 
             Assert.True(testDevice.AvailableUsbCapabilities.HasFlag(YubiKeyCapabilities.Piv));
             Assert.True(testDevice is YubiKeyDevice);
-            //             if (testDevice is YubiKeyDevice device)
-            //             {
-            // #pragma warning disable CS0618 // Specifically testing this feature
-            //                 // testDevice = device.WithScp03(new StaticKeys());
-            // #pragma warning restore CS0618 //
-            //             }
 
             var isValid = DoGenerate(testDevice, 0x86, algorithm, PivPinPolicy.Once, PivTouchPolicy.Never);
             Assert.True(isValid);
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GetPutDataTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GetPutDataTests.cs
index 9ff52ba1a..35d6b94ed 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GetPutDataTests.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/GetPutDataTests.cs
@@ -17,6 +17,7 @@
 using Xunit;
 using Yubico.Core.Tlv;
 using Yubico.YubiKey.Piv.Commands;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.Scp03;
 using Yubico.YubiKey.TestUtilities;
 
@@ -29,7 +30,7 @@ public class GetPutDataTests
         public void Cert_Auth_Req(StandardTestDevice testDeviceType)
         {
             var isValid = SampleKeyPairs.GetMatchingKeyAndCert(PivAlgorithm.Rsa2048,
-                out X509Certificate2 cert, out PivPrivateKey privateKey);
+                out var cert, out var privateKey);
             Assert.True(isValid);
 
             var certDer = cert.GetRawCertData();
@@ -45,7 +46,7 @@ public void Cert_Auth_Req(StandardTestDevice testDeviceType)
             var certData = tlvWriter.Encode();
             tlvWriter.Clear();
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -61,13 +62,13 @@ public void Cert_Auth_Req(StandardTestDevice testDeviceType)
             {
                 // There should be no data.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Authentication);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Authentication, certData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -87,7 +88,7 @@ public void Cert_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Authentication, certData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -95,10 +96,10 @@ public void Cert_Auth_Req(StandardTestDevice testDeviceType)
             {
                 // There should be data this time.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Authentication);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(certData.Length, getData.Length);
             }
         }
@@ -114,21 +115,24 @@ public void Chuid_Auth_Req(StandardTestDevice testDeviceType)
                 0x08, 0x32, 0x30, 0x33, 0x30, 0x30, 0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
-            using (var pivSession = new PivSession(testDevice, new StaticKeys()))
+            using (var pivSession = new PivSession(testDevice))
             {
                 pivSession.ResetApplication();
+            }
 
+            using (var pivSession = new PivSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
                 // There should be no data.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Chuid);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Chuid, chuidData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -148,7 +152,7 @@ public void Chuid_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Chuid, chuidData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -157,10 +161,10 @@ public void Chuid_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Chuid);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(61, getData.Length);
             }
         }
@@ -176,7 +180,7 @@ public void Capability_Auth_Req(StandardTestDevice testDeviceType)
                 0x00, 0xFD, 0x00, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -186,13 +190,13 @@ public void Capability_Auth_Req(StandardTestDevice testDeviceType)
 #pragma warning disable CS0618 // Testing an obsolete feature
                 var getDataCommand = new GetDataCommand(PivDataTag.Capability);
 #pragma warning restore CS0618 // Type or member is obsolete
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Capability, capabilityData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -214,7 +218,7 @@ public void Capability_Auth_Req(StandardTestDevice testDeviceType)
 #pragma warning disable CS0618 // Testing an obsolete feature
                 var putDataCommand = new PutDataCommand(PivDataTag.Capability, capabilityData);
 #pragma warning restore CS0618 // Type or member is obsolete
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -225,10 +229,10 @@ public void Capability_Auth_Req(StandardTestDevice testDeviceType)
 #pragma warning disable CS0618 // Testing an obsolete feature
                 var getDataCommand = new GetDataCommand(PivDataTag.Capability);
 #pragma warning restore CS0618 // Type or member is obsolete
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(53, getData.Length);
             }
         }
@@ -242,7 +246,7 @@ public void Discovery_Auth_Req(StandardTestDevice testDeviceType)
                 0x2F, 0x02, 0x40, 0x00,
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -250,10 +254,10 @@ public void Discovery_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be data.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Discovery);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(20, getData.Length);
 
                 // Now put some data.
@@ -271,21 +275,8 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
             byte[] printedData = {
                 0x53, 0x04, 0x04, 0x02, 0xd4, 0xe7
             };
-            byte[] key1 = {
-                0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
-            };
-            byte[] key2 = {
-                0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11
-            };
-            byte[] key3 = {
-                0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22
-            };
-            var newKeys = new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 2
-            };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -293,7 +284,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data, but even so, the error should be Auth Required.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Printed);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 // Authenticate the mgmt key and try again. It should still
@@ -304,8 +295,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
                 getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
             }
-
-            using (var pivSession = new PivSession(testDevice, newKeys))
+            using (var pivSession = new PivSession(testDevice))
             {
                 // Verify the PIN
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -314,7 +304,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
                 // Get the data. This time we should be able to see that there's
                 // NoData.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Printed);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -325,7 +315,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand(0x5FC109, printedData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -342,7 +332,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand(0x5FC109, printedData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -351,7 +341,7 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Printed);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 pivSession.KeyCollector = MgmtKeyOnlyKeyCollectorDelegate;
@@ -369,10 +359,10 @@ public void Printed_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.VerifyPin();
 
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Printed);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(6, getData.Length);
             }
         }
@@ -386,7 +376,7 @@ public void Security_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x08, 0xBA, 0x01, 0x11, 0xBB, 0x01, 0x22, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -394,13 +384,13 @@ public void Security_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.SecurityObject);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.SecurityObject, securityData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -420,7 +410,7 @@ public void Security_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.SecurityObject, securityData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -429,10 +419,10 @@ public void Security_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.SecurityObject);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(10, getData.Length);
             }
         }
@@ -445,7 +435,7 @@ public void KeyHistory_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x0A, 0xC1, 0x01, 0x00, 0xC2, 0x01, 0x00, 0xF3, 0x00, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -453,13 +443,13 @@ public void KeyHistory_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.KeyHistory);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.KeyHistory, keyHistoryData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -479,7 +469,7 @@ public void KeyHistory_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.KeyHistory, keyHistoryData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -488,10 +478,10 @@ public void KeyHistory_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.KeyHistory);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(12, getData.Length);
             }
         }
@@ -505,7 +495,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x05, 0xBC, 0x01, 0x11, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -513,7 +503,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data, but even so, the error should be Auth Required.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.IrisImages);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 // Authenticate the mgmt key and try to get data again. It should still
@@ -534,7 +524,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
                 // Get the data. This time we should be able to see that there's
                 // NoData.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.IrisImages);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -544,7 +534,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.IrisImages, irisData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -561,7 +551,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.IrisImages, irisData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -570,7 +560,7 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.IrisImages);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 pivSession.KeyCollector = MgmtKeyOnlyKeyCollectorDelegate;
@@ -588,10 +578,10 @@ public void Iris_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.VerifyPin();
 
                 var getDataCommand = new GetDataCommand((int)PivDataTag.IrisImages);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(7, getData.Length);
             }
         }
@@ -605,7 +595,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x05, 0xBC, 0x01, 0x11, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -613,7 +603,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data, but even so, the error should be Auth Required.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.FacialImage);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 // Authenticate the mgmt key and try to get data again. It should still
@@ -634,7 +624,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
                 // Get the data. This time we should be able to see that there's
                 // NoData.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.FacialImage);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -644,7 +634,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.FacialImage, facialData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -661,7 +651,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.FacialImage, facialData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -670,7 +660,7 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.FacialImage);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 pivSession.KeyCollector = MgmtKeyOnlyKeyCollectorDelegate;
@@ -688,10 +678,10 @@ public void Facial_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.VerifyPin();
 
                 var getDataCommand = new GetDataCommand((int)PivDataTag.FacialImage);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(7, getData.Length);
             }
         }
@@ -705,7 +695,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x05, 0xBC, 0x01, 0x11, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -713,7 +703,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
 
                 // There should be no data, but even so, the error should be Auth Required.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Fingerprints);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 // Authenticate the mgmt key and try to get data again. It should still
@@ -734,7 +724,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
                 // Get the data. This time we should be able to see that there's
                 // NoData.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Fingerprints);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -744,7 +734,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Fingerprints, fingerprintData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -761,7 +751,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.Fingerprints, fingerprintData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -770,7 +760,7 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Fingerprints);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, getDataResponse.Status);
 
                 pivSession.KeyCollector = MgmtKeyOnlyKeyCollectorDelegate;
@@ -788,10 +778,10 @@ public void Fingerprint_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.VerifyPin();
 
                 var getDataCommand = new GetDataCommand((int)PivDataTag.Fingerprints);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(7, getData.Length);
             }
         }
@@ -805,7 +795,7 @@ public void Bitgt_Auth_Req(StandardTestDevice testDeviceType)
                 0x7F, 0x61, 0x07, 0x02, 0x01, 0x01, 0x7F, 0x60, 0x01, 0x01
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -815,7 +805,7 @@ public void Bitgt_Auth_Req(StandardTestDevice testDeviceType)
 #pragma warning disable CS0618 // Testing an obsolete feature
                 var getDataCommand = new GetDataCommand(PivDataTag.BiometricGroupTemplate);
 #pragma warning restore CS0618 // Type or member is obsolete
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now try to put some data.
@@ -837,7 +827,7 @@ public void SMSigner_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x08, 0x70, 0x01, 0x11, 0x71, 0x01, 0x00, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
@@ -846,7 +836,7 @@ public void SMSigner_Auth_Req(StandardTestDevice testDeviceType)
                 // There is no auth required to get data, but there should be no
                 // data at the moment.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.SecureMessageSigner);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -856,7 +846,7 @@ public void SMSigner_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.SecureMessageSigner, smSignerData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -873,7 +863,7 @@ public void SMSigner_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.SecureMessageSigner, smSignerData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -882,10 +872,10 @@ public void SMSigner_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.SecureMessageSigner);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(10, getData.Length);
             }
         }
@@ -899,7 +889,7 @@ public void PCRef_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x0C, 0x99, 0x08, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0xFE, 0x00
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
             using (var pivSession = new PivSession(testDevice))
             {
                 pivSession.ResetApplication();
@@ -907,7 +897,7 @@ public void PCRef_Auth_Req(StandardTestDevice testDeviceType)
                 // There is no auth required to get data, but there should be no
                 // data at the moment.
                 var getDataCommand = new GetDataCommand((int)PivDataTag.PairingCodeReferenceData);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
             }
 
@@ -917,7 +907,7 @@ public void PCRef_Auth_Req(StandardTestDevice testDeviceType)
                 // With no PIN nor mgmt key, or with only the PIN, this should
                 // fail.
                 var putDataCommand = new PutDataCommand((int)PivDataTag.PairingCodeReferenceData, pcRefData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 pivSession.KeyCollector = PinOnlyKeyCollectorDelegate;
@@ -934,7 +924,7 @@ public void PCRef_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand((int)PivDataTag.PairingCodeReferenceData, pcRefData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -943,10 +933,10 @@ public void PCRef_Auth_Req(StandardTestDevice testDeviceType)
             using (var pivSession = new PivSession(testDevice))
             {
                 var getDataCommand = new GetDataCommand((int)PivDataTag.PairingCodeReferenceData);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(14, getData.Length);
             }
         }
@@ -959,19 +949,19 @@ public void AdminData_Auth_Req(StandardTestDevice testDeviceType)
                 0x53, 0x09, 0x80, 0x07, 0x81, 0x01, 0x00, 0x03, 0x02, 0x5C, 0x29
             };
 
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
 
             using (var pivSession = new PivSession(testDevice))
             {
                 // There should be no data.
                 var getDataCommand = new GetDataCommand(0x5FFF00);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.NoData, getDataResponse.Status);
 
                 // Now put some data.
                 // This should fail because the mgmt key is needed.
                 var putDataCommand = new PutDataCommand(0x5FFF00, adminData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.AuthenticationRequired, putDataResponse.Status);
 
                 // Verify the PIN
@@ -991,7 +981,7 @@ public void AdminData_Auth_Req(StandardTestDevice testDeviceType)
                 pivSession.AuthenticateManagementKey();
 
                 var putDataCommand = new PutDataCommand(0x5FFF00, adminData);
-                PutDataResponse putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
+                var putDataResponse = pivSession.Connection.SendCommand(putDataCommand);
                 Assert.Equal(ResponseStatus.Success, putDataResponse.Status);
             }
 
@@ -999,10 +989,10 @@ public void AdminData_Auth_Req(StandardTestDevice testDeviceType)
             {
                 // There should be data this time.
                 var getDataCommand = new GetDataCommand(0x5FFF00);
-                GetDataResponse getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
+                var getDataResponse = pivSession.Connection.SendCommand(getDataCommand);
                 Assert.Equal(ResponseStatus.Success, getDataResponse.Status);
 
-                ReadOnlyMemory<byte> getData = getDataResponse.GetData();
+                var getData = getDataResponse.GetData();
                 Assert.Equal(11, getData.Length);
             }
         }
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/SignTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/SignTests.cs
index cded8cb9f..08fa81cc4 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/SignTests.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/SignTests.cs
@@ -18,6 +18,7 @@
 using Yubico.Core.Tlv;
 using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Piv.Commands;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.Scp03;
 using Yubico.YubiKey.TestUtilities;
 
@@ -47,9 +48,8 @@ public void Sign_EccP256_Succeeds(bool useScp03, StandardTestDevice device, PivP
             bool isValid = LoadKey(PivAlgorithm.EccP256, 0x89, pinPolicy, PivTouchPolicy.Never, testDevice);
             Assert.True(isValid);
             Assert.True(testDevice.AvailableUsbCapabilities.HasFlag(YubiKeyCapabilities.Piv));
-
             using var pivSession = useScp03
-                ? new PivSession(testDevice, new StaticKeys())
+                ? new PivSession(testDevice, Scp03KeyParameters.DefaultKey)
                 : new PivSession(testDevice);
 
