By: FIDO Alliance staff
A major milestone has been realized, with the German Federal Office for Information Security (BSI-Bundesamt für Sicherheit in der Informationstechnik) becoming the first organization to the achieve the Certified Authenticator Level 3+ level, which is the highest level of validation currently offered by the FIDO Alliance.
The path toward the Level 3+ designation has been several years in the making.
Dr. Rae Rivera, Certification Director for the FIDO Alliance explained that the Certified Authenticator program was originally launched in August 2018 in a bid to define greater levels of assurance for FIDO authenticators. She noted that the FIDO Specifications include an inherent amount of security and privacy. The goal with the Certified Authenticator program is to provide additional security assurances for the authenticators themselves.
With the first Certified Authenticator Level 3+ designation now granted, Rivera expects other organizations will follow, helping to improve strong authentication for users and organizations around the world.
“We’re continuing to see more pickup and uptake in the Certified Authenticator program,” Rivera said. “At each higher level, there’s less risk of a vulnerability.”
Understanding the Different Certified Authenticator Levels
There are three core levels (L1, L2, L3 and ) in the Certified Authenticator program with each level building on the requirements of the preceding level. Incremental additional assurance can be obtained to allow a vendor to achieve a “+” within each level (L1+, L2+, L3+).
The program evaluates authenticators to answer the question ‘how well does the authenticator protect the private key?The most basic entry level is L1 which Rivera said a vendor can achieve by supporting and implementing the FIDO specifications. An authenticator certified at L1 provides protection against phishing and credential abuse.
Moving up to L2, Rivera noted that restricted operating environments are required to protect against malware attacks. When you get to L3 and L3+, Rivera said that it’s all about looking at hardware authenticators, and how they provide protection against brute force attacks.
“One of the core attributes of our higher level programs, specifically level three and three plus, is that they require the product to have what we call a companion program certification,” Rivera said.
She noted that the companion program certification that has been defined for those higher levels is Common Criteria which provides sets of evaluations and designations to help define the security posture for a given device or service.
“The higher level that you go, the less vulnerable the authenticator is to any kind of attack,” Rivera said.
Why the Level 3+ Certification is Significant
With BSI now certified at L3+ the door is open to others to follow the same path toward the highest level of security assurance.
“Personally I feel like this is a huge leap forward for the program,” Rivera said.
Rivera noted that to date there have been many products that have been certified at the lower levels of the Certified Authenticator program. Now that the first L3+ has been achieved she anticipates that there will be more interest from organizations to go through the program to gain that additional higher level of assurance.
“This certification clearly demonstrates the value of our certified authenticator program – particularly at the higher levels,” she said. “Government and regulated industries such as finance, healthcare, energy and education often have more sensitive use cases that require specific types of authentication into their networks. Vendors and relying parties in these markets see this as a benefit because it meets the need for hardware protection and is also Common Criteria certified.”
How Others Can Benefit from the First Level 3+ Certification
Now that BSI has hit the Level 3+ certification, there is now quite literally a path for others to follow.
Rivera explained that with the L3+ certification there is a protection profile associated with it. The protection profile contains all the components that are used to achieve the L3+. As such, another vendor could utilize the protection profile to develop their product to get certified at the higher level.
“The protection profile serves as good guidance for those that are seeking the higher levels as to what they need to do and what modifications they need to make to their implementation,” Rivera said. “BSI getting certified at Level 3+ has made it a little easier for others to start achieving this level.”