It’s a JSON! It looks like MDS2? Nope, that’s MDS3!

This is a continuation of our series on WebAuthn and FIDO2.

Recently the FIDO Alliance released a new version of the metadata specification. And it is not a case of simply adding a few new fields and calling it a day.

MDS3 entirely overhauls the metadata schema: it deletes old fields, merges some, and replaces numerical values and flags with strings, in addition to major improvements to the Metadata Service.

Changes to Metadata Service

First, and most important: YOU NO LONGER NEED AN ACCESS TOKEN TO ACCESS MDS.

You can find all the access info on the FIDO Alliance website: https://fidoalliance.org/metadata/

Second, and no less important…


This is a continuation of our series on WebAuthn and FIDO2.

The fancies of wine are authentic events
- Italo Svevo

There is no doubt that attestation is a misunderstood and sometimes controversial topic. I’ve been personally present at a few heated discussions that some might mistake for an upcoming fight scene, and thought that it might be time to call the police. Gladly no police were involved, and we would leave for a pub to change the topic and discuss life, hobbies, travel and family.

Attestation is one of the most important and at the same time useless mechanisms…


Disclaimer: Thoughts expressed here are my own, and not those of my employers.

Recently Cloudflare released their FIDO-based CAPTCHA replacement. You can read more about it at https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/, and try it at https://cloudflarechallenge.com/. In a nutshell, this is how it works:

1. User gets the FIDO CAPTCHA page.

2. User clicks “I am human”.

3. User’s security key lights up. User taps the security key.

4. Browser asks if the user allows Cloudflare to receive the device attestation.


Please note that this is an advanced post, and requires prior understanding of FIDO2 attestations. You can read more about them here.

The apple does not fall far from the Packed… TPM…

https://commons.wikimedia.org/wiki/File:Apple_and_Orange_-_they_do_not_compare.jpg

As the proverb goes, it’s all almost exactly the same as Packed attestation, with the nonce in the attestation certificate… like TPM… Without further ado, let’s verify it, shall we?

If you check attStmt and it contains “x5c”, it is a FULL attestation. FULL basically means that it is an attestation that chains to the manufacturer. It is signed by a batch private key, whose public key is…


CTAP1 my U2F you FIDO2 CTAP2.

If you are confused by all the various FIDO terms, you are not alone. Over the years FIDO has expanded from two to a dozen working groups. Standards started overlapping and carrying backwards compatibility, and everything went, terminologically speaking, bonkers.

TL;DR image

So here is a breakdown:

  • FIDO: Fast IDentity Online, or the FIDO Alliance. As I explained earlier, it is a consortium that develops secure, open, phishing-proof, passwordless authentication standards. The FIDO Protocol Family is the set of protocols developed by the FIDO Alliance: UAF (Universal Authentication Framework), U2F (Universal Second Factor), and FIDO2. …


…or Level 1 Credential Management API extension for Public Key Credentials, and the untold stories of managing credentials in the browser…

What should I expect from this article?

Learn what FIDO2 and WebAuthn are, and how to use them to kill passwords.

What is not going to be here?

Assertion and attestation verification. This is done by the server, and is described in my series of articles: “WebAuthn/FIDO2: Verifying responses”.

Table of contents

A long time ago in a galaxy far, far away

Phishing!

Was killed by WebAuthn!… Or FIDO2… Hm… What do these terms even mean?

Well, if…


Please note that this is an advanced post, and requires prior understanding of FIDO2 attestations. You can read more about them here.

Security, yeah
That’s all I want from you, oh now
Security, yeah
And a little love that will be true, oh
— Otis Redding — Security

Android KeyStore is a key management container that defends key material from extraction. Depending on the device, it can be either software- or hardware-backed. The main functionality of the KeyStore is to manage and store keys, and to encrypt, decrypt and sign with them.

One of the important features of KeyStore is the ability to provide attestation…


Please note that this is an advanced post, and requires prior understanding of FIDO2 attestations. You can read more about them here.

It is 2014. Pharrell Williams’s “Happy” is topping the charts. Obama is still President. And U2F has just been released, with a simple merged-buffer response structure. Then everyone decided that CBOR was the new cool kid in town and slapped it on top of U2F, creating FIDO2 Packed attestation.

A sample FIDO2 packed attestation response. The fields are hex-encoded for simplicity.

Verifying packed attestation is probably the simplest of all attestations. …

Ackermann Yuriy

FIDO, Identity, Standards
