
Validation of attestation response using MDS status reports is incorrect

Open syh-jeffk opened this issue 3 years ago • 0 comments

The current version of AuthenticatorAttestationResponse.VerifyAsync() loads the metadata entry for the authenticator and throws a Fido2VerificationException if any of the status reports in the entry reported a security issue with the authenticator.

From looking at the FIDO Metadata Service spec, this logic appears to be incorrect for a couple of reasons. First, according to the spec, the list of status reports is cumulative and only the latest report is supposed to be used as the "current" status for the authenticator. So if an issue is discovered, it can get reported and then later fixed with an upgrade. For example, a status of USER_VERIFICATION_BYPASS followed by a status of UPDATE_AVAILABLE means that the reported issue has been resolved with an update. The second issue is that the spec seems to suggest a RP may decide whether or not to accept the increased risk of using an authenticator with a security issue.

I would like to suggest two changes. First, that the verification should only look at the latest status to make this decision. Second, there should be a way for the application to decide whether or not to accept particular undesired statuses as a configuration setting on Fido2Configuration. The default could be to reject all undesired statuses.

I would also suggest that if an authenticator is rejected because of its MDS status, a more specific exception should be thrown that contains the offending status report, specifically so that the user can be given a specific error for the status and directed to the URL in the report for more information.

Thanks.

syh-jeffk avatar Mar 05 '22 22:03 syh-jeffk
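An added example (not fido2-net-lib's own code) sketching the rule the issue proposes in standalone C#: take only the latest status report as the current status, check it against a configurable set of undesired statuses, and throw an exception that carries the offending report. `StatusReport`, `UndesiredAuthenticatorStatusException` and `MdsStatusPolicy` are hypothetical names chosen here; the status strings are the values the FIDO MDS spec defines, and the report histories are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for one MDS3 statusReport (status, effectiveDate, url); needs .NET 6+ for DateOnly.
public record StatusReport(string Status, DateOnly? EffectiveDate, string? Url);

// Hypothetical exception carrying the offending report so the RP can show a specific error and its URL.
public class UndesiredAuthenticatorStatusException : Exception
{
    public StatusReport Report { get; }
    public UndesiredAuthenticatorStatusException(StatusReport r)
        : base($"Authenticator rejected: MDS status {r.Status}, see {r.Url ?? "(no URL)"}") => Report = r;
}

public static class MdsStatusPolicy
{
    // Statuses the MDS spec flags as security issues; an RP may configure a narrower set it refuses.
    public static readonly HashSet<string> DefaultUndesired = new()
    {
        "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE", "USER_KEY_REMOTE_COMPROMISE",
        "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED"
    };
    // The list is cumulative: the newest effectiveDate is the current status; undated reports sort oldest,
    // and ties fall back to list position (later entry wins).
    public static StatusReport Latest(IReadOnlyList<StatusReport> reports) =>
        reports.Select((r, i) => (r, i))
               .OrderByDescending(x => x.r.EffectiveDate ?? DateOnly.MinValue)
               .ThenByDescending(x => x.i)
               .First().r;
    // Reject only when the *current* status is one the RP has not agreed to accept.
    public static void EnsureAcceptable(IReadOnlyList<StatusReport> reports, ISet<string> undesired)
    {
        if (reports.Count == 0) return;
        var current = Latest(reports);
        if (undesired.Contains(current.Status)) throw new UndesiredAuthenticatorStatusException(current);
    }
    public static void Main()
    {
        // Constructed history: a bypass was reported, then resolved by an update, so it is accepted.
        var fixedLater = new List<StatusReport> {
            new("USER_VERIFICATION_BYPASS", new DateOnly(2021, 6, 1), "https://example.invalid/advisory"),
            new("UPDATE_AVAILABLE", new DateOnly(2021, 9, 1), null) };
        EnsureAcceptable(fixedLater, DefaultUndesired);   // passes: latest status is UPDATE_AVAILABLE
        // Constructed history whose current status is REVOKED: rejected with the report attached.
        var revoked = new List<StatusReport> { new("REVOKED", new DateOnly(2022, 1, 1), "https://example.invalid/r") };
        try { EnsureAcceptable(revoked, DefaultUndesired); }
        catch (UndesiredAuthenticatorStatusException e) { Console.WriteLine(e.Message); }
    }
}
```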

Fixed by #290. Thank you!

aseigler avatar Aug 24 '22 00:08 aseigler