For Consumer Electronics OEMs or other implementers that will be certifying a large number of implementations that are all based on the same FIDO® Certified implementation, FIDO offers derivative certification. The benefit of derivative certification is that the implementations are not required to go through interoperability testing and each derivative certification is subject to a lower fee than base certifications.
A prerequisite to applying for a derivative certification is that each derivative must have the same FIDO implementation and configuration as a certified implementation. Any hardware and software that play a significant role in the FIDO implementation must not be changed, with the exception of critical bug fixes and security patches. There is currently no requirement that the derivative and base certification be registered by the same company.
Derivative Scenarios
The following scenarios are designed to help determine whether an implementation could qualify for a Derivative Certification before completing the FIAR.
Implementation | Derivative? |
Company B Using a FIDO® Certified SDK from Company A | Yes |
Company B Using a FIDO® Certified hardware module with FIDO software burned into it from Company A | Yes |
Mobile Phone that is FIDO® Certified releases a new model | Yes |
Mobile Phone that is FIDO® Certified has several variations (e.g. different colors, 32 GB, 64 GB) | No. Variations that do not alter the implementation are covered under original certification. |
Website using a FIDO enabled authentication based on a FIDO® Certified server component licensed from another company | Yes |
Company with FIDO® Certified implementation [New Product 1.0] introduces a new product [New Product 1.0.1] that is the same as the previous implementation, except that it fixes some typos, fixes some bugs, and applies new security patches | No. Product is functionally the same and does not require new certification or derivative certification. |
Company with FIDO® Certified implementation [New Product 1.0.1] introduces new product [New Product 1.1] that adds some features unrelated to FIDO | No. Product is functionally the same and does not require new certification or derivative certification. |
Company with FIDO® Certified implementation [New Product 1.1] introduces new product [New Product 2.0] that is different from New Product 1.1, but the FIDO components have remained unchanged | Yes |
Company with FIDO® Certified implementation [New Product 2.0] introduces New Product 3.0 that adds/removes/modifies FIDO functionality | No. Product must undergo the full certification process and receive a new certificate. |
Bulk Derivative (Optional)
More than one Derivative may be submitted using the Certification Registration Form, as long as the following requirements are met:
- All Derivatives must be from the same Base Certificate.
- At least one of the Derivatives in each Certification Registration Form must complete the Derivative Test Plan (including passing Conformance Self-Validation Testing). The information filled out in the form should be that of the Derivative that meets this requirement.
- For the remaining Derivatives being submitted, the Vendor must complete the Bulk Derivative Template (provided in Excel) and upload it as the Bulk Derivative Submission in the Certification Registration Form.
- The information for the Derivative that has completed the Derivative Test Plan must not be duplicated in the Bulk Derivative Submission.
By uploading the Bulk Derivative Submission, the Vendor is self-attesting that the Derivatives listed in the form and the Bulk Derivative Submission do not change FIDO functionality and could meet the requirements outlined in the Derivative Test Plan.
Submitting a Derivative Certification Request
When registering for a Derivative Certification, the Base Certification Certificate number must be submitted along with Derivative Test Plan Results. The Derivative Test Plan Results are intended to show that the FIDO implementation has gone through at least a minimal amount of testing to ensure that the implementation is correct and functional.
The following are required as part of the Derivative FIDO Certification submission:
- Certification Registration Form
- Completed Self-Conformance Test Results
- Derivative Test Plan
- FIDO Vendor Self-Assertion Checklist
- Certification Fees
- A completed FIAR report