FIDO Certification is currently available for UAF 1.0 and 1.1, U2F 1.0 and 1.1, and FIDO2 2.0 Specifications for Server, Client, and Authenticator implementations. For U2F, the transport may be Bluetooth Low Energy, NFC, or USB.
All implementations completing the FIDO Certification process are required to pass Functional Certification requirements, including Conformance Self-Validation and Interoperability Testing.
Note that Authenticators, as the key to FIDO security, can be certified to different levels. Higher levels provide higher assurance of security and privacy. Currently Level 1, Level 2, Level 3, and Level 3+ are available; see Authenticator Certification Levels for more information. Additional process steps are required for L1, L2, L3, and L3+ Certification after Functional requirements are met. Authenticators must be certified to at least Authenticator Certification Level 1 (L1) for UAF, U2F, and FIDO2 implementations.
Supported Specification Versions
The FIDO Certification program upholds the latest standards developed by the FIDO Alliance.
When a new FIDO Specification version is approved as a Proposed Standard, and test tools are available for the new version, any implementations applying for FIDO Certification may implement the new version. A new version refers to a version within the same specification family, for example, UAF 1.0 upgrading to UAF 1.1.
A specification version is considered Available for Certification (Certification Availability Date) when the first Interoperability Event can be held for the new version. For a valid, official interoperability test, there must be two implementations of each implementation class, and the two implementations in each class must come from different implementer companies.
The minimum time period between the Certification Availability Date of the new specification version and the Sunset Date of the previous specification version is:
- Servers: At least 6 months after the Certification Availability Date.
- Clients/Authenticators: At least 18 months after the Certification Availability Date.
After this deadline, the previous specification version will be Sunset (retired) from the Functional Certification Program, and applications for implementations based on retired versions will no longer be accepted for Functional Certification.
Certification is currently supported for the following specification versions:
|Specification||Implementation Class||Version||Proposed Standard Date||Certification Availability Date||Sunset Date|
Functional Certification Policy Versions
The following table includes links to the current and previous versions of the Functional Certification Policy.
When the policy document is updated, changes are mandatory for new certifications 18 months after the publication date for major versions, and 90 days after the publication date for minor versions.
Active versions indicate the versions currently available for Certification.
|Policy Version||Publication Date||Mandatory for New Certifications Date||Version Summary|
|1.3.7||2019-02-28||2019-03-01 – Active||Added modifications for internal authenticator combo certification. Moved FIDO2 Reference Implementations section to 4.2.1, under previous reference implementation section.|
|1.3.6||2018-09-04||2018-11-23 (Replaced by v1.3.7)||Modified derivative test procedures for changes below the matcher level for L1 and test tool failures. Added note that authenticator must pass conformance and interop testing for all transports that the authenticator supports.|
Added additional Reference Implementations not previously addressed in the Policy document.
(Replaced by v1.3.6)
|Added changes to include FIDO2 Certification and updates to address Authenticator Certification Security levels 3 and 3+|
(Replaced by v1.3.4)
|Clarifications to the Specification Version Retirement regarding the Certification Availability Date and Sunset Date|
(Replaced by v1.3.3)
|Added a step to the Revocation process which requires approval from the Board Certification Committee prior to revoking a Certification.|
(Replaced by v1.3.3)
|Added the option to list multiple Derivatives on one Certification Request as long as they are from the same Base Certificate. Added Revocation section within Certification Issuance. Removed some L1 Interoperability Requirements as decided by SRWG.|
(Replaced by v1.3.3)
|Changes to support Authenticator Certification Levels. New Requirement for Authenticators to complete L1 or L2 Certification.|
|1.2.5||2017-03-09||2017-06-07 – Active||Transport Certification requirements updated from Mandatory to Optional.|
|1.2.4||2017-02-07||2017-05-08||Clarified that Derivatives are bound to the Functional Certification Policy for which the original (base) certification was certified against.|
|1.2.3||2016-12-01||2017-03-01||Added the requirement for U2F Authenticators to submit Metadata.|
|1.2.2||2016-09-08||2016-12-07||Added the requirement for Derivatives to complete Conformance Self-Validation Testing.|
|1.2.1||2016-07-28||2016-10-26||Added Specification Version Retirement and Certification Version Maintenance sections.|
|1.2.0||2016-05-18||2016-08-16||Added the option for On Demand Interoperability Testing.|
|1.1.1||2016-03-17||2016-06-15||Deprecation of FIDO Ready™, Non-Member Access Agreement and Fee removed, changes to support Interoperability Events with a high number of attendees. Vendor Self-Assertion checklist added as a Certification Request requirement.|
|1.1.0||2015-09-03||2015-12-02||Minor program clarifications.|
Authenticator Certification Policy Versions
The following table includes links to the current and previous versions of the Authenticator Certification Policy.
|Policy Version||Publication Date||Active Date||Version Summary|
|1.1.1||2018-05-17||2018-05-17 – Active||Added details to include FIDO2 Specification.|
(Replaced by v1.1.1)
|Initial version for FIDO Authenticator Certification Levels|