WebAuthn | MDS
The Metadata Service (MDS) is a centralized service provided by the FIDO Alliance that aggregates and publishes Metadata Statements about authenticators certified through FIDO certification programs. These statements contain detailed security, compliance, and operational information about the authenticators.
The service endpoint is often referred to as MDS3 (the third version of the Metadata Service protocol).
Relying Parties (e.g., websites or applications implementing WebAuthn) retrieve metadata statements from MDS to make informed trust decisions about authenticators.
The MDS adds a crucial layer of trust and security validation for relying parties using WebAuthn:
- Authenticator Validation: Enables verification of authenticator compliance with FIDO standards and helps validate the AAGUID presented in a WebAuthn attestation.
- Compromise & Revocation Detection: Provides up-to-date information on compromised or revoked authenticators, allowing relying parties to block insecure devices.
- Security Assurance: Helps enforce security policies, such as only allowing authenticators that meet a certain FIDO certification level or user verification strength.
- Interoperability: Ensures consistent behavior and security expectations across different browsers, platforms, and devices using different authenticators.
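The validation and revocation checks listed above, as an added example that is not part of this page or of the library it documents: a pure-Python policy evaluation over an MDS3 BLOB payload, assuming the BLOB's JWT signature and x5c chain have already been verified against the root certificate. The AAGUIDs, status reports and the set of accepted certification levels are constructed sample data and a local policy assumption, not real MDS entries.

```python
import base64
import json

# MDS3 AuthenticatorStatus values that mark a compromised or revoked authenticator.
BLOCKING_STATUSES = {
    "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED",
}

def decode_blob_payload(blob_jwt: str) -> dict:
    """Decode the payload segment of an MDS3 BLOB (a compact JWT).
    The signature and certificate chain must already have been validated."""
    segments = blob_jwt.split(".")
    if len(segments) != 3:
        raise ValueError("MDS3 BLOB is not a three-part JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def latest_status(entry: dict) -> str:
    """Most recent status report for an entry; no report means not certified."""
    reports = entry.get("statusReports", [])
    if not reports:
        return "NOT_FIDO_CERTIFIED"
    return max(reports, key=lambda r: r.get("effectiveDate", ""))["status"]

def evaluate_authenticator(payload: dict, aaguid: str, allowed_levels: set, today: str):
    """Return (accepted, reason) for an attested AAGUID under a local policy.
    Dates are ISO yyyy-mm-dd strings, which compare correctly as text."""
    if payload["nextUpdate"] < today:
        return False, "MDS BLOB is stale; refresh it before trusting its entries"
    entry = next((e for e in payload["entries"]
                  if e.get("aaguid", "").lower() == aaguid.lower()), None)
    if entry is None:
        return False, "AAGUID not present in MDS"
    for report in entry.get("statusReports", []):
        if report["status"] in BLOCKING_STATUSES:  # any compromise report blocks the device
            return False, f"authenticator flagged {report['status']}"
    status = latest_status(entry)
    if status not in allowed_levels:
        return False, f"certification level {status} not allowed by policy"
    return True, status

def build_sample_blob() -> str:
    """Constructed sample BLOB with a dummy signature (not real MDS data)."""
    payload = {"no": 1, "nextUpdate": "2099-01-01", "entries": [
        {"aaguid": "11111111-2222-3333-4444-555555555555",
         "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-01-10"}]},
        {"aaguid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
         "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2022-05-01"},
                           {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2024-02-02"}]}]}
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'ES256'})}.{b64(payload)}.dummy-signature"
```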
Configuration
The use of the MDS is configured through the WebAuthnOptions.MDS property. Its main sub-properties are:
- Enabled: if true (the default), WebAuthn requests are validated against the configured MDS file.
- MDS_FileName: the path where the MDS file is stored. It can be downloaded from the following URL: https://mds3.fidoalliance.org/
- RootCert_FileName: the path where the Root Certificate is stored. Must be defined to validate the certificate chain. It can be downloaded from https://valid.r3.roots.globalsign.com/
- Leaf_CertificateCRL: if true (default false), the leaf certificate of the BLOB is checked against the CRL (Certificate Revocation List).
- CRL_FileName: the path where the CRL file is stored. If it's not defined and Leaf_CertificateCRL is enabled, it will try to download the CRL automatically.