The FIDO Alliance describes the FIDO Authenticator as a “set of hardware and software that implements the Authenticator portion of the FIDO UAF, FIDO U2F, or FIDO2 protocols.” The FIDO Authenticator Certification Program provide trust and reduces the risk of potential vulnerabilities by enforcing countermeasures, ensuring that these measures are correct and satisfy the FIDO Authenticator Security Requirements. The higher the level of certification is, the greater the security assurance or trust.
Here is a list of the top 10 things you should know about the FIDO Authenticator Certification Program:
1. There are Three "Primary" Security Certification Levels for Authenticators
There are three main security certification levels for authenticators:
- L1 - Better than passwords. Software-based only implementation. Certification possible on any device with any OS or HW.
- L2 - Certification of full authenticator possible. Requires a Restricted Operating Environment (ROE) supported by some Hardware countermeasures allowing application isolation, to be able to certify the full authenticator.
- L3 - Adds physical defenses to L2 so lost and stolen devices are hard to disassemble and break in a garage or lab.
2. There are a Total of Six Levels
For each of the 3 primary levels above, there is an additional “+” level. L1 is the base level providing the easiest certification. L1+ is based on white-box cryptography. L2 was created as a fast track evaluation of security based on a ROE capabilities. L2+ is still not defined yet but is expected to increase confidence in L2 like certification by adding additional testing procedures, while L3 requires a certified ROE. L3+ requires chip level defenses against physical attacks supported by smart card technologies.
3. FIDO Certification as a Marketing Differentiator and a Trust Mark
FIDO’s six-level certification program covers hardware, software, operating systems, and security mechanisms from the lowest to the highest level. However, it remains neutral to the vendor and technology, allowing the vendor to receive the acknowledgment or praise for meeting the customers’ security requirements. Users, Service Providers or Relying Parties can trust Authenticators by verifying their certification level.
4. The FIDO Functional Certification Is a Prerequisite of the FIDO Authenticator Certification
All Authenticator vendors seeking Authenticator Certification must complete FIDO Functional Certification requirements. Prior to creating an account for FIDO Certification and applying for FIDO Authenticator Certification through the Implementer Dashboard, vendors must complete requirements, which include the Interoperability Testing and Conformance Self-Assessment.
5. FIDO Certification can rely on Companion Programs
FIDO Certification at higher levels relies on recongnized certification schemes such as the Common Criteria (CC). This allows a vendor that is implementing his Authenticator application upon a CC certified platform to get FIDO certified by proving the security level of the composition through a mapping table and simplified delta testing procedures.
6. L1 is not a Self-Declaration
At L1, there is no lab involved, but to avoid a self-declaration process FIDO involve a fast security expert review of the Vendor Questionnaire. The Security Secretariat then reviews the completed Vendor Questionnaire, spot issues, exchange Observation Reports to solve inconclusive requirements before passing the certification.
7. A FIDO Accredited Security Laboratory Performs the Security Evaluation for L2 and Higher
For L2 and higher, the vendor chooses a third-party FIDO-accredited Security Laboratory to perform the Security Test Procedures. The Approved Evaluator reviews the Vendor Questionnaire for L2 and higher and performs a comprehensive review, which may include a source code review and penetration testing. Once approved, the evaluator submits a FIDO Evaluation Report to the Security Secretariat.
8. Delta Certification is Accepted
In order to maintain the validity of a certificate in case a Vendor updates some features or in case the requirements changed or a vulnerability is disclosed, a FIDO Impact Analysis Report allows to evaluate the changes and judge if a Delta certification is required. In that case, the vendor would have to highlight the changes and update the Vendor Questionnaire to reflect the impacted security requirements which will be reviewed and tested accordingly before amending the certificate.
9. Over 130 Authenticators are already security certified
FIDO Authenticator Certification Program has been launched in 2018 for L1 and progressively included the other higher levels. Up to now, the majority are L1 certified but vendors are expected to seek more for higher certification levels especially with the upcoming regulations (e.g. eIDAS) and industry procurement requirements which is setting the bar high thus increasing competitveness.
10. Privacy Is A Priority
FIDO defined a list of Privacy Principles and these are enforced by the FIDO Authenticator Certification Program at least for the consumer market.
Finally, FIDO Certification has been defined and endorsed by more than 250 companies members of FIDO Alliance including vendors and RPs to provide trust. This trust is strengthened by offering information in a transparent manner on the level of security of Authenticators.
Lack of trust is the first barrier for market adoption especially for secure products therefore the importance of certification.
Finally, an increase in trust can be facilitated if you aim at a higher level of security assurance with evaluation criteria that could cover the whole life-cycle process of the Authenticator from development, to delivery, to operational up to maintenance.