Monday, March 23, 2020

Obtaining device metadata for FIDO / FIDO2 security devices

Zoo of FIDO2 security keys
Last year, I started my journey to passwordless logins. I bought my first FIDO2 USB security key. Then, I added the key as an alternative to time-based one-time passwords (TOTP) to my online accounts where possible. Over time, I got more FIDO devices and also enabled an IBM Cloud tutorial on end-to-end security for passwordless support. What I learned through the process is that sometimes device metadata is important. So today I am going to write about what it is and where / how to obtain it.



FIDO device metadata

Not all FIDO devices are created equal, and that is just fine. Manufacturers are asked to assign a globally unique authenticator attestation GUID (AAGUID). It should be the same for all "substantially identical authenticators made by that manufacturer". There are several other fields that can or must be present, and the structure of the metadata statement itself is defined by the FIDO specifications as well.

The metadata can be used to quickly assess device (security key) properties, such as what FIDO specification (protocol family) is supported or the biometric accuracy. The device information can also be used to manage allowed security keys. Services like IBM Cloud Identity can register devices. Only those devices can then be used as second factor or even for passwordless sign-in.


Metadata service (MDS)

How do you find out about device metadata, and how can you obtain those properties? Unfortunately, there is no single and simple answer; the ecosystem is still developing. The FIDO Alliance hosts a metadata service (MDS), which I will discuss first. It should be the only way forward, but right now it is not.

After registering for an access token, you can download a TOC (table of contents) file as well as the actual device-related metadata files. All files are encoded as JWTs (JSON Web Tokens), whose segments are base64url-encoded underneath. First, you need to download the TOC and decode its payload. You could utilize an online service like the debugger on jwt.io. Another option is to install a tool on your machine. I use a shell script which I forked online.

Once you have the decoded TOC, you can search it for the device manufacturer and model in question. Each entry has a related URL. Use the URL together with the access token to download the device-specific JWT, then decode its payload. The payload JSON is the device metadata as needed by, e.g., IBM Cloud Identity.
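The TOC lookup described above, as an added Python example that is not from the post or from the FIDO Alliance's tooling: it decodes a JWT payload, finds the entry for a given AAGUID and reads its certification status. The TOC token, AAGUIDs and URLs are constructed for the demo; the field names `entries`, `aaguid`, `url` and `statusReports` follow the MDS TOC format, and the signature check a real deployment needs is only flagged in a comment.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Return the decoded JSON payload of a JWT (TOC or device metadata file).
    The signature is NOT verified here: for real MDS downloads, validate the
    JWS against the FIDO MDS root certificate before trusting any entry."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def find_entry(toc: dict, aaguid: str) -> Optional[dict]:
    """Find the TOC entry for an AAGUID, ignoring case and hyphens."""
    wanted = aaguid.replace("-", "").lower()
    for entry in toc.get("entries", []):
        if entry.get("aaguid", "").replace("-", "").lower() == wanted:
            return entry
    return None

def latest_status(entry: dict) -> str:
    """Most recent certification status; assumes statusReports is chronological."""
    reports = entry.get("statusReports", [])
    return reports[-1]["status"] if reports else "UNKNOWN"

def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed token for the demo: header, payload and an empty signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed TOC with made-up AAGUIDs and URLs (not real MDS data).
SAMPLE_TOC_JWT = _make_unsigned_jwt({
    "no": 1, "nextUpdate": "2020-04-01",
    "entries": [
        {"aaguid": "11111111-2222-3333-4444-555555555555",
         "url": "https://mds.example/metadata/1111",
         "statusReports": [{"status": "NOT_FIDO_CERTIFIED"},
                           {"status": "FIDO_CERTIFIED_L1"}]},
        {"aaguid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
         "url": "https://mds.example/metadata/aaaa",
         "statusReports": [{"status": "REVOKED"}]},
    ],
})

if __name__ == "__main__":
    toc = decode_jwt_payload(SAMPLE_TOC_JWT)
    entry = find_entry(toc, "11111111222233334444555555555555")
    print(entry["url"], latest_status(entry))
```

A status of REVOKED is the signal to stop accepting that authenticator model for registration, which is exactly the kind of check a device-management service performs on the TOC.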

Add device metadata in IBM Cloud Identity


Files on GitHub and vendor websites

Other sources for metadata are GitHub repositories and vendor websites. On GitHub, you can find the metadata for the popular Solokeys. Yubico has an extensive developer site with metadata provided in their own format. They and other vendors provide tools on GitHub which you could use to read out metadata. The following shows device data for four different security keys, listing their AAGUID and supported standards.

FIDO2 device metadata

Conclusions

All FIDO / FIDO2 security keys have metadata. It is good to know how to obtain it, because some tools may need it for device management, or because you need to know the supported protocols.

If you want to learn more, I recommend the resources on the Awesome WebAuthn repo as well as the FIDO2 articles by IBMer Shane Weeden. Among other things, he discusses fido2viewer, a debugger that is a useful utility for gaining more insight.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.