             var collectorObj = new Simple39KeyCollector();
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp03Tests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp03Tests.cs
new file mode 100644
index 000000000..e67c657e2
--- /dev/null
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp03Tests.cs
@@ -0,0 +1,469 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using Xunit;
+using Yubico.Core.Tlv;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Piv;
+using Yubico.YubiKey.Piv.Commands;
+using Yubico.YubiKey.Scp03;
+using Yubico.YubiKey.TestUtilities;
+using GetDataCommand = Yubico.YubiKey.Scp.Commands.GetDataCommand;
+
+namespace Yubico.YubiKey.Scp
+{
+    [Trait(TraitTypes.Category, TestCategories.Simple)]
+    public class Scp03Tests
+    {
+        private readonly ReadOnlyMemory<byte> _defaultPin = new byte[] { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 };
+
+        public Scp03Tests()
+        {
+            ResetAllowedDevices();
+        }
+
+        private IYubiKeyDevice GetDevice(
+            StandardTestDevice desiredDeviceType,
+            Transport transport = Transport.All,
+            FirmwareVersion? minimumFirmwareVersion = null)
+        {
+            var testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(desiredDeviceType, transport, minimumFirmwareVersion);
+            
+            // Since we are in testing, we assume that the keys the default keys are present on the device and haven't been changed
+            // Therefore we will throw an exception if the device is FIPS and the transport is NFC
+            // This can be changed in the future if needed
+            Assert.False(
+                desiredDeviceType == StandardTestDevice.Fw5Fips &&
+                transport == Transport.NfcSmartCard &&
+                testDevice.IsFipsSeries,
+                "SCP03 with the default static keys is not allowed over NFC on FIPS capable devices");
+
+            return testDevice;
+        }
+
+        private static void ResetAllowedDevices()
+        {
+            // Reset all attached allowed devices
+            foreach (var availableDevice in IntegrationTestDeviceEnumeration.GetTestDevices())
+            {
+                using var session = new SecurityDomainSession(availableDevice);
+                session.Reset();
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_PutKey_with_StaticKey_Imports_Key(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            byte[] sk =
+            {
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+            };
+
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            var newKeyParams = Scp03KeyParameters.FromStaticKeys(new StaticKeys(sk, sk, sk));
+
+            // Authenticate with default key, then replace default key
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                session.PutKey(newKeyParams.KeyReference, newKeyParams.StaticKeys, 0);
+            }
+
+            using (_ = new SecurityDomainSession(testDevice, newKeyParams))
+            {
+            }
+
+            // Default key should not work now and throw an exception
+            Assert.Throws<ArgumentException>(() =>
+            {
+                using (_ = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+                {
+                }
+            });
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        [Obsolete("Use Scp03_PutKey_with_StaticKey_Imports_Key instead")]
+        public void Obsolete_Scp03_PutKey_with_StaticKey_Imports_Key(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            byte[] sk =
+            {
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+            };
+
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            var defaultStaticKeys = new Scp03.StaticKeys();
+            var newStaticKeys = new Scp03.StaticKeys(sk, sk, sk);
+
+            // Authenticate with default key, then replace default key
+            using (var session = new Scp03Session(testDevice, defaultStaticKeys))
+            {
+                session.PutKeySet(newStaticKeys);
+            }
+
+            using (_ = new Scp03Session(testDevice, newStaticKeys))
+            {
+            }
+
+            // Default key should not work now and throw an exception
+            Assert.Throws<ArgumentException>(() =>
+            {
+                using (_ = new Scp03Session(testDevice, defaultStaticKeys))
+                {
+                }
+            });
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_PutKey_with_PublicKey_Imports_Key(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var keyReference = new KeyReference(ScpKeyIds.ScpCaPublicKey, 0x3);
+            var testDevice = GetDevice(desiredDeviceType, transport, FirmwareVersion.V5_7_2);
+
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+            using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+
+            var publicKey = new ECPublicKeyParameters(ecdsa);
+            session.PutKey(keyReference, publicKey, 0);
+
+            // Verify the generated key was stored
+            var keyInformation = session.GetKeyInformation();
+            Assert.True(keyInformation.ContainsKey(keyReference));
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_AuthenticateWithWrongKey_Should_ThrowException(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            var incorrectKeys = RandomStaticKeys();
+            var keyRef = Scp03KeyParameters.FromStaticKeys(incorrectKeys);
+
+            // Authentication with incorrect key should throw
+            Assert.Throws<ArgumentException>(() =>
+            {
+                using (var session = new SecurityDomainSession(testDevice, keyRef)) { }
+            });
+
+            // Authentication with default key should succeed
+            using (_ = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_GetInformation_WithDefaultKey_Returns_DefaultKey(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            using var session = new SecurityDomainSession(testDevice);
+
+            var result = session.GetKeyInformation();
+            if (testDevice.FirmwareVersion < FirmwareVersion.V5_7_2)
+            {
+                Assert.Equal(3, result.Count);
+            }
+            else
+            {
+                Assert.Equal(4, result.Count);
+            }
+            Assert.Equal(0xFF, result.Keys.First().VersionNumber);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Connect_GetKeyInformation_WithDefaultKey_Returns_DefaultKey(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            using var connection = testDevice.Connect(YubiKeyApplication.SecurityDomain);
+
+            const byte TAG_KEY_INFORMATION = 0xE0;
+            var response = connection.SendCommand(new GetDataCommand(TAG_KEY_INFORMATION));
+            var result = response.GetData();
+
+            var keyInformation = new Dictionary<KeyReference, Dictionary<byte, byte>>();
+            foreach (var tlvObject in TlvObjects.DecodeList(result.Span))
+            {
+                var value = TlvObjects.UnpackValue(0xC0, tlvObject.GetBytes().Span);
+                var keyRef = new KeyReference(value.Span[0], value.Span[1]);
+                var keyComponents = new Dictionary<byte, byte>();
+
+                // Iterate while there are more key components, each component is 2 bytes, so take 2 bytes at a time
+                while (!(value = value[2..]).IsEmpty)
+                {
+                    keyComponents.Add(value.Span[0], value.Span[1]);
+                }
+
+                keyInformation.Add(keyRef, keyComponents);
+            }
+
+            Assert.NotEmpty(keyInformation);
+            Assert.Equal(0xFF, keyInformation.Keys.First().VersionNumber); // 0xff, Default kvn
+
+            if (testDevice.FirmwareVersion < FirmwareVersion.V5_7_2)
+            {
+                Assert.Equal(3, keyInformation.Keys.Count);
+            }
+            else
+            {
+                Assert.Equal(4, keyInformation.Keys.Count);
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_GetCertificates_ReturnsCerts(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport, FirmwareVersion.V5_7_2);
+
+            using var session = new SecurityDomainSession(testDevice);
+
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var certificateList = session.GetCertificates(keyReference);
+
+            Assert.NotEmpty(certificateList);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Reset_Restores_SecurityDomainKeys_To_FactoryKeys(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            byte[] sk =
+            {
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+                0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+            };
+
+            var newKeyParams = new Scp03KeyParameters(
+                ScpKeyIds.Scp03,
+                0x01,
+                new StaticKeys(sk, sk, sk));
+
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                session.PutKey(newKeyParams.KeyReference, newKeyParams.StaticKeys, 0);
+            }
+
+            // Authentication with new key should succeed
+            using (var session = new SecurityDomainSession(testDevice, newKeyParams))
+            {
+                session.GetKeyInformation();
+            }
+
+            // Default key should not work now and throw an exception
+            Assert.Throws<ArgumentException>(() =>
+            {
+                using (_ = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+                {
+                }
+            });
+
+            using (var session = new SecurityDomainSession(testDevice))
+            {
+                session.Reset();
+            }
+
+            // Successful authentication with default key means key has been restored to factory settings
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                _ = session.GetKeyInformation();
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_GetSupportedCaIdentifiers_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport, FirmwareVersion.V5_7_2);
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+
+            var result = session.GetSupportedCaIdentifiers(true, true);
+            Assert.NotEmpty(result);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_GetCardRecognitionData_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+            var result = session.GetCardRecognitionData();
+
+            Assert.True(result.Length > 0);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_GetData_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+            var result = session.GetData(0x66); // Card Data
+
+            Assert.True(result.Length > 0);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_PivSession_TryVerifyPinAndGetMetaData_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            Assert.True(testDevice.FirmwareVersion >= FirmwareVersion.V5_3_0);
+            Assert.True(testDevice.HasFeature(YubiKeyFeature.Scp03));
+
+            using var pivSession = new PivSession(testDevice, Scp03KeyParameters.DefaultKey);
+            var result = pivSession.TryVerifyPin(_defaultPin, out _);
+
+            Assert.True(result);
+
+            var metadata = pivSession.GetMetadata(PivSlot.Pin)!;
+            Assert.Equal(3, metadata.RetryCount);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Device_Connect_With_Application_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            Assert.True(testDevice.FirmwareVersion >= FirmwareVersion.V5_3_0);
+
+            using var connection = testDevice.Connect(YubiKeyApplication.Piv, Scp03KeyParameters.DefaultKey);
+            Assert.NotNull(connection);
+
+            var cmd = new VerifyPinCommand(_defaultPin);
+            var rsp = connection!.SendCommand(cmd);
+            Assert.Equal(ResponseStatus.Success, rsp.Status);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Device_Connect_ApplicationId_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            Assert.True(testDevice.FirmwareVersion >= FirmwareVersion.V5_3_0);
+
+            using IYubiKeyConnection connection = testDevice.Connect(
+                YubiKeyApplication.Piv.GetIso7816ApplicationId(), Scp03KeyParameters.DefaultKey);
+
+            Assert.NotNull(connection);
+
+            var cmd = new VerifyPinCommand(_defaultPin);
+            var rsp = connection!.SendCommand(cmd);
+            Assert.Equal(ResponseStatus.Success, rsp.Status);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Device_TryConnect_With_Application_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            Assert.True(testDevice.FirmwareVersion >= FirmwareVersion.V5_3_0);
+
+            var isValid = testDevice.TryConnect(
+                YubiKeyApplication.Piv,
+                Scp03KeyParameters.DefaultKey,
+                out var connection);
+
+            using (connection)
+            {
+                Assert.NotNull(connection);
+                Assert.True(isValid);
+                var cmd = new VerifyPinCommand(_defaultPin);
+                var rsp = connection!.SendCommand(cmd);
+                Assert.Equal(ResponseStatus.Success, rsp.Status);
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.UsbSmartCard)]
+        [InlineData(StandardTestDevice.Fw5Fips, Transport.NfcSmartCard)]
+        public void Scp03_Device_TryConnect_With_ApplicationId_Succeeds(StandardTestDevice desiredDeviceType, Transport transport)
+        {
+            var testDevice = GetDevice(desiredDeviceType, transport);
+            Assert.True(testDevice.FirmwareVersion >= FirmwareVersion.V5_3_0);
+
+            var isValid = testDevice.TryConnect(YubiKeyApplication.Piv, Scp03KeyParameters.DefaultKey,
+                out var connection);
+
+            using (connection)
+            {
+                Assert.True(isValid);
+                Assert.NotNull(connection);
+                var cmd = new VerifyPinCommand(_defaultPin);
+                var rsp = connection!.SendCommand(cmd);
+                Assert.Equal(ResponseStatus.Success, rsp.Status);
+            }
+        }
+
+        #region Helpers
+
+        private static StaticKeys RandomStaticKeys() =>
+            new StaticKeys(
+                GetRandom16Bytes(),
+                GetRandom16Bytes(),
+                GetRandom16Bytes()
+            );
+
+        private static ReadOnlyMemory<byte> GetRandom16Bytes()
+        {
+            var buffer = new byte[16];
+            Random.Shared.NextBytes(buffer);
+            return buffer;
+        }
+
+        #endregion
+    }
+}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11TestData.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11TestData.cs
new file mode 100644
index 000000000..e54d026ec
--- /dev/null
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11TestData.cs
@@ -0,0 +1,79 @@
+using System;
+using System.Text;
+
+namespace Yubico.YubiKey.Scp
+{
+    public static class Scp11TestData
+    {
+        public readonly static ReadOnlyMemory<byte> OceCerts = Encoding.UTF8.GetBytes(
+            "-----BEGIN CERTIFICATE-----\n" +
+            "MIIB8DCCAZegAwIBAgIUf0lxsK1R+EydqZKLLV/vXhaykgowCgYIKoZIzj0EAwIw\n" +
+            "KjEoMCYGA1UEAwwfRXhhbXBsZSBPQ0UgUm9vdCBDQSBDZXJ0aWZpY2F0ZTAeFw0y\n" +
+            "NDA1MjgwOTIyMDlaFw0yNDA4MjYwOTIyMDlaMC8xLTArBgNVBAMMJEV4YW1wbGUg\n" +
+            "T0NFIEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49\n" +
+            "AwEHA0IABMXbjb+Y33+GP8qUznrdZSJX9b2qC0VUS1WDhuTlQUfg/RBNFXb2/qWt\n" +
+            "h/a+Ag406fV7wZW2e4PPH+Le7EwS1nyjgZUwgZIwHQYDVR0OBBYEFJzdQCINVBES\n" +
+            "R4yZBN2l5CXyzlWsMB8GA1UdIwQYMBaAFDGqVWafYGfoHzPc/QT+3nPlcZ89MBIG\n" +
+            "A1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgIEMCwGA1UdIAEB/wQiMCAw\n" +
+            "DgYMKoZIhvxrZAAKAgEoMA4GDCqGSIb8a2QACgIBADAKBggqhkjOPQQDAgNHADBE\n" +
+            "AiBE5SpNEKDW3OehDhvTKT9g1cuuIyPdaXGLZ3iX0x0VcwIgdnIirhlKocOKGXf9\n" +
+            "ijkE8e+9dTazSPLf24lSIf0IGC8=\n" +
+            "-----END CERTIFICATE-----\n" +
+            "-----BEGIN CERTIFICATE-----\n" +
+            "MIIB2zCCAYGgAwIBAgIUSf59wIpCKOrNGNc5FMPTD9zDGVAwCgYIKoZIzj0EAwIw\n" +
+            "KjEoMCYGA1UEAwwfRXhhbXBsZSBPQ0UgUm9vdCBDQSBDZXJ0aWZpY2F0ZTAeFw0y\n" +
+            "NDA1MjgwOTIyMDlaFw0yNDA2MjcwOTIyMDlaMCoxKDAmBgNVBAMMH0V4YW1wbGUg\n" +
+            "T0NFIFJvb3QgQ0EgQ2VydGlmaWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\n" +
+            "AASPrxfpSB/AvuvLKaCz1YTx68Xbtx8S9xAMfRGwzp5cXMdF8c7AWpUfeM3BQ26M\n" +
+            "h0WPvyBJKhCdeK8iVCaHyr5Jo4GEMIGBMB0GA1UdDgQWBBQxqlVmn2Bn6B8z3P0E\n" +
+            "/t5z5XGfPTASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjA8BgNV\n" +
+            "HSABAf8EMjAwMA4GDCqGSIb8a2QACgIBFDAOBgwqhkiG/GtkAAoCASgwDgYMKoZI\n" +
+            "hvxrZAAKAgEAMAoGCCqGSM49BAMCA0gAMEUCIHv8cgOzxq2n1uZktL9gCXSR85mk\n" +
+            "TieYeSoKZn6MM4rOAiEA1S/+7ez/gxDl01ztKeoHiUiW4FbEG4JUCzIITaGxVvM=\n" +
+            "-----END CERTIFICATE-----").AsMemory();
+
+        // PKCS12 certificate with a private key and full certificate chain
+        public static readonly Memory<byte> Oce = Convert.FromBase64String(
+            "MIIIfAIBAzCCCDIGCSqGSIb3DQEHAaCCCCMEgggfMIIIGzCCBtIGCSqGSIb3DQEHBqCCBsMwgga/" +
+            "AgEAMIIGuAYJKoZIhvcNAQcBMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAg8IcJO44iS" +
+            "gAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEAllIHdoQx/USA3jmRMeciiAggZQAHCP" +
+            "J5lzPV0Z5tnssXZZ1AWm8AcKEq28gWUTVqVxc+0EcbKQHig1Jx7rqC3q4G4sboIRw1vDH6q5O8eG" +
+            "sbkeNuYBim8fZ08JrsjeJABJoEiJrPqplMWA7H6a7athg3YSu1v4OR3UKN5Gyzn3s0Yx5yMm/xzw" +
+            "204TEK5/1LpK8AMcUliFSq7jw3Xl1RY0zjMSWyQjX0KmB9IdubqQCfhy8zkKluAQADtHsEYAn0F3" +
+            "LoMETQytyUSkIvGMZoFemkCWV7zZ5n5IPhXL7gvnTu0WS8UxEnz/+FYdF43cjmwGfSb3OpaxOND4" +
+            "PBCpwzbFfVCLa6mUBlwq1KQWRm1+PFm4LnL+3s2mxfjJAsVYP4U722/FHpW8rdTsyvdift9lsQja" +
+            "s2jIjCu8PFClFZJLQldu5FxOhKzx2gsjYS/aeTdefwjlRiGtEFSrE1snKBbnBeRYFocBjhTD/sy3" +
+            "Vj0i5sbWwTx7iq67joWydWAMp/lGSZ6akWRsyku/282jlwYsc3pR05qCHkbV0TzJcZofhXBwRgH5" +
+            "NKfulnJ1gH+i3e3RT3TauAKlqCeAfvDvA3+jxEDy/puPncod7WH0m9P4OmXjZ0s5EI4U+v6bKPgL" +
+            "7LlTCEI6yj15P7kxmruoxZlDAmhixVmlwJ8ZbVxD6Q+AOhXYPg+il3AYaRAS+VyJla0K+ac6hpYV" +
+            "AnbZCPzgHVkKC6iq4a/azf2b4uq9ks109jjnryAChdBsGdmStpZaPW4koMSAIJf12vGRp5jNjSax" +
+            "aIL5QxTn0WCO8FHi1oqTmlTSWvR8wwZLiBmqQtnNTpewiLL7C22lerUT7pYvKLCq/nnPYtb5UrST" +
+            "HrmTNOUzEGVOSAGUWV293S4yiPGIwxT3dPE5/UaU/yKq1RonMRaPhOZEESZEwLKVCqyDVEbAt7Hd" +
+            "ahp+Ex0FVrC5JQhpVQ0Wn6uCptF2Jup70u+P2kVWjxrGBuRrlgEkKuHcohWoO9EMX/bLK9KcY4s1" +
+            "ofnfgSNagsAyX7N51Bmahgz1MCFOEcuFa375QYQhqkyLO2ZkNTpFQtjHjX0izZWO55LN3rNpcD9+" +
+            "fZt6ldoZCpg+t6y5xqHy+7soH0BpxF1oGIHAUkYSuXpLY0M7Pt3qqvsJ4/ycmFUEyoGv8Ib/ieUB" +
+            "bebPz0Uhn+jaTpjgtKCyym7nBxVCuUv39vZ31nhNr4WaFsjdB/FOJh1s4KI6kQgzCSObrIVXBcLC" +
+            "TXPfZ3jWxspKIREHn+zNuW7jIkbugSRiNFfVArcc7cmU4av9JPSmFiZzeyA0gkrkESTg8DVPT16u" +
+            "7W5HREX4CwmKu+12R6iYQ/po9Hcy6NJ8ShLdAzU0+q/BzgH7Cb8qimjgfGBA3Mesc+P98FlCzAjB" +
+            "2EgucRuXuehM/FemmZyNl0qI1Mj9qOgx/HeYaJaYD+yXwojApmetFGtDtMJsDxwL0zK7eGXeHHa7" +
+            "pd7OybKdSjDq25CCTOZvfR0DD55FDIGCy0FsJTcferzPFlkz/Q45vEwuGfEBnXXS9IhH4ySvJmDm" +
+            "yfLMGiHW6t+9gjyEEg+dwSOq9yXYScfCsefRl7+o/9nDoNQ8s/XS7LKlJ72ZEBaKeAxcm6q4wVwU" +
+            "WITNNl1R3EYAsFBWzYt4Ka9Ob3igVaNfeG9K4pfQqMWcPpqVp4FuIsEpDWZYuv71s+WMYCs1JMfH" +
+            "bHDUczdRet1Ir2vLDGeWwvci70AzeKvvQ9OwBVESRec6cVrgt3EJWLey5sXY01WpMm526fwtLolS" +
+            "MpCf+dNePT97nXemQCcr3QXimagHTSGPngG3577FPrSQJl+lCJDYxBFFtnd6hq4OcVr5HiNAbLnS" +
+            "jBWbzqxhHMmgoojy4rwtHmrfyVYKXyl+98r+Lobitv2tpnBqmjL6dMPRBOJvQl8+Wp4MGBsi1gvT" +
+            "gW/+pLlMXT++1iYyxBeK9/AN5hfjtrivewE3JY531jwkrl3rUl50MKwBJMMAtQQIYrDg7DAg/+Qc" +
+            "Oi+2mgo9zJPzR2jIXF0wP+9FA4+MITa2v78QVXcesh63agcFJCayGAL1StnbSBvvDqK5vEei3uGZ" +
+            "beJEpU1hikQx57w3UzS9O7OSQMFvRBOrFBQsYC4JzfF0soIweGNpJxpm+UNYz+hB9vCb8+3OHA06" +
+            "9M0CAlJVOTF9uEpLVRzK+1kwggFBBgkqhkiG9w0BBwGgggEyBIIBLjCCASowggEmBgsqhkiG9w0B" +
+            "DAoBAqCB7zCB7DBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIexxrwNlHM34CAggAMAwG" +
+            "CCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAkK96h6gHJglyJl1/yEylvBIGQh62z7u5RoQ9y5wIX" +
+            "bE3/oMQTKVfCSrtqGUmj38sxDY7yIoTVQq7sw0MPNeYHROgGUAzawU0DlXMGuOWrbgzYeURZs0/H" +
+            "Z2Cqk8qhVnD8TgpB2n0U0NB7aJRHlkzTl5MLFAwn3NE49CSzb891lGwfLYXYCfNfqltD7xZ7uvz6" +
+            "JAo/y6UtY8892wrRv4UdejyfMSUwIwYJKoZIhvcNAQkVMRYEFJBU0s1/6SLbIRbyeq65gLWqClWN" +
+            "MEEwMTANBglghkgBZQMEAgEFAAQgqkOJRTcBlnx5yn57k23PH+qUXUGPEuYkrGy+DzEQiikECB0B" +
+            "XjHOZZhuAgIIAA==");
+
+        public static readonly ReadOnlyMemory<char> OcePassword = "password".AsMemory();
+    }
+}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11Tests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11Tests.cs
new file mode 100644
index 000000000..d4a48db8e
--- /dev/null
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11Tests.cs
@@ -0,0 +1,616 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Org.BouncyCastle.Pkcs;
+using Org.BouncyCastle.Security;
+using Xunit;
+using Yubico.Core.Devices.Hid;
+using Yubico.Core.Tlv;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Oath;
+using Yubico.YubiKey.Otp;
+using Yubico.YubiKey.Piv;
+using Yubico.YubiKey.TestUtilities;
+using Yubico.YubiKey.YubiHsmAuth;
+using ECCurve = System.Security.Cryptography.ECCurve;
+using ECPoint = System.Security.Cryptography.ECPoint;
+
+
+namespace Yubico.YubiKey.Scp
+{
+    [Trait(TraitTypes.Category, TestCategories.Simple)]
+    public class Scp11Tests
+    {
+        private const byte OceKid = 0x010;
+
+        public Scp11Tests()
+        {
+            ResetAllowedDevices();
+        }
+
+        private IYubiKeyDevice GetDevice(
+            StandardTestDevice desiredDeviceType,
+            Transport transport = Transport.SmartCard,
+            FirmwareVersion? minimumFirmwareVersion = null) =>
+            IntegrationTestDeviceEnumeration.GetTestDevice(desiredDeviceType, transport,
+                minimumFirmwareVersion ?? FirmwareVersion.V5_7_2);
+        
+        private static void ResetAllowedDevices()
+        {
+            // Reset all attached allowed devices
+            foreach (var availableDevice in IntegrationTestDeviceEnumeration.GetTestDevices())
+            {
+                using var session = new SecurityDomainSession(availableDevice);
+                session.Reset();
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_PivSession_Operations_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var keyParams = Get_Scp11b_EncryptedChannel_Parameters(testDevice, keyReference);
+
+            using var session = new PivSession(testDevice, keyParams);
+            session.ResetApplication();
+
+            session.KeyCollector = new Simple39KeyCollector().Simple39KeyCollectorDelegate;
+            var isVerified = session.TryVerifyPin();
+            Assert.True(isVerified);
+
+            var result = session.GenerateKeyPair(PivSlot.Retired12, PivAlgorithm.EccP256);
+            Assert.Equal(PivAlgorithm.EccP256, result.Algorithm);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_OathSession_Operations_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var keyParams = Get_Scp11b_EncryptedChannel_Parameters(testDevice, keyReference);
+
+            using (var resetSession = new OathSession(testDevice, keyParams))
+            {
+                resetSession.ResetApplication();
+            }
+
+            using var session = new OathSession(testDevice, keyParams);
+            session.KeyCollector = new SimpleOathKeyCollector().SimpleKeyCollectorDelegate;
+
+            session.SetPassword();
+            Assert.True(session.IsPasswordProtected);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_OtpSession_Operations_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var keyParams = Get_Scp11b_EncryptedChannel_Parameters(testDevice, keyReference);
+
+            using var session = new OtpSession(testDevice, keyParams);
+            if (session.IsLongPressConfigured)
+            {
+                session.DeleteSlot(Slot.LongPress);
+            }
+
+            var configObj = session.ConfigureStaticPassword(Slot.LongPress);
+            var generatedPassword = new Memory<char>(new char[16]);
+            configObj = configObj.WithKeyboard(KeyboardLayout.en_US);
+            configObj = configObj.GeneratePassword(generatedPassword);
+
+            configObj.Execute();
+        }
+        
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_YubiHsmSession_Operations_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = YhaTestUtilities.GetCleanDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var keyParams = Get_Scp11b_EncryptedChannel_Parameters(testDevice, keyReference);
+
+            using var session = new YubiHsmAuthSession(testDevice, keyParams);
+            session.AddCredential(YhaTestUtilities.DefaultMgmtKey, YhaTestUtilities.DefaultAes128Cred);
+            
+            var result = session.ListCredentials();
+            Assert.Single(result);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_Establish_Connection_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+
+            IReadOnlyCollection<X509Certificate2> certificateList;
+            using (var session = new SecurityDomainSession(testDevice))
+            {
+                certificateList = session.GetCertificates(keyReference);
+            }
+
+            var leaf = certificateList.Last();
+            var ecDsaPublicKey = leaf.PublicKey.GetECDsaPublicKey()!.ExportParameters(false);
+            var keyParams = new Scp11KeyParameters(keyReference, new ECPublicKeyParameters(ecDsaPublicKey));
+
+            using (var session = new SecurityDomainSession(testDevice, keyParams))
+            {
+                var result = session.GetKeyInformation();
+                Assert.NotEmpty(result);
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_Import_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x2);
+
+            // Start authenticated session with default key
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+
+            // Import private key
+            var ecDsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+            var privateKey = new ECPrivateKeyParameters(ecDsa);
+            session.PutKey(keyReference, privateKey, 0);
+
+            var result = session.GetKeyInformation();
+            Assert.NotEmpty(result);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_GetCertificates_IsNotEmpty(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            using var session = new SecurityDomainSession(testDevice);
+
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+            var certificateList = session.GetCertificates(keyReference);
+
+            Assert.NotEmpty(certificateList);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11b_StoreCertificates_CanBeRetrieved(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11B, 0x1);
+
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+            var oceCertificates = GetOceCertificates(Scp11TestData.OceCerts.Span);
+
+            session.StoreCertificates(keyReference, oceCertificates.Bundle);
+            var result = session.GetCertificates(keyReference);
+
+            // Assert that we can store and retrieve the off card entity certificate
+            var oceThumbprint = oceCertificates.Bundle.Single().Thumbprint;
+            Assert.Single(result);
+            Assert.Equal(oceThumbprint, result[0].Thumbprint);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11a_GenerateEcKey_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            var keyReference = new KeyReference(ScpKeyIds.Scp11A, 0x3);
+
+            // Start authenticated session
+            using var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey);
+
+            // Generate a new EC key
+            var generatedKey = session.GenerateEcKey(keyReference, 0);
+
+            // Verify the generated key
+            Assert.NotNull(generatedKey.Parameters.Q.X);
+            Assert.NotNull(generatedKey.Parameters.Q.Y);
+            Assert.Equal(32, generatedKey.Parameters.Q.X.Length);
+            Assert.Equal(32, generatedKey.Parameters.Q.Y.Length);
+            Assert.Equal(ECCurve.NamedCurves.nistP256.Oid.Value, generatedKey.Parameters.Curve.Oid.Value);
+
+            using var ecdsa = ECDsa.Create(generatedKey.Parameters);
+            Assert.NotNull(ecdsa);
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11a_WithAllowList_AllowsApprovedSerials(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            const byte kvn = 0x05;
+            var oceKeyRef = new KeyReference(OceKid, kvn);
+
+            Scp11KeyParameters keyParams;
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                keyParams = LoadKeys(session, ScpKeyIds.Scp11A, kvn);
+            }
+
+            using (var session = new SecurityDomainSession(testDevice, keyParams))
+            {
+                var serials = new List<string>
+                {
+                    // Serial numbers from oce certs
+                    "7F4971B0AD51F84C9DA9928B2D5FEF5E16B2920A",
+                    "6B90028800909F9FFCD641346933242748FBE9AD"
+                };
+
+                // Only the above serials shall work. 
+                session.StoreAllowlist(oceKeyRef, serials);
+            }
+
+            using (var session = new SecurityDomainSession(testDevice, keyParams))
+            {
+                session.DeleteKey(new KeyReference(ScpKeyIds.Scp11A, kvn));
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11a_WithAllowList_BlocksUnapprovedSerials(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            const byte kvn = 0x03;
+            var oceKeyRef = new KeyReference(OceKid, kvn);
+
+            Scp03KeyParameters scp03KeyParams;
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                // Import SCP03 key and get key parameters
+                scp03KeyParams = ImportScp03Key(session);
+            }
+
+            Scp11KeyParameters scp11KeyParams;
+            using (var session = new SecurityDomainSession(testDevice, scp03KeyParams))
+            {
+                // Make space for new key
+                session.DeleteKey(new KeyReference(ScpKeyIds.Scp11B, 0x01), false);
+
+                // Load SCP11a keys
+                scp11KeyParams = LoadKeys(session, ScpKeyIds.Scp11A, kvn);
+
+                // Create list of serial numbers
+                var serials = new List<string>
+                {
+                    "01",
+                    "02",
+                    "03"
+                };
+
+                // Store the allow list
+                session.StoreAllowlist(oceKeyRef, serials);
+            }
+
+            // This is the test. Authenticate with SCP11a should throw.
+            Assert.Throws<SecureChannelException>(() =>
