When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation; William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, and you’re going to learn a ton.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

What is FIDO?

FIDO (Fast Identity Online) serves as an industry working group focused on developing authentication standards. Unlike open-source projects, FIDO operates as a closed consortium that defines critical security protocols. William explained that FIDO began with U2F (Universal Second Factor) authentication, which evolved into the Client to Authenticator Protocol (CTAP).

The relationship between standards bodies creates part of the complexity. FIDO defines CTAP (now on version 2.1), while the W3C defines WebAuthn. These interconnected specifications must coexist despite coming from different organizations.

How WebAuthn Authentication Works

The evolution from U2F to WebAuthn changed how we can authenticate. WebAuthn introduced self-contained multi-factor authenticators, the most famous example of which is passkeys.

This shift places enormous trust in the authenticators. But not all authenticators are created equal. William provided an example from Bitwarden’s passkey implementation. When Bitwarden prompts you to continue logging in via its extension, it sets the user verification flag to “true” without requiring you to re-enter your master password. The website receiving this assertion believes verification occurred when it actually didn’t (it should be noted that both William and I think Bitwarden is great; this is just an example).

The Importance of Attestation

Given this trust model, how can a service provider ensure that users employ sufficiently secure authenticators? The answer lies in attestation, one of the hardest problems we have in security.

“This is where the FIDO MDS becomes important. MDS is the list of active attestation CAs and what devices they are actually administering over.”

For high-security environments like banking (at least banks outside the US), this mechanism lets a service enforce authenticator requirements. We want to guarantee that users are storing the authentication data in something secure, like maybe a YubiKey, and we want to know that that YubiKey is trustworthy.

The FIDO Metadata Service (MDS)

The FIDO Metadata Service serves as the authoritative registry of authenticators. It catalogs device capabilities, trustworthiness, and attestation certificates. It’s like a certificate transparency list for authenticators.

The MDS having problems is why I was chatting with William in the first place. The MDS should provide reliable information for making trust decisions about authenticators, but it regularly fails to meet this requirement.

According to William, FIDO keeps changing the layout of the MDS specification without updating the published data to match. He has a parser, written to strictly follow the specification, that often detects errors in the MDS data. For example, in the past year FIDO updated the MDS and broke it three times.
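As an added illustration (this is not William’s parser and not FIDO’s code), here is a strict reader for MDS BLOB entries in the shape of the MDS v3 payload as I know it, which reports malformed entries instead of trusting them, plus the registration-time policy check a relying party would build on top of it. The sample entries are constructed, the root certificate is a placeholder, and the status codes are reproduced from memory of the spec rather than from this page.

```python
import base64
import uuid
# statusReports[].status codes from the MDS v3 spec as I recall it (not from the page).
KNOWN_STATUS = {"NOT_FIDO_CERTIFIED", "FIDO_CERTIFIED", "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE", "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE",
    "UPDATE_AVAILABLE", "REVOKED", "SELF_ASSERTION_SUBMITTED", "FIDO_CERTIFIED_L1",
    "FIDO_CERTIFIED_L1plus", "FIDO_CERTIFIED_L2", "FIDO_CERTIFIED_L2plus", "FIDO_CERTIFIED_L3",
    "FIDO_CERTIFIED_L3plus"}
# Statuses after which a relying party should stop trusting the device.
DISQUALIFYING = {"USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED"}

def parse_entry(entry):
    """Strictly validate one BLOB entry; raise on any deviation from the schema."""
    aaguid = str(uuid.UUID(entry["aaguid"]))          # KeyError/ValueError if malformed
    ms = entry["metadataStatement"]
    # DER bytes of each attestation root CA; validate=True rejects sloppy base64.
    roots = [base64.b64decode(c, validate=True) for c in ms["attestationRootCertificates"]]
    if not roots or ms.get("aaguid") != aaguid:
        raise ValueError("empty attestationRootCertificates or aaguid mismatch")
    statuses = {r["status"] for r in entry["statusReports"]}
    if not statuses or not statuses <= KNOWN_STATUS:
        raise ValueError(f"missing or unknown status: {statuses - KNOWN_STATUS}")
    return aaguid, roots, statuses

def load_blob(entries):
    """Parse every entry; malformed ones are reported, never silently trusted."""
    good, bad = {}, {}
    for i, e in enumerate(entries):
        try:
            aaguid, roots, statuses = parse_entry(e)
            good[aaguid] = (roots, statuses)
        except (KeyError, TypeError, ValueError) as err:
            bad[i] = f"{type(err).__name__}: {err}"
    return good, bad

def trust_decision(good, aaguid):
    """Registration policy: allow only MDS-listed devices with no compromise status."""
    if aaguid not in good:
        return False, "not in MDS"
    roots, statuses = good[aaguid]
    if statuses & DISQUALIFYING:
        return False, "status " + ",".join(sorted(statuses & DISQUALIFYING))
    return True, roots   # caller chains the attestation certificate to one of these

# Constructed sample entries (not real MDS data): valid, malformed AAGUID, revoked.
FAKE_ROOT = base64.b64encode(b"constructed-der-placeholder").decode()
def _entry(aaguid, status):
    return {"aaguid": aaguid, "statusReports": [{"status": status}],
            "metadataStatement": {"aaguid": aaguid, "attestationRootCertificates": [FAKE_ROOT]}}
SAMPLE_ENTRIES = [_entry("00000000-1111-2222-3333-444444444444", "FIDO_CERTIFIED_L1"),
                  _entry("not-a-uuid", "FIDO_CERTIFIED"),
                  _entry("00000000-1111-2222-3333-555555555555", "REVOKED")]
```

Running `load_blob(SAMPLE_ENTRIES)` accepts the first and third entries and reports the second, which is the behaviour a strict parser should have when the published data drifts from the specification.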

The obvious question would be “why can’t you help them?”, but FIDO is an industry group with a hefty entrance fee. It’s not an open group that anyone can help out with. This is an unfortunate reality of some

Practical Recommendations for Security Professionals

William had a few suggestions on which hardware tokens are the best: YubiKey, FEITIAN, and Token2. YubiKey is the best by a wide margin, thanks to its tamper-proof manufacturing, shipping the tokens in packaging that’s hard to remove the key from, and really great hardware on the inside.

What now?

Even though William had some complaints about the FIDO group, he has an encyclopedic amount of knowledge around FIDO, U2F, and WebAuthn. It was super fun learning about these technologies and I can’t wait to have William back for more discussions. It would be lovely if FIDO found a way to include someone like William, but given past experiences with such groups, I’m not optimistic.