FIDO Alliance’s Biometric Component Certification Program is independent of its other certification programs. There are no FIDO certification prerequisites to apply for biometric component certification for a subsystem. Once a biometric subsystem has been certified, there are rules for how it can be integrated into an authenticator seeking FIDO Authenticator Certification. These rules are described in the Allowed Integration Document and are defined by the biometric vendor during the biometric component certification process.
The use of a certified biometric component is optional for level 1 and level 2 FIDO authenticators. At level 3 and higher, an authenticator shall use a certified biometric component if a biometric modality is used for authentication.
The following figure and paragraphs explain the overall certification process for a biometric component.
Application
To apply for certification of a biometric component, the developer first needs to apply for an account via the account request form. After this account has been created, the developer can log in to the Biometric Dashboard and issue a request for certification.
FIDO Alliance’s biometric component certification secretariat reviews the application and notifies the vendor whether it is approved, rejected, or requires clarification.
Biometric Testing
In this step of the overall process the vendor submits the biometric component to a FIDO accredited biometric laboratory along with its required documentation. A time estimate is provided by the accredited laboratory; vendor and laboratory agree on the cost involved for testing.
The FIDO Accredited biometric laboratory is responsible for testing against the requirements through a combination of online and offline live subject testing. The first step in the certification process is demonstrated below.
An allowed integration document is used to document the changes that may be necessary to accommodate integration of the biometric component into an authenticator. The allowed integration document must be drafted by the vendor and provided to the accredited biometric laboratory.
A list of FIDO Accredited Biometric Laboratories is available on the FIDO website.
Laboratory Reports
The accredited laboratory performs testing and returns a laboratory report to the vendor and to FIDO’s biometric certification secretariat. The report also includes the review of the allowed integration document. The laboratory must validate that the changes will not impact fulfilling the requirements.
FIDO Alliance’s biometric component certification secretariat reviews the laboratory report and makes a decision to approve, reject, or ask for clarification.
Certification Request
After the laboratory report has been approved, the vendor completes a certification request. The certification request also includes metadata to be added to the metadata service to describe the certified biometric subsystem (see FIDO Metadata Service).
FIDO Alliance provides information to relying parties regarding FIDO authenticators through the FIDO Metadata Service. This information can be used by relying parties for purposes such as determining whether it accepts the authenticator or enables certain privileges (e.g., checking an account balance vs. transferring funds).
The biometric-related information that the FIDO Metadata Service provides includes the following:
- Biometric Certification Level
- Self-Attested False Accept Rate (FAR)
- Self-Attested False Reject Rate (FRR)
Submitting metadata to the FIDO Metadata Service is optional. However, metadata must be submitted during the biometric component certification process and will be verified for accuracy and completeness during the laboratory evaluation.
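A relying party could act on these three fields as sketched below. This is an added example, not FIDO Alliance code: the field names follow the FIDO Metadata Service v3 entry and metadata statement format, while the FAR threshold, the tier names and the sample entries are assumptions constructed for illustration.

```python
# Added example: map the biometric data in an MDS entry to a privilege tier.
BIOMETRIC_METHODS = {"fingerprint_internal", "faceprint_internal",
                     "voiceprint_internal", "eyeprint_internal",
                     "handprint_internal"}
MAX_FAR_FULL = 1e-4  # assumed relying-party threshold, not a FIDO requirement

def worst_far(statement):
    """Highest self-attested FAR over all biometric methods.
    None: no biometric method declared. inf: a method omits its FAR."""
    worst = None
    for combination in statement.get("userVerificationDetails", []):
        for method in combination:
            if method.get("userVerificationMethod") not in BIOMETRIC_METHODS:
                continue
            far = (method.get("baDesc") or {}).get("selfAttestedFAR")
            far = float("inf") if far is None else far
            worst = far if worst is None else max(worst, far)
    return worst

def cert_level(entry):
    """Highest biometric certification level reported for the entry (0 if none)."""
    reports = entry.get("biometricStatusReports", [])
    return max((r.get("certLevel", 0) for r in reports), default=0)

def privilege_tier(entry):
    """'full' (e.g. transferring funds), 'limited' (e.g. checking a balance),
    or 'no-biometric' when this biometric policy does not apply."""
    far = worst_far(entry.get("metadataStatement", {}))
    if far is None:
        return "no-biometric"
    if cert_level(entry) >= 1 and far <= MAX_FAR_FULL:
        return "full"
    return "limited"  # self-attested only, missing FAR, or FAR too high

def _entry(method, ba_desc=None, reports=None):
    """Build a constructed sample entry (not real MDS data)."""
    m = {"userVerificationMethod": method}
    if ba_desc is not None:
        m["baDesc"] = ba_desc
    e = {"metadataStatement": {"userVerificationDetails": [[m]]}}
    if reports is not None:
        e["biometricStatusReports"] = reports
    return e

RATES = {"selfAttestedFAR": 2e-5, "selfAttestedFRR": 0.03}
CERTIFIED = _entry("fingerprint_internal", RATES, [{"certLevel": 1}])
SELF_ATTESTED = _entry("fingerprint_internal", RATES)
MISSING_FAR = _entry("faceprint_internal", None, [{"certLevel": 1}])
PIN_ONLY = _entry("passcode_internal")
```

A missing FAR is treated as the worst case, so an incomplete statement can never reach the higher tier.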
Certification Issuance
FIDO Alliance reviews and, if complete, approves the certification request and issues a biometric component certificate.
Metadata Submission to MDS (Optional)
The vendor has the option to submit Metadata to the FIDO Metadata Service (MDS).