+            {
+                using (var session = new SecurityDomainSession(testDevice, scp11KeyParams))
+                {
+                    // ... Authenticated
+                }
+            });
+
+            // Reset the allow list
+            using (var session = new SecurityDomainSession(testDevice, scp03KeyParams))
+            {
+                session.ClearAllowList(oceKeyRef);
+            }
+
+            // Now, with the allowlist removed, authenticate with SCP11a should now succeed
+            using (var session = new SecurityDomainSession(testDevice, scp11KeyParams))
+            {
+                // ... Authenticated
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11a_Authenticate_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            const byte kvn = 0x03;
+            var keyRef = new KeyReference(ScpKeyIds.Scp11A, kvn);
+
+            // Start authenticated session with default key
+            Scp11KeyParameters keyParams;
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                keyParams = LoadKeys(session, ScpKeyIds.Scp11A, kvn);
+            }
+
+            // Start authenticated session using new key params and public key from yubikey
+            using (var session = new SecurityDomainSession(testDevice, keyParams))
+            {
+                session.DeleteKey(keyRef);
+            }
+        }
+
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        public void Scp11c_Authenticate_Succeeds(
+            StandardTestDevice desiredDeviceType)
+        {
+            var testDevice = GetDevice(desiredDeviceType);
+            const byte kvn = 0x03;
+            var keyReference = new KeyReference(ScpKeyIds.Scp11C, kvn);
+
+            Scp11KeyParameters keyParams;
+            using (var session = new SecurityDomainSession(testDevice, Scp03KeyParameters.DefaultKey))
+            {
+                keyParams = LoadKeys(session, ScpKeyIds.Scp11C, kvn);
+            }
+
+            Assert.Throws<SecureChannelException>(() =>
+            {
+                using var session = new SecurityDomainSession(testDevice, keyParams);
+                session.DeleteKey(keyReference);
+            });
+        }
+
+        private Scp11KeyParameters LoadKeys(
+            SecurityDomainSession session,
+            byte scpKid,
+            byte kvn)
+        {
+            var sessionRef = new KeyReference(scpKid, kvn);
+            var oceRef = new KeyReference(OceKid, kvn);
+
+            // Generate new key pair on YubiKey and store public key for later use
+            var newPublicKey = session.GenerateEcKey(sessionRef, 0);
+
+            var oceCerts = GetOceCertificates(Scp11TestData.OceCerts.Span);
+            if (oceCerts.Ca == null)
+            {
+                throw new InvalidOperationException("Missing CA certificate");
+            }
+
+            // Put Oce Keys
+            var ocePublicKey = new ECPublicKeyParameters(oceCerts.Ca.PublicKey.GetECDsaPublicKey()!);
+            session.PutKey(oceRef, ocePublicKey, 0);
+
+            // Get Oce subject key identifier
+            var ski = GetSki(oceCerts.Ca);
+            if (ski.IsEmpty)
+            {
+                throw new InvalidOperationException("CA certificate missing Subject Key Identifier");
+            }
+
+            // Store the key identifier with the referenced off card entity on the Yubikey
+            session.StoreCaIssuer(oceRef, ski);
+
+            var (certChain, privateKey) =
+                GetOceCertificateChainAndPrivateKey(Scp11TestData.Oce, Scp11TestData.OcePassword);
+
+            // Now we have the EC private key parameters and cert chain
+            return new Scp11KeyParameters(
+                sessionRef,
+                new ECPublicKeyParameters(newPublicKey.Parameters),
+                oceRef,
+                new ECPrivateKeyParameters(privateKey),
+                certChain
+            );
+        }
+
+        private static (List<X509Certificate2> certChain, ECParameters privateKey) GetOceCertificateChainAndPrivateKey(
+            ReadOnlyMemory<byte> ocePkcs12,
+            ReadOnlyMemory<char> ocePassword)
+        {
+            // Load the OCE PKCS12 using Bouncy Castle Pkcs12 Store
+            using var pkcsStream = new MemoryStream(ocePkcs12.ToArray());
+            var pkcs12Store = new Pkcs12Store(pkcsStream, ocePassword.ToArray());
+
+            // Get the first alias (usually there's only one)
+            var alias = pkcs12Store.Aliases.Cast<string>().FirstOrDefault();
+            if (alias == null || !pkcs12Store.IsKeyEntry(alias))
+            {
+                throw new InvalidOperationException("No private key entry found in PKCS12");
+            }
+
+            // Get the certificate chain
+            var x509CertificateEntries = pkcs12Store.GetCertificateChain(alias);
+            var x509Certs = x509CertificateEntries
+                .Select(certEntry =>
+                {
+                    var cert = DotNetUtilities.ToX509Certificate(certEntry.Certificate);
+                    return new X509Certificate2(
+                        cert.Export(X509ContentType.Cert)
+                    );
+                });
+
+            var certs = ScpCertificates.From(x509Certs);
+            var certChain = new List<X509Certificate2>(certs.Bundle);
+            if (certs.Leaf != null)
+            {
+                certChain.Add(certs.Leaf);
+            }
+
+            // Get the private key
+            var privateKeyEntry = pkcs12Store.GetKey(alias);
+            if (!(privateKeyEntry.Key is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters ecPrivateKey))
+            {
+                throw new InvalidOperationException("Private key is not an EC key");
+            }
+
+            return (certChain, ConvertToECParameters(ecPrivateKey));
+        }
+
+        static ECParameters ConvertToECParameters(
+            Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters bcPrivateKey)
+        {
+            // Convert the BigInteger D to byte array
+            var dBytes = bcPrivateKey.D.ToByteArrayUnsigned();
+
+            // Calculate public key point Q = d*G
+            var Q = bcPrivateKey.Parameters.G.Multiply(bcPrivateKey.D);
+
+            // Get X and Y coordinates as byte arrays
+            var xBytes = Q.XCoord.ToBigInteger().ToByteArrayUnsigned();
+            var yBytes = Q.YCoord.ToBigInteger().ToByteArrayUnsigned();
+
+            // Create ECParameters with P-256 curve
+            return new ECParameters
+            {
+                Curve = ECCurve.NamedCurves.nistP256,
+                D = dBytes,
+                Q = new ECPoint
+                {
+                    X = xBytes,
+                    Y = yBytes
+                }
+            };
+        }
+
+        private ScpCertificates GetOceCertificates(
+            ReadOnlySpan<byte> pem)
+        {
+            try
+            {
+                var certificates = new List<X509Certificate2>();
+
+                // Convert PEM to a string
+                var pemString = Encoding.UTF8.GetString(pem);
+
+                // Split the PEM string into individual certificates
+                var pemCerts = pemString.Split(
+                    new[] { "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----" },
+                    StringSplitOptions.RemoveEmptyEntries
+                );
+
+                foreach (var certString in pemCerts)
+                {
+                    if (!string.IsNullOrWhiteSpace(certString))
+                    {
+                        // Remove any whitespace and convert to byte array
+                        var certData = Convert.FromBase64String(certString.Trim());
+                        var cert = new X509Certificate2(certData);
+                        certificates.Add(cert);
+                    }
+                }
+
+                return ScpCertificates.From(certificates);
+            }
+            catch (Exception ex)
+            {
+                throw new InvalidOperationException("Failed to parse PEM certificates", ex);
+            }
+        }
+
+        private Memory<byte> GetSki(
+            X509Certificate2 certificate)
+        {
+            var extension = certificate.Extensions["2.5.29.14"];
+            if (!(extension is X509SubjectKeyIdentifierExtension skiExtension))
+            {
+                throw new InvalidOperationException("Invalid Subject Key Identifier extension");
+            }
+
+            var rawData = skiExtension.RawData;
+            if (rawData == null || rawData.Length == 0)
+            {
+                throw new InvalidOperationException("Missing Subject Key Identifier");
+            }
+
+            var tlv = TlvObject.Parse(skiExtension.RawData);
+            return tlv.Value;
+        }
+
+        private static Scp03KeyParameters ImportScp03Key(
+            SecurityDomainSession session)
+        {
+            var scp03Ref = new KeyReference(0x01, 0x01);
+            var staticKeys = new StaticKeys(
+                GetRandomBytes(16),
+                GetRandomBytes(16),
+                GetRandomBytes(16)
+            );
+
+            session.PutKey(scp03Ref, staticKeys, 0);
+
+            return new Scp03KeyParameters(scp03Ref, staticKeys);
+        }
+
+        private static Memory<byte> GetRandomBytes(
+            byte length)
+        {
+            using var rng = CryptographyProviders.RngCreator();
+            Span<byte> hostChallenge = stackalloc byte[length];
+            rng.GetBytes(hostChallenge);
+
+            return hostChallenge.ToArray();
+        }
+
+        /// <summary>
+        /// This is a copy of Scp11b_Authenticate_Succeeds test
+        /// </summary>
+        /// <param name="testDevice"></param>
+        /// <param name="keyReference"></param>
+        /// <returns></returns>
+        private static Scp11KeyParameters Get_Scp11b_EncryptedChannel_Parameters(
+            IYubiKeyDevice testDevice,
+            KeyReference keyReference)
+        {
+            IReadOnlyCollection<X509Certificate2> certificateList;
+            using (var session = new SecurityDomainSession(testDevice))
+            {
+                certificateList = session.GetCertificates(keyReference);
+            }
+
+            var leaf = certificateList.Last();
+            var ecDsaPublicKey = leaf.PublicKey.GetECDsaPublicKey()!.ExportParameters(false);
+            var keyParams = new Scp11KeyParameters(keyReference, new ECPublicKeyParameters(ecDsaPublicKey));
+
+            return keyParams;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/ScpCertificates.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/ScpCertificates.cs
new file mode 100644
index 000000000..87197bab2
--- /dev/null
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/ScpCertificates.cs
@@ -0,0 +1,99 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Yubico.YubiKey.Scp
+{
+    public class ScpCertificates
+    {
+        public X509Certificate2? Ca { get; }
+        public IReadOnlyList<X509Certificate2> Bundle { get; }
+        public X509Certificate2? Leaf { get; }
+
+        private ScpCertificates(X509Certificate2? ca, IReadOnlyList<X509Certificate2> bundle, X509Certificate2? leaf)
+        {
+            Ca = ca;
+            Bundle = bundle ?? throw new ArgumentNullException(nameof(bundle));
+            Leaf = leaf;
+        }
+
+        public static ScpCertificates From(IEnumerable<X509Certificate2>? certificates)
+        {
+            if (certificates == null || !certificates.Any())
+            {
+                return new ScpCertificates(null, Array.Empty<X509Certificate2>(), null);
+            }
+
+            var certList = certificates.ToList();
+            X509Certificate2? ca = null;
+            byte[]? seenSerial = null;
+
+            // Order certificates with the Root CA on top
+            var ordered = new List<X509Certificate2> { certList[0] };
+            certList.RemoveAt(0);
+
+            while (certList.Count > 0)
+            {
+                var head = ordered[0];
+                var tail = ordered[^1];
+                var cert = certList[0];
+                certList.RemoveAt(0);
+
+                if (IsIssuedBy(cert, cert))
+                {
+                    ordered.Insert(0, cert);
+                    ca = ordered[0];
+                    continue;
+                }
+
+                if (IsIssuedBy(cert, tail))
+                {
+                    ordered.Add(cert);
+                    continue;
+                }
+
+                if (IsIssuedBy(head, cert))
+                {
+                    ordered.Insert(0, cert);
+                    continue;
+                }
+
+                if (seenSerial != null && cert.GetSerialNumber().SequenceEqual(seenSerial))
+                {
+                    throw new InvalidOperationException($"Cannot decide the order of {cert} in {string.Join(", ", ordered)}");
+                }
+
+                // This cert could not be ordered, try to process rest of certificates
+                // but if you see this cert again fail because the cert chain is not complete
+                certList.Add(cert);
+                seenSerial = cert.GetSerialNumber();
+            }
+
+            // Find ca and leaf
+            if (ca != null)
+            {
+                ordered.RemoveAt(0);
+            }
+
+            X509Certificate2? leaf = null;
+            if (ordered.Count > 0)
+            {
+                var lastCert = ordered[^1];
+                var keyUsage = lastCert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault()?.KeyUsages ?? default;
+                if (keyUsage.HasFlag(X509KeyUsageFlags.DigitalSignature))
+                {
+                    leaf = lastCert;
+                    ordered.RemoveAt(ordered.Count - 1);
+                }
+            }
+
+            return new ScpCertificates(ca, ordered, leaf);
+        }
+
+        private static bool IsIssuedBy(X509Certificate2 subjectCert, X509Certificate2 issuerCert)
+        {
+            return subjectCert.IssuerName.RawData.SequenceEqual(issuerCert.SubjectName.RawData);
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommandTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommandTests.cs
deleted file mode 100644
index 46b3245aa..000000000
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/DeleteKeyCommandTests.cs
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2023 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using Xunit;
-using Yubico.YubiKey.TestUtilities;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    [Trait(TraitTypes.Category, TestCategories.Simple)]
-    public class DeleteKeyCommandTests
-    {
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void DeleteKey_One_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0x33, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
-            };
-            byte[] key2 = {
-                0x33, 0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff,
-            };
-            byte[] key3 = {
-                0x33, 0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11,
-            };
-            var currentKeys = new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 3
-            };
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new DeleteKeyCommand(1, false);
-            Scp03Response rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-        }
-
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void DeleteKey_Two_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0x33, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
-            };
-            byte[] key2 = {
-                0x33, 0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff,
-            };
-            byte[] key3 = {
-                0x33, 0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11,
-            };
-            var currentKeys = new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 3
-            };
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new DeleteKeyCommand(2, false);
-            Scp03Response rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-        }
-
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void DeleteKey_Three_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0x33, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
-            };
-            byte[] key2 = {
-                0x33, 0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff,
-            };
-            byte[] key3 = {
-                0x33, 0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11,
-            };
-            var currentKeys = new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 3
-            };
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new DeleteKeyCommand(3, true);
-            Scp03Response rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/PutKeyCommandTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/PutKeyCommandTests.cs
deleted file mode 100644
index 52c67645c..000000000
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/Commands/PutKeyCommandTests.cs
+++ /dev/null
@@ -1,147 +0,0 @@
-// Copyright 2023 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.YubiKey.TestUtilities;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    public class PutKeyCommandTests
-    {
-        // These may require that DeleteKeyCommandTests have been run first.
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void ChangeDefaultKey_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
-            };
-            byte[] key2 = {
-                0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11
-            };
-            byte[] key3 = {
-                0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22
-            };
-
-            var currentKeys = new StaticKeys();
-            var newKeys = new StaticKeys(key2, key1, key3);
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new PutKeyCommand(currentKeys, newKeys);
-            PutKeyResponse rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-            ReadOnlyMemory<byte> checksum = rsp.GetData();
-            bool isEqual = checksum.Span.SequenceEqual(cmd.ExpectedChecksum.Span);
-            Assert.True(isEqual);
-        }
-
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void AddNewKeySet_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
-            };
-            byte[] key2 = {
-                0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11
-            };
-            byte[] key3 = {
-                0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22
-            };
-            byte[] newKey1 = {
-                0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,
-            };
-            byte[] newKey2 = {
-                0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff, 0x11
-            };
-            byte[] newKey3 = {
-                0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11, 0x22
-            };
-
-            var currentKeys = new StaticKeys(key2, key1, key3);
-            var newKeys = new StaticKeys(newKey2, newKey1, newKey3)
-            {
-                KeyVersionNumber = 2
-            };
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new PutKeyCommand(currentKeys, newKeys);
-            PutKeyResponse rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-            ReadOnlyMemory<byte> checksum = rsp.GetData();
-            bool isEqual = checksum.Span.SequenceEqual(cmd.ExpectedChecksum.Span);
-            Assert.True(isEqual);
-        }
-
-        [SkippableTheory(typeof(DeviceNotFoundException))]
-        [InlineData(StandardTestDevice.Fw5Fips)]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void AddThirdKeySet_Succeeds(StandardTestDevice testDeviceType)
-        {
-            byte[] key1 = {
-                0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,
-            };
-            byte[] key2 = {
-                0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff, 0x11
-            };
-            byte[] key3 = {
-                0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11, 0x22
-            };
-            byte[] newKey1 = {
-                0x33, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
-            };
-            byte[] newKey2 = {
-                0x33, 0xee, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xff,
-            };
-            byte[] newKey3 = {
-                0x33, 0xdd, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xaa, 0xbb, 0xcc, 0xee, 0xff, 0x11,
-            };
-
-            var currentKeys = new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 2
-            };
-            var newKeys = new StaticKeys(newKey2, newKey1, newKey3)
-            {
-                KeyVersionNumber = 3
-            };
-
-            IYubiKeyDevice testDevice = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            var isValid = testDevice.TryConnectScp03(YubiKeyApplication.Scp03, currentKeys, out IScp03YubiKeyConnection? connection);
-
-            Assert.True(isValid);
-            Assert.NotNull(connection);
-
-            var cmd = new PutKeyCommand(currentKeys, newKeys);
-            PutKeyResponse rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-            ReadOnlyMemory<byte> checksum = rsp.GetData();
-            bool isEqual = checksum.Span.SequenceEqual(cmd.ExpectedChecksum.Span);
-            Assert.True(isEqual);
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/PutDeleteKeyTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/PutDeleteKeyTests.cs
deleted file mode 100644
index 97839d4b3..000000000
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/PutDeleteKeyTests.cs
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright 2023 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.YubiKey.TestUtilities;
-
-namespace Yubico.YubiKey.Scp03
-{
-    // These may require that DeleteKeyCommandTests have been run first.
-    [TestCaseOrderer(PriorityOrderer.TypeName, PriorityOrderer.AssembyName)]
-    public class PutDeleteTests
-    {
-        [Fact]
-        [TestPriority(3)]
-        public void PutKey_Succeeds()
-        {
-            using var staticKeys = new StaticKeys();
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard,
-                minimumFirmwareVersion: FirmwareVersion.V5_3_0);
-
-            using (var scp03Session = new Scp03Session(device, staticKeys))
-            {
-                using StaticKeys newKeys = GetKeySet(1);
-                scp03Session.PutKeySet(newKeys);
-
-                using StaticKeys nextKeys = GetKeySet(2);
-                scp03Session.PutKeySet(nextKeys);
-            }
-
-            using StaticKeys keySet2 = GetKeySet(2);
-
-            using (var scp03Session = new Scp03Session(device, keySet2))
-            {
-                using StaticKeys keySet3 = GetKeySet(3);
-                scp03Session.PutKeySet(keySet3);
-            }
-        }
-
-        [Fact]
-        [TestPriority(3)]
-        public void ReplaceKey_Succeeds()
-        {
-            using StaticKeys staticKeys = GetKeySet(2);
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard,
-                FirmwareVersion.V5_3_0);
-
-            using (var scp03Session = new Scp03Session(device, staticKeys))
-            {
-                using StaticKeys newKeys = GetKeySet(1);
-                newKeys.KeyVersionNumber = 2;
-                scp03Session.PutKeySet(newKeys);
-            }
-        }
-
-        [Fact]
-        [TestPriority(0)]
-        public void DeleteKey_Succeeds()
-        {
-            using StaticKeys staticKeys = GetKeySet(3);
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard,
-                FirmwareVersion.V5_3_0);
-
-            using var scp03Session = new Scp03Session(device, staticKeys);
-            scp03Session.DeleteKeySet(1);
-            scp03Session.DeleteKeySet(2);
-
-            scp03Session.DeleteKeySet(3, true);
-        }
-
-        // The setNumber is to be 1, 2, or 3
-        private StaticKeys GetKeySet(int setNumber) => setNumber switch
-        {
-            1 => GetKeySet1(),
-            2 => GetKeySet2(),
-            _ => GetKeySet3()
-        };
-
-        private StaticKeys GetKeySet1()
-        {
-            var key1 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x11, 0x11, 0x11, 0x11, 0x49, 0x2f, 0x4d, 0x09, 0x22, 0xec, 0x3d, 0xb4, 0x6b, 0x20, 0x94, 0x7a
-            });
-            var key2 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x12, 0x12, 0x12, 0x12, 0x53, 0xB3, 0xE3, 0x78, 0x2A, 0x1D, 0xE5, 0xDC, 0x5A, 0xF4, 0xa6, 0x41
-            });
-            var key3 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x13, 0x13, 0x13, 0x13, 0x68, 0xDE, 0x7A, 0xB7, 0x74, 0x19, 0xBB, 0x7F, 0xB0, 0x55, 0x7d, 0x40
-            });
-
-            return new StaticKeys(key2, key1, key3);
-        }
-
-        private StaticKeys GetKeySet2()
-        {
-            var key1 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x21, 0x21, 0x21, 0x21, 0x20, 0x94, 0x7a, 0x49, 0x2f, 0x4d, 0x09, 0x22, 0xec, 0x3d, 0xb4, 0x6b
-            });
-            var key2 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x22, 0x22, 0x22, 0x22, 0xDC, 0x5A, 0xF4, 0xa6, 0x41, 0x53, 0xB3, 0xE3, 0x78, 0x2A, 0x1D, 0xE5
-            });
-            var key3 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x23, 0x23, 0x23, 0x23, 0x7d, 0x40, 0x68, 0xDE, 0x7A, 0xB7, 0x74, 0x19, 0xBB, 0x7F, 0xB0, 0x55
-            });
-
-            return new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 2
-            };
-        }
-
-        private StaticKeys GetKeySet3()
-        {
-            var key1 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x21, 0x21, 0x21, 0x21, 0x20, 0xDC, 0x5A, 0xF4, 0xa6, 0x41, 0x94, 0x7a, 0x49, 0x2f, 0x4d, 0x09
-            });
-            var key2 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x22, 0x22, 0x22, 0x22, 0x22, 0xec, 0x3d, 0xb4, 0x6b, 0x53, 0xB3, 0xE3, 0x78, 0x2A, 0x1D, 0xE5
-            });
-            var key3 = new ReadOnlyMemory<byte>(new byte[]
-            {
-                0x23, 0x23, 0x23, 0x23, 0x7A, 0xB7, 0x74, 0x19, 0x7d, 0x40, 0x68, 0xDE, 0xBB, 0x7F, 0xB0, 0x55
-            });
-
-            return new StaticKeys(key2, key1, key3)
-            {
-                KeyVersionNumber = 3
-            };
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/SimpleSessionTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/SimpleSessionTests.cs
deleted file mode 100644
index 9adcf96df..000000000
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp03/SimpleSessionTests.cs
+++ /dev/null
@@ -1,119 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.YubiKey.Piv;
-using Yubico.YubiKey.Piv.Commands;
-using Yubico.YubiKey.TestUtilities;
-
-namespace Yubico.YubiKey.Scp03
-{
-    public class SimpleSessionTests
-    {
-        private readonly byte[] _pin = { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 };
-
-        [Theory]
-        [InlineData(StandardTestDevice.Fw5)]
-        public void SessionSetupAndUse_Succeeds(StandardTestDevice testDeviceType)
-        {
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType);
-            Assert.True(device.FirmwareVersion >= FirmwareVersion.V5_3_0);
-            Assert.True(device.HasFeature(YubiKeyFeature.Scp03));
-
-#pragma warning disable CS0618 // Specifically testing this soon-to-be-deprecated feature
-            IYubiKeyDevice scp03Device = (device as YubiKeyDevice)!.WithScp03(new StaticKeys());
-#pragma warning restore CS0618
-
-            using var piv = new PivSession(scp03Device);
-            bool result = piv.TryVerifyPin(new ReadOnlyMemory<byte>(new byte[] { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 }), out _);
-            Assert.True(result);
-
-            PivMetadata metadata = piv.GetMetadata(PivSlot.Pin)!;
-            Assert.Equal(3, metadata.RetryCount);
-        }
-
-        [Fact]
-        public void ConnectScp03_Application_Succeeds()
-        {
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard, FirmwareVersion.V5_3_0);
-
-            using var scp03Keys = new StaticKeys();
-
-            using IYubiKeyConnection connection = device.ConnectScp03(YubiKeyApplication.Piv, scp03Keys);
-            Assert.NotNull(connection);
-
-            var cmd = new VerifyPinCommand(_pin);
-            VerifyPinResponse rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-        }
-
-        [Fact]
-        public void ConnectScp03_AlgorithmId_Succeeds()
-        {
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard, FirmwareVersion.V5_3_0);
-
-            using var scp03Keys = new StaticKeys();
-
-            using IYubiKeyConnection connection = device.ConnectScp03(
-                YubiKeyApplication.Piv.GetIso7816ApplicationId(), scp03Keys);
-            Assert.NotNull(connection);
-
-            var cmd = new VerifyPinCommand(_pin);
-            VerifyPinResponse rsp = connection!.SendCommand(cmd);
-            Assert.Equal(ResponseStatus.Success, rsp.Status);
-        }
-
-        [Fact]
-        public void TryConnectScp03_Application_Succeeds()
-        {
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard, FirmwareVersion.V5_3_0);
-
-            using var scp03Keys = new StaticKeys();
-
-            bool isValid = device.TryConnectScp03(YubiKeyApplication.Piv, scp03Keys, out IScp03YubiKeyConnection? connection);
-            using (connection)
-            {
-                Assert.NotNull(connection);
-                Assert.True(isValid);
-                var cmd = new VerifyPinCommand(_pin);
-                VerifyPinResponse rsp = connection!.SendCommand(cmd);
-                Assert.Equal(ResponseStatus.Success, rsp.Status);
-            }
-        }
-
-        [Fact]
-        public void TryConnectScp03_AlgorithmId_Succeeds()
-        {
-            IYubiKeyDevice device = IntegrationTestDeviceEnumeration.GetTestDevice(
-                Transport.SmartCard, FirmwareVersion.V5_3_0);
-
-            using var scp03Keys = new StaticKeys();
-
-            bool isValid = device.TryConnectScp03(
-                YubiKeyApplication.Piv.GetIso7816ApplicationId(), scp03Keys, out IScp03YubiKeyConnection? connection);
-            using (connection)
-            {
-                Assert.NotNull(connection);
-                Assert.True(isValid);
-                var cmd = new VerifyPinCommand(_pin);
-                VerifyPinResponse rsp = connection!.SendCommand(cmd);
-                Assert.Equal(ResponseStatus.Success, rsp.Status);
-            }
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/SessionCredentialTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/SessionCredentialTests.cs
index 5249cc4e9..451b6767a 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/SessionCredentialTests.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/SessionCredentialTests.cs
@@ -17,22 +17,28 @@
 using System.Linq;
 using System.Security;
 using Xunit;
+using Yubico.YubiKey.Scp;
+using Yubico.YubiKey.TestUtilities;
 
