LANGUAGE

Certified Authenticator Levels

The Authenticator Certification Levels introduce Authenticator Security Requirements to the FIDO Certification Program. Authenticators must be certified to at least Authenticator Certification Level 1 (L1) for UAF, U2F, and FIDO2 certification.

Currently, the supported Certification Levels are:

The Levels build on each other, so L2 includes all the requirements for L1, plus additional requirements for L2.

Higher levels are in active development by the FIDO Security & Privacy Requirements Working Group (SPWG).

FIDO Authenticator Certification Levels - Sample Device Hardware & Software Requirements Defend Against Which Level of Attack
FIDO Authenticator Certification Level Examples

This page contains the Policy and Requirements Documents and the Authenticator Certification Process.

Policy and Requirements Documents

The documents for Authenticator Certification include:

FIDO Authenticator Privacy Policy

This policy governs the Authenticator Certification Levels as part of the FIDO Certification Program and more generally all FIDO technical specifications.

Download: PDF

FIDO Authenticator Certification Policy  This policy governs the Authenticator Certification Levels as part of the FIDO Certification Program.Download: PDF
FIDO Authenticator Security and Privacy Requirements  This document outlines the Authenticator Security and Privacy Requirements for the Authenticator Certification Levels. Example: Implementations seeking L1 Certification must meet the requirements labeled “L1 and higher”, Implementations seeking L2 Certification must meet the requirements labeled “L1 and higher” and “L2 and higher”, and so forth depending on Certification level seeking. This document also includes the Vendor Questionnaire (for Levels L1 and L2), the Mapping Table (for Levels L3 and L3+) and the Test Procedure instructions for each requirement.Download v1.4 (active): HTML | PDF Download v1.3 (Sunset date: 11 December 2021): HTML | PDF
FIDO Authenticator Vendor NDA  Non-disclosure Agreement to be signed by the Authenticator Vendors (Implementers) completing Authenticator Certification.Download: PDF
Vendor Questionnaire Worksheets  Non-normative  worksheets of the Vendor Questionnaires are available to assist Authenticator Vendors (Implementers) completing Authenticator Certification at L1 or L2.Download: Level 1 | Level 2 Sample Vendor Questionnaire. This sample should be used as a reference only. It is being provided as a guide for completing the Vendor Questionnaire and to help make the evaluation process more efficient and effective.
FIDO Mapping TableNon-normative worksheets are available to assist Authenticator Vendors (implementers) completing Authenticator Certification at L3 or L3+, depending on the selected Companion Program.Download: Level 3/3+
FIDO Impact Analysis Report (FIAR)  This document defines the FIDO Impact Analysis Report (FIAR) template listing the scope and the structure of the expected contents. It describes the requirements for when changes are made to the authenticator and helps determine whether the authenticator is eligible for Derivative or Delta certification. This report must be completed by Authenticator Vendors (Implementers) and submitted to the FIDO Security Secretariat.Download: FIDO Impact Analysis Report (FIAR)
FIDO Allowed Cryptography List  This document defines Allowed Cryptography referenced in the Authenticator Security and Privacy Requirements.Download: HTML | PDF
FIDO Allowed Restricted Operating Environments List  This document defines the Allowed Restricted Operating Environments referenced in the Authenticator Security and Privacy Requirements.Download: HTML | PDF
FIDO Authenticator Metadata Requirements  This document defines the Authenticator Metadata Requirements referenced in the Authenticator Security and Privacy Requirements.Download: HTML | PDF

Authenticator Certification Process

The Authenticator Certification follows the Functional Certification process, and the Authenticator Certification process adds the evaluation of a completed Vendor Questionnaire at L1 or L2, or a completed Mapping Table at L3 or L3+. The Vendor Questionnaire is how a vendors documents their implementation  meets the Authenticator Security Requirements.

If you already have a certified authenticator and made modifications, or are trying to obtain a Derivative certification, please refer to our Certification Maintenance and Updates page for the correct process to follow. Otherwise, please follow the steps below for Authenticator Certification.

The high-level process steps are:

  1. Preparation
  2. Functional Certification Requirements
  3. Authenticator Certification Application
  4. Security Evaluation 
    • Vendor Questionnaire
    • Security Secretariat (L1) or Accredited Security Laboratory (L2, L3, or L3+) Security Evaluation & FIDO Evaluation Report
  5. Report Review
  6. Certification Issuance
  7. (Optional) Trademark Usage
  8. (Optional) Metadata Submission to FIDO MDS

Preparation
Implementations seeking FIDO Certification must fulfill the requirements specified in the documents above.

