FIDO Biometrics Certification Policy

1. Revision History

2. Introduction

This document gives an overview of the policies that govern Biometrics Certification as part of two programs: -Biometric Component Certification (BCC) for certifying either a biometric sensor or for integrating a certified biometric sensor in a FIDO Authenticator. -Face Verification for Remote Identity Verification (IdV - Face) solutions.

These policies are the requirements and operational rules that guide the implementation, process, and ongoing operation of the Biometrics Certification programs and create an overall framework for FIDO Alliance biometric certification programming to operate within.

The policies in this document apply to both programs unless otherwise specified, where each section may include a subsection that is specific to each program.

2.1. Audience

The intended audiences of this document are the Biometric Working Group (BWG), Certification Working Group (CWG), Identity Verification and Binding Working Group (IDWG), FIDO Administration, FIDO Board of Directors, and FIDO Accredited Laboratories.

The owner of this document is the Certification Working Group.

2.2. FIDO Roles

Certification Working Group (CWG) (CWG)

FIDO working group responsible for the approval of policy documents and ongoing maintenance of policy documents once a certification program is launched.

Biometrics Working Group (BWG)

FIDO working group responsible for defining the Biometric Requirements and Test Procedures for the Biometric Certification Programs and to act as Subject Matter Expert (SME) following the launch of the program.

Identity Verification and Binding Working Group (IDWG)

FIDO working group responsible for defining the Biometric Requirements and Test Procedures for the Remote Identity Verification (IdV) Certification Programs and to act as Subject Matter Expert (SME) following the launch of the program.

FIDO Biometric Secretariat

FIDO Alliance Subject Matter Expert (SME) responsible for the coordination and final approval of evaluation reports from FIDO Accredited Biometric Laboratories. Also known as "secretariat".

FIDO Identity Verification Secretariat

FIDO Alliance Subject Matter Expert (SME) responsible for the coordination and final approval of evaluation reports from FIDO Accredited Identity Verification Laboratories. Also known as "secretariat".

FIDO Certification Secretariat

FIDO Alliance certification expert responsible for administration of the FIDO Certification Programs, including finalizing certification requests, updating product listings, and issuing program certificates. For any questions related to this document or FIDO Certification Programs, please contact the FIDO Certification Secretariat at certification@fidoalliance.org.

Vendor / Developer

Party seeking certification. Responsible for providing the testing harness to perform both online and offline testing that includes enrollment system (with data capture sensor) and verification software.

Original Equipment Manufacturer (OEM)

Company whose goods are used as components in the products of another company, which then sells the finished items to users.

Laboratory

Party performing testing. Testing will be performed by third-party test laboratories Accredited by FIDO Alliance to perform Biometric and/or Identity Verification Certification Testing. See also, FIDO Accredited Biometrics Laboratory and FIDO Accredited Identity Verification Laboratory.

2.3. FIDO Terms

FIDO Certified Authenticator

An Authenticator that has successfully completed FIDO Certification program and has been issued a FIDO Certificate.

FIDO Accredited Biometrics Laboratory

Laboratory that has been Accredited by the FIDO Alliance to perform FIDO Biometrics Testing for the Biometrics Certification Program.

FIDO Accredited Identity Verification Laboratory

Laboratory that has been Accredited by the FIDO Alliance to perform FIDO Remote Identity Verification and/or Biometrics Testing for the Remote Identity Verification Document Authenticity (DocAuth) and/or Face Verification Certification Programs.

FIDO Member

A company or organization that has joined the FIDO Alliance through the Membership process.

Certified Biometric Component

A Biometric Subcomponent that has completed the FIDO Biometric Component Certification program and has been issued a Biometric Component Certificate.

Certified Face Verification for Remote Identity Verification (IdV)

A face verification system for IdV that has completed the FIDO Biometric Certification Program and has been issued a Biometric IdV Face Verification Certificate.

2.4. Personnel Terms

Test Subject

User whose biometric data is intended to be enrolled or compared as part of the evaluation. See Section 4.3.2 in [ISOIEC-19795-1].

Note: For the purposes of this document, multiple fingers up to four fingers from one individual may be considered as different test subjects. Two eyes from one individual may be considered as different test subjects.

Test Crew

Set of test subjects gathered for an evaluation. See Section 4.3.3 in [ISOIEC-19795-1].

Target Population

Set of users of the application for which performance is being evaluated. See Section 4.3.4 in [ISOIEC-19795-1].

Test Operator

Individual with function in the actual system. See Section 4.3.6 in [ISOIEC-19795-1].

2.5. Key Words

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

• SHALL indicates an absolute requirement, as does MUST.

• SHALL NOT indicates an absolute prohibition, as does MUST NOT.

• SHOULD indicates a recommendation.

• MAY indicates an option.