 namespace Yubico.YubiKey.YubiHsmAuth
 {
     public class SessionCredentialTests
     {
         #region DeleteCredential
-        [Fact]
-        public void AddCredential_DefaultTestCred_AppContainsOneCred()
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void AddCredential_DefaultTestCred_AppContainsOneCred(StandardTestDevice selectedDevice, bool useScp = false)
         {
             // Preconditions
-            IYubiKeyDevice testDevice = YhaTestUtilities.GetCleanDevice();
+            IYubiKeyDevice testDevice = YhaTestUtilities.GetCleanDevice(selectedDevice);
 
             IReadOnlyList<CredentialRetryPair> credentialList;
 
             // Test
-            using (var yubiHsmAuthSession = new YubiHsmAuthSession(testDevice))
+            using (var yubiHsmAuthSession = new YubiHsmAuthSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null))
             {
                 yubiHsmAuthSession.AddCredential(YhaTestUtilities.DefaultMgmtKey, YhaTestUtilities.DefaultAes128Cred);
 
@@ -173,15 +179,19 @@ public void TryDeleteCredentialKeyCollector_NoKeyCollector_ThrowsInvalidOpEx()
         #endregion
 
         #region AddCredential
-        [Fact]
-        public void TryAddCredentialKeyCollector_CorrectMgmtKey_AppContainsNewCred()
+        [SkippableTheory(typeof(DeviceNotFoundException))]
+        [InlineData(StandardTestDevice.Fw5)]
+        [InlineData(StandardTestDevice.Fw5Fips)]
+        [InlineData(StandardTestDevice.Fw5, true)]
+        [InlineData(StandardTestDevice.Fw5Fips, true)]
+        public void TryAddCredentialKeyCollector_CorrectMgmtKey_AppContainsNewCred(StandardTestDevice selectedDevice, bool useScp = false)
         {
             // Preconditions
-            IYubiKeyDevice testDevice = YhaTestUtilities.GetCleanDevice();
+            IYubiKeyDevice testDevice = YhaTestUtilities.GetCleanDevice(selectedDevice);
 
             IReadOnlyList<CredentialRetryPair> credentialList;
 
