WebAuthn/FIDO2: What’s new in MDS3? Migrating from MDS2 to MDS3.

Ackermann Yuriy
May 26 · 5 min read

It’s a JSON! It looks like MDS2? Nope, that’s MDS3!

This is continuation of our series on Webauthn and FIDO2.

Recently FIDO Alliance released new version of the metadata specification. And it’s not simple added new fields, and called it day.

MDS3 Metadata entirely overhauled schema, deleting old fields, merging some and replacing numerical and flags with strings, in addition to the major improvements for Metadata Service.

Changes to Metadata Service

First, and the most important thing: YOU NO LONGER NEED ACCESS TOKEN TO ACCESS MDS.

You can find all the access info on the FIDO Alliance website: https://fidoalliance.org/metadata/


Big shout-out to Hideez Group Inc for the service they’ve built.

Regarding Metadata Service it self:

  • Completely overhauled UI. One place to submit metadata, request certification, add new root certificates, submit security notification, etc.
Looks good, right?
  • Direct integration with conformance tools. Now when you complete conformance testing, you can select your metadata to be submitted to your account.
  • Enterprise security features: Event logging accessible by the vendors to see what actions happened. Mandatory FIDO MFA. Ability to manage teams, for large vendors.
  • Daily on-demand updates. You no longer need to wait for a month for you metadata to be submitted.
  • MDS BLOB is now CDN backed for better availability.
  • PKI by GlobalSign!
  • Multi-lingual support.

Here is decode BLOB sample:

You can find more in depth info in the latest publication of Metadata Service spec: https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html

Changes to Metadata Statement

  1. Numerical fields became string:

This applies to authenticationAlgorithms, publicKeyAlgAndEncodings, attestationTypes, userVerificationDetails, keyProtection, matcherProtection, attachmentHint, tcDisplay

2. Major cleanup:

  • Removed: assertionScheme, authenticationAlgorithm, publicKeyAlgAndEncoding, operatingEnv, isSecondFactorOnly
  • authenticationAlgorithms replaced authenticationAlgorithm
  • publicKeyAlgAndEncodings replaced publicKeyAlgAndEncoding

3. New fields:

  • schema — Numerical identifier of the schema. Use this to check if you are dealing with old or new metadata.
  • authenticatorGetInfo — Snapshot of authenticatorGetInfo. Relying parties can use it to make informed decisions about FIDO2 authenticators.

You can find out more from reading latest spec: https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html

What about legacy MDS2?

Legacy MDS2 have been deprecated. PKI updated to the GlobalSign. No new metadata will be added there and it will be shutdown in 18 months, or in October 2022. You can find more information about it here https://fidoalliance.org/legacy-mds2-information/

Relying parties should start planning moving to MDS3 quiet soon, and our guide will help you just do that. You

Migrating to MDS3

First I would like to clarify implication for certified servers. If you update your code to support MDS3, and then run conformance tests, your certification will not be affected.

FIRST: The processing rules for new BLOB have not changed that much. JWT, certificate, and CRL validation are exactly the same. So you basically need to delete all of the individual metadata download code, and return entry.metadataStatement, since this is where the metadata object is now located.

One thing that I might note here is that GlobalSign is now returning CRL not in PEM, but as bytes, with content type “application/pkix-crl” so you might need to adjust your CRL validation code.

If your solutions is downloading root certificates on-demand, please ensure that you add root certificate directly to your code, or certificate storage.

SECOND: Import latest registry. FIDO Alliance kindly provides registry as JS dictionaries that can be easily convert to what ever ENUM you need https://github.com/fido-alliance/conformance-test-tools-resources/blob/master/snippets/registry.js

THIRD: Update your code to work with new SHORT string constant:

For attestationTypes:

  • For packed and fido-u2f check that attestation types contains “basic_full” or “basic_surrogate” in case of FIDO2 self attestation.
  • For tpm check that attestation types contain “attca”
  • For apple, apple-appattest, safety-net, android-key check that attestation types contain “anonca”

For authenticationAlgorithms and publicKeyAlgAndEncodings:

For UAF: tcDisplay is now a list of short for flags, like: [“any”, “tee“]. tcDisplayContentType and tcDisplayDisplayPNGCharacteristics.

FOURTH: Version 3 Metadata now contains “schema” field with value 3. Using that you can easily distinguish old and new schema in the mixed MDS environments.

FIFTH: Apple Anonymous Attestation is now mandatory. You can find how to validate it in my recent article https://medium.com/webauthnworks/webauthn-fido2-verifying-apple-anonymous-attestation-5eaff334c849



This article is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact us at info(at)webauthn(dot)works

The code samples are licensed under MIT license.

WebAuthn Works Limited

WebAuthn Works
Ackermann Yuriy

Written by

FIDO, Identity, Standards

WebAuthn Works

WebAuthn Works Limited