Authenticator Certification Level 3 (L3) evaluates FIDO Authenticator protection against enhanced-basic effort software and hardware attacks.
For L3, the Authenticator is required to conform to a solution included in FIDO Allowed Restricted Operating Environment and Allowed Cryptography lists as part of the Authenticator Security Requirements.
Examples of implementations that will meet Level 3 Security Requirements:
USB U2F Token built on a basic CPU with a CC certified OS at AVA_VAN.3 or above. In addition to a good physical anti-tampering enclosure.
UAF implemented as a Trusted Application running on a certified TEE with POP memory – intrusion-resistant and tamper-evident FIPS-validated.
FIDO2 Authenticator implemented on a CPU with RAM encryption and integrity check connected to RAM via simple PCB. The hardware casing cannot be opened easily and this opening shall be visible to the user.
If your implementation does not meet these requirements, please visit Authenticator Level 2.
Next Steps
The process varies slightly depending on your current implementation and the Certified Authenticator Level you wish to complete. The scenarios below will help determine the next steps:
Client or Server Implementation
Certification levels are only for Authenticators; Clients and Servers can complete Functional Certification.
New Authenticator Implementation
If you are completing FIDO Certification for the first time for this implementation, the first step for certification is to start with Functional Certification.
Functional Certification tests conformance to the specifications and Interoperability with FIDO Clients and Servers.
No Security Requirements are tested during interoperability testing for L3, but the Functional Certification steps are still required.
After Functional Certification, the implementation continues on to the process outlined in the Authenticator Certification Policy, and on the Authenticator Certification Levels page.
It is required that the Level 3 vendor questionnaire be evaluated by a FIDO Accredited security laboratory as part of the security evaluation step of Authenticator Certification. The vendor is responsible for choosing and working with one of the FIDO Accredited Security Laboratories to complete the security evaluation.
All L3 implementers must create an account to submit for FIDO Certification, you can request an account, or login.
Functionally Certified Authenticators seeking L3 Certification do not have added interoperability requirements as these were already met during the functional certification process. The next required step is to complete the Vendor Questionnaire – as is detailed in the Authenticator Certification Policy and on the Authenticator Certification Levels page.
The Level 3 Vendor Questionnaire must be evaluated by a FIDO Accredited security laboratory. The Vendor is responsible for choosing and working with one of the FIDO Accredited Security Laboratories to complete the Security Evaluation.
Biometric Component Certification and Authenticator Certification Relationship
Implementations completing Authenticator Certification Level 3 or above that use biometric authentication is required to complete the Biometrics Certification prior to starting Authenticator Certification (including the Security Evaluation).
All L3 implementers must create an account for FIDO Certification; you can request an account, or login.
L3 Certification Fees
Fees are per implementation certified and must be paid before a Certificate will be issued.
For an overview of the different Certification options and fees, please review the Authenticator Certification Scenarios page.
Functional Certification Fees
FIDO Alliance Member: $6,000 USD
Non-Member: $7,800 USD
L3 Certification Fees
FIDO Member: $9,000 USD
FIDO Member Derivative: $1,000 USD
FIDO Member Delta: $1,200 USD
Non-Member: $15,600 USD
Non-Member Derivative: $1,250 USD
Non-Member Delta: $2,100 USD
Laboratory Security Evaluation Fees
There is no FIDO Alliance Fee for a Laboratory Evaluation. The cost for the Security Evaluation will depend on the Accredited Security Laboratory used by the Vendor.
Document Authenticity (DocAuth) Certification Program for Remote Identity Verification
Sign up for updates!Get news from FIDO Alliance in your inbox.
By submitting this form, you are consenting to receive communications from: FIDO Alliance, 3855 SW 153rd Drive, Beaverton, OR 97003, US, http://www.fidoalliance.org. You can revoke your consent to receive emails at any time by using the unsubscribe link found at the bottom of every email.