-            using (var yubiHsmAuthSession = new YubiHsmAuthSession(testDevice))
+            using (var yubiHsmAuthSession = new YubiHsmAuthSession(testDevice, useScp ? Scp03KeyParameters.DefaultKey : null))
             {
                 yubiHsmAuthSession.KeyCollector = SimpleKeyCollector.DefaultValueCollectorDelegate;
 
diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/YhaTestUtilities.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/YhaTestUtilities.cs
index 7e5a51905..9a3ea6a8d 100644
--- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/YhaTestUtilities.cs
+++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/YubiHsmAuth/YhaTestUtilities.cs
@@ -90,9 +90,9 @@ public class YhaTestUtilities
         /// into a known "control" state for performing integration
         /// tests with the YubiHSM Auth application.
         /// </summary>
-        public static IYubiKeyDevice GetCleanDevice()
+        public static IYubiKeyDevice GetCleanDevice(StandardTestDevice testDeviceType = StandardTestDevice.Fw5)
         {
-            var testDevice = DeviceReset.EnableAllCapabilities(IntegrationTestDeviceEnumeration.GetTestDevice());
+            var testDevice = DeviceReset.EnableAllCapabilities(IntegrationTestDeviceEnumeration.GetTestDevice(testDeviceType));
             return DeviceReset.ResetYubiHsmAuth(testDevice);
         }
 
diff --git a/Yubico.YubiKey/tests/sandbox/Plugins/GregPlugin.cs b/Yubico.YubiKey/tests/sandbox/Plugins/GregPlugin.cs
index 01505a9b5..c57e77e19 100644
--- a/Yubico.YubiKey/tests/sandbox/Plugins/GregPlugin.cs
+++ b/Yubico.YubiKey/tests/sandbox/Plugins/GregPlugin.cs
@@ -14,6 +14,9 @@
 
 using System;
 using System.Linq;
+using Microsoft.Extensions.Logging;
+using Yubico.Core.Logging;
+using Yubico.YubiKey.Piv;
 
 namespace Yubico.YubiKey.TestApp.Plugins
 {
@@ -23,6 +26,7 @@ internal class GregPlugin : PluginBase
         public override string Description => "A place for Greg's test code";
 
         public GregPlugin(IOutput output) : base(output) { }
+        public static ILogger Logger => Log.GetLogger<GregPlugin>();
 
         public override bool Execute()
         {
@@ -33,8 +37,13 @@ public override bool Execute()
             Console.Error.WriteLine($"YubiKey Version: {yubiKey.FirmwareVersion}");
             Console.Error.WriteLine("NFC Before Value: " + yubiKey.IsNfcRestricted);
 
-            yubiKey.SetIsNfcRestricted(true);
-
+            using (var session = new PivSession(yubiKey))
+            {
+                Logger.LogDebug("Disconnect Yubikey");
+                Console.ReadLine();
+            }
+            //Dispose
+            Console.ReadLine();
             return true;
         }
 
diff --git a/Yubico.YubiKey/tests/sandbox/Plugins/Scp03Plugin.cs b/Yubico.YubiKey/tests/sandbox/Plugins/Scp03Plugin.cs
index 1bc529047..f6e091423 100644
--- a/Yubico.YubiKey/tests/sandbox/Plugins/Scp03Plugin.cs
+++ b/Yubico.YubiKey/tests/sandbox/Plugins/Scp03Plugin.cs
@@ -16,6 +16,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using Yubico.YubiKey.Piv;
+using Yubico.YubiKey.Scp;
 using Yubico.YubiKey.Scp03;
 
 namespace Yubico.YubiKey.TestApp.Plugins
@@ -45,10 +46,7 @@ private bool BasicE2ETest()
             IEnumerable<IYubiKeyDevice> keys = YubiKeyDevice.FindByTransport(Transport.UsbSmartCard);
             IYubiKeyDevice device = keys.Single()!;
 
-#pragma warning disable CS0618 // Specifically testing this soon-to-be-deprecated feature
-            IYubiKeyDevice scp03Device = (device as YubiKeyDevice)!.WithScp03(new StaticKeys());
-#pragma warning restore CS0618
-            using var piv = new PivSession(scp03Device);
+            using var piv = new PivSession(device, Scp03KeyParameters.DefaultKey);
             bool result = piv.TryVerifyPin(new ReadOnlyMemory<byte>(new byte[] { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 }), out _);
             Output.WriteLine($"pin 123456: {result}");
 
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/AesUtilitiesTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/AesUtilitiesTests.cs
index ed654dad4..84ea502d4 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/AesUtilitiesTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/AesUtilitiesTests.cs
@@ -56,7 +56,7 @@ public void AesBlockCipher_GivenKeyPlaintext_EncryptsCorrectly()
             byte[] plaintext = GetPlaintext();
 
             // Act
-            byte[] result = AesUtilities.BlockCipher(key, plaintext);
+            var result = AesUtilities.BlockCipher(key, plaintext);
 
             // Assert
             Assert.Equal(result, Hex.HexToBytes("dcc0c378ec111cb23048486ef9d9a6b7"));
@@ -116,7 +116,7 @@ public void AesCbcEncrypt_GivenKeyIVPlaintext_EncryptsCorrectly()
             byte[] iv = GetIV();
 
             // Act
-            byte[] result = AesUtilities.AesCbcEncrypt(key, iv, plaintext);
+            ReadOnlyMemory<byte> result = AesUtilities.AesCbcEncrypt(key, iv, plaintext);
 
             // Assert
             Assert.Equal(result, Hex.HexToBytes("da19df061b1bcba151d692a4a9e63901"));
@@ -175,7 +175,7 @@ public void AesCbcDecrypt_GivenKeyIVCiphertext_EncryptsCorrectly()
             byte[] iv = GetIV();
 
             // Act
-            byte[] result = AesUtilities.AesCbcDecrypt(key, iv, ciphertext);
+            ReadOnlyMemory<byte> result = AesUtilities.AesCbcDecrypt(key, iv, ciphertext);
 
             // Assert
             Assert.Equal(result, Hex.HexToBytes("d1af13631ea24595793ddf5bf6f9c42c"));
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Fido2/Fido2SessionTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Fido2/Fido2SessionTests.cs
index 5e5ecd4f3..38bac23f1 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Fido2/Fido2SessionTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Fido2/Fido2SessionTests.cs
@@ -92,8 +92,6 @@ void GetAuthenticatorInfo_SendsGetInfoCommand()
 
             var session = new Fido2Session(mockYubiKey.Object);
 
-            //session.AuthenticatorInfo;
-
             mockConnection.Verify(c => c.SendCommand(It.IsAny<GetInfoCommand>()));
         }
     }
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/Scp03ApduTransformTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/Scp03ApduTransformTests.cs
deleted file mode 100644
index 287cf0135..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/Scp03ApduTransformTests.cs
+++ /dev/null
@@ -1,123 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using System.Linq;
-using System.Security.Cryptography;
-using Xunit;
-using Yubico.Core.Buffers;
-using Yubico.Core.Iso7816;
-using Yubico.YubiKey.InterIndustry.Commands;
-using Yubico.YubiKey.Piv.Commands;
-using Yubico.YubiKey.Scp03;
-
-namespace Yubico.YubiKey.Pipelines
-{
-    public class PipelineFixture : IApduTransform
-    {
-        public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseType)
-        {
-            if (command is null)
-            {
-                throw new ArgumentNullException(nameof(command));
-            }
-
-            if (command.AsByteArray().SequenceEqual(new SelectApplicationCommand(YubiKeyApplication.Piv).CreateCommandApdu().AsByteArray()))
-            {
-                return new ResponseApdu(Hex.HexToBytes("9000"));
-            }
-            else if (command.AsByteArray().SequenceEqual(Hex.HexToBytes("8050FF0008360CB43F4301B894")))
-            {
-                return new ResponseApdu(Hex.HexToBytes("010B001F002500000000FF0360CAAFA4DAC615236ADD5607216F3E115C9000"));
-            }
-            else if (command.AsByteArray().SequenceEqual(Hex.HexToBytes("848233001045330AB30BB1A079A8E7F77376DB9F2C")))
-            {
-                return new ResponseApdu(Hex.HexToBytes("9000"));
-            }
-            else if (command.AsByteArray().SequenceEqual(Hex.HexToBytes("84FD0000181CE4E3D8F32D986A886DDBC90C8DB22553C2C04391250CCE")))
-            {
-                return new ResponseApdu(Hex.HexToBytes("5F67E9E059DF3C52809DC9F6DDFBEF3E4C45691B2C8CDDD89000"));
-            }
-            else
-            {
-                string apduHex = Hex.BytesToHex(command.AsByteArray());
-                throw new SecureChannelException($"Error: received unexpected APDU {apduHex}");
-                // return new ResponseApdu(Hex.HexToBytes("6a80"));
-            }
-        }
-        public void Setup()
-        {
-
-        }
-        public void Cleanup()
-        {
-
-        }
-    }
-
-    public class RandomNumberGeneratorFixture : RandomNumberGenerator
-    {
-        private readonly byte[] bytesToGenerate = Hex.HexToBytes("360CB43F4301B894"); // host challenge
-        public override void GetBytes(byte[] arr)
-        {
-            if (arr is null)
-            {
-                throw new ArgumentNullException(nameof(arr));
-            }
-            for (int i = 0; i < bytesToGenerate.Length; i++)
-            {
-                arr[i] = bytesToGenerate[i];
-            }
-        }
-    }
-
-    public class Scp03ApduTransformTests
-    {
-        private static IApduTransform GetPipeline() => new PipelineFixture();
-        private static StaticKeys GetStaticKeys() => new StaticKeys();
-
-        [Fact]
-        public void Constructor_GivenNullPipeline_ThrowsArgumentNullException()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => new Scp03ApduTransform(null, GetStaticKeys()));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void Constructor_GivenNullStaticKeys_ThrowsArgumentNullException()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => new Scp03ApduTransform(GetPipeline(), null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void Invoke_GivenPriorSetup_CorrectlyEncodesCommand()
-        {
-            // Arrange
-            var pipeline = new Scp03ApduTransform(GetPipeline(), GetStaticKeys());
-            using var fakeRng = new RandomNumberGeneratorFixture();
-            pipeline.Setup(fakeRng);
-
-            // Act
-            ResponseApdu responseApdu = pipeline.Invoke(new VersionCommand().CreateCommandApdu(), typeof(object), typeof(object));
-            var versionResponse = new VersionResponse(responseApdu);
-            FirmwareVersion fwv = versionResponse.GetData();
-
-            // Assert
-            Assert.Equal(5, fwv.Major);
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/ScpApduTransformTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/ScpApduTransformTests.cs
new file mode 100644
index 000000000..f3059a43d
--- /dev/null
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Pipelines/ScpApduTransformTests.cs
@@ -0,0 +1,144 @@
+// Copyright 2023 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Moq;
+using Xunit;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Scp;
+using Yubico.YubiKey.InterIndustry.Commands;
+
+namespace Yubico.YubiKey.Pipelines
+{
+    public class ScpApduTransformTests
+    {
+        private readonly Mock<IApduTransform> _previous = new Mock<IApduTransform>();
+        private readonly Scp03KeyParameters _scp03KeyParams = Scp03KeyParameters.DefaultKey;
+
+        [Fact]
+        public void Constructor_NullPipeline_ThrowsArgumentNullException()
+        {
+            // Act & Assert
+            Assert.Throws<ArgumentNullException>(() => new ScpApduTransform(null!, _scp03KeyParams));
+        }
+
+        [Fact]
+        public void Constructor_NullKeyParameters_ThrowsArgumentNullException()
+        {
+            // Act & Assert
+            Assert.Throws<ArgumentNullException>(() => new ScpApduTransform(_previous.Object, null!));
+        }
+
+        [Fact]
+        public void Constructor_ValidParameters_CreatesInstance()
+        {
+            // Act
+            var transform = new ScpApduTransform(_previous.Object, _scp03KeyParams);
+
+            // Assert
+            Assert.NotNull(transform);
+            Assert.Same(_scp03KeyParams, transform.KeyParameters);
+        }
+
+        [Fact]
+        public void EncryptDataFunc_BeforeSetup_ThrowsInvalidOperationException()
+        {
+            // Arrange
+            var transform = new ScpApduTransform(_previous.Object, _scp03KeyParams);
+
+            // Act & Assert
+            Assert.Throws<InvalidOperationException>(() => transform.EncryptDataFunc);
+        }
+
+        [Fact]
+        public void Invoke_ExemptedCommands_BypassEncoding()
+        {
+            // Arrange
+            var transform = new ScpApduTransform(_previous.Object, _scp03KeyParams);
+
+            var testCases = new[]
+            {
+                new CommandTestCase{
+                    Command = new SelectApplicationCommand(YubiKeyApplication.SecurityDomain),
+                    CommandType = typeof(SelectApplicationCommand),
+                    ResponseType = typeof(ISelectApplicationResponse<GenericSelectApplicationData>)
+                },
+                new CommandTestCase{
+                    Command =  new Oath.Commands.SelectOathCommand(),
+                    CommandType = typeof(Oath.Commands.SelectOathCommand),
+                    ResponseType = typeof(Oath.Commands.SelectOathResponse)
+                },
+                new CommandTestCase{
+                    Command =  new Scp.Commands.ResetCommand(0x84, 0x01, 0x01, new byte[] { 0x00 }),
+                    CommandType = typeof(Scp.Commands.ResetCommand),
+                    ResponseType = typeof(YubiKeyResponse)
+                }
+            };
+
+            foreach (var testCase in testCases)
+            {
+                _previous.Setup(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    It.IsAny<Type>(),
+                    It.IsAny<Type>()))
+                    .Returns(new ResponseApdu(new byte[] { 0x90, 0x00 }));
+
+                // Act
+                _ = transform.Invoke(
+                    testCase.Command.CreateCommandApdu(),
+                    testCase.CommandType,
+                    testCase.ResponseType);
+
+                // Assert that the previous pipeline was called (which is the one that doesn't do encoding)
+                _previous.Verify(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    testCase.CommandType,
+                    testCase.ResponseType), Times.Once);
+
+                _previous.Reset();
+            }
+        }
+
+        private struct CommandTestCase
+        {
+            public IYubiKeyCommand<IYubiKeyResponse> Command;
+            public Type CommandType;
+            public Type ResponseType;
+        }
+
+        [Fact]
+        public void Dispose_MultipleCalls_DoesNotThrow()
+        {
+            // Arrange
+            var transform = new ScpApduTransform(_previous.Object, _scp03KeyParams);
+
+            // Act & Assert
+            transform.Dispose();
+            transform.Dispose(); // Should not throw
+        }
+
+        [Fact]
+        public void Cleanup_CallsUnderlyingPipelineCleanup()
+        {
+            // Arrange
+            var transform = new ScpApduTransform(_previous.Object, _scp03KeyParams);
+
+            // Act
+            transform.Cleanup();
+
+            // Assert
+            _previous.Verify(p => p.Cleanup(), Times.Once);
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelEncryptionTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelEncryptionTests.cs
similarity index 92%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelEncryptionTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelEncryptionTests.cs
index 1e4742718..1ce7fd438 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelEncryptionTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelEncryptionTests.cs
@@ -15,8 +15,9 @@
 using System;
 using Xunit;
 using Yubico.Core.Buffers;
+using Yubico.YubiKey.Scp.Helpers;
 
-namespace Yubico.YubiKey.Scp03
+namespace Yubico.YubiKey.Scp
 {
     public class ChannelEncryptionTests
     {
@@ -46,7 +47,7 @@ public void EncryptData_GivenCorrectKeyPayload_ReturnsCorrectly()
             int ec = GetEncryptionCounter();
 
             // Act
-            byte[] output = ChannelEncryption.EncryptData(payload, key, ec);
+            ReadOnlyMemory<byte> output = ChannelEncryption.EncryptData(payload, key, ec);
 
             // Assert
             Assert.Equal(GetCorrectEncryptOutput(), output);
@@ -77,7 +78,7 @@ public void DecryptData_GivenCorrectKeyPayload_ReturnsCorrectly()
             int ec = 1;
 
             // Act
-            byte[] output = ChannelEncryption.DecryptData(payload, key, ec);
+            ReadOnlyMemory<byte> output = ChannelEncryption.DecryptData(payload, key, ec);
 
             // Assert
             Assert.Equal(GetCorrectDecryptedOutput(), output);
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelMacTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelMacTests.cs
similarity index 98%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelMacTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelMacTests.cs
index ad92329f5..7efd3e9ac 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/ChannelMacTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/ChannelMacTests.cs
@@ -16,8 +16,9 @@
 using Xunit;
 using Yubico.Core.Buffers;
 using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Scp.Helpers;
 
-namespace Yubico.YubiKey.Scp03
+namespace Yubico.YubiKey.Scp
 {
     public class ChannelMacTests
     {
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/Scp03ResponseTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Commands/ScpResponseTests.cs
similarity index 86%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/Scp03ResponseTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Commands/ScpResponseTests.cs
index 2036ab9b8..4c011c35d 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/Scp03ResponseTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Commands/ScpResponseTests.cs
@@ -15,16 +15,17 @@
 using System;
 using Xunit;
 using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Scp.Commands;
 
-namespace Yubico.YubiKey.Scp03.Commands
+namespace Yubico.YubiKey.Scp.Commands
 {
-    public class Scp03ResponseTests
+    public class ScpResponseTests
     {
         [Fact]
         public void Constructor_GivenNullResponseApdu_ThrowsArgumentNullException()
         {
 #pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => new Scp03Response(null));
+            _ = Assert.Throws<ArgumentNullException>(() => new ScpResponse(null));
 #pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
         }
 
@@ -35,7 +36,7 @@ public void StatusWord_GivenResponseApdu_EqualsSWField()
             var responseApdu = new ResponseApdu(new byte[] { 24, 73 });
 
             // Act
-            var scp03Response = new Scp03Response(responseApdu);
+            var scp03Response = new ScpResponse(responseApdu);
 
             // Assert
             Assert.Equal(responseApdu.SW, scp03Response.StatusWord);
@@ -48,7 +49,7 @@ public void Status_GivenSuccessfulResponseApdu_ReturnsSuccess()
             var responseApdu = new ResponseApdu(new byte[] { SW1Constants.Success, 0x00 });
 
             // Act
-            var scp03Response = new Scp03Response(responseApdu);
+            var scp03Response = new ScpResponse(responseApdu);
 
             // Assert
             Assert.Equal(ResponseStatus.Success, scp03Response.Status);
@@ -61,7 +62,7 @@ public void Status_GivenFailedResponseApdu_ReturnsFailed()
             var responseApdu = new ResponseApdu(new byte[] { SW1Constants.CommandNotAllowed, 0x00 });
 
             // Act
-            var scp03Response = new Scp03Response(responseApdu);
+            var scp03Response = new ScpResponse(responseApdu);
 
             // Assert
             Assert.Equal(ResponseStatus.Failed, scp03Response.Status);
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/DerivationTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/DerivationTests.cs
similarity index 92%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/DerivationTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/DerivationTests.cs
index ed571e511..45aff3055 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/DerivationTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/DerivationTests.cs
@@ -15,8 +15,10 @@
 using System;
 using Xunit;
 using Yubico.Core.Buffers;
+using Yubico.YubiKey.Scp.Helpers;
+
+namespace Yubico.YubiKey.Scp
 
