Yubico · fdennis · Feb 10, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 9, 2026
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorStatus.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorStatus.java
@@ -99,6 +99,18 @@ public enum AuthenticatorStatus {
    */
   UPDATE_AVAILABLE(0),
 
+  /**
+   * The authenticator vendor has decided to retire the product, that this authenticator should not
+   * be accepted any longer. For example if a prototype version of the authenticator was added to
+   * FIDO MDS and has now been superseded by the final product, the entry for the prototype might be
+   * set to "retired".
+   *
+   * @see <a
+   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.1.1-rd-20251016.html#enumdef-authenticatorstatus">FIDO
+   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
+   */
+  RETIRED(0),
+
   /**
    * The FIDO Alliance has determined that this authenticator should not be trusted for any reason.
    * For example if it is known to be a fraudulent product or contain a deliberate backdoor. Relying

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
@@ -562,6 +562,54 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
     }
   }
 
+  it("RETIRED AuthenticatorStatus is parsed correctly.") {
+    val (blobJwt, cert, crls) = makeBlob("""{
+        "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+        "nextUpdate" : "2022-12-01",
+        "no" : 0,
+        "entries": [
+          {
+            "aaguid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+            "statusReports": [
+              {
+                "status": "RETIRED",
+                "effectiveDate": "2022-02-15"
+              }
+            ],
+            "timeOfLastStatusChange": "2022-02-15"
+          }
+        ]
+      }""")
+    val downloader: FidoMetadataDownloader = FidoMetadataDownloader
+      .builder()
+      .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+      .useTrustRoot(cert)
+      .useBlob(blobJwt)
+      .clock(
+        Clock.fixed(Instant.parse("2022-02-15T18:00:00Z"), ZoneOffset.UTC)
+      )
+      .useCrls(crls)
+      .build()
+    val mds =
+      FidoMetadataService.builder().useBlob(downloader.loadCachedBlob()).build()
+    mds should not be null
+
+    val entries = mds
+      .findEntries(
+        Collections.emptyList(),
+        Some(
+          new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+        ).toJava,
+      )
+      .asScala
+    entries should not be empty
+    entries should have size 1
+    entries.head.getStatusReports should have size 1
+    entries.head.getStatusReports.get(0).getStatus should be(
+      AuthenticatorStatus.RETIRED
+    )
+  }
+
   it("More [AuthenticatorTransport] values might be added in the future. FIDO Servers MUST silently ignore all unknown AuthenticatorStatus values.") {
     val (blobJwt, cert, crls) = makeBlob("""{
         "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",