All Authenticator Vendors seeking Authenticator Certification must create an account for FIDO Certification, you can request an account, or login.

For Level 2 and higher, it is recommended that the Vendor contact a FIDO Accredited Security Laboratory early to work out contract and NDA details so the Vendor and the Lab are ready for the Security Evaluation process, and so the Accredited Security Laboratory can be listed as part of the Authenticator Certification Application step.

Functional Certification Requirements
Vendors must complete FIDO Functional Certification requirements for Authenticators, including the Conformance Self-Validation and Interoperability Testing, prior to submitting an application for FIDO Authenticator Certification.

For L1, this includes the L1 Interoperability Requirements which  must be verified during Interoperability Testing.

Authenticator Certification Application
To begin FIDO Authenticator Certification, the Vendor completes the Authenticator Certification Application (through the Implementer Dashboard).

The Certification Secretariat is responsible for reviewing and approving the Authenticator Certification Application and, if approved as complete, returning it to the Vendor.

The Authenticator Certification Application must be approved before the Security Evaluation step can begin.

Security Evaluation
The Security Evaluation step includes the Vendor’s attestation of how the implementation meets the Security Requirements, and the Security Evaluation performed by the FIDO Security Secretariat or a FIDO Accredited Security Laboratory.  The Vendor Questionnaire is reviewed  at levels L1 and L2, or the Mapping Table at levels L3 or L3+, and completes the Test Procedures.

For L1, The Vendor Questionnaire is completed in two steps:

  1. L1 Interoperability Requirements are verified during an Interoperability Event for a subset of the L1 Security Requirements. (This must be completed prior to the Authenticator Certification Application).
  2. The Vendor completes the L1 Vendor Questionnaire by providing a rationale for the remainder of the requirements not verified at the Interoperability Event.

Once the Vendor Questionnaire is complete, it is submitted to the Security Secretariat. The Security Evaluationis performed by the Security Secretariat who reviews  the completed Vendor Questionnaire and performs the Security Test Procedures. The Security Secretariat will prepare the FIDO Evaluation Report.

For L2, the Authenticator Vendor (Implementer) chooses a FIDO Accredited Security Laboratory to perform the Security Evaluation. The Authenticator Vendor (Implementer) submits  the L2 Vendor Questionnaire to the FIDO Accredited Security Laboratory and an Approved Evaluator performs the Security Test Procedures. The Approved Evaluator submits  a FIDO Evaluation Report to the Security Secretariat.

For L3 and L3+, the Authenticator Vendor (Implementer) chooses  a FIDO Accredited Security Laboratory to perform Security Evaluation. The Authenticator Vendor (Implementer) submits the Mapping Table to the FIDO Accredited Security Laboratory and an Approved Evaluator performs the Security Test Procedures. The Approved Evaluator submits a FIDO Evaluation Report to the Security Secretariat.

Report Review
Once complete, the Authenticator Vendor (Implementer) reviews the FIDO Evaluation Report prepared by the FIDO Security Secretariat or Accredited Security Laboratory and submits to the Security Secretariat (through the Implementer Dashboard).

For L1, the approved Vendor Questionnaire and FIDO Evaluation Report must be submitted to the Security Secretariat.

For L2 and higher, only the FIDO Evaluation Report must be submitted to the Security Secretariat.

The FIDO Evaluation Report must be approved by the Security Secretariat before the Authenticator Vendor (Implementer) can complete the Certification Request.

Certification Issuance
As part of submitting the required documents to FIDO, the Authenticator Vendor (Implementer) will also submit the Certification Request. The Certification Request is evaluated by the Certification Secretariat to ensure all requirements are met.

The Authenticator Vendor (Implementer) must pay the Authenticator Certification Fees before a Certificate is issued.

Trademark Usage (Optional)
After executing the Trademark License Agreement (TMLA), Authenticator Vendors (Implementers) may use the FIDO® Certified mark and logo on their product, packaging, and marketing literature.

Metadata Submission to MDS (Optional)
The Authenticator Vendor (Implementer) has the option to submit Metadata to the FIDO Metadata Service (MDS).

Implementer Dashboard

Authenticator Vendors (Implementers) can Login to view their Dashboard.

Download Authn Specs
Sign up for updates!Get news from FIDO Alliance in your inbox.

By submitting this form, you are consenting to receive communications from: FIDO Alliance, 3855 SW 153rd Drive, Beaverton, OR 97003, US, http://www.fidoalliance.org. You can revoke your consent to receive emails at any time by using the unsubscribe link found at the bottom of every email.