WebAuthn/FIDO2: What’s new in MDS3? Migrating from MDS2 to MDS3.

Ackermann Yuriy
May 26 · 5 min read

It’s a JSON! It looks like MDS2? Nope, that’s MDS3!

This is a continuation of our series on WebAuthn and FIDO2.

Recently the FIDO Alliance released a new version of the metadata specification. And it is not a case of simply adding a few new fields and calling it a day.

MDS3 entirely overhauls the Metadata Statement schema: old fields are deleted, some are merged, and numerical values and bit flags are replaced with strings. On top of that, the Metadata Service itself has seen major improvements.

Changes to Metadata Service

First, and most important: YOU NO LONGER NEED AN ACCESS TOKEN TO ACCESS MDS.

You can find all the access info on the FIDO Alliance website: https://fidoalliance.org/metadata/

Second, and no less important: YOU NO LONGER NEED TO DOWNLOAD HUNDREDS OF FILES! ALL METADATA COMES AS ONE BLOB! HALLELUJAH!

Big shout-out to Hideez Group Inc for the service they’ve built.

Regarding the Metadata Service itself:

  • Completely overhauled UI. One place to submit metadata, request certification, add new root certificates, submit security notification, etc.
Looks good, right?
  • Direct integration with conformance tools. Now when you complete conformance testing, you can select your metadata to be submitted to your account.

Here is a decoded BLOB sample:

{
  "no": 1234,
  "nextUpdate": "2014-03-31",
  "entries": [
    {
      "aaid": "1234#5678",
      // Metadata Statement Object https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#metadata-statement-format
      "metadataStatement": {"aaid": "1234#5678"...},
      "statusReports": [
        {
          "status": "FIDO_CERTIFIED",
          "effectiveDate": "2014-01-04"
        }
      ],
      "timeOfLastStatusChange": "2014-01-04"
    },
    {
      "attestationCertificateKeyIdentifiers": [
        "7c0903708b87115b0b422def3138c3c864e44573"
      ],
      // Metadata Statement Object https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#metadata-statement-format
      "metadataStatement": {"attestationCertificateKeyIdentifiers": ["7c0903708b87115b0b422def3138c3c864e44573"]...},
      "statusReports": [
        {
          "status": "FIDO_CERTIFIED",
          "effectiveDate": "2014-01-07"
        },
        {
          "status": "UPDATE_AVAILABLE",
          "effectiveDate": "2014-02-19",
          "url": "https://example.com/update1234"
        }
      ],
      "timeOfLastStatusChange": "2014-02-19"
    }
  ]
}

You can find more in-depth info in the latest publication of the Metadata Service spec: https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html

Changes to Metadata Statement

  1. Numerical fields became strings:

WAS: "userVerificationDetails": [[{ "userVerification": 2 }]]
NOW: "userVerificationDetails": [[{ "userVerificationMethod": "fingerprint_internal" }]]

WAS: "keyProtection": 6
NOW: "keyProtection": ["hardware", "tee"]

This applies to authenticationAlgorithms, publicKeyAlgAndEncodings, attestationTypes, userVerificationDetails, keyProtection, matcherProtection, attachmentHint and tcDisplay.

  2. Major cleanup:

  • Removed: assertionScheme, authenticationAlgorithm, publicKeyAlgAndEncoding, operatingEnv, isSecondFactorOnly

  3. New fields:

  • schema — Numerical identifier of the schema. Use this to check whether you are dealing with old or new metadata.

Sample MDS3 metadata statement:
{
  "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
  "description": "FIDO Alliance Sample FIDO2 Authenticator",
  "aaguid": "0132d110-bf4e-4208-a403-ab4f5f12efe5",
  "alternativeDescriptions": {
    "ru-RU": "Пример FIDO2 аутентификатора от FIDO Alliance",
    "fr-FR": "Exemple FIDO2 authenticator de FIDO Alliance",
    "zh-CN": "來自FIDO Alliance的示例FIDO2身份驗證器"
  },
  "protocolFamily": "fido2",
  "schema": 3,
  "authenticatorVersion": 5,
  "upv": [
    { "major": 1, "minor": 0 }
  ],
  "authenticationAlgorithms": ["secp256r1_ecdsa_sha256_raw", "rsassa_pkcsv15_sha256_raw"],
  "publicKeyAlgAndEncodings": ["cose"],
  "attestationTypes": ["basic_full"],
  "userVerificationDetails": [
    [
      {"userVerificationMethod": "none"}
    ],
    [
      {"userVerificationMethod": "presence_internal"}
    ],
    [{
      "userVerificationMethod": "passcode_external",
      "caDesc": {
        "base": 10,
        "minLength": 4
      }
    }],
    [{
      "userVerificationMethod": "passcode_external",
      "caDesc": {
        "base": 10,
        "minLength": 4
      }},
      {"userVerificationMethod": "presence_internal"}
    ]
  ],
  "keyProtection": ["hardware", "secure_element"],
  "matcherProtection": ["on_chip"],
  "cryptoStrength": 128,
  "attachmentHint": ["external", "wired", "wireless", "nfc"],
  "tcDisplay": [],
  "attestationRootCertificates": [
    "MIICPTCCAeOgAwIBAgIJAOuexvU3Oy2wMAoGCCqGSM49BAMCMHs..."
  ],
  "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAE8A...",
  "supportedExtensions": [
    {
      "id": "hmac-secret",
      "fail_if_unknown": false
    },
    {
      "id": "credProtect",
      "fail_if_unknown": false
    }
  ],
  "authenticatorGetInfo": {
    "versions": [ "U2F_V2", "FIDO_2_0" ],
    "extensions": [ "credProtect", "hmac-secret" ],
    "aaguid": "0132d110bf4e4208a403ab4f5f12efe5",
    "options": {
      "plat": false,
      "rk": true,
      "clientPin": true,
      "up": true,
      "uv": true,
      "uvToken": false,
      "config": false
    },
    "maxMsgSize": 1200,
    "pinUvAuthProtocols": [1],
    "maxCredentialCountInList": 16,
    "maxCredentialIdLength": 128,
    "transports": ["usb", "nfc"],
    "algorithms": [{
        "type": "public-key",
        "alg": -7
      },
      {
        "type": "public-key",
        "alg": -257
      }
    ],
    "maxAuthenticatorConfigLength": 1024,
    "defaultCredProtect": 2,
    "firmwareVersion": 5
  }
}

You can find out more by reading the latest spec: https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html

What about legacy MDS2?

Legacy MDS2 has been deprecated. Its PKI has been updated to GlobalSign. No new metadata will be added there, and it will be shut down in 18 months, in October 2022. You can find more information about it here: https://fidoalliance.org/legacy-mds2-information/

Relying parties should start planning their move to MDS3 quite soon, and our guide will help you do just that. You

Migrating to MDS3

First, I would like to clarify the implications for certified servers: if you update your code to support MDS3 and then run the conformance tests, your certification will not be affected.

FIRST: The processing rules for the new BLOB have not changed that much. JWT, certificate and CRL validation are exactly the same. So you basically need to delete all of the individual metadata download code and return entry.metadataStatement, since this is where the metadata object is now located.
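The lookup that replaces the old per-authenticator download, as an added example that is not the article's or the FIDO Alliance's code: it runs after the JWT, certificate and CRL checks, finds the entry for an authenticator in the decoded BLOB payload, gates on the newest status report and returns entry.metadataStatement. The BLOB below is a constructed sample shaped like the one above; the status names are assumed to follow the MDS3 AuthenticatorStatus enum.

```javascript
// Added example, not the article's code: look up an authenticator in a decoded
// MDS3 BLOB payload and gate on its status reports. Constructed sample BLOB
// shaped like the article's one; status names per the MDS3 AuthenticatorStatus enum.
const SAMPLE_BLOB = {
  no: 1234,
  nextUpdate: "2014-03-31",
  entries: [
    {
      aaguid: "0132d110-bf4e-4208-a403-ab4f5f12efe5",
      metadataStatement: { aaguid: "0132d110-bf4e-4208-a403-ab4f5f12efe5", attestationTypes: ["basic_full"] },
      statusReports: [{ status: "FIDO_CERTIFIED", effectiveDate: "2014-01-04" }],
    },
    {
      attestationCertificateKeyIdentifiers: ["7c0903708b87115b0b422def3138c3c864e44573"],
      metadataStatement: { attestationTypes: ["basic_full"] },
      statusReports: [
        { status: "FIDO_CERTIFIED", effectiveDate: "2014-01-07" },
        { status: "ATTESTATION_KEY_COMPROMISE", effectiveDate: "2014-02-19" },
      ],
    },
  ],
};

// Statuses after which an RP should stop trusting the authenticator's attestation.
const BLOCKING_STATUSES = new Set([
  "REVOKED", "ATTESTATION_KEY_COMPROMISE", "USER_VERIFICATION_BYPASS",
  "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE",
]);

// Entries are keyed by aaguid (FIDO2), aaid (UAF) or attestation key ids (U2F).
function findEntry(blob, { aaguid, aaid, keyId }) {
  return blob.entries.find((e) =>
    (aaguid && e.aaguid === aaguid) ||
    (aaid && e.aaid === aaid) ||
    (keyId && (e.attestationCertificateKeyIdentifiers || []).includes(keyId))) || null;
}

// Returns { ok, statement?, status?, reason? }. This replaces the per-authenticator
// download of MDS2: the statement now sits in the entry as entry.metadataStatement.
function resolveMetadata(blob, selector, today) {
  // ISO dates compare correctly as strings; a BLOB past nextUpdate must be refreshed.
  if (today > blob.nextUpdate) return { ok: false, reason: "BLOB past nextUpdate, refresh it" };
  const entry = findEntry(blob, selector);
  if (!entry) return { ok: false, reason: "authenticator not in MDS" };
  // The newest status report decides: sort by effectiveDate and take the last one.
  const latest = [...entry.statusReports].sort((a, b) => a.effectiveDate.localeCompare(b.effectiveDate)).pop();
  if (BLOCKING_STATUSES.has(latest.status)) return { ok: false, reason: `status ${latest.status}` };
  return { ok: true, statement: entry.metadataStatement, status: latest.status };
}
```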

One thing I might note here is that GlobalSign now returns the CRL not as PEM but as raw bytes, with content type "application/pkix-crl", so you might need to adjust your CRL validation code.

If your solution downloads root certificates on demand, please ensure that you add the root certificate directly to your code or certificate storage.

SECOND: Import the latest registry. FIDO Alliance kindly provides the registry as JS dictionaries that can easily be converted to whatever ENUM you need: https://github.com/fido-alliance/conformance-test-tools-resources/blob/master/snippets/registry.js

THIRD: Update your code to work with the new SHORT string constants:

For attestationTypes:

  • For packed and fido-u2f, check that attestationTypes contains "basic_full", or "basic_surrogate" in the case of FIDO2 self-attestation.

For authenticationAlgorithms and publicKeyAlgAndEncodings:

For UAF: tcDisplay is now a list of short string flags, like ["any", "tee"]. tcDisplayContentType and tcDisplayDisplayPNGCharacteristics.

FOURTH: Version 3 metadata now contains a "schema" field with value 3. Using that, you can easily distinguish old and new schemas in mixed MDS environments.
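Putting the "Numerical fields became strings" section and the "schema" check together, here is an added example (not the article's code) that normalises a statement to MDS3 constants: statements with "schema": 3 pass through, anything else is treated as MDS2 and its numeric keyProtection, matcherProtection and userVerification values are expanded into the string lists shown above. The bit values are assumed to be the MDS2 registry constants and the names the MDS3 ones; confirm them against the registry.js linked under SECOND before relying on them.

```javascript
// Added example, not the article's code: normalise a metadata statement to the
// MDS3 string constants, using "schema" to tell old and new statements apart.
// Bit values are assumed to be the MDS2 registry constants and the names the
// MDS3 ones; check both against the registry.js the article links to.
const KEY_PROTECTION = { 0x01: "software", 0x02: "hardware", 0x04: "tee", 0x08: "secure_element", 0x10: "remote_handle" };
const MATCHER_PROTECTION = { 0x01: "software", 0x02: "tee", 0x04: "on_chip" };
const USER_VERIFY = {
  0x01: "presence_internal", 0x02: "fingerprint_internal", 0x04: "passcode_internal",
  0x08: "voiceprint_internal", 0x10: "faceprint_internal", 0x20: "location_internal",
  0x40: "eyeprint_internal", 0x80: "pattern_internal", 0x100: "handprint_internal",
  0x200: "none", 0x400: "all", 0x800: "passcode_external", 0x1000: "pattern_external",
};

// Expand a bit-flag integer into MDS3 names. An unknown bit throws instead of
// being dropped: silently losing a bit could hide a weaker protection level.
function flagsToNames(value, table) {
  const names = [];
  for (let bit = 1; bit <= value; bit <<= 1) {
    if (value & bit) {
      if (!table[bit]) throw new Error(`unknown flag 0x${bit.toString(16)}`);
      names.push(table[bit]);
    }
  }
  return names;
}

// Statements with "schema": 3 pass through untouched; anything else is treated
// as MDS2 and its numeric fields are rewritten (schema is set to 3 afterwards).
function normalizeStatement(stmt) {
  if (stmt.schema === 3) return stmt;
  const out = { ...stmt, schema: 3 };
  if (typeof stmt.keyProtection === "number") out.keyProtection = flagsToNames(stmt.keyProtection, KEY_PROTECTION);
  if (typeof stmt.matcherProtection === "number") out.matcherProtection = flagsToNames(stmt.matcherProtection, MATCHER_PROTECTION);
  if (Array.isArray(stmt.userVerificationDetails)) {
    // MDS2: [[{ "userVerification": 2 }]]  ->  MDS3: [[{ "userVerificationMethod": "fingerprint_internal" }]]
    out.userVerificationDetails = stmt.userVerificationDetails.map((alternatives) =>
      alternatives.map((method) => {
        if (typeof method.userVerification !== "number") return method;
        const { userVerification, ...rest } = method;
        const names = flagsToNames(userVerification, USER_VERIFY);
        if (names.length !== 1) throw new Error("userVerification must be exactly one method");
        return { userVerificationMethod: names[0], ...rest };
      }));
  }
  return out;
}
```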

FIFTH: Apple Anonymous Attestation is now mandatory. You can find out how to validate it in my recent article: https://medium.com/webauthnworks/webauthn-fido2-verifying-apple-anonymous-attestation-5eaff334c849

Resources

License

This article is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact us at info(at)webauthn(dot)works

The code samples are licensed under MIT license.

WebAuthn Works

WebAuthn Works Limited