-namespace Yubico.YubiKey.Scp03
 {
     public class DerivationTests
     {
@@ -49,7 +51,7 @@ public void Derive_GivenBadKey_ThrowsArgumentException()
         [Fact]
         public void Derive_GivenCorrectVals_ReturnsCorrectHostCryptogram()
         {
-            byte[] hostCryptogram = Derivation.Derive(Derivation.DDC_HOST_CRYPTOGRAM, 0x40, GetKey(), GetHostChallenge(), GetCardChallenge());
+            var hostCryptogram = Derivation.Derive(Derivation.DDC_HOST_CRYPTOGRAM, 0x40, GetKey(), GetHostChallenge(), GetCardChallenge());
             Assert.Equal(GetCorrectDeriveOutput(), hostCryptogram);
         }
     }
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/PaddingTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/PaddingTests.cs
similarity index 71%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/PaddingTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/PaddingTests.cs
index 4cbb95920..77b659f19 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/PaddingTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/PaddingTests.cs
@@ -15,8 +15,9 @@
 using System;
 using Xunit;
 using Yubico.Core.Buffers;
+using Yubico.YubiKey.Scp.Helpers;
 
-namespace Yubico.YubiKey.Scp03
+namespace Yubico.YubiKey.Scp
 {
     public class PaddingTests
     {
@@ -27,22 +28,6 @@ public class PaddingTests
         private static byte[] Get16BytePayload() => Hex.HexToBytes("000102038005060708090A0B0C0D0E0F");
         private static byte[] GetPadded16BytePayload() => Hex.HexToBytes("000102038005060708090A0B0C0D0E0F80000000000000000000000000000000");
 
-        [Fact]
-        public void PadToBlockSize_GivenNullPayload_ThrowsArgumentNullException()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => Padding.PadToBlockSize(null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void RemovePadding_GivenNullPayload_ThrowsArgumentNullException()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => Padding.RemovePadding(null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
         [Fact]
         public void PadToBlockSize_Given1BytePayload_ReturnsCorrectlyPaddedBlock()
         {
@@ -50,7 +35,7 @@ public void PadToBlockSize_Given1BytePayload_ReturnsCorrectlyPaddedBlock()
             byte[] payload = Get1BytePayload();
 
             // Act
-            byte[] paddedPayload = Padding.PadToBlockSize(payload);
+            Memory<byte> paddedPayload = Padding.PadToBlockSize(payload);
 
             // Assert
             Assert.Equal(paddedPayload, GetPadded1BytePayload());
@@ -63,7 +48,7 @@ public void PadToBlockSize_Given8BytePayload_ReturnsCorrectlyPaddedBlock()
             byte[] payload = Get8BytePayload();
 
             // Act
-            byte[] paddedPayload = Padding.PadToBlockSize(payload);
+            Memory<byte> paddedPayload = Padding.PadToBlockSize(payload);
 
             // Assert
             Assert.Equal(paddedPayload, GetPadded8BytePayload());
@@ -76,7 +61,7 @@ public void PadToBlockSize_Given16BytePayload_ReturnsCorrectlyPaddedBlock()
             byte[] payload = Get16BytePayload();
 
             // Act
-            byte[] paddedPayload = Padding.PadToBlockSize(payload);
+            Memory<byte> paddedPayload = Padding.PadToBlockSize(payload);
 
             // Assert
             Assert.Equal(paddedPayload, GetPadded16BytePayload());
@@ -89,7 +74,7 @@ public void RemovePadding_GivenPadded1BytePayload_ReturnsPayloadWithPaddingRemov
             byte[] paddedPayload = GetPadded1BytePayload();
 
             // Act
-            byte[] payload = Padding.RemovePadding(paddedPayload);
+            Memory<byte> payload = Padding.RemovePadding(paddedPayload);
 
             // Assert
             Assert.Equal(payload, Get1BytePayload());
@@ -102,7 +87,7 @@ public void RemovePadding_GivenPadded8BytePayload_ReturnsPayloadWithPaddingRemov
             byte[] paddedPayload = GetPadded8BytePayload();
 
             // Act
-            byte[] payload = Padding.RemovePadding(paddedPayload);
+            Memory<byte> payload = Padding.RemovePadding(paddedPayload);
 
             // Assert
             Assert.Equal(payload, Get8BytePayload());
@@ -115,7 +100,7 @@ public void RemovePadding_GivenPadded16BytePayload_ReturnsPayloadWithPaddingRemo
             byte[] paddedPayload = GetPadded16BytePayload();
 
             // Act
-            byte[] payload = Padding.RemovePadding(paddedPayload);
+            Memory<byte> payload = Padding.RemovePadding(paddedPayload);
 
             // Assert
             Assert.Equal(payload, Get16BytePayload());
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03KeyParametersTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03KeyParametersTests.cs
new file mode 100644
index 000000000..f3e962312
--- /dev/null
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03KeyParametersTests.cs
@@ -0,0 +1,106 @@
+// Copyright 2024 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Linq;
+using Xunit;
+
+namespace Yubico.YubiKey.Scp
+{
+    public class Scp03KeyParametersTests
+    {
+        [Fact]
+        public void DefaultKey_ReturnsValidInstance()
+        {
+            // Act
+            var keyParams = Scp03KeyParameters.DefaultKey;
+
+            // Assert
+            Assert.NotNull(keyParams);
+            Assert.NotNull(keyParams.StaticKeys);
+            Assert.Equal(ScpKeyIds.Scp03, keyParams.KeyReference.Id);
+            Assert.Equal(0xFF, keyParams.KeyReference.VersionNumber);
+        }
+
+        [Fact]
+        public void FromStaticKeys_ValidKeys_ReturnsValidInstance()
+        {
+            // Arrange
+            var staticKeys = new StaticKeys(
+                new byte[16], // enc
+                new byte[16], // mac
+                new byte[16]  // dek
+            );
+
+            // Act
+            var keyParams = Scp03KeyParameters.FromStaticKeys(staticKeys);
+
+            // Assert
+            Assert.NotNull(keyParams);
+            Assert.True(staticKeys.AreKeysSame(keyParams.StaticKeys));
+            Assert.Equal(ScpKeyIds.Scp03, keyParams.KeyReference.Id);
+            Assert.Equal(0x01, keyParams.KeyReference.VersionNumber);
+        }
+
+        [Fact]
+        public void Constructor_ValidParameters_SetsProperties()
+        {
+            // Arrange
+            var staticKeys = new StaticKeys(
+                new byte[16], // enc
+                new byte[16], // mac
+                new byte[16]  // dek
+            );
+            const int keyId = ScpKeyIds.Scp03;
+            const int kvn = 0x02;
+
+            // Act
+            var keyParams = new Scp03KeyParameters(keyId, kvn, staticKeys);
+
+            // Assert
+            Assert.NotNull(keyParams);
+            Assert.True(staticKeys.AreKeysSame(keyParams.StaticKeys));
+            Assert.Equal(keyId, keyParams.KeyReference.Id);
+            Assert.Equal(kvn, keyParams.KeyReference.VersionNumber);
+        }
+
+        [Fact]
+        public void Dispose_DisposesStaticKeys()
+        {
+            // Arrange
+            var staticKeys = new StaticKeys(
+                new byte[16], // enc
+                new byte[16], // mac
+                new byte[16]  // dek
+            );
+            
+            var keyParams = new Scp03KeyParameters(ScpKeyIds.Scp03, 0x01, staticKeys);
+
+            // Act
+            keyParams.Dispose();
+            Assert.True(keyParams.StaticKeys.DataEncryptionKey.ToArray().All(b => b == 0));
+        }
+
+        [Fact]
+        public void Dispose_MultipleCalls_DoesNotThrow()
+        {
+            // Arrange
+            var keyParams = Scp03KeyParameters.DefaultKey;
+
+            // Act & Assert - Should not throw
+            keyParams.Dispose();
+            keyParams.Dispose();
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03StateTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03StateTests.cs
new file mode 100644
index 000000000..f582f6922
--- /dev/null
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp03StateTests.cs
@@ -0,0 +1,146 @@
+using System;
+using Moq;
+using Xunit;
+using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Cryptography;
+using Yubico.YubiKey.Scp.Commands;
+using Yubico.YubiKey.Scp.Helpers;
+
+namespace Yubico.YubiKey.Scp
+{
+    public class Scp03StateTests
+    {
+        readonly byte[] ResponseData;
+        
+        internal Scp03State State { get; set; }
+        
+        public Scp03StateTests()
+        {
+            var parent = new Mock<IApduTransform>();
+            var keyParams = Scp03KeyParameters.DefaultKey;
+            var hostChallenge = new byte[8];
+            var cardChallenge = new byte[8];
+
+            ResponseData = GetFakeResponseApduData(hostChallenge, cardChallenge);
+
+            parent.Setup(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    typeof(InitializeUpdateCommand),
+                    typeof(InitializeUpdateResponse)))
+                .Returns(new ResponseApdu(ResponseData));
+            
+            
+            parent.Setup(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    typeof(ExternalAuthenticateCommand),
+                    typeof(ExternalAuthenticateResponse)))
+                .Returns(new ResponseApdu(ResponseData));
+
+            // Act
+            State = Scp03State.CreateScpState(parent.Object, keyParams, hostChallenge);
+        }
+
+        [Fact]
+        public void CreateScpState_ValidParameters_InitializesCorrectly()
+        {
+            // Arrange
+            var parent = new Mock<IApduTransform>();
+            var keyParams = Scp03KeyParameters.DefaultKey;
+            var hostChallenge = new byte[8];
+            var cardChallenge = new byte[8];
+
+            var responseApduData = GetFakeResponseApduData(hostChallenge, cardChallenge);
+
+            parent.Setup(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    typeof(InitializeUpdateCommand),
+                    typeof(InitializeUpdateResponse)))
+                .Returns(new ResponseApdu(responseApduData));
+            
+            
+            parent.Setup(p => p.Invoke(
+                    It.IsAny<CommandApdu>(),
+                    typeof(ExternalAuthenticateCommand),
+                    typeof(ExternalAuthenticateResponse)))
+                .Returns(new ResponseApdu(responseApduData));
+
+            // Act
+            var state = Scp03State.CreateScpState(parent.Object, keyParams, hostChallenge);
+
+            // Assert
+            Assert.NotNull(state);
+            Assert.NotNull(state.GetDataEncryptor());
+        }
+
+        [Fact]
+        public void CreateScpState_NullPipeline_ThrowsArgumentNullException()
+        {
+            // Arrange
+            var keyParams = Scp03KeyParameters.DefaultKey;
+            byte[] hostChallenge = new byte[8];
+
+            // Act & Assert
+            Assert.Throws<ArgumentNullException>(() =>
+                Scp03State.CreateScpState(null!, keyParams, hostChallenge));
+        }
+
+        [Fact]
+        public void CreateScpState_NullKeyParams_ThrowsArgumentNullException()
+        {
+            // Arrange
+            var pipeline = new Mock<IApduTransform>();
+            byte[] hostChallenge = new byte[8];
+
+            // Act & Assert
+            Assert.Throws<ArgumentNullException>(() =>
+                Scp03State.CreateScpState(pipeline.Object, null!, hostChallenge));
+        }
+
+        [Fact]
+        public void EncodeCommand_ValidCommand_ReturnsEncodedApdu()
+        {
+            // Arrange
+            using var rng = CryptographyProviders.RngCreator();
+            Span<byte> putKeyData = stackalloc byte[256];
+            rng.GetBytes(putKeyData);
+            var originalCommand = new PutKeyCommand(1, 2, putKeyData.ToArray()).CreateCommandApdu();
+        
+            // Act
+            var encodedCommand = State.EncodeCommand(originalCommand);
+        
+            // Assert
+            Assert.NotNull(encodedCommand);
+            Assert.NotEqual(originalCommand.Data, encodedCommand.Data);
+        }
+       
+        private static byte[] GetFakeResponseApduData(
+            byte[] hostChallenge,
+            byte[] cardChallenge)
+        {
+            Array.Fill(hostChallenge, (byte)1);
+            Array.Fill(cardChallenge, (byte)1);
+
+            // Derive session keys
+            var sessionKeys = Derivation.DeriveSessionKeysFromStaticKeys(
+                Scp03KeyParameters.DefaultKey.StaticKeys,
+                hostChallenge,
+                cardChallenge);
+
+            // Check supplied card cryptogram
+            var calculatedCardCryptogram = Derivation.DeriveCryptogram(
+                Derivation.DDC_CARD_CRYPTOGRAM,
+                sessionKeys.MacKey.Span,
+                hostChallenge,
+                cardChallenge);
+
+            var responseApduData = new byte[31];
+            Array.Fill(responseApduData, (byte)1);
+            responseApduData[^2] = 0x90;
+            responseApduData[^1] = 0x00;
+
+            // Add fake Card Crypto response
+            calculatedCardCryptogram.Span.CopyTo(responseApduData.AsSpan(21..29));
+            return responseApduData;
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp11KeyParametersTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp11KeyParametersTests.cs
new file mode 100644
index 000000000..d63c5fcd1
--- /dev/null
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/Scp11KeyParametersTests.cs
@@ -0,0 +1,204 @@
+// Copyright 2024 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Xunit;
+using Yubico.YubiKey.Cryptography;
+
+namespace Yubico.YubiKey.Scp
+{
+    public class Scp11KeyParametersTests : IDisposable
+    {
+        private readonly ECCurve _curve = ECCurve.NamedCurves.nistP256;
+        private readonly ECParameters _sdParams;
+        private readonly ECParameters _oceParams;
+        private readonly X509Certificate2[] _certificates;
+
+        public Scp11KeyParametersTests()
+        {
+            using var sdKey = ECDsa.Create(_curve);
+            _sdParams = sdKey.ExportParameters(false);
+
+            using var oceKey = ECDsa.Create(_curve);
+            _oceParams = oceKey.ExportParameters(true);
+
+            // Create a self-signed cert for testing
+            var req = new CertificateRequest(
+                "CN=Test",
+                oceKey,
+                HashAlgorithmName.SHA256);
+
+            _certificates = new[]
+            {
+                req.CreateSelfSigned(
+                    DateTimeOffset.UtcNow,
+                    DateTimeOffset.UtcNow.AddYears(1))
+            };
+        }
+
+        [Fact]
+        public void Constructor_Scp11b_ValidParameters_Succeeds()
+        {
+            // Arrange
+            var keyRef = new KeyReference(ScpKeyIds.Scp11B, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+
+            // Act
+            var keyParams = new Scp11KeyParameters(keyRef, pkSdEcka);
+
+            // Assert
+            Assert.NotNull(keyParams);
+            Assert.Equal(ScpKeyIds.Scp11B, keyParams.KeyReference.Id);
+            Assert.Equal(0x01, keyParams.KeyReference.VersionNumber);
+            Assert.NotNull(keyParams.PkSdEcka);
+            Assert.Null(keyParams.OceKeyReference);
+            Assert.Null(keyParams.SkOceEcka);
+            Assert.Null(keyParams.OceCertificates);
+        }
+
+        [Theory]
+        [InlineData(ScpKeyIds.Scp11A)]
+        [InlineData(ScpKeyIds.Scp11C)]
+        public void Constructor_Scp11ac_ValidParameters_Succeeds(byte keyId)
+        {
+            // Arrange
+            var keyRef = new KeyReference(keyId, 0x01);
+            var oceKeyRef = new KeyReference(0x01, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+            var skOceEcka = new ECPrivateKeyParameters(_oceParams);
+
+            // Act
+            var keyParams = new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka,
+                oceKeyRef,
+                skOceEcka,
+                _certificates);
+
+            // Assert
+            Assert.NotNull(keyParams);
+            Assert.Equal(keyId, keyParams.KeyReference.Id);
+            Assert.Equal(0x01, keyParams.KeyReference.VersionNumber);
+            Assert.NotNull(keyParams.PkSdEcka);
+            Assert.NotNull(keyParams.OceKeyReference);
+            Assert.NotNull(keyParams.SkOceEcka);
+            Assert.NotNull(keyParams.OceCertificates);
+            Assert.Single(keyParams.OceCertificates);
+        }
+
+        [Fact]
+        public void Constructor_Scp11b_WithOptionalParams_ThrowsArgumentException()
+        {
+            // Arrange
+            var keyRef = new KeyReference(ScpKeyIds.Scp11B, 0x01);
+            var oceKeyRef = new KeyReference(0x01, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+            var skOceEcka = new ECPrivateKeyParameters(_oceParams);
+
+            // Act & Assert
+            Assert.Throws<ArgumentException>(() => new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka,
+                oceKeyRef,
+                skOceEcka,
+                _certificates));
+        }
+
+        [Theory]
+        [InlineData(ScpKeyIds.Scp11A)]
+        [InlineData(ScpKeyIds.Scp11C)]
+        public void Constructor_Scp11ac_MissingParams_ThrowsArgumentException(byte keyId)
+        {
+            // Arrange
+            var keyRef = new KeyReference(keyId, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+
+            // Act & Assert
+            Assert.Throws<ArgumentException>(() => new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka));
+        }
+
+        [Theory]
+        [InlineData(0x00)]  // Invalid key ID
+        [InlineData(0x10)]  // Invalid key ID
+        [InlineData(0xFF)]  // Invalid key ID
+        public void Constructor_InvalidKeyId_ThrowsArgumentException(byte keyId)
+        {
+            // Arrange
+            var keyRef = new KeyReference(keyId, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+
+            // Act & Assert
+            Assert.Throws<ArgumentException>(() => new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka));
+        }
+
+        [Fact]
+        public void Dispose_ClearsPrivateKey()
+        {
+            // Arrange
+            var keyRef = new KeyReference(ScpKeyIds.Scp11A, 0x01);
+            var oceKeyRef = new KeyReference(0x01, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+            var skOceEcka = new ECPrivateKeyParameters(_oceParams);
+
+            Scp11KeyParameters keyParams = new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka,
+                oceKeyRef,
+                skOceEcka,
+                _certificates);
+
+            // Act
+            keyParams.Dispose();
+
+            // Assert
+            Assert.Null(keyParams.SkOceEcka);
+            Assert.Null(keyParams.OceKeyReference);
+        }
+
+        [Fact]
+        public void Dispose_MultipleCalls_DoesNotThrow()
+        {
+            // Arrange
+            var keyRef = new KeyReference(ScpKeyIds.Scp11A, 0x01);
+            var oceKeyRef = new KeyReference(0x01, 0x01);
+            var pkSdEcka = new ECPublicKeyParameters(_sdParams);
+            var skOceEcka = new ECPrivateKeyParameters(_oceParams);
+
+            var keyParams = new Scp11KeyParameters(
+                keyRef,
+                pkSdEcka,
+                oceKeyRef,
+                skOceEcka,
+                _certificates);
+
+            // Act & Assert - Should not throw
+            keyParams.Dispose();
+            keyParams.Dispose();
+        }
+
+        public void Dispose()
+        {
+            foreach (var cert in _certificates)
+            {
+                cert.Dispose();
+            }
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/StaticKeysTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/StaticKeysTests.cs
similarity index 98%
rename from Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/StaticKeysTests.cs
rename to Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/StaticKeysTests.cs
index 10a4c0b2b..d2d668545 100644
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/StaticKeysTests.cs
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp/StaticKeysTests.cs
@@ -15,7 +15,7 @@
 using System;
 using Xunit;
 
