Copyright © 2016-2020 FIDO Alliance All Rights Reserved.
The fields in the Authenticator Metadata will be the primary method of communicating Authenticator Certification status and details about implementations to Relying Parties (RPs).
This section describes the status of this document at the time of its publication. Other documents may supersede this document. The most recent version of this document can be found on the FIDO Alliance Website at https://fidoalliance.org.
This document was published by the FIDO Alliance as a Final Requirements Document. If you wish to make comments regarding this document, please Contact Us. All comments are welcome.
No rights are granted to prepare derivative works of this document. Entities seeking permission to reproduce portions of this document for other uses must contact the FIDO Alliance to determine whether an appropriate license for such use is available.
Implementation of certain elements of this Requirements Document may require licenses under third party intellectual property rights, including without limitation, patent rights. The FIDO Alliance, Inc. and its Members and any other contributors to the Requirements Document are not, and shall not be held, responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights.
THIS FIDO ALLIANCE REQUIREMENTS DOCUMENT IS PROVIDED “AS IS” AND WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTY OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
This document reflects the Metadata Requirements for Authenticator Certification.
Mandatory fields are required to be evaluated by the FIDO Security Secretariat (Level 1), or the FIDO Accredited Security Laboratory (Level 2 and above) and submitted to FIDO Security Secretariat as part of the Certification Request. Submitted metadata will be verified to be an accurate representation of the implementation.
Submission of Metadata to the FIDO Metadata Service (MDS) is optional, and can be done after recieving FIDO Authenticator Certification. If Metadata is submitted to MDS, the elements marked herin as Mandatory (and applicable to the product type under certification) must be submitted and must match the Metadata submitted to FIDO during Authenticator Certification.
For each field listed in this document an Application Note is provided. All these fields are described in [FIDOMetadataStatement] and/or [FIDOMetadataService] document.
The following Functional Metadata Fields are Mandatory for Authenticator Certification when applicable.
|VerificationMethodDescriptor||Applicable to all.|
|verificationMethodANDCombination||Applicable to all.|
|AAID||Applicable to FIDO UAF.|
|AAGUID||Applicable to FIDO 2.0.|
|attestationCertificateKeyIdentifiers||Applicable to all.|
|description||Applicable to all.|
|authenticatorVersion||Applicable to all.|
|protocolFamily||Applicable to all.|
|upv||Applicable to all.|
|userVerificationDetails||Applicable to all.|
|attachmentHint||Applicable to all.|
|isSecondFactorOnly||Applicable to all.|
|tcDisplay||Applicable to all.|
|tcDisplayContentType||Applicable to all.|
The following Security-related Metadata Fields are Mandatory for Authenticator Certification when applicable.
|CodeAccuracyDescriptor||Applicable to all.|
|PatternAccuracyDescriptor||Applicable to all.|
|EcdaaTrustAnchor||Applicable in the case of ECDAA attestation|
|attestationRootCertificate||Applicable in the case of ECDAA attestation|
|assertionScheme||Applicable to all.|
|authenticationAlgorithm||Applicable to all.|
|publicKeyAlgAndEncoding||Applicable to all.|
|attestationTypes||Applicable to all.|
|keyProtection||Applicable to all.|
|matcherProtection||Applicable to all.|
|isKeyRestricted||Applicable to all.|
|isFreshUserVerificationRequired||Applicable to all.|
|certificationDescriptor||Applicable to all.|
|certificateNumber||Applicable to all.|
|certificationRequirementsVersion||Applicable to all.|
|cryptoStrength||Applicable to Authenticators certified at L2 or above|
|operatingEnv||Applicable to Authenticators certified at L2 or above|
Providing the biometry related Metadata Statement field [FIDOMetadataStatement] is not mandatory for passing FIDO Authenticator Certification at L2 and below.
|BiometricAccuracyDescriptor||Applicable to the FIDO Biometrics Component|
|selfAttestedFRR||Applicable to the FIDO Biometrics Component|
|selfAttestedFAR||Applicable to the FIDO Biometrics Component|
|maxTemplates||Applicable to the FIDO Biometrics Component|
|maxRetries||Applicable to the FIDO Biometrics Component|
|blockSlowdown||Applicable to the FIDO Biometrics Component|
SRWG recommends the use of the Status Dictionary to report the issue dates of Certifications within the array of status report entries. Default status to as “not FIDO Certified” and status is updated to include Certifications as they are achieved. Each Certification would have a separate entry.