
Fiber doesn’t use a “modem” so I’m a little curious what you’re talking about. As to “backdoors”—all fiber CPE has to have the capability to be managed from the provider side. A lit fiber is like an Ethernet cable plugged into the provider’s switch. Nobody would be crazy enough to not control both ends of that connection. Even if you spend thousands of dollars a month for a business grade Metro Ethernet connection, the provider will install CPE that it can manage remotely, usually an L2 switch.



AT&T's fiber service comes with two pieces of hardware: the ONT and a "residential gateway" that, in addition to being a router, is a terminal for the VoIP service and also has some guts for facilitating their UVerse IPTV platform.

Officially you can't opt out of using the RG. This differs from, say, Verizon's FiOS, which allows customers to just plug their own router straight into the ONT if they don't want the phone company's router.

You can put the RG into a "passthrough" mode that gives a downstream client the public IP address, so a router thinks it's bridged, but under the hood the RG is still maintaining all the connections in its own NAT table.

You can't simply plug a router into the ONT and have it work off the bat, as the RG has necessary 802.1x certs burned into the firmware. What you can do is use the eap_proxy tool mentioned in this same thread. I ran it on an EdgeRouter, and it essentially MITM'd the 802.1x handshaking and delegated that to the AT&T-provided RG, then once the 802.1x was dealt with, the EdgeRouter could get an address via DHCP.

There's apparently nothing customer-specific about the 802.1x certs; there's a thread on DSLReports about people buying old AT&T RGs off eBay and rooting them to extract the certs to use on their own router.

At the end of the day AT&T still owns and manages the hardware at the customer's end of the fiber (at the ONT level), they just also enforce usage of the router plugged into it too.


I think the issue is with the fact that it also forced you to use their router as it was built in, as I'm pretty sure all fiber providers require you use their hardware.


Good to have a service from a proper and somewhat local ISP. They set us up initially with a DASAN fiber->WiFi router completely administered on their end, but at some point I called them with the request to replace it with just a fiber->Ethernet bridge. They complied without a problem, replaced the box, and gave me the PPPoE credentials with a warning that past the bridge's Ethernet end, I'm on my own.



