3.1.1 – May 26, 2026
Please review the following changelog entry along with the updated specifications. If you are a vendor listing in the MDS, please review to see if any of the new values apply to your products. If you are a relying party (RP) consuming the MDS data, please review the updates to ensure your service is compatible.
Several changes to the MDS3 service were rolled out. These changes incorporate the updates in the FIDO CTAP 2.3 and FIDO Registry of Predefined Values 2.3 specs. The 3.1.1 Proposed Standard spec now references Registry 2.3.
In addition, improvements have been made to the UI copy within the MDS Portal to add clarity and enhance the user experience. These changes are focused on creating a better user experience and should not affect functionality.
Fixed
MDS Console
Improvements have been made to the UI copy within the MDS Portal to add clarity and enhance the user experience. These updates should not affect functionality.
Changed
LongTouchForReset data type (FIDO CTAP 2.3)
LongTouchForReset: Changed the data type from uint? to bool? to better reflect the boolean nature of the long touch requirement for device resets.
Authenticator Service Updates (FIDO Registry of Predefined Values 2.3)
Added new attestation types: none and anonca.
Validation Changes (FIDO Registry of Predefined Values 2.3)
Root Certificate Validation: Updated ValidateAttestationRootCertificates to allow empty certificate arrays if the attestation type is none or anonca.
View the FIDO Registry of Predefined Values 2.3.
Infrastructure – Rate Limit Change
Rate limiting for the MDS3 BLOB download service has been adjusted. The previous setting limited downloads to two times per minute based on the requesting IP address. The limit has been adjusted to limit downloads to once per hour.
Reminder – localCopySerial Parameter
Please note that there is an optional parameter, localCopySerial, for requesting the MDS3 metadata BLOB. Adding this parameter to the GET request with the serial number of the MDS3 BLOB lets you check whether a newer version is available (e.g. ?localCopySerial=xx).
If there is not a newer version, the service will return an HTTP code of 304 (Not Modified).
For more details, refer to the FIDO Metadata Service – Sec. 3.2 Metadata BLOB object processing rules.
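A relying-party polling loop that stays within the once-per-hour limit and uses localCopySerial, as an added example that is not FIDO Alliance code. BlobPoller, blob_serial, the injected fetch(url) -> (status, body) callable and the returned status strings are hypothetical names; it assumes every request counts toward the limit and that the serial is the "no" field of the BLOB's JWT payload.

```python
import base64
import json
import time
from urllib.parse import urlencode

MIN_INTERVAL_S = 3600  # changelog: BLOB downloads limited to once per hour


def blob_serial(jwt_blob: str) -> int:
    """Read the 'no' (serial) field from the BLOB's JWT payload.
    Signature and certificate-chain checks (Metadata Service Sec. 3.2) are
    not shown here and must pass before the payload is trusted."""
    payload = jwt_blob.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["no"])


class BlobPoller:
    def __init__(self, url, fetch, clock=time.time):
        self.url, self.fetch, self.clock = url, fetch, clock
        self.blob = None          # last accepted BLOB (compact JWT string)
        self.serial = None        # serial number of that BLOB
        self.last_request = None  # time the last request was actually sent

    def poll(self) -> str:
        now = self.clock()
        if self.last_request is not None and now - self.last_request < MIN_INTERVAL_S:
            return "throttled"     # stay under the limit, keep serving the cache
        url = self.url
        if self.serial is not None:
            url += "?" + urlencode({"localCopySerial": self.serial})
        self.last_request = now
        status, body = self.fetch(url)
        if status == 304:
            return "not_modified"  # local copy is still the newest
        if status != 200:
            return "error"         # keep the cached copy on any other status
        serial = blob_serial(body)
        if self.serial is not None and serial <= self.serial:
            return "stale"         # never replace the cache with an older BLOB
        self.blob, self.serial = body, serial
        return "updated"
```

Persist serial and last_request across restarts, otherwise a restarting service sends an unconditional request each time it starts.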
Added
AuthenticatorGetInfo properties (FIDO CTAP 2.3)
New properties were added to the AuthenticatorGetInfo class to support expanded authenticator capabilities and security policies:
- EncIdentifier (string)
- TransportsForReset (string[])
- PinComplexityPolicy (bool?)
- PinComplexityPolicyURL (string)
- MaxPINLength (uint?)
- EncCredStoreState (string)
- AuthenticatorConfigCommands (ulong[])
Refer to the section 6.4. authenticatorGetInfo (0x04) of the Client to Authenticator Protocol (CTAP) standard for more detailed information.
Options Class Updates (FIDO CTAP 2.3)
PerCredMgmtRO (bool?): Added support for read-only Per-Credential Management, allowing for more granular control over how credentials are managed on the device.
Core Logic and Enums (FIDO Registry 2.3)
- Added New Enums:
  - AuthenticationAlgorithm: Added ed448_eddsa_sha512_raw.
  - AttestationType: Added none and anonca.
  - KeyProtectionType: Added sync_fabric.
  - AttachmentHint: Added smart-card.
MDS3 Statement Updates (FIDO CTAP 2.3)
- Added support for new authentication algorithms: ed448_eddsa_sha512_raw.
- Added support for new attestation types: none and anonca.
- Added sync_fabric to KeyProtectionType flags.
- Added smart_card as a valid AttachmentHint.
- Expanded AuthenticatorGetInfo to include: EncIdentifier, TransportsForReset, PinComplexityPolicy, MaxPINLength, and AuthenticatorConfigCommands.
- Expanded Options model to include: PerCredMgmtRO.
