LANGUAGE

Authenticator Level 1

Authenticator Certification Level 1 (L1) evaluates FIDO Authenticator protection against basic, at-scale attacks. Being certified to at least Authenticator Certification Level 1 (L1) is required for UAF, U2F, and FIDO2 certification.

For L1, the Authenticator typically belongs into one of 4 categories:

  1. Authenticator Application running on some HLOS without an effective protection of the Authenticator Security Parameters against most other applications running in the same environment.
  2. Authenticator Application running on some HLOS with an effective protection of the Authenticator Security Parameters against most other applications running in the same environment – without breaking the HLOS.
  3. As #2, but having the Secret Authenticator Security Parameters stored in an Allowed Restricted Operating Environment (AROE).
  4. Entire Authenticator is implemented in an AROE (i.e. typically qualifying for L2+).

Next Steps

Depending on your current implementation and the Level you wish to complete the process varies slightly. The scenarios below will help determine the next steps:

Client or Server Implementation

Certification levels are only for Authenticators, Clients and Servers can complete Functional Certification.

New Authenticator Implementation

If you are completing FIDO Certification for the first time for this implementation, the first step for certification is to start at Functional Certification.

Functional Certification tests conformance to the specifications and Interoperability with FIDO Clients and Servers.

During Interoperability Testing, some requirements will be tested for L1, these are the L1 Certification Testing Procedures and are outlined in the Functional Certification Policy as well as referenced in the Test Procedures included within the Authenticator Security Requirements.

After Functional Certification, the implementation continues on to the process outlined in the Authenticator Certification Policy, and on the Authenticator Certification Levels page.

All L1 implementers must create an account for FIDO Certification, you can request an account, or login.

It is required that the L1 Vendor Questionnaire be evaluated by the FIDO Security Secretariat as part of the Security Evaluation step of Authenticator Certification.

Functionally Certified Authenticator Implementation

First step to recieve L1 Certification for an existing Functionally Certified Implementation is to complete Functional Certification again, during Interoperability Testing, L1 Certification Testing Procedures must be verified by the Test Proctor during Interoperability Testing.

Once the Functional Certification steps are completed, you will be ready to continue on to the process outlined in the Authenticator Certification Policy, and on the Authenticator Certification Levels page,to finish the Vendor Questionnaire and submit it to the FIDO Security Secretariat for Security Evaluation.

All L1 implementers must create an account for FIDO Certification, you can request an account, or login.

L1 Certification Fees

Fees are per implementation certified and must be paid before a Certificate will be issued.

For an overview of the different Certification options and fees, please review the Authenticator Certification Scenarios page.

Functional Certification Fees

  • FIDO Member: $5,000 USD
  • FIDO Member Derivative: $500 USD
  • Non-Member: $6,500 USD
  • Non-Member Derivative: $750 USD

L1 Certification Fees

  • Free*

* Authenticators completing L1 are required to pay the Functional Certification Fee, there is no additional fee for L1 Certification.

Implementer Dashboard

Implementers can Login to view their Dashboard.

Download Specs