Product Documentation

This section of the Policy is optional. If you don’t want MDS to be checked, do not specify it in the policy.

This API allows Relying Parties to retrieve current information about FIDO authenticators. The type of information that can be retrieved includes the following:

  • version number
  • algorithms
  • user verification method
  • status report

In the MDS object, locate authenticatorStatusReport; it is a list of statuses and how SKFS will handle them.


authenticatorStatusReport

This is a list of all expected status reports and how SKFS should handle them. The status reports are retrieved from the MDS and checked whenever a new registration occurs. During registration the authenticator returns an AAGUID that uniquely identifies the exact make and model of the authenticator. SKFS then looks up the status report for that model in the MDS. The status can be any of the following:

    "NOT_FIDO_CERTIFIED",
    "FIDO_CERTIFIED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
    "UPDATE_AVAILABLE",
    "REVOKED",
    "SELF_ASSERTION_SUBMITTED",
    "FIDO_CERTIFIED_L1",
    "FIDO_CERTIFIED_L2",
    "FIDO_CERTIFIED_L3",
    "FIDO_CERTIFIED_L4",
    "FIDO_CERTIFIED_L5"

NOTE: If MDS is enabled in properties then UPDATE_AVAILABLE and REVOKED must be present as Status values of authenticatorStatusReport entries.

There are three parts to authenticatorStatusReport:

  • Status is the authenticator status to which this behavior pertains
  • Priority is the priority of this status in comparison to all the others [Not currently implemented]
  • Decision is how the FIDO Server should act; accepted values: DENY | IGNORE | ACCEPT
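The following is an added example, not code or configuration from SKFS, showing how a policy built from these three parts can be applied to the status history an MDS lookup returns for an AAGUID. The key names `status`, `priority` and `decision` in the policy fragment, the outer `mds` object, and the AAGUIDs and status histories in the MDS excerpt are all constructed for illustration. Two behaviours go beyond what the text states and are assumptions of this example: an AAGUID that is absent from the MDS, and a status that the policy does not map, both fail closed to DENY, and `priority` is carried but not consulted, matching the note above that it is not yet implemented.

```python
import json

ALLOWED_DECISIONS = {"DENY", "IGNORE", "ACCEPT"}
# The NOTE above: when MDS is enabled, these two statuses must be mapped.
REQUIRED_STATUSES = {"UPDATE_AVAILABLE", "REVOKED"}

# Constructed policy fragment (key names are assumed, not copied from SKFS).
POLICY_JSON = """
{
  "mds": {
    "authenticatorStatusReport": [
      {"status": "FIDO_CERTIFIED",               "priority": 1, "decision": "ACCEPT"},
      {"status": "FIDO_CERTIFIED_L1",            "priority": 1, "decision": "ACCEPT"},
      {"status": "FIDO_CERTIFIED_L2",            "priority": 1, "decision": "ACCEPT"},
      {"status": "NOT_FIDO_CERTIFIED",           "priority": 2, "decision": "DENY"},
      {"status": "SELF_ASSERTION_SUBMITTED",     "priority": 2, "decision": "DENY"},
      {"status": "UPDATE_AVAILABLE",             "priority": 3, "decision": "IGNORE"},
      {"status": "USER_VERIFICATION_BYPASS",     "priority": 4, "decision": "DENY"},
      {"status": "ATTESTATION_KEY_COMPROMISE",   "priority": 4, "decision": "DENY"},
      {"status": "USER_KEY_REMOTE_COMPROMISE",   "priority": 4, "decision": "DENY"},
      {"status": "USER_KEY_PHYSICAL_COMPROMISE", "priority": 4, "decision": "DENY"},
      {"status": "REVOKED",                      "priority": 5, "decision": "DENY"}
    ]
  }
}
"""

# Constructed MDS excerpt: AAGUID -> status history (oldest first), modelled on
# the MDS "statusReports" shape. The AAGUIDs are placeholders, not real devices.
MDS_SAMPLE = {
    "11111111-1111-1111-1111-111111111111": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2019-04-01"},
        {"status": "UPDATE_AVAILABLE", "effectiveDate": "2021-06-15"},
    ],
    "22222222-2222-2222-2222-222222222222": [
        {"status": "FIDO_CERTIFIED", "effectiveDate": "2018-01-10"},
        {"status": "USER_KEY_PHYSICAL_COMPROMISE", "effectiveDate": "2022-02-02"},
    ],
    "33333333-3333-3333-3333-333333333333": [
        # FIDO_CERTIFIED_L3 is deliberately left out of POLICY_JSON above.
        {"status": "FIDO_CERTIFIED_L3", "effectiveDate": "2020-09-09"},
    ],
}


def load_policy(policy_text):
    """Parse the policy fragment into {status: decision}, rejecting bad input."""
    entries = json.loads(policy_text)["mds"]["authenticatorStatusReport"]
    decisions = {}
    for entry in entries:
        status, decision = entry["status"], entry["decision"]
        if decision not in ALLOWED_DECISIONS:
            raise ValueError(f"{status}: decision must be DENY, IGNORE or ACCEPT, got {decision!r}")
        if status in decisions:
            raise ValueError(f"{status}: listed more than once")
        decisions[status] = decision
    missing = REQUIRED_STATUSES - decisions.keys()
    if missing:
        raise ValueError(f"MDS enabled but policy does not map {sorted(missing)}")
    return decisions


def decide(decisions, status_reports):
    """Apply the policy to an authenticator's full status history.

    Any DENY in the history wins; IGNORE entries contribute nothing; the
    registration is accepted only if at least one ACCEPT status remains.
    An empty history or an unmapped status fails closed (assumption).
    """
    if not status_reports:
        return "DENY"
    outcomes = set()
    for report in status_reports:
        decision = decisions.get(report["status"])
        if decision is None:
            return "DENY"  # status the policy never anticipated
        outcomes.add(decision)
    if "DENY" in outcomes:
        return "DENY"
    return "ACCEPT" if "ACCEPT" in outcomes else "DENY"


def check_registration(decisions, mds, aaguid):
    """Look up the AAGUID reported during registration and decide."""
    return decide(decisions, mds.get(aaguid.lower(), []))


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for aaguid in list(MDS_SAMPLE) + ["00000000-0000-0000-0000-000000000000"]:
        print(aaguid, check_registration(policy, MDS_SAMPLE, aaguid))
```

The first AAGUID is accepted because its only non-ACCEPT status is UPDATE_AVAILABLE, which the policy maps to IGNORE; the second is denied by the later USER_KEY_PHYSICAL_COMPROMISE entry even though it was once certified; the third is denied only because the policy omits FIDO_CERTIFIED_L3, which is the case to watch for when the status list on this page gains a value your policy has not been updated to map.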