Certified Authenticator Levels
The Authenticator Certification Levels introduce Authenticator Security Requirements to the FIDO Certification Program. Authenticators must be certified to at least Authenticator Certification Level 1 (L1) for UAF, U2F, and FIDO2 certification.
Currently, the supported Certification Levels are:
The Levels build on each other, so L2 includes all the requirements for L1, plus additional requirements for L2.
Higher levels are in active development by the FIDO Security Requirements Working Group (SRWG).
The documents for Authenticator Certification include:
|FIDO Authenticator Certification Policy|
This policy governs the Authenticator Certification Levels as part of the FIDO Certification Program.
|FIDO Authenticator Security Requirements|
This document outlines the Authenticator Security Requirements for the Authenticator Certification Levels. Example: Implementations seeking L1 Certification must meet the requirements labeled L1 and higher, Implementations seeking L2 Certification must meet the requirements labeled L1 and higher and L2 and higher, and so forth depending on Certification level seeking. This document also includes the Vendor Questionnaire and Test Procedure instructions for each requirement.
|FIDO Authenticator Vendor NDA|
Non-disclosure Agreement to be signed by Authenticator Vendors (Implemeters) completing Authenticator Certification.
|Vendor Questionnaire Worksheets|
Non-normative companion excel worksheets of the Vendor Questionnaires are available to assist Implementers completing Authenticator Certification.
Sample Vendor Questionnaire. This sample should be used as a reference only. It is being provided as a guide for completing the Vendor Questionnaire and to help make the evaluation process more efficient and effective.
|FIDO Allowed Cryptography List|
This document defines Allowed Cryptography referenced in the Authenticator Security Requirements.
|FIDO Allowed Restricted Operating Environments List|
This document defines the Allowed Restricted Operating Environments referenced in the Authenticator Security Requirements.
|FIDO Authenticator Metadata Requirements|
This document defines the Authenticator Metadata Requirements referenced in the Authenticator Security Requirements.
The Authenticator Certification follows the Functional Certification process and the Authenticator Certification process adds the evaluation of a completed Vendor Questionnaire. The Vendor Questionnaire is how Vendors document how their implementation meets the Authenticator Security Requirements.
The high-level process steps are:
- Functional Certification Requirements
- Authenticator Certification Application
- Security Evaluation
- Vendor Questionnaire
- Security Secretariat (L1) or Accredited Security Laboratory (L2, L3, or L3+) Security Evaluation & FIDO Evaluation Report
- Report Review
- Certification Issuance
- (Optional) Trademark Usage.
- (Optional) Metadata Submission to MDS
Implementations seeking FIDO Certification must fulfill the requirements specified in the documents above.
For Level 2 and higher, it is recommended that the Vendor contact a FIDO Accredited Security Laboratory early in order to work out contract and NDA details so the Vendor and the Lab are ready for the Security Evaluation process, and so the Accredited Security Laboratory can be listed as part of the Authenticator Certification Application step.
Functional Certification Requirements
Vendors must complete FIDO Functional Certification requirements for Authenticators, including the Conformance Self-Validation and Interoperability Testing, prior to submitting an application for FIDO Authenticator Certification.
For L1, this includes the L1 Interoperability Requirements that must be verified during Interoperabilty Testing.
Authenticator Certification Application
To begin FIDO Authenticator Certification, the Vendor completes the Authenticator Certification Application (through the Implementer Dashboard).
The Certification Secretariat is responsible for reviewing and approving the Authenticator Certification Application and, if approved as complete, returning it to the Vendor.
The Authenticator Certification Application must be approved before the Security Evaluation step can begin.
The Security Evaluation step includes the Vendor’s attestation of how the implementation meets the Security Requirements and the Security Evaluation performed by FIDO Security Secretariat or a FIDO Accredited Security Laboratory to review the Vendor Questionnaire and complete the Test Procedures.
For L1, The Vendor Questionnaire is completed in two steps:
- L1 Interoperability Requirements are verified during an Interoperability Event for a subset of the L1 Security Requirements. (This must be completed prior to the Authenticator Certification Application).
- The Vendor completes the L1 Vendor Questionnaire by providing a rationale for the remainder of the requirements not verified at the Interoperability Event.
Once the Vendor Questionnaire is complete, it is submitted to the Security Secretariat. The Security Evaluation will be performed by the Security Secretariat by reviewing the completed Vendor Questionnaire and performing the Security Test Procedures. The Security Secretariat will prepare the FIDO Evaluation Report.
For L2 and higher, the Vendor will choose a FIDO Accredited Security Laboratory to perform Security Evaluation. The Vendor will submit the L2 and higher Vendor Questionnaire to the FIDO Accredited Security Laboratory and an Approved Evaluator will perform the Security Test Procedures. The Approved Evaluator will submit a FIDO Evaluation Report to the Security Secretariat.
Once complete, the implementer reviews the FIDO Evaluation Report prepared by the FIDO Security Secretariat or Accredited Security Laboratory and submits to the Security Secretariat (through the Implementer Dashboard).
For L1, the approved Vendor Questionnaire and FIDO Evaluation Report must be submitted to the Security Secretariat.
For L2 and higher, only the FIDO Evaluation Report must be submitted to the Security Secretariat.
The FIDO Evaluation Report must be approved by the Security Secretariat before the Vendor can complete the Certification Request.
As part of submitting the required documents to FIDO, the Vendor will also submit the Certification Request. The Certification Request will be evaluated by the Certification Secretariat to ensure all requirements are met.
The Vendor must pay the Authenticator Certification Fees before a Certificate will be issued.
Trademark Usage (Optional)
After executing the Trademark License Agreement (TMLA), Vendors may use the FIDO® Certified mark and logo on their product, packaging, and marketing literature.
Metadata Submission to MDS (Optional)
The Vendor has the option to submit Metadata to the FIDO Metadata Service (MDS).
Implementers can Login to view their Dashboard.