3. Overall Biometrics Certification Policies

The Biometrics Certification program as a whole is the responsibility of the FIDO Certification Working Group (CWG), with the Biometrics Working Group and Identity Verification and Binding Working Group acting as the Subject Matter Experts (SME), with necessary oversights and approvals from the FIDO Board of Directors and collaboration with other FIDO Working Groups where needed.

The CWG may, at the discretion of its chair(s) and members, create subgroups and delegate responsibilities for all or some portion of the CWG’s certification program responsibilities to those subgroups. The Certification Secretariat is responsible for implementing, operating, and managing the certification program defined by the CWG.

Implementations seeking Biometrics Certification may be FIDO Members or non-member organizations.

3.1. Prerequisite Certifications

FIDO Biometric Certification is independent of other FIDO Certification Programs. There are no FIDO Certification prerequisites to apply for Biometric Certification programs.

3.3.1. Biometric Recognition Boundary

The boundary of the Biometric Recognition to be certified (also called TOE, or Target of Evaluation) is defined by the Vendor. All functionality required for biometrics must be included within the boundary, this includes the Data Capture, Signal Processing, Data Storage, Comparison, and Decision functionality.

3.4. Biometric Certification Process

1. Application

2. Qualification

3. Biometric Testing

4. Laboratory Report

5. Certification Request

6. Certification Issuance

3.4.1. Application

Vendor applies for FIDO Biometric Certification by submitting an Application. Vendor enters a contract with a FIDO Accredited Biometric or Identity Verification Laboratory.

Biometric or Identity Verification Secretariat reviews the Application and notifies the Vendor that it is approved or requires clarification.

3.4.2. Qualification

After the developer officially applied for certification, they SHALL provide the following to the laboratory:

• The TOE and test harness, along with its required descriptions on use

• The TOE Description Document

• The Test Plan Document

• The Allowed Integration Document (if applicable)

• any other test plans about tests performed by the developer (if available)

• any other information deemed necessary by the developer

The laboratory SHALL review the TOE, the test harness, and the provided documents and ensure they are complete. The laboratory SHALL specifically ensure and perform:

• that the TOE and the test harness can be used on the basis of the instructions provided by the developer,

• that the TOE Description, Test Plan, and other test documentation provided by the developer is a complete and comprehensive

• that the test documentation looks auspicious (it should, however, be evident that the laboratory cannot perform a complete review of the test documentation at this point),

• that any test plans about tests performed by the developer (if any) are complete and comprehensive descriptions of the tests that the developer has performed,

• the laboratory SHOULD perform a pre-test to ensure that the TOE can be integrated into the test environment of the laboratory. The pre-test should at least contain one transaction for performance testing and one attempt for PAD testing. Pre-testing should also ensure that the test infrastructure of the laboratory (e.g. for offline testing or logging) can interact with the TOE. The pre-test may be skipped if the positive integration of the test harness into the infrastructure can be shown differently (e.g. as the TOE has been certified before by the same laboratory),

• the laboratory SHALL perform a first review of the TOE concerning the FIDO criteria for certification. While it is certain that the laboratory cannot perform the whole test up to this point, the laboratory shall ensure that all existing criteria are taken into account for planning of further tests (this can e.g. be easily achieved by the use of a checklist).

The laboratory SHALL submit all reviewed and complete test documentation to the FIDO Biometric or Identity Verification Secretariat. All parties SHALL agree that the TOE envisions a positive perspective to finish the certification. While this agreement cannot (and does not) mean that the decision on certification will be taken, it rather be reached so that no obvious obstacles are visible that would be in the way of a certification. The secretariat will notify the laboratory that all test documentation is approved or requires clarification.

Upon test documentation approval, the laboratory, developer, and FIDO Certification Secretariat SHALL then work to reach an agreement on:

• the schedule for the certification,

• the required contract (if any) for finishing the certification (if this has not yet been done in the first place),

The FIDO qualification stage for biometric certification does not confirm self-attested biometric performance numbers that may be provided by the vendor, e.g., false accept rate (FAR), false reject rate (FRR), or presentation attack detection performance (PAD).

The agreement is summarized by the laboratory in written form. This can be part of the test plan for the rest of the certification or in the form of a separate document.

After this agreement has been reached, the developer is considered to have reached the qualification of the certification.

3.4.3. Biometric Testing

The FIDO Accredited Biometric or Identity Verification Laboratory will be responsible for testing against the requirements through a combination of online and offline live subject testing. Testing will be completed according to the FIDO Biometrics Requirements ([FIDOBiometricsRequirements]).

