FIDO Alliance Metadata Service
The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators.
FIDO MDS Purpose
The universe of FIDO authenticators is dynamic. Vendors are frequently releasing new authenticators or updating existing ones. In addition, vulnerabilities may be discovered in existing authenticators, requiring that their use be limited or phased out.
FIDO servers can validate the integrity of a device population by periodically downloading a digitally signed metadata Table of Contents (TOC) file. For each authenticator the TOC records the URL of its metadata statement, a hash used to verify that statement, and its current certification status.
An organization deploying FIDO should keep its metadata database up to date so that it has the latest information about new authenticators, including their certification status, and so that it learns promptly about newly discovered vulnerabilities in authenticators it currently trusts.
What are the new Legal Terms?
The biggest change in MDS 2.0 is the introduction of new legal terms for both authenticator vendors and consumers of metadata (relying parties). The MDS 2.0 legal terms can be viewed at the URLs listed below:
- Publisher Terms for Authenticator vendors who publish metadata:
- Usage Terms for Relying parties or any one who wishes to access Metadata:
How do I Get an Access Token?
To retrieve metadata statements or the TOC (the Table of Contents listing all metadata statements), you must first register for an MDS Access Token. To do this, visit: https://mds2.fidoalliance.org/tokens/
How do I Retrieve the TOC file from MDS2?
Once you have been issued an Access Token, you can download the metadata TOC from the URL below, substituting your own token string for the token parameter.
Example (this does not use a valid token) : https://mds2.fidoalliance.org/?token=6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000
This downloads the TOC file (toc.jwt) in compact JWT format: three base64url-encoded segments (header, payload, signature) separated by dots, which is not directly human-readable.
How do I View a readable TOC file?
- Visit JWT decoding web site: https://jwt.io
- Click on Debugger at the top (or scroll down)
- On the Debugger page, in the Encoded box on the left side, replace all existing text with the encoded string from the toc.jwt file. The decoded payload appears on the right. Note that this only decodes the TOC; it does not prove the signature is valid unless you also supply the signer's public key.
How do I verify the digital signature in the TOC?
The TOC is a digitally signed document (a JWS). The signing certificate chain is carried in the x5c field of the JWT header and must chain up to the FIDO Alliance root. To verify the digital signature, use the following information:
- The root certificate from the FIDO Alliance is available at https://mds.fidoalliance.org/Root.cer
- To validate the digital certificates used in the signature, certificate revocation information is published in the form of CRLs at the following locations:
How do I View Metadata statement for an authenticator?
The URLs in the TOC corresponding to each authenticator will be of the format:
This URL will no longer work as is. You must now append your Access Token to it as shown below (the example does not use a valid token):
Once you retrieve the metadata statement, it will be in Base64 (base64url) format. Use https://www.base64decode.org/ to decode it and see a readable form of the metadata statement. Before relying on a statement, compare the hash of the downloaded file with the hash recorded for that authenticator in its TOC entry; a mismatch means the statement is not the one the signed TOC vouches for.
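The two manual steps above (decoding the TOC JWT, then decoding and checking a metadata statement) can be scripted. The following is an added example, not code from the FIDO Alliance or the MDS documentation, and it runs offline on a constructed, unsigned sample TOC and statement. It assumes the MDS2 conventions that the TOC entry hash is a base64url-encoded SHA-256 over the statement bytes exactly as downloaded, and that status report values such as FIDO_CERTIFIED and REVOKED are used; the placeholder AAGUID and URL are not real. It deliberately does not verify the JWS signature: for a real TOC that step must be done with a JWS library against the x5c chain in the header and Root.cer, before any of the payload is trusted.

```python
"""Decode an MDS2 TOC JWT and check a metadata statement against its TOC entry.

Added example (not FIDO Alliance code). The sample TOC below is constructed
and UNSIGNED; a real TOC's signature must be verified separately.
"""
import base64
import hashlib
import json

# Status values a relying party should treat as disqualifying (MDS2 status report names).
BAD_STATUSES = (
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
    "REVOKED",
)


def b64url_decode(s: str) -> bytes:
    # JWT segments and MDS2 payloads use base64url without '=' padding; restore it.
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def decode_toc(jwt: str):
    """Split a compact JWS into (header, payload). Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def statement_hash(downloaded: bytes) -> str:
    # Assumption: the TOC 'hash' is base64url(SHA-256) over the bytes as downloaded
    # from the entry's URL, i.e. over the base64url text, not the decoded JSON.
    return b64url_encode(hashlib.sha256(downloaded).digest())


def verify_statement(entry: dict, downloaded: bytes) -> dict:
    """Reject a statement whose hash differs from its TOC entry; otherwise decode it."""
    if statement_hash(downloaded) != entry["hash"]:
        ident = entry.get("aaguid") or entry.get("aaid") or "<unknown>"
        raise ValueError(f"metadata statement hash mismatch for {ident}")
    return json.loads(b64url_decode(downloaded.decode()))


def check_status(entry: dict) -> bool:
    """True if none of the entry's status reports carries a disqualifying status."""
    return not any(r.get("status") in BAD_STATUSES for r in entry.get("statusReports", []))


# Constructed sample data (placeholder AAGUID and URL; not a real product).
SAMPLE_STATEMENT = {
    "description": "Example Authenticator (constructed sample)",
    "aaguid": "00000000-0000-0000-0000-000000000000",
    "protocolFamily": "fido2",
    "authenticatorVersion": 1,
}
# What a GET on the entry's URL would return: the statement, base64url-encoded.
SAMPLE_DOWNLOAD = b64url_encode(json.dumps(SAMPLE_STATEMENT).encode()).encode()


def build_sample_toc() -> str:
    """Build an unsigned compact JWS carrying one TOC entry for the sample statement."""
    payload = {
        "no": 1,
        "nextUpdate": "2019-01-01",
        "entries": [{
            "aaguid": SAMPLE_STATEMENT["aaguid"],
            "url": "https://example.invalid/metadata/sample",  # placeholder shape only
            "hash": statement_hash(SAMPLE_DOWNLOAD),
            "statusReports": [{"status": "FIDO_CERTIFIED", "effectiveDate": "2018-01-01"}],
            "timeOfLastStatusChange": "2018-01-01",
        }],
    }
    header = {"alg": "none", "typ": "JWT"}  # sample only; a real TOC uses ES256 with x5c
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     ""])


if __name__ == "__main__":
    header, payload = decode_toc(build_sample_toc())
    entry = payload["entries"][0]
    statement = verify_statement(entry, SAMPLE_DOWNLOAD)
    print(header["alg"], payload["no"], statement["description"], check_status(entry))
    # A statement edited in transit no longer matches the hash in the signed TOC.
    tampered = b64url_encode(json.dumps({**SAMPLE_STATEMENT, "description": "x"}).encode()).encode()
    try:
        verify_statement(entry, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The hash check is what ties an individually downloaded statement back to the signed TOC, so it is the step to keep even when the download itself happens over TLS; the status check is where an RP turns the TOC's revocation information into a policy decision.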
How do I publish my authenticator’s metadata?
The Authenticator vendors portal for metadata submission can be accessed at https://mymds2.fidoalliance.org/
How do I get a Vendor ID?
For UAF authenticator vendors only: to publish a metadata statement, UAF authenticator vendors must first obtain a Vendor ID issued by the Alliance.