FDO Certification Process Overview
FDO Certification is independent of other FIDO Alliance certification programs.
The path to achieving FDO certification begins following product development. Product development is out of the scope of the FDO Certification. Read all FDO specifications, certification requirements, and policies prior to applying for certification. Implementer guidance documentation and the FDO Developer Forum are available resources for product development support.
The following table indicates the required steps for certification of each product.
FDO Implementation Class
| |Device Onboarding (DO) Service|Device/FDO-Enabled Device|Rendezvous Server