Labs seeking FIDO Accreditation shall follow the FIDO Biometric and/or Identity Verification Laboratory Accreditation Policy [FIDOBiometricsLaboratoryAccreditationPolicy]. A list of FIDO Accredited Biometric and Identity Verification Laboratories will be available on the [FIDO Website](https://fidoalliance.org). Prior to testing, the FIDO Accredited Biometric and Identity Verification Laboratories shall prepare a test plan and submit this test plan to FIDO for approval.

3.4.3.2. Biometric Data

Biometric data captured from Test Subjects SHALL be maintained in a secure manner by the Laboratory. Biometric data MAY be provided to Vendor under an agreement between the Vendor and Laboratory, pursuant to laws of the jurisdiction(s) of the parties. Aside from the Vendor, the Accredited Biometrics or Identity Verification Laboratory SHALL NOT provide the biometric data to any other third parties or FIDO, except as needed for purposes of an audit of the Laboratory by FIDO.

Note: Additional logical security requirements are provided in Section 5.3.2. Logical Security of the FIDO Biometric Laboratory Accreditation Policy.

3.4.4. Laboratory Evaluation Report

Accredited Laboratory performs testing and returns Laboratory Evaluation Report to Vendor and FIDO secretariat. The Laboratory Evaluation Report MUST include:

• biometric testing results for all requirements

• the review of the Allowed Integration Document (if applicable), and the laboratory MUST validate that the changes will not impact performance.

• self-attestated results by the developer (if applicable). Please note that requirements that address questions of self-attestation SHALL be understood as checklist items. This specifically means that the Laboratory is not meant to perform any comprehensive analysis with respect to the information on self-attestation received by the developer.

FIDO secretariat reviews the Laboratory Evaluation Report and makes a decision to Approve, Reject, or ask for clarification.

3.4.5. Certification Request and Issuance

3.6.1. Certificate Issuance

[FIDO® Certified products](https://fidoalliance.org/certification/fido-certified-products/) will be viewable and searchable by FIDO members and the public at large, with the exception of certifications that are confidential.

3.9. Post-Certification Changes

3.14. Certification Suspension

A Certificate may be suspended by the FIDO secretariat.

In the event that the FIDO secretariat becomes aware of a suspension event, the secretariat will investigate the claim to determine if the event is cause for Suspension.

The FIDO secretariat may decide that:

• no further action is required, and the Certification remains Active, OR

• a Delta Certification is required to verify the Biometric still meets Requirements.

Vendors will be given at least 30-day notice prior to updating the Certificate status to Suspended, along with the necessary steps to remove the Suspension.

Suspension is an indication that the Certification must undergo a Delta Certification to reactive the Certified status.

The Suspended status will not be publicly shared, but the Implementation will be removed from the Certified list on the FIDO Website while the Certificate status is Suspended.

3.15. Certification Revocation

A Certificate may be revoked by the FIDO secretariat.

In the event that the secretariat becomes aware of a revocation event, they will investigate the claim to determine if the event is cause for Revocation.

Revocation events include:

1. Certificate expiration, or

2. Remaining in a Suspended status for more than 180 days, whichever occurs first.

Revocation is an indication that the Certificate is no longer certified and must undergo a New Certification to be certified.

The secretariat will provide 30-day notice prior to updating the Certificate status to Revoked.

If not done so already due to a Suspension, any Revoked Certificates will be removed from the Certified list on the FIDO Website.

3.16. Dispute Resolution Process

In the event a Vendor disputes the results of decisions made by the FIDO secretariat, a Dispute Request may be submitted to the secretariat via a form on the FIDO Website.

Upon receipt of a Dispute Request, the FIDO secretariat forwards the Dispute Request to the Dispute Resolution Team. The Dispute Resolution Team is responsible for determining the validity of the request and the appropriate routing of the request. The Vendor can indicate in the request if they would like to remain anonymous (the default behavior), or if their company name and implementation name may be shared with the Dispute Resolution Team.

If the certification has outstanding disputes or other issues, the certification may be delayed. Should the certification be delayed, the FIDO secretariat will notify the Vendor seeking Certification.

3.17. Program Administration

The Certification Working Group will be responsible for maintaining these policies.

3.17.1. Sensitive Information

3.17.1.1. Data Protection

The secretariat is responsible for protecting sensitive information during transit and storage.

When submitting electronic documentation to the secretariat, it must be uploaded using forms on the FIDO website.

All Biometric Certification forms and their attachments will be stored within an encrypted database only accessible by the FIDO secretariat, and will not be shared.

Unless a previous agreement has been made between the FIDO secretariat and the Vendor or Accredited Laboratory, all documents sent via email will not be reviewed and will be deleted.

3.17.1.2. Certification Status

No Vendor, Accredited Laboratory, nor other third-party may refer to a product, service, or facility as FIDO approved, accredited, certified, nor otherwise state or imply that FIDO (or any agent of FIDO) has in whole or part approved, accredited, or certified a Vendor, Laboratory, or other third-party or its products, services, or facilities, except to the extent and subject to the terms, conditions, and restrictions expressly set forth within in an Accreditation Certification or Biometric Certificate issued by FIDO.

