Certified Authenticator Levels
The Authenticator Certification Levels introduce Authenticator Security Requirements to the FIDO Certification Program. Authenticators must be certified to at least Authenticator Certification Level 1 (L1) for UAF, U2F, and FIDO2 certification.
Currently, the supported Certification Levels are:
The Levels build on each other, so L2 includes all the requirements for L1, plus additional requirements for L2.
Higher levels are in active development by the FIDO Security & Privacy Requirements Working Group (SPWG).
Policy and Requirements Documents
The documents for Authenticator Certification include:
This policy governs the Authenticator Certification Levels as part of the FIDO Certification Program and more generally all FIDO technical specifications.
|FIDO Authenticator Certification Policy This policy governs the Authenticator Certification Levels as part of the FIDO Certification Program. Download: PDF|
|FIDO Authenticator Security and Privacy Requirements This document outlines the Authenticator Security and Privacy Requirements for the Authenticator Certification Levels. Example: Implementations seeking L1 Certification must meet the requirements labeled “L1 and higher”; Implementations seeking L2 Certification must meet the requirements labeled “L1 and higher” and “L2 and higher”, and so forth depending on the Certification Level sought. This document also includes the Vendor Questionnaire (for Levels L1 and L2), the Mapping Table (for Levels L3 and L3+) and the Test Procedure instructions for each requirement. Download v1.4 (active): HTML | PDF Download v1.3 (Sunset date: 11 December 2021): HTML | PDF|
|FIDO Authenticator Vendor NDA Non-disclosure Agreement to be signed by the Authenticator Vendors (Implementers) completing Authenticator Certification. Download: PDF|
|Vendor Questionnaire Worksheets Non-normative worksheets of the Vendor Questionnaires are available to assist Authenticator Vendors (Implementers) completing Authenticator Certification at L1 or L2. Download: Level 1 | Level 2 Sample Vendor Questionnaire. This sample should be used as a reference only. It is being provided as a guide for completing the Vendor Questionnaire and to help make the evaluation process more efficient and effective.|
|FIDO Mapping Table Non-normative worksheets are available to assist Authenticator Vendors (Implementers) completing Authenticator Certification at L3 or L3+, depending on the selected Companion Program. Download: Level 3/3+|
|FIDO Impact Analysis Report (FIAR) This document defines the FIDO Impact Analysis Report (FIAR) template listing the scope and the structure of the expected contents. It describes the requirements for when changes are made to the authenticator and helps determine whether the authenticator is eligible for Derivative or Delta certification. This report must be completed by Authenticator Vendors (Implementers) and submitted to the FIDO Security Secretariat. Download: FIDO Impact Analysis Report (FIAR)|
|FIDO Allowed Cryptography List This document defines Allowed Cryptography referenced in the Authenticator Security and Privacy Requirements. Download: HTML | PDF|
|FIDO Allowed Restricted Operating Environments List This document defines the Allowed Restricted Operating Environments referenced in the Authenticator Security and Privacy Requirements. Download: HTML | PDF|
|FIDO Authenticator Metadata Requirements This document defines the Authenticator Metadata Requirements referenced in the Authenticator Security and Privacy Requirements. Download: HTML | PDF|
Authenticator Certification Process
Authenticator Certification follows the Functional Certification process and adds the evaluation of a completed Vendor Questionnaire at L1 or L2, or a completed Mapping Table at L3 or L3+. The Vendor Questionnaire is how a vendor documents that their implementation meets the Authenticator Security Requirements.
If you already have a certified authenticator and made modifications, or are trying to obtain a Derivative certification, please refer to our Certification Maintenance and Updates page for the correct process to follow. Otherwise, please follow the steps below for Authenticator Certification.
The high-level process steps are:
- Functional Certification Requirements
- Authenticator Certification Application
- Security Evaluation
- Vendor Questionnaire
- Security Secretariat (L1) or Accredited Security Laboratory (L2, L3, or L3+) Security Evaluation & FIDO Evaluation Report
- Report Review
- Certification Issuance
- (Optional) Trademark Usage
- (Optional) Metadata Submission to FIDO MDS
Implementations seeking FIDO Certification must fulfill the requirements specified in the documents above.
