Getting Started

FIDO Certification is currently available for UAF v1.1, U2F v1.2, and FIDO2 1.0 Specifications for Server, Client, and Authenticator implementations. For FIDO2 and U2F, the transport may be Bluetooth Low Energy, NFC, or USB.

All implementations completing the FIDO Certification process are required to pass Functional Certification requirements, including Conformance Self-Validation and Interoperability Testing.

Note that Authenticators, as the key to FIDO security and privacy, are able to certify to different levels. Higher levels provide higher assurance of security and privacy. Currently Level 1, Level 1+, Level 2, Level 3, and Level 3+ are available, see Authenticator Certification Levels for more information. Additional process steps are required for L1, L1+, L2, L3, and L3+ Certification after Functional requirements are met. Authenticators must be certified to at least Authenticator Certification Level 1 (L1) for UAF, U2F, and FIDO2 implementations.


Supported Specification Versions

The FIDO Certification program upholds the latest standards developed by the FIDO Alliance.

When a new FIDO Specification version is approved as a Proposed Standard, and test tools are available for the new version, any implementations applying for FIDO Certification may implement the new version. A new version refers to a version within the same specification family, so for example, UAF 1.0 upgrading to UAF 1.1.

A specification version is considered Available for Certification (Certification Availability Date) when the first Interoperability Event can be held for the new version. In order for a valid, official, interoperability test there must be two of each implementation class, where each of the two implementations in each class must be from a different implementer company.

The minimum time period between the Certification Availability Date of the new specification version and the Sunset Date of the previous specification version is:

  • Servers: At least 6 months after the Certification Availability Date.
  • Clients/Authenticators: At least 18 months after the Certification Availability Date.

After this deadline, the previous specification version will be Sunset (retired) from the Functional Certification Program and applications for implementations based on retired versions will no longer be accepted for Functional Certification.

Certification is currently supported for the following specification versions:

SpecificationImplementation ClassVersionProposed Standard DateCertification Availability DateSunset Date
FIDO2Server1.02018-08-15
FIDO2Authenticator1.02018-08-15
UAFServer1.12017-08-152018-07-13
UAFClients/Authenticators1.12017-08-152018-07-13
UAFServer1.02015-04-022015-04-292019-03-01
UAFClients/Authenticators1.02015-04-022015-04-292020-01-31
U2FServer1.02015-04-022015-04-292019-12-31
U2FAuthenticator1.02015-04-022015-04-292019-12-31
U2FServer1.12016-12-072017-11-132021-05-21
U2FAuthenticator1.12016-12-072017-11-132022-05-21
U2F Authenticator1.22017-04-112020-11-19
U2FServer1.22017-04-112020-11-19

Functional Certification Policy Versions

The following table includes links to the current and previous versions of the Functional Certification Policy.

When the policy document is updated, changes are mandatory for new certifications 18 months after the publication date for major versions, and 90 days after the publication date for minor versions.

Active versions indicate the versions currently available for Certification.

Policy VersionPublication DateMandatory for New Certifications DateVersion Summary
1.3.92021-10-102021-10-10 – ActiveProgram clarifications as they relate to CTAP1 and CTAP2, and other FIDO2 certification guidance.
Adding profile to certificate (i.e., Consumer, Enterprise, etc.)
Removal of Interoperability types shipped and in-person.
1.3.82021-03-103/10/21 – SunsetRemoval of U2F Server requirement for Universal Server.
1.3.72019-02-282019-03-01 Added modifications for internal authenticator combo certification. Moved FIDO2 Reference Implementations section to 4.2.1, under previous reference implementation section.
1.3.62018-09-042018-11-23 (Replaced by v1.3.7)Modified derivative test procedures for changes below the matcher level for L1 and test tool failures. Added note that authenticator must past conformance and interop testing for all transports that the authenticator supports.

 

Added additional Reference Implementations not previously addressed in the Policy document.

1.3.42018-05-172018-11-23
(Replaced by v1.3.6)
Added changes to include FIDO2 Certification and updates to address Authenticator Certification Security levels 3 and 3+
1.3.32017-11-162018-11-23
(Replaced by v1.3.4)
Clarifications to the Specification Version Retirement regarding the Certification Availability Date and Sunset Date
1.3.22017-07-272018-11-23
(Replaced by v1.3.3)
Added a step to the Revocation process which requires approval from the Board Certification Committee prior to revoking a Certification.
1.3.12017-06-152018-11-23
(Replaced by v1.3.3)
Added the option to list multiple Derivatives on one Certification Request as long as they are from the same Base Certificate. Added Revocation section within Certification Issuance. Removed of some L1 Interoperability Requirements as decided by SRWG.
1.3.02017-05-232018-11-23
(Replaced by v1.3.3)
Changes to support Authenticator Certification Levels. New Requirement for Authenticators to complete L1 or L2 Certification.

Authenticator Certification Policy and Requirements

All vendors seeking Authenticator Certification, please visit the Authenticator Certification pages for current and up-to-date program policies and requirements