-namespace Yubico.YubiKey.Scp03
+namespace Yubico.YubiKey.Scp
 {
     public class StaticKeysTests
     {
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommandTests.cs
deleted file mode 100644
index 9209b227f..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateCommandTests.cs
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.Core.Iso7816;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    public class ExternalAuthenticateCommandTests
-    {
-        [Fact]
-        public void CreateCommandApdu_GetClaProperty_ReturnsHex84()
-        {
-            Assert.Equal(0x84, GetExternalAuthenticateCommandApdu().Cla);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetInsProperty_ReturnsHex82()
-        {
-            Assert.Equal(0x82, GetExternalAuthenticateCommandApdu().Ins);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetP1Property_ReturnsHex33()
-        {
-            Assert.Equal(0x33, GetExternalAuthenticateCommandApdu().P1);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetP2Property_ReturnsZero()
-        {
-            Assert.Equal(0, GetExternalAuthenticateCommandApdu().P2);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetData_ReturnsData()
-        {
-            ReadOnlyMemory<byte> data = GetExternalAuthenticateCommandApdu().Data;
-            Assert.True(data.Span.SequenceEqual(GetData()));
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetNc_ReturnsDataLength()
-        {
-            Assert.Equal(GetData().Length, GetExternalAuthenticateCommandApdu().Nc);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetNe_ReturnsZero()
-        {
-            Assert.Equal(0, GetExternalAuthenticateCommandApdu().Ne);
-        }
-
-        private static byte[] GetData()
-        {
-            return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
-        }
-        private static ExternalAuthenticateCommand GetExternalAuthenticateCommand()
-        {
-            return new ExternalAuthenticateCommand(GetData());
-        }
-        private static CommandApdu GetExternalAuthenticateCommandApdu()
-        {
-            return GetExternalAuthenticateCommand().CreateCommandApdu();
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponseTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponseTests.cs
deleted file mode 100644
index 67d8b5d67..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/ExternalAuthenticateResponseTests.cs
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.Core.Iso7816;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    public class ExternalAuthenticateResponseTests
-    {
-        public static ResponseApdu GetResponseApdu()
-        {
-            return new ResponseApdu(new byte[] { 0x90, 0x00 });
-        }
-
-        [Fact]
-        public void Constructor_GivenNullResponseApdu_ThrowsArgumentNullExceptionFromBase()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => new ExternalAuthenticateResponse(null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void Constructor_GivenResponseApdu_SetsStatusWordCorrectly()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var externalAuthenticateResponse = new ExternalAuthenticateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(SWConstants.Success, externalAuthenticateResponse.StatusWord);
-        }
-
-        [Fact]
-        public void ExternalAuthenticateResponse_GivenResponseApduWithData_ThrowsArgumentException()
-        {
-            var badResponseApdu = new ResponseApdu(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x90, 0x00 });
-
-            _ = Assert.Throws<ArgumentException>(() => new ExternalAuthenticateResponse(badResponseApdu));
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommandTests.cs
deleted file mode 100644
index 04e3b31fc..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateCommandTests.cs
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.Core.Iso7816;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    public class InitializeUpdateCommandTests
-    {
-        [Fact]
-        public void CreateCommandApdu_GetClaProperty_ReturnsHex80()
-        {
-            Assert.Equal(0x80, GetInitializeUpdateCommandApdu().Cla);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetInsProperty_ReturnsHex50()
-        {
-            Assert.Equal(0x50, GetInitializeUpdateCommandApdu().Ins);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetP1Property_ReturnsZero()
-        {
-            Assert.Equal(0, GetInitializeUpdateCommandApdu().P1);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetP2Property_ReturnsZero()
-        {
-            Assert.Equal(0, GetInitializeUpdateCommandApdu().P2);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetData_ReturnsChallenge()
-        {
-            CommandApdu commandApdu = GetInitializeUpdateCommandApdu();
-            byte[] challenge = GetChallenge();
-
-            Assert.False(commandApdu.Data.IsEmpty);
-            Assert.True(commandApdu.Data.Span.SequenceEqual(challenge));
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetNc_Returns8()
-        {
-            Assert.Equal(8, GetInitializeUpdateCommandApdu().Nc);
-        }
-
-        [Fact]
-        public void CreateCommandApdu_GetNe_ReturnsZero()
-        {
-            Assert.Equal(0, GetInitializeUpdateCommandApdu().Ne);
-        }
-
-        private static byte[] GetChallenge()
-        {
-            return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
-        }
-        private static InitializeUpdateCommand GetInitializeUpdateCommand()
-        {
-            return new InitializeUpdateCommand(0, GetChallenge());
-        }
-        private static CommandApdu GetInitializeUpdateCommandApdu()
-        {
-            return GetInitializeUpdateCommand().CreateCommandApdu();
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponseTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponseTests.cs
deleted file mode 100644
index d85a9f18f..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/Commands/InitializeUpdateResponseTests.cs
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using System.Collections.Generic;
-using Xunit;
-using Yubico.Core.Iso7816;
-
-namespace Yubico.YubiKey.Scp03.Commands
-{
-    public class InitializeUpdateResponseTests
-    {
-        public static ResponseApdu GetResponseApdu()
-        {
-            return new ResponseApdu(new byte[] {
-                1, 2, 3, 4, 5, 6, 7, 8,
-                9, 10, 11, 12, 13, 14,
-                15, 16, 17, 18, 19, 20, 21, 22,
-                23, 24, 25, 26, 27, 28, 29,
-                0x90, 0x00
-            });
-        }
-
-        private static IReadOnlyCollection<byte> GetDiversificationData() => GetResponseApdu().Data.Slice(0, 10).ToArray();
-        private static IReadOnlyCollection<byte> GetKeyInfo() => GetResponseApdu().Data.Slice(10, 3).ToArray();
-        private static IReadOnlyCollection<byte> GetCardChallenge() => GetResponseApdu().Data.Slice(13, 8).ToArray();
-        private static IReadOnlyCollection<byte> GetCardCryptogram() => GetResponseApdu().Data.Slice(21, 8).ToArray();
-
-        [Fact]
-        public void Constructor_GivenNullResponseApdu_ThrowsArgumentNullExceptionFromBase()
-        {
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => new InitializeUpdateResponse(null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void Constructor_GivenResponseApdu_SetsStatusWordCorrectly()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var initializeUpdateResponse = new InitializeUpdateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(SWConstants.Success, initializeUpdateResponse.StatusWord);
-        }
-
-        [Fact]
-        public void InitializeUpdateResponse_GivenResponseApdu_DiversificationDataEqualsBytes0To10()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var initializeUpdateResponse = new InitializeUpdateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(GetDiversificationData(), initializeUpdateResponse.DiversificationData);
-        }
-
-        [Fact]
-        public void InitializeUpdateResponse_GivenResponseApdu_KeyInfoEqualsBytes10To13()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var initializeUpdateResponse = new InitializeUpdateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(GetKeyInfo(), initializeUpdateResponse.KeyInfo);
-        }
-        [Fact]
-        public void InitializeUpdateResponse_GivenResponseApdu_CardChallengeEqualsBytes13To21()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var initializeUpdateResponse = new InitializeUpdateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(GetCardChallenge(), initializeUpdateResponse.CardChallenge);
-        }
-        [Fact]
-        public void InitializeUpdateResponse_GivenResponseApdu_CardCryptogramEqualsBytes21To29()
-        {
-            // Arrange
-            ResponseApdu responseApdu = GetResponseApdu();
-
-            // Act
-            var initializeUpdateResponse = new InitializeUpdateResponse(responseApdu);
-
-            // Assert
-            Assert.Equal(GetCardCryptogram(), initializeUpdateResponse.CardCryptogram);
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/SessionTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/SessionTests.cs
deleted file mode 100644
index 2f131cf47..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Scp03/SessionTests.cs
+++ /dev/null
@@ -1,124 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Xunit;
-using Yubico.Core.Buffers;
-using Yubico.Core.Iso7816;
-using Yubico.YubiKey.Scp03.Commands;
-
-namespace Yubico.YubiKey.Scp03
-{
-    public class SessionTests
-    {
-        private static byte[] GetChallenge() => Hex.HexToBytes("360CB43F4301B894");
-        private static byte[] GetCorrectInitializeUpdate() => Hex.HexToBytes("8050000008360CB43F4301B894");
-        private static byte[] GetInitializeUpdateResponse() => Hex.HexToBytes("010B001F002500000000FF0360CAAFA4DAC615236ADD5607216F3E115C9000");
-        private static byte[] GetCorrectExternalAuthenticate() => Hex.HexToBytes("848233001045330AB30BB1A079A8E7F77376DB9F2C");
-
-        private static StaticKeys GetStaticKeys()
-        {
-            return new StaticKeys();
-        }
-
-        private static Session GetSession()
-        {
-            return new Session();
-        }
-
-        [Fact]
-        public void Constructor_GivenStaticKeys_Succeeds()
-        {
-            _ = GetSession();
-        }
-
-        [Fact]
-        public void BuildInitializeUpdate_GivenNullHostChallenge_ThrowsArgumentNullException()
-        {
-            Session sess = GetSession();
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => sess.BuildInitializeUpdate(0, null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void BuildInitializeUpdate_GivenHostChallengeWrongLength_ThrowsArgumentException()
-        {
-            byte[] hostChallengeWrongLength = new byte[9];
-            Session sess = GetSession();
-            _ = Assert.Throws<ArgumentException>(() => sess.BuildInitializeUpdate(0, hostChallengeWrongLength));
-        }
-
-        [Fact]
-        public void BuildInitializeUpdate_GivenHostChallenge_BuildsCorrectInitializeUpdate()
-        {
-            // Arrange
-            Session sess = GetSession();
-
-            // Act
-            InitializeUpdateCommand initializeUpdateCommand = sess.BuildInitializeUpdate(0, GetChallenge());
-            byte[] initializeUpdateCommandBytes = initializeUpdateCommand.CreateCommandApdu().AsByteArray();
-
-            // Assert
-            Assert.Equal(initializeUpdateCommandBytes, GetCorrectInitializeUpdate());
-        }
-
-        [Fact]
-        public void LoadInitializeUpdate_GivenNullInitializeUpdateResponse_ThrowsArgumentNullException()
-        {
-            Session sess = GetSession();
-            InitializeUpdateCommand initializeUpdateCommand = sess.BuildInitializeUpdate(0, GetChallenge());
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => sess.LoadInitializeUpdateResponse(null, GetStaticKeys()));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void LoadInitializeUpdate_GivenNullStaticKeys_ThrowsArgumentNullException()
-        {
-            Session sess = GetSession();
-            InitializeUpdateCommand initializeUpdateCommand = sess.BuildInitializeUpdate(0, GetChallenge());
-            var correctResponse = new InitializeUpdateResponse(new ResponseApdu(GetInitializeUpdateResponse()));
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<ArgumentNullException>(() => sess.LoadInitializeUpdateResponse(correctResponse, null));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void LoadInitializeUpdate_CalledBeforeBuildInitializeUpdate_ThrowsInvalidOperationException()
-        {
-            Session sess = GetSession();
-            var correctResponse = new InitializeUpdateResponse(new ResponseApdu(GetInitializeUpdateResponse()));
-#pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            _ = Assert.Throws<InvalidOperationException>(() => sess.LoadInitializeUpdateResponse(correctResponse, GetStaticKeys()));
-#pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
-        }
-
-        [Fact]
-        public void Session_GivenInitializeUpdateResponse_BuildsCorrectExternalAuthenticate()
-        {
-            // Arrange
-            Session sess = GetSession();
-            InitializeUpdateCommand initializeUpdateCommand = sess.BuildInitializeUpdate(0, GetChallenge());
-            sess.LoadInitializeUpdateResponse(initializeUpdateCommand.CreateResponseForApdu(new ResponseApdu(GetInitializeUpdateResponse())), GetStaticKeys());
-
-            // Act
-            ExternalAuthenticateCommand externalAuthenticateCommand = sess.BuildExternalAuthenticate();
-            byte[] externalAuthenticateCommandBytes = externalAuthenticateCommand.CreateCommandApdu().AsByteArray();
-
-            // Assert
-            Assert.Equal(externalAuthenticateCommandBytes, GetCorrectExternalAuthenticate());
-        }
-    }
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubiKeyDeviceExtensionsTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubiKeyDeviceExtensionsTests.cs
deleted file mode 100644
index 544dc9680..000000000
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubiKeyDeviceExtensionsTests.cs
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2021 Yubico AB
-//
-// Licensed under the Apache License, Version 2.0 (the "License").
-// You may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-using System;
-using Moq;
-using Xunit;
-using Yubico.Core.Devices.SmartCard;
-using Yubico.YubiKey.Scp03;
-
-namespace Yubico.YubiKey
-{
-#pragma warning disable CS0618 // Specifically testing this soon-to-be-deprecated feature
-    public class YubiKeyDeviceExtensionsTests
-    {
-        [Fact]
-        public void WithScp03_WhenDeviceIsNull_Throws()
-        {
-            YubiKeyDevice? ykDevice = null;
-            _ = Assert.Throws<ArgumentNullException>(() => ykDevice!.WithScp03(new StaticKeys()));
-        }
-
-        [Fact]
-        public void WithScp03_WhenDeviceDoesNotHaveSmartCard_ThrowsException()
-        {
-            var ykDeviceInfo = new YubiKeyDeviceInfo()
-            {
-                AvailableUsbCapabilities = YubiKeyCapabilities.All,
-                EnabledUsbCapabilities = YubiKeyCapabilities.All,
-            };
-
-            var ykDevice = new YubiKeyDevice(null, null, null, ykDeviceInfo);
-            _ = Assert.Throws<NotSupportedException>(() => ykDevice.WithScp03(new StaticKeys()));
-        }
-
-        [Fact]
-        public void WithScp03_WhenDeviceCorrect_Succeeds()
-        {
-            var mockSmartCard = new Mock<ISmartCardDevice>();
-            var ykDeviceInfo = new YubiKeyDeviceInfo()
-            {
-                AvailableUsbCapabilities = YubiKeyCapabilities.All,
-                EnabledUsbCapabilities = YubiKeyCapabilities.All,
-            };
-
-            var ykDevice = new YubiKeyDevice(mockSmartCard.Object, null, null, ykDeviceInfo);
-            IYubiKeyDevice scp03Device = ykDevice.WithScp03(new StaticKeys());
-            _ = Assert.IsAssignableFrom<Scp03YubiKeyDevice>(scp03Device);
-        }
-    }
-#pragma warning restore CS0618
-}
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubikeyApplicationTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubikeyApplicationTests.cs
new file mode 100644
index 000000000..f71e42120
--- /dev/null
+++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/YubikeyApplicationTests.cs
@@ -0,0 +1,68 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using Xunit;
+
+namespace Yubico.YubiKey
+{
+    public class YubiKeyApplicationExtensionsTests
+    {
+        [Theory]
+        [InlineData(YubiKeyApplication.Management, new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17 })]
+        [InlineData(YubiKeyApplication.Otp, new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01 })]
+        [InlineData(YubiKeyApplication.FidoU2f, new byte[] { 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01 })]
+        [InlineData(YubiKeyApplication.Piv, new byte[] { 0xa0, 0x00, 0x00, 0x03, 0x08 })]
+        public void GetIso7816ApplicationId_ReturnsCorrectId(YubiKeyApplication application, byte[] expectedId)
+        {
+            byte[] result = application.GetIso7816ApplicationId();
+            Assert.Equal(expectedId, result);
+        }
+
+        [Fact]
+        public void GetIso7816ApplicationId_ThrowsForUnsupportedApplication()
+        {
+            var unsupportedApp = (YubiKeyApplication)999;
+            Assert.Throws<NotSupportedException>(() => unsupportedApp.GetIso7816ApplicationId());
+        }
+
+        [Fact]
+        public void ApplicationIds_ContainsAllApplications()
+        {
+            var result = YubiKeyApplicationExtensions.Iso7816ApplicationIds;
+            Assert.Equal(11, result.Count);
+            Assert.Contains(YubiKeyApplication.Management, result.Keys);
+            Assert.Contains(YubiKeyApplication.Otp, result.Keys);
+            Assert.Contains(YubiKeyApplication.FidoU2f, result.Keys);
+            // Add assertions for other applications
+        }
+
+        [Theory]
+        [InlineData(new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17 }, YubiKeyApplication.Management)]
+        [InlineData(new byte[] { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01 }, YubiKeyApplication.Otp)]
+        [InlineData(new byte[] { 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01 }, YubiKeyApplication.FidoU2f)]
+        public void GetById_ReturnsCorrectApplication(byte[] applicationId, YubiKeyApplication expectedApplication)
+        {
+            var result = YubiKeyApplicationExtensions.GetYubiKeyApplication(applicationId);
+            Assert.Equal(expectedApplication, result);
+        }
+
+        [Fact]
+        public void GetById_ThrowsForUnknownApplicationId()
+        {
+            byte[] unknownId = new byte[] { 0x00, 0x11, 0x22, 0x33 };
+            Assert.Throws<ArgumentException>(() => YubiKeyApplicationExtensions.GetYubiKeyApplication(unknownId));
+        }
+    }
+}
diff --git a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/HollowYubiKeyDevice.cs b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/HollowYubiKeyDevice.cs
index 6dfb33f44..e3c8f741e 100644
--- a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/HollowYubiKeyDevice.cs
+++ b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/HollowYubiKeyDevice.cs
@@ -14,7 +14,8 @@
 
 using System;
 using Yubico.Core.Devices;
-using Yubico.YubiKey.Scp03;
+using Yubico.YubiKey.Scp;
+
 
 namespace Yubico.YubiKey.TestUtilities
 {
@@ -141,9 +142,9 @@ public HollowYubiKeyDevice(bool alwaysAuthenticatePiv = false)
             EnabledUsbCapabilities = 0;
         }
 
-        public IYubiKeyConnection Connect(YubiKeyApplication yubikeyApplication)
+        public IYubiKeyConnection Connect(YubiKeyApplication yubiKeyApplication)
         {
-            var connection = new HollowConnection(yubikeyApplication, FirmwareVersion)
+            var connection = new HollowConnection(yubiKeyApplication, FirmwareVersion)
             {
                 AlwaysAuthenticatePiv = _alwaysAuthenticatePiv,
             };
@@ -151,57 +152,87 @@ public IYubiKeyConnection Connect(YubiKeyApplication yubikeyApplication)
             return connection;
         }
 
