FIDO Alliance Metadata Service

The FIDO Metadata Service (MDS) helps ensure you have the information necessary to successfully validate authenticators. As your organization deploys passkeys and FIDO authentication, it is critical to distinguish between trusted, certified authenticators and unverified implementations.

MDS supplies the information you need to validate all authenticators that connect to your service. For example, with MDS you can check attributes to verify whether authenticators come from a proven FIDO Certified device. MDS integration is designed to be low-maintenance and equips you with the ability to:

  • Verify provenance: Validate that an authenticator is FIDO Certified and distinguish legitimate passkey providers from unknown or non-compliant passkey providers.
  • Enforce policy: Make permit or restrict decisions based on a passkey provider’s specific capabilities (e.g., “Must have biometrics” or “Must be FIDO Certified to at least L3”).
  • Mitigate risk: Stay up to date with the information your server needs to grant or deny devices access to your systems, which helps you revoke trust rapidly.
  • Optimize the UX: Use MDS data to recognize specific device models, display the correct authenticator icon, and tailor instructions based on the device’s actual capabilities (e.g., distinguishing between a biometrics-only platform and a USB security key).

How it Works

MDS acts as a global registry of passkey capabilities and equips your FIDO server with the intelligence needed to make data-driven decisions about which devices are allowed to access your systems.

Your FIDO server allows you to configure an automated download of the Metadata BLOB, a single, digitally signed file that contains the complete, up-to-date registry of all FIDO Certified devices. When a user authenticates, your server validates their device against this local registry in real time.
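
An added example (not FIDO Alliance code) of the lookup a relying party performs against its cached copy of the BLOB. It assumes the BLOB's signature has already been verified against the root certificate and its payload parsed; the field names and status values follow the MDS3 specification, while the `evaluate` function, the sample AAGUIDs and payload, and the fail-closed choices are constructed for illustration.

```python
from datetime import date

# AuthenticatorStatus values (MDS3 specification) that signal lost trust.
DENY_STATUSES = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
                 "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}
# Certification statuses mapped to a comparable rank (ranking is this example's choice).
CERT_RANK = {"FIDO_CERTIFIED": 1, "FIDO_CERTIFIED_L1": 1, "FIDO_CERTIFIED_L1plus": 2,
             "FIDO_CERTIFIED_L2": 3, "FIDO_CERTIFIED_L2plus": 4,
             "FIDO_CERTIFIED_L3": 5, "FIDO_CERTIFIED_L3plus": 6}

def evaluate(payload, aaguid, min_status="FIDO_CERTIFIED_L1", today=None):
    """Return (allowed, reason) for an AAGUID against a verified, parsed BLOB payload."""
    today = today or date.today()
    # Assumption: a cache older than nextUpdate may miss revocations, so fail closed.
    if date.fromisoformat(payload["nextUpdate"]) < today:
        return False, "cached BLOB is past nextUpdate"
    entry = next((e for e in payload["entries"]
                  if e.get("aaguid") == aaguid.lower()), None)
    if entry is None:
        return False, "AAGUID not in metadata"
    statuses = [r["status"] for r in entry.get("statusReports", [])]
    # Conservative: any compromise or revocation report denies, whatever its position.
    bad = sorted(DENY_STATUSES.intersection(statuses))
    if bad:
        return False, "status " + bad[0]
    best = max((CERT_RANK.get(s, 0) for s in statuses), default=0)
    if best < CERT_RANK[min_status]:
        return False, "certification below " + min_status
    return True, "ok"

# Constructed sample payload: two made-up entries, not real authenticators.
SAMPLE = {
    "no": 1, "nextUpdate": "2030-01-01",
    "entries": [
        {"aaguid": "00000000-0000-0000-0000-0000000000a1",
         "statusReports": [{"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2024-01-01"}]},
        {"aaguid": "00000000-0000-0000-0000-0000000000b2",
         "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-01-01"},
                           {"status": "REVOKED", "effectiveDate": "2025-01-01"}]},
    ],
}

if __name__ == "__main__":
    for guid in ("00000000-0000-0000-0000-0000000000a1",
                 "00000000-0000-0000-0000-0000000000b2"):
        print(guid, evaluate(SAMPLE, guid, today=date(2026, 1, 1)))
```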

Get started

Access the resources you need to implement MDS with your FIDO server (relying party) or submit metadata if you are an authentication vendor. All licensing information can be found in HTML and PDF formats here.

For Relying Parties and Developers

The following FIDO Metadata Service resources are for service providers, relying parties, and developers that have implemented, or are implementing, FIDO Authentication.

MDS Implementation

  • Access the MDS3 BLOB: This master registry file (JSON) contains metadata for all registered passkeys. We suggest downloading the BLOB once a month and then caching its content because the MDS data does not change often. This file is public and does not require an authorization token to fetch. https://mds3.fidoalliance.org/
  • Root Certificate: The GlobalSign R3 root certificate is required to verify the BLOB’s digital signature. Relying Parties must validate the chain of trust against this root to ensure data integrity. https://valid.r3.roots.globalsign.com/
  • Metadata Convenience Service: Provides a subset of MDS data aimed at UX, such as user-friendly names for authenticators, and light and dark logo images that can be incorporated into user display. https://c-mds.fidoalliance.org/

Developer Resources

Policy and Licensing

For Authenticator Vendors

The following FIDO Metadata Service resources are for companies submitting device data to the FIDO Metadata Service.

  • Log in to Submit Metadata (MyMDS): The Submission Portal for authenticator vendors. Log in here to upload your Metadata Statements. Once approved, statements are automatically added to the global MDS3 BLOB. https://mymds.fidoalliance.org/

Policy