For Level 2 and higher, it is recommended that the Vendor contact a FIDO Accredited Security Laboratory early to work out contract and NDA details so the Vendor and the Lab are ready for the Security Evaluation process, and so the Accredited Security Laboratory can be listed as part of the Authenticator Certification Application step.
Functional Certification Requirements
Vendors must complete FIDO Functional Certification requirements for Authenticators, including the Conformance Self-Validation and Interoperability Testing, prior to submitting an application for FIDO Authenticator Certification.
For L1, this includes the L1 Interoperability Requirements which must be verified during Interoperability Testing.
Authenticator Certification Application
To begin FIDO Authenticator Certification, the Vendor completes the Authenticator Certification Application (through the Implementer Dashboard).
The Certification Secretariat is responsible for reviewing and approving the Authenticator Certification Application and, if approved as complete, returning it to the Vendor.
The Authenticator Certification Application must be approved before the Security Evaluation step can begin.
The Security Evaluation step includes the Vendor’s attestation of how the implementation meets the Security Requirements, and the Security Evaluation performed by the FIDO Security Secretariat or a FIDO Accredited Security Laboratory. The Security Secretariat or Accredited Security Laboratory reviews the Vendor Questionnaire (at levels L1 and L2) or the Mapping Table (at levels L3 or L3+) and completes the Test Procedures.
For L1, the Vendor Questionnaire is completed in two steps:
- L1 Interoperability Requirements are verified during an Interoperability Event for a subset of the L1 Security Requirements. (This must be completed prior to the Authenticator Certification Application).
- The Vendor completes the L1 Vendor Questionnaire by providing a rationale for the remainder of the requirements not verified at the Interoperability Event.
Once the Vendor Questionnaire is complete, it is submitted to the Security Secretariat. The Security Evaluation is performed by the Security Secretariat, who reviews the completed Vendor Questionnaire and performs the Security Test Procedures. The Security Secretariat will prepare the FIDO Evaluation Report.
For L2, the Authenticator Vendor (Implementer) chooses a FIDO Accredited Security Laboratory to perform the Security Evaluation. The Authenticator Vendor (Implementer) submits the L2 Vendor Questionnaire to the FIDO Accredited Security Laboratory and an Approved Evaluator performs the Security Test Procedures. The Approved Evaluator submits a FIDO Evaluation Report to the Security Secretariat.
For L3 and L3+, the Authenticator Vendor (Implementer) chooses a FIDO Accredited Security Laboratory to perform Security Evaluation. The Authenticator Vendor (Implementer) submits the Mapping Table to the FIDO Accredited Security Laboratory and an Approved Evaluator performs the Security Test Procedures. The Approved Evaluator submits a FIDO Evaluation Report to the Security Secretariat.
Once complete, the Authenticator Vendor (Implementer) reviews the FIDO Evaluation Report prepared by the FIDO Security Secretariat or Accredited Security Laboratory and submits it to the Security Secretariat (through the Implementer Dashboard).
For L1, the approved Vendor Questionnaire and FIDO Evaluation Report must be submitted to the Security Secretariat.
For L2 and higher, only the FIDO Evaluation Report must be submitted to the Security Secretariat.
The FIDO Evaluation Report must be approved by the Security Secretariat before the Authenticator Vendor (Implementer) can complete the Certification Request.
As part of submitting the required documents to FIDO, the Authenticator Vendor (Implementer) will also submit the Certification Request. The Certification Request is evaluated by the Certification Secretariat to ensure all requirements are met.
The Authenticator Vendor (Implementer) must pay the Authenticator Certification Fees before a Certificate is issued.
Trademark Usage (Optional)
After executing the Trademark License Agreement (TMLA), Authenticator Vendors (Implementers) may use the FIDO® Certified mark and logo on their product, packaging, and marketing literature.
Metadata Submission to MDS (Optional)
The Authenticator Vendor (Implementer) has the option to submit Metadata to the FIDO Metadata Service (MDS).
Authenticator Vendors (Implementers) can log in to view their Dashboard.