Attestation and Authenticator Metadata
Intended audience
This conceptual article will be of most interest to organizations that need to ensure their workforce is using a strong authenticator, and to identity providers looking to provide that assurance to organizations through their products.
Background
Organizations may want to limit the use of FIDO authenticators to specific makes and models to ensure the devices users authenticate with meet their security and compliance needs. To facilitate this, the FIDO specification provides a mechanism called attestation. During registration, the authenticator signs over the newly created credential with a manufacturer-provisioned attestation key; the relying party verifies that signature using attestation root certificates supplied by device manufacturers and validated and aggregated by the FIDO Alliance.
AAGUIDs
Identity providers (IdPs) use an authenticator’s AAGUID (a 16-byte authenticator model identifier carried in the registration’s authenticator data) to look up the attestation root certificates against which the attestation statement’s certificate chain and signature can be validated. IdPs may also use the AAGUID to look up other information about an authenticator, such as the features it supports, the presence of specific third-party certifications, or an icon to display that helps a user determine where their passkey is stored. [1] This information is collectively known as the authenticator metadata.
FIDO Metadata Service (MDS)
To facilitate IdPs’ use of authenticator metadata, the FIDO Alliance hosts the FIDO Metadata Service (MDS), which is updated as vendors produce new authenticators with different AAGUIDs and as authenticators achieve FIDO and third-party certifications. The MDS saves IdPs from having to hard-code AAGUID and certificate chain information.
The MDS is published as a single large document (the MDS3 blob, a signed JWT whose signature and certificate chain an IdP should verify before trusting its contents), which is over 5 megabytes in size at the time of writing. The bandwidth and compute requirements to obtain and process it make it unsuitable for fetching during every new authenticator registration. IdPs should download and ingest a new MDS document into their systems periodically, out of band from the authenticator registration process.
The FIDO Alliance recommends that the MDS be downloaded and ingested monthly. [2] However, in 2024 the MDS averaged between one and two updates per week. IdPs may want to download and process the MDS more frequently to keep pace with the rapid changes in the FIDO authenticator ecosystem.
The MDS is not exhaustive. There is no requirement to list an authenticator in the MDS, even if it has received a FIDO Alliance certification. There are a number of reasons why device manufacturers or customers may not want the metadata for their authenticators published, but ultimately customers must have the option of privacy, even when they are using an authenticator that a device manufacturer has customized for them. [3] An IdP therefore cannot treat absence from the MDS as evidence that an authenticator is weak; it only means the authenticator’s make and model cannot be verified from the MDS.
Synced passkey providers are not even eligible for listing in the MDS because, with some exceptions, they are not currently capable of producing attestations.
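The following is an added example, not code from the original article or from the FIDO Alliance, showing the registration-time flow described above: extract the AAGUID from the authenticator data, look it up in an index built from an MDS3-style blob, and apply an allowlist policy that distinguishes "blocked by MDS status" from "not listed in the MDS" and from "no usable AAGUID". The blob, its two entries, their AAGUIDs and the authenticator data are all constructed here for illustration; the blob carries an empty signature, and the JWS signature check against the FIDO Alliance MDS root and the verification of the attestation statement’s certificate chain against the entry’s attestationRootCertificates are deliberately left out and must be done in a real ingester and registration handler.

```python
import base64
import hashlib
import json
import uuid
from typing import Optional

# ---- Constructed sample data (not a real MDS blob, not real authenticators) ----
MODEL_A = "11111111-2222-3333-4444-555555555555"  # constructed AAGUID, certified
MODEL_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed AAGUID, later revoked
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"

SAMPLE_ENTRIES = [
    {"aaguid": MODEL_A,
     "metadataStatement": {"description": "Example Key Model A", "attestationRootCertificates": []},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-03-01"}],
     "timeOfLastStatusChange": "2023-03-01"},
    {"aaguid": MODEL_B,
     "metadataStatement": {"description": "Example Key Model B", "attestationRootCertificates": []},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2022-01-10"},
                       {"status": "REVOKED", "effectiveDate": "2024-06-01"}],
     "timeOfLastStatusChange": "2024-06-01"},
]

# MDS3 AuthenticatorStatus values that should block registration outright.
BLOCKED_STATUSES = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
                    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_blob() -> str:
    """Construct an unsigned JWT shaped like the MDS3 blob (header.payload.signature)."""
    header = {"alg": "ES256", "typ": "JWT"}
    payload = {"no": 42, "nextUpdate": "2025-01-01", "entries": SAMPLE_ENTRIES}
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode()), ""])


def decode_blob_payload(blob: str) -> dict:
    """Decode the JWT payload. A production ingester must verify the JWS signature and its
    x5c chain against the FIDO Alliance MDS root before this step (omitted in this example)."""
    _header, payload, _signature = blob.split(".")
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def index_by_aaguid(payload: dict) -> dict:
    """Build the AAGUID -> entry map used at registration time (built once per ingest, not per registration)."""
    index = {}
    for entry in payload["entries"]:
        if "aaguid" in entry:  # U2F-only entries are keyed by attestationCertificateKeyIdentifiers instead
            index[entry["aaguid"].lower()] = entry
    return index


def current_status(entry: dict) -> str:
    """The most recent status report wins; status changes accumulate rather than replace."""
    reports = sorted(entry.get("statusReports", []), key=lambda r: r.get("effectiveDate", ""))
    return reports[-1]["status"] if reports else "NOT_FIDO_CERTIFIED"


def parse_aaguid(auth_data: bytes) -> Optional[str]:
    """authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData...
    The AAGUID is the first 16 bytes of attestedCredentialData, present only if the AT flag (0x40) is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if not auth_data[32] & 0x40:
        return None
    if len(auth_data) < 53:
        raise ValueError("AT flag set but attested credential data is truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def make_auth_data(aaguid: str, rp_id: str = "example.com") -> bytes:
    """Construct minimal authenticatorData for a registration (COSE key replaced by a placeholder byte)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x45])  # UP | UV | AT
    cred_id = b"\x01" * 16
    return (rp_id_hash + flags + (1).to_bytes(4, "big") + uuid.UUID(aaguid).bytes
            + len(cred_id).to_bytes(2, "big") + cred_id + b"\xa5")


def evaluate_registration(auth_data: bytes, index: dict, allowed_aaguids: set) -> dict:
    """Return a verdict that keeps 'not in MDS' separate from 'blocked', per the policy text above."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None or aaguid == ZERO_AAGUID:  # 'none' attestation may zero the AAGUID
        return {"aaguid": aaguid, "verdict": "no-aaguid"}
    entry = index.get(aaguid)
    if entry is None:  # absence from the MDS is not evidence of weakness
        return {"aaguid": aaguid, "verdict": "not-in-mds"}
    status = current_status(entry)
    if status in BLOCKED_STATUSES:
        return {"aaguid": aaguid, "verdict": "blocked", "status": status}
    if aaguid not in allowed_aaguids:
        return {"aaguid": aaguid, "verdict": "not-allowlisted", "status": status}
    return {"aaguid": aaguid, "verdict": "allowed", "status": status,
            "description": entry["metadataStatement"]["description"]}


if __name__ == "__main__":
    index = index_by_aaguid(decode_blob_payload(build_sample_blob()))
    allowed = {MODEL_A, MODEL_B}  # the organization's allowlist, also constructed
    for aaguid in (MODEL_A, MODEL_B, "99999999-8888-7777-6666-555555555555", ZERO_AAGUID):
        print(evaluate_registration(make_auth_data(aaguid), index, allowed))
```

The allowlist is checked after the MDS status so that a revocation published in a newer blob overrides an organization’s standing approval of a model without anyone editing the allowlist. The `not-in-mds` and `no-aaguid` verdicts are returned rather than folded into `blocked` so that the IdP can apply whatever policy the organization has chosen for unlisted and non-attesting authenticators.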
More information about the MDS can be found at the FIDO Alliance Metadata Service page: https://fidoalliance.org/metadata/
[1] FIDO Metadata Statement standard.
[2] “How often should I be fetching MDS3 blob?” at https://fidoalliance.org/metadata/
[3] See the Use Cases section in the “Authenticator Enforcement Best Practices for Identity Providers” chapter of this guide for more detail.