-        public IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication yubikeyApplication, StaticKeys scp03Keys)
+        public IYubiKeyConnection Connect(byte[] applicationId)
         {
             throw new NotImplementedException();
         }
 
-        public IYubiKeyConnection Connect(byte[] applicationId)
+        [Obsolete("Obsolete")]
+        public IScp03YubiKeyConnection ConnectScp03(YubiKeyApplication yubikeyApplication, Yubico.YubiKey.Scp03.StaticKeys scp03Keys)
         {
             throw new NotImplementedException();
         }
 
-        public IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, StaticKeys scp03Keys)
+        [Obsolete("Obsolete")]
+        public IScp03YubiKeyConnection ConnectScp03(byte[] applicationId, Yubico.YubiKey.Scp03.StaticKeys scp03Keys)
         {
             throw new NotImplementedException();
         }
 
-        /// <inheritdoc />
-        bool IYubiKeyDevice.HasSameParentDevice(IDevice other)
+        public IScpYubiKeyConnection Connect(YubiKeyApplication yubikeyApplication, ScpKeyParameters scp03Keys)
         {
-            return false;
+            throw new NotImplementedException();
+        }
+
+        public IScpYubiKeyConnection Connect(byte[] applicationId, ScpKeyParameters scp03Keys)
+        {
+            throw new NotImplementedException();
         }
 
-        bool IYubiKeyDevice.TryConnect(
+        public bool TryConnect(
             YubiKeyApplication application,
             out IYubiKeyConnection connection)
         {
             throw new NotImplementedException();
         }
 
-        bool IYubiKeyDevice.TryConnectScp03(
+        public bool TryConnect(
+            byte[] applicationId,
+            out IYubiKeyConnection connection)
+        {
+            throw new NotImplementedException();
+        }
+
+        [Obsolete("Obsolete")]
+        public bool TryConnectScp03(
             YubiKeyApplication application,
-            StaticKeys scp03Keys,
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
             out IScp03YubiKeyConnection connection)
         {
             throw new NotImplementedException();
         }
 
-        bool IYubiKeyDevice.TryConnect(
+        [Obsolete("Obsolete")]
+        public bool TryConnectScp03(
             byte[] applicationId,
-            out IYubiKeyConnection connection)
+            Yubico.YubiKey.Scp03.StaticKeys scp03Keys,
+            out IScp03YubiKeyConnection connection)
         {
             throw new NotImplementedException();
         }
 
-        bool IYubiKeyDevice.TryConnectScp03(
+        public bool TryConnect(
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters,
+            out IScpYubiKeyConnection connection)
+        {
+            throw new NotImplementedException();
+        }
+
+        public bool TryConnect(
             byte[] applicationId,
-            StaticKeys scp03Keys,
-            out IScp03YubiKeyConnection connection)
+            ScpKeyParameters keyParameters,
+            out IScpYubiKeyConnection connection)
         {
             throw new NotImplementedException();
         }
 
+        /// <inheritdoc />
+        bool IYubiKeyDevice.HasSameParentDevice(IDevice other)
+        {
+            return false;
+        }
+
         public void SetEnabledNfcCapabilities(YubiKeyCapabilities yubiKeyCapabilities) =>
             throw new NotImplementedException();
 
@@ -246,6 +277,16 @@ public void UnlockConfiguration(ReadOnlySpan<byte> lockCode)
             throw new NotImplementedException();
         }
 
+        public void SetLegacyDeviceConfiguration(
+            YubiKeyCapabilities yubiKeyInterfaces,
+            byte challengeResponseTimeout,
+            bool touchEjectEnabled,
+            int autoEjectTimeout = 0,
+            ScpKeyParameters? keyParameters = null)
+        {
+            throw new NotImplementedException();
+        }
+
         public void SetLegacyDeviceConfiguration(
             YubiKeyCapabilities yubiKeyInterfaces, byte challengeResponseTimeout, bool touchEjectEnabled,
             int autoEjectTimeout = 0)
diff --git a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/IntegrationTestDeviceEnumeration.cs b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/IntegrationTestDeviceEnumeration.cs
index 8da5e7d69..29a070a0d 100644
--- a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/IntegrationTestDeviceEnumeration.cs
+++ b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/IntegrationTestDeviceEnumeration.cs
@@ -50,7 +50,8 @@ private static readonly Lazy<IntegrationTestDeviceEnumeration> SingleInstance
         private const string YubikeyIntegrationtestAllowedKeysName = "YUBIKEY_INTEGRATIONTEST_ALLOWEDKEYS";
         private readonly string _allowlistFileName = $"{YubikeyIntegrationtestAllowedKeysName}.txt";
 
-        public IntegrationTestDeviceEnumeration(string? configDirectory = null)
+        public IntegrationTestDeviceEnumeration(
+            string? configDirectory = null)
         {
             var defaultDirectory =
                 Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Yubico");
@@ -89,21 +90,24 @@ public IntegrationTestDeviceEnumeration(string? configDirectory = null)
         /// </summary>
         /// <param name="serialNumber"></param>
         /// <returns></returns>
-        public static IYubiKeyDevice GetBySerial(int serialNumber)
+        public static IYubiKeyDevice GetBySerial(
+            int serialNumber)
             => GetTestDevices().Single(d => d.SerialNumber == serialNumber);
 
         /// <summary>
         /// Enumerates all YubiKey test devices on a system.
         /// </summary>
         /// <returns>The allow-list filtered list of available Yubikeys</returns>
-        public static IList<IYubiKeyDevice> GetTestDevices(Transport transport = Transport.All)
+        public static IList<IYubiKeyDevice> GetTestDevices(
+            Transport transport = Transport.All)
         {
             return YubiKeyDevice
                 .FindByTransport(transport)
                 .Where(IsAllowedKey)
                 .ToList();
 
-            static bool IsAllowedKey(IYubiKeyDevice key)
+            static bool IsAllowedKey(
+                IYubiKeyDevice key)
                 => key.SerialNumber == null ||
                    Instance.AllowedSerialNumbers.Contains(key.SerialNumber.Value.ToString());
         }
@@ -113,12 +117,15 @@ static bool IsAllowedKey(IYubiKeyDevice key)
         /// </summary>
         /// <param name="testDeviceType">The type of the device.</param>
         /// <param name="transport">The transport the device must support.</param>
+        /// <param name="minimumFirmwareVersion">The earliest version number the
+        /// caller is willing to accept. Defaults to the minimum version for the given device.</param>
         /// <returns>The allow-list filtered YubiKey that was found.</returns>
         public static IYubiKeyDevice GetTestDevice(
             StandardTestDevice testDeviceType = StandardTestDevice.Fw5,
-            Transport transport = Transport.All)
+            Transport transport = Transport.All,
+            FirmwareVersion? minimumFirmwareVersion = null)
             => GetTestDevices(transport)
-                .SelectByStandardTestDevice(testDeviceType);
+                .SelectByStandardTestDevice(testDeviceType, minimumFirmwareVersion, transport);
 
         /// <summary>
         /// Get YubiKey test device of specified transport and for which the
@@ -128,12 +135,14 @@ public static IYubiKeyDevice GetTestDevice(
         /// <param name="minimumFirmwareVersion">The earliest version number the
         /// caller is willing to accept.</param>
         /// <returns>The allow-list filtered YubiKey that was found.</returns>
-        public static IYubiKeyDevice GetTestDevice(Transport transport, FirmwareVersion minimumFirmwareVersion)
+        public static IYubiKeyDevice GetTestDevice(
+            Transport transport,
+            FirmwareVersion minimumFirmwareVersion)
             => GetTestDevices(transport)
                 .SelectByMinimumVersion(minimumFirmwareVersion);
 
-
-        private static void CreateAllowListFileIfMissing(string allowListFilePath)
+        private static void CreateAllowListFileIfMissing(
+            string allowListFilePath)
         {
             if (File.Exists(allowListFilePath))
             {
diff --git a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/StandardTestDevice.cs b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/StandardTestDevice.cs
index c8fb1e939..7253f9e1b 100644
--- a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/StandardTestDevice.cs
+++ b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/StandardTestDevice.cs
@@ -36,16 +36,6 @@ public enum StandardTestDevice
         /// </summary>
         Fw5Fips,
 
-        /// <summary>
-        /// Major version 5, USB C Lightning, not FIPS
-        /// </summary>
-        Fw5Ci,
-
-        /// <summary>
-        /// Major version 5, USB C Keychain
-        /// </summary>
-        Fw5C,
-
         /// <summary>
         /// Major version 5, USB A biometric keychain, not FIPS
         /// </summary>
diff --git a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestDeviceSelection.cs b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestDeviceSelection.cs
index 09662c0ea..5d5954423 100644
--- a/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestDeviceSelection.cs
+++ b/Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestDeviceSelection.cs
@@ -14,6 +14,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using TestDev = Yubico.YubiKey.TestUtilities.IntegrationTestDeviceEnumeration;
 
@@ -27,7 +28,8 @@ public static class TestDeviceSelection
         /// <exception cref="InvalidOperationException">
         /// Thrown if the test device could not be found.
         /// </exception>
-        public static IYubiKeyDevice RenewDeviceEnumeration(int serialNumber)
+        public static IYubiKeyDevice RenewDeviceEnumeration(
+            int serialNumber)
         {
             const int maxReconnectAttempts = 40;
             const int sleepDuration = 100; //ms
@@ -54,52 +56,85 @@ public static IYubiKeyDevice RenewDeviceEnumeration(int serialNumber)
         /// Retrieves a single <see cref="IYubiKeyDevice"/> based on test device requirements.
         /// </summary>
         /// <exception cref="ArgumentException">
-        /// Thrown when <paramref name="testDevice"/> is not a recognized value.
+        /// Thrown when <paramref name="testDeviceType"/> is not a recognized value.
         /// </exception>
         /// <exception cref="InvalidOperationException">
         /// Thrown when the input sequence did not contain a valid test device.
         /// </exception>
+        /// <param name="testDeviceType">The type of the device.</param>
+        /// <param name="minimumFirmwareVersion">The earliest version number the
+        /// caller is willing to accept. Defaults to the minimum version for the given device.</param>
+        /// <param name="yubiKeys">The list of yubikeys to select from</param>
+        /// <param name="transport">The desired transport</param>
+        /// <returns>The allow-list filtered YubiKey that was found.</returns>
         public static IYubiKeyDevice SelectByStandardTestDevice(
             this IEnumerable<IYubiKeyDevice> yubiKeys,
-            StandardTestDevice testDevice)
+            StandardTestDevice testDeviceType,
+            FirmwareVersion? minimumFirmwareVersion = null,
+            Transport transport = Transport.All
+            )
         {
             var devices = yubiKeys as IYubiKeyDevice[] ?? yubiKeys.ToArray();
             if (!devices.Any())
             {
-                throw new InvalidOperationException("Could not find any connected Yubikeys");
+                ThrowDeviceNotFoundException("Could not find any connected Yubikeys (Transport: {transport})", devices);
             }
 
-            return testDevice switch
+            var devicesVersionFiltered =
+                devices.Where(d => d.FirmwareVersion >= MatchVersion(testDeviceType, minimumFirmwareVersion));
+
+            return testDeviceType switch
             {
                 StandardTestDevice.Fw3 => SelectDevice(3),
                 StandardTestDevice.Fw4Fips => SelectDevice(4, isFipsSeries: true),
                 StandardTestDevice.Fw5 => SelectDevice(5),
                 StandardTestDevice.Fw5Fips => SelectDevice(5, formFactor: FormFactor.UsbAKeychain, isFipsSeries: true),
                 StandardTestDevice.Fw5Bio => SelectDevice(5, formFactor: FormFactor.UsbABiometricKeychain),
-                _ => throw new ArgumentException("Invalid test device value.", nameof(testDevice)),
+                _ => throw new ArgumentException("Invalid test device value.", nameof(testDeviceType)),
             };
 
-            IYubiKeyDevice SelectDevice(int majorVersion, FormFactor? formFactor = null, bool isFipsSeries = false)
+            IYubiKeyDevice SelectDevice(
+                int majorVersion,
+                FormFactor? formFactor = null,
+                bool isFipsSeries = false)
             {
                 IYubiKeyDevice device = null!;
                 try
                 {
-                    bool MatchingDeviceSelector(IYubiKeyDevice d) =>
+                    bool MatchingDeviceSelector(
+                        IYubiKeyDevice d) =>
                         d.FirmwareVersion.Major == majorVersion &&
                         (formFactor is null || d.FormFactor == formFactor) &&
                         d.IsFipsSeries == isFipsSeries;
 
-                    device = devices.First(MatchingDeviceSelector);
+                    device = devicesVersionFiltered.First(MatchingDeviceSelector);
                 }
                 catch (InvalidOperationException)
                 {
-                    ThrowDeviceNotFoundException($"Target test device not found ({testDevice})", devices);
+                    ThrowDeviceNotFoundException($"Target test device not found ({testDeviceType}, Transport: {transport})", devices);
                 }
 
                 return device;
             }
         }
 
+        private static FirmwareVersion MatchVersion(
+            StandardTestDevice testDeviceType,
+            FirmwareVersion? minimumFirmwareVersion)
+        {
+            if (minimumFirmwareVersion is { })
+            {
+                return minimumFirmwareVersion;
+            }
+
+            return testDeviceType switch
+            {
+                StandardTestDevice.Fw3 => FirmwareVersion.V3_1_0,
+                StandardTestDevice.Fw4Fips => FirmwareVersion.V4_0_0,
+                _ => FirmwareVersion.V5_0_0,
+            };
+        }
+
         public static IYubiKeyDevice SelectByMinimumVersion(
             this IEnumerable<IYubiKeyDevice> yubiKeys,
             FirmwareVersion minimumFirmwareVersion)
@@ -116,16 +151,20 @@ public static IYubiKeyDevice SelectByMinimumVersion(
                 ThrowDeviceNotFoundException("No matching YubiKey found", devices);
             }
 
-            return device!;
+            return device;
         }
 
-        private static void ThrowDeviceNotFoundException(string errorMessage, IYubiKeyDevice[] devices)
+        [DoesNotReturn]
+        private static void ThrowDeviceNotFoundException(
+            string errorMessage,
+            IYubiKeyDevice[] devices)
         {
             var connectedDevicesText = FormatConnectedDevices(devices);
             throw new DeviceNotFoundException($"{errorMessage}. {connectedDevicesText}");
         }
 
-        private static string FormatConnectedDevices(IReadOnlyCollection<IYubiKeyDevice> devices)
+        private static string FormatConnectedDevices(
+            IReadOnlyCollection<IYubiKeyDevice> devices)
         {
             var deviceText =
                 devices.Select(y => $"{{{y.FirmwareVersion}, {y.FormFactor}, IsFipsSeries: {y.IsFipsSeries}}}");
@@ -139,6 +178,9 @@ private static string FormatConnectedDevices(IReadOnlyCollection<IYubiKeyDevice>
     // Custom test exception inheriting from InvalidOperationException as some test code depends on InvalidOperationExceptions 
     public class DeviceNotFoundException : InvalidOperationException
     {
-        public DeviceNotFoundException(string message) : base(message) { }
+        public DeviceNotFoundException(
+            string message) : base(message)
+        {
+        }
     }
 }
diff --git a/build/CompilerSettings.props b/build/CompilerSettings.props
index db506cd74..36737af72 100644
--- a/build/CompilerSettings.props
+++ b/build/CompilerSettings.props
@@ -61,6 +61,8 @@ on things like conditions in this file.
     -->
     <NoWarn>@(NoWarn);NU5105</NoWarn>
 
+    <NeutralLanguage>en-US</NeutralLanguage>
+
     <!--
     Create byte-for-byte identical build artifacts given the same build input. Normally, the compiler will
     add certain things to the binary header like timestamp, compiler version, and even more seemingly
@@ -71,15 +73,13 @@ on things like conditions in this file.
     <Deterministic>true</Deterministic>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <AnalysisLevel>latest</AnalysisLevel>
-    <AnalysisMode>AllEnabledByDefault</AnalysisMode>
+    <AnalysisMode>Recommended</AnalysisMode>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
   </PropertyGroup>
 
   <PropertyGroup Label="Production assembly project settings" Condition="'$(IsProdProject)' == 'true'">
 
-    <NeutralLanguage>en-US</NeutralLanguage>
-
-    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <GeneratePackageOnBuild Condition="$(Configuration.Contains('WithDocs'))">true</GeneratePackageOnBuild>
 
   </PropertyGroup>
 
@@ -110,12 +110,7 @@ on things like conditions in this file.
     being packed as part of its project build, but because of the main project's build pass.
     -->
     <IsPackable>false</IsPackable>
-
-    <!--
-    If no other language or locale is specified, assume that we're all speaking United States English.
-    -->
-    <NeutralLanguage>en-US</NeutralLanguage>
-
+    
   </PropertyGroup>
 
   <!--
@@ -130,4 +125,13 @@ on things like conditions in this file.
 
   </PropertyGroup>
 
+  <PropertyGroup Label="Sample project settings" Condition="'$(IsSampleProject)'=='true'">
+
+    <!--
+    Do not pack sample projects in any of the NuGet packages.
+    -->
+    <IsPackable>false</IsPackable>
+
+  </PropertyGroup>
+
 </Project>
\ No newline at end of file
diff --git a/build/ProjectTypes.props b/build/ProjectTypes.props
index ea57b8051..75c2e5400 100644
--- a/build/ProjectTypes.props
+++ b/build/ProjectTypes.props
@@ -44,6 +44,14 @@ limitations under the License. -->
     <IsTestProject Condition="$(MSBuildProjectName.EndsWith('Tests', StringComparison.OrdinalIgnoreCase))">true</IsTestProject>
     <IsTestProject Condition="!$(MSBuildProjectName.EndsWith('Tests', StringComparison.OrdinalIgnoreCase))">false</IsTestProject>
 
+    <!--
+    A project is a SampleCode project if it it ends with Tests in the project name. For example:
+    MyProject.SampleCode.csproj will pick up this property. MyProject.SampleCode.csproj will not.
+    The filename convention is case Insensitive.
+    -->
+    <IsSampleCodeProject Condition="$(MSBuildProjectName.EndsWith('SampleCode', StringComparison.OrdinalIgnoreCase))">true</IsSampleCodeProject>
+    <IsSampleCodeProject Condition="!$(MSBuildProjectName.EndsWith('SampleCode', StringComparison.OrdinalIgnoreCase))">false</IsSampleCodeProject>
+
     <!--
     A project is a reference assembly project if it ends with Ref in the project name. For
     example: MyProject.Ref.csproj will pick up this property. The filename convention is case