How FIDO Certification Compares with FIPS 140-3 and Common Criteria (CC)

August 2, 2024

In today's digital age, secure authentication is more critical than ever. With the increasing frequency of data breaches and cyberattacks, ensuring that authentication mechanisms are robust and reliable is paramount. Certification programs play a vital role in this landscape, providing a standardized way to evaluate and validate the security of various authentication methods. Among these programs, the FIDO certification stands out for its comprehensive approach and proven success. In this blog, we explore the intricacies of FIDO certification levels and how they compare with other renowned standards like FIPS 140-2/3 and Common Criteria (CC) certifications. For further insights, you can also refer to our previous blog on the Top 10 Things You Should Know About the FIDO Authenticator Certification Program.

Overview of FIDO Certification Levels

FIDO certification ensures that authenticators meet stringent security standards. Here’s a closer look at the three primary certification levels and their “+” enhancements:

  1. Level 1 (L1): This level is designed to be better than traditional passwords. It focuses on software-based implementations that can be certified on any device, regardless of the operating system or hardware.
  2. Level 2 (L2): L2 certification requires a Restricted Operating Environment (ROE) supported by some hardware countermeasures for application isolation. This allows for the certification of the full authenticator, ensuring a higher level of security.
  3. Level 3 (L3): This level builds on L2 by adding physical defenses. These defenses make it difficult to disassemble and compromise the device, even if it is lost or stolen.

Enhanced Security with "+" Levels

In addition to the primary levels, FIDO has introduced “+” levels for each primary level, resulting in a total of six certification levels:

  • L1+: This level enhances L1 by incorporating white-box cryptography.
  • L2+: Although still being defined, L2+ is expected to increase confidence in L2-like certification by adding additional testing procedures. FIPS 140-2/3 could potentially fit here.
  • L3+: This level requires chip-level defenses against physical attacks, supported by advanced hardware technologies like Secure Elements.

FIDO and Common Criteria

For levels L3 and L3+, FIDO leverages Companion Programs such as CC. Instead of defining its own evaluation methodology for these higher levels, FIDO uses the CC evaluation methodology (ISO/IEC 18045) together with specific Protection Profiles and coverage mapping tables to show that FIDO authenticator security requirements are met. The accredited third-party laboratories conducting these evaluations must comply with ISO/IEC 17025 with CC in scope, which makes them essentially CC-accredited laboratories under their respective national schemes.

FIDO and FIPS 140-2/3 Compatibility

FIPS 140-2 (the version in force when the program was designed) significantly influenced the structure and content of the FIDO Authenticator Certification Program. FIDO Certification is compatible with FIPS 140-3 validation, and most of the algorithms specified for use with FIDO are allowed under FIPS 140-3.

So what are the options today for combining a FIDO certification with a FIPS 140-3 validation?

  1. Integrated Security Policy: FIDO-specific requirements can be integrated into the FIPS 140-3 Security Policy before validation. A FIPS lab verifies compliance with both FIPS and FIDO requirements.
  2. Additional Verification: A FIDO accredited lab can verify requirements beyond FIPS, using the Security Policy to determine what functionality was included in the FIPS validation.

While FIDO is considering including FIPS 140-3 as a companion program, this is contingent on market demand.

Relevance to the Financial Sector

It is worth highlighting that the L1+ certification program is particularly relevant to the financial sector, especially for software applications that are not backed by hardware security capabilities. The Security and Privacy Requirements for L1+ ensure a robust defense even if the device operating system is compromised. White-box cryptography and other software protection techniques are used instead of an allowed restricted operating environment (AROE), which makes L1+ similar to what EMVCo requires when evaluating software-based mobile payment applications.

Conclusion

FIDO certification has achieved significant success, with over a thousand authenticators certified to date. Its comprehensive approach, leveraging companion programs like CC and FIPS 140-3, ensures better interoperability, reduces costs and efforts for vendors, and promotes wider adoption worldwide. By understanding and leveraging FIDO certification, organizations can ensure their authentication mechanisms are secure, reliable, and compliant with industry standards, thereby protecting sensitive information and maintaining user trust.

By embracing the FIDO certification program, organizations can navigate the complex security landscape with confidence, ensuring robust protection for their authentication solutions in a rapidly changing digital world.