3.17.1.3. Operational Reports

The FIDO secretariat will provide Operations Reports as requested by FIDO or FIDO Working Groups.

Any reporting performed by the Biometric Secretariat will be performed at the aggregate level to preserve confidentiality, and will not include the specific name or details of any Vendor or Implementation.

Operational reports will include:

• the number of certification requests,

• the number of certifications granted,

• disputes and their resolutions,

• process updates,

• certification mark or TMLA violations,

• any other notable events or operational metrics.

3.17.2. Biometric Requirement Versioning

Every certification issued by FIDO Alliance must be against an Active Version of the Biometric Requirements. Version history, including the Active Version(s) and their descriptions, will be maintained on FIDO Website.

The Document Hierarchy dictates that Biometric Requirements, as the lowest level, will always be updated and it is therefore the revision of the Biometric Requirements that will trigger the following versioning process.

3.17.2.1. Biometric Requirements

1. Biometric Requirements,

2. Biometrics Test Procedures,

3.17.2.2. Active Version(s)

The Active Version(s) of Biometric Requirements refers to a version or versions that are currently published and will be accepted for Certification. A new version of the Biometric Requirements is published and available for certification on an Evaluation Availability Date specific to that version. After this date the version becomes Active, and there will be a Transition Period (described below) where the previous Biometric Requirements are being phased out to a Sunset Date (described below). A version is no longer considered Active once the Sunset Date has passed.

The example below is a scenario for a Version 2.0 release. In this scenario, the Biometric Requirements Version 2.0 has an Evaluation Availability date of July 1, 2020. The Sunset Date for Version 1.0 is then assigned to be one year from that date. A vendor wishing to complete Certification between July 1, 2020 and December 31, 2020 has the option to apply for Certification against the two Test Procedure versions that are active, 1.0 and 2.0. This is considered the transition period for Version 1.0. On January 1, 2021 the only Active Version will be 2.0. Since the Sunset Date for Version 1.0 has passed, and the vendor must comply with the Version 2.0 Biometric Requirements for any new or Delta Certifications.

3.17.2.2.1. Evaluation Availability Date

Biometric Requirements will be assigned an Evaluation Availability Release Date that is equivalent to the first day the version is available for Biometric Evaluation. The Evaluation Availability Date is the date at which the version becomes an Active Version.

Biometric Requirements will include a Version Release Statement to document the Biometric Requirements that have changed from the previous version.

3.17.2.2.2. Transition Period

Biometric Certification is associated with a particular version of Biometric Requirements. When a new version of the Biometric Requirements is available for evaluation (i.e., is an Active Version), the previous version will enter a Transition Period where it is available for Certification only up to an assigned Sunset Date.

3.17.2.2.3. Sunset Date

A Sunset Date is the date at which a version of Biometric Requirements is no longer an Active Version accepted for Certification. New and Delta Certifications can only be made against an Active Version of Biometric Requirements.

The Sunset Date is not an indication that the biometric subcomponent becomes untrustworthy on this date. It only means that Biometric Requirements have been updated, and the Active version(s) is required for Certification. Biometric Requirements are updated when new requirements or test procedures may have entered the ecosystem. Biometric Requirements may also be updated to improve testing techniques.

When changes are made to the Biometric Requirements it must be determined how quickly these should be implemented for all evaluations. The scope and type of changes within the Biometric Requirements are used to determine the Sunset Date for previous versions.

There are three classifications of changes which allow to gauge the time period which should be assigned for the Sunset Date: Major changes, Minor changes, and Emergency changes.

Major changes would generally be noted by a change in the major version number for the Procedures. The expectation of a major change version would include a change to Requirements and/or Test Procedure(s). Major changes will be assigned a Sunset Date of 6 months to the previous version of the Biometric Requirements.

Minor changes would generally be noted by a change in the minor version number for the Procedures. The expectation of a minor change would be clarifications to the procedures, but which don’t impact the Biometric functionality. Minor changes will be assigned a Sunset Date of 6 months to the previous version of the Biometric Requirements.

Emergency changes would generally be only done under extreme circumstances such as a widespread threat that has an immediate impact on FIDO clients. When such a scenario occurs that requires changes to the Biometric Requirements, an immediate Sunset Date for previous versions would be assigned. Due to the extreme nature of the Sunset Date, changes required through an Emergency Sunset must be limited specifically to those needed to ensure the Biometric subcomponents of the FIDO client meet the defined emergency; no other changes are allowed to be included.

3.17.2.2.4. Sunset Dates and Products Already Under Evaluation

3.17.2.2.5. Sunset Date Voting