Authenticator Certification Level 3+ (L3+) evaluates FIDO Authenticator protection against moderate or high effort software and hardware attacks. The confidence in the Authenticator's security properties is high and the risk of a successful attack is mitigated. At this level, an attacker should be hindered from performing successful attacks at the chip level (e.g. IC package opened/decapsulated and attack equipment can act directly on the silicon chip) with high professional electronic lab equipment within weeks to months. For L3+, the Authenticator is required to conform to a solution included in the FIDO Allowed Restricted Operating Environment and Allowed Cryptography lists as part of the Authenticator Security Requirements.
Examples of implementations that will meet Level 3+ Security Requirements:
Authenticator Level 3+
- An authenticator implemented on a Common Criteria certified Secure Element or TPM
Next Steps
Depending on your current implementation and the Level you wish to complete, the process varies slightly. The scenarios below will help determine the next steps:
Client or Server Implementation
Certification levels are only for Authenticators; Clients and Servers can complete Functional Certification.
New Authenticator Implementation
If you are completing FIDO Certification for the first time for this implementation, the first step is Functional Certification. Functional Certification tests conformance to the specifications and interoperability with FIDO Clients and Servers. No Security Requirements are tested during Interoperability Testing for L3+, but the Functional Certification steps are still required. After Functional Certification, the implementation continues on to the process outlined in the Authenticator Certification Policy and on the Authenticator Certification Levels page. The Level 3+ Vendor Questionnaire must be evaluated by a FIDO Accredited Security Laboratory as part of the Security Evaluation step of Authenticator Certification. The Vendor is responsible for choosing and working with one of the FIDO Accredited Security Laboratories to complete the Security Evaluation. All L3+ implementers must create an account for FIDO Certification; you can request an account or log in.
Functionally Certified Authenticator Implementation
Functionally Certified Authenticators seeking L3+ Certification do not have added interoperability requirements, as these were already met during the Functional Certification process. The next required step is to complete the Vendor Questionnaire, as detailed in the Authenticator Certification Policy and on the Authenticator Certification Levels page. The Level 3+ Vendor Questionnaire must be evaluated by a FIDO Accredited Security Laboratory as part of the Security Evaluation step of Authenticator Certification. The Vendor is responsible for choosing and working with one of the FIDO Accredited Security Laboratories to complete the Security Evaluation.
Biometric Certification and Authenticator Certification Relationship
Implementations completing Authenticator Certification Level 3 or above that use biometric authentication are required to complete the Biometrics Certification prior to starting Authenticator Certification (including the Security Evaluation). All L3+ implementers must create an account for FIDO Certification; you can request an account or log in.
Certification Fees
Fees are per implementation certified and must be paid before a Certificate will be issued. For an overview of the different Certification options and fees, please review the Authenticator Certification Scenarios page.
Functional Certification Fees
- FIDO Alliance Member: $5,000 USD
- Non-Member: $6,500 USD
Authenticator Certification Fees
Authenticator Certification L3+:
- FIDO Alliance Member
  - Authenticator Certification Fees L3+: $7,500 USD
  - Derivative: $500 USD
  - Delta: $500 USD
- Non-Member
  - Authenticator Certification Fees L3+: $13,000 USD
  - Derivative: $750 USD
  - Delta: $750 USD