The Authenticator Certification Levels introduce Authenticator Security Requirements to the FIDO Certification Program. Currently, Level 1 (L1) and Level 2 (L2) are available for Certification.
The certification levels build on each other, so L2 includes all the requirements for L1 plus additional requirements for L2.
Policy and Requirements Documents
The documents for Authenticator Certification include:
- Authenticator Certification Program Policy
- Authenticator Security Requirements
- Vendor Questionnaire
- L1 (within the Authenticator Security Requirements above)
- L2 (within the Authenticator Security Requirements above, and as a companion Excel worksheet)
- Test Procedures (within the Authenticator Security Requirements)
- Vendor Questionnaire
- Allowed Cryptography List
- Allowed Restricted Operating Environments (ROE) List
- Authenticator Metadata Requirements
Additionally, as part of Level 2 or higher (L2+) Authenticator Certification, it is required that a FIDO Accredited Security Laboratory perform the Security Evaluation as part of the certification process.
Currently, the supported Certification levels are:
Higher levels are in active development by the FIDO Security Requirements Working Group (SRWG).
Authenticator Certification Process
Authenticator Certification follows the Functional Certification process and adds the evaluation of a completed Vendor Questionnaire. The Vendor Questionnaire is where Vendors document how their implementation meets the Authenticator Security Requirements.
The high-level process steps are:
- Functional Certification Requirements
- Authenticator Certification Application
- Security Evaluation
- Vendor Questionnaire
- Lab or Security Secretariat Security Evaluation & Report
- Report Review
- Certification Issuance
- (Optional) Trademark Usage.
Implementations seeking FIDO Certification must fulfill the requirements specified in the documents above.
For Level 2, it is recommended that the Vendor contact a FIDO Accredited Security Laboratory early to work out contract and NDA details, so that the Vendor and the Lab are ready for the Security Evaluation process and the Lab can be listed as part of the Application step.
Functional Certification Requirements
Vendors must complete FIDO Functional Certification requirements for Authenticators, including the Conformance Self-Validation and Interoperability Testing, prior to submitting an application for FIDO Authenticator Certification. For L1, this includes the L1 Requirements that must be verified during Interoperability Testing.
Authenticator Certification Application
To begin FIDO Authenticator Certification, the Vendor completes the Authenticator Certification Application.
The FIDO Certification Secretariat is responsible for reviewing and approving the Authenticator Certification Application and, if approved as complete, returning it to the Vendor.
The Security Evaluation step has two parts: the Vendor’s attestation of how the implementation meets the Security Requirements, and the Security Evaluation itself, in which the FIDO Security Secretariat or a FIDO Accredited Security Laboratory reviews the Vendor Questionnaire and completes the Test Procedures.
For L1, the Security Evaluation will be performed by the Security Secretariat by reviewing the completed Vendor Questionnaire and performing the Security Test Procedures. The Security Secretariat will prepare an Evaluation Report.
For L2, the Vendor will choose a FIDO Accredited Security Laboratory to perform the Security Evaluation by reviewing the Vendor Questionnaire and performing the Security Test Procedures. The lab will submit a Lab Report to FIDO.
Once complete, the Vendor reviews the FIDO Evaluation Report prepared by the Laboratory or the FIDO Security Secretariat and submits it to FIDO. For Level 1, the approved Vendor Questionnaire and FIDO Evaluation Report must be submitted to FIDO. For Level 2, only the FIDO Evaluation Report must be submitted to FIDO.
As part of submitting the required documents to FIDO, the Vendor will also submit the Certification Request. The Certification Request will be evaluated by the Certification Secretariat to ensure all requirements are met.
The Vendor must pay the Authenticator Certification Fees before a Certificate will be issued.
Trademark Usage (Optional)
After executing the Trademark License Agreement, implementers may use the FIDO® Certified mark and logo on their product, packaging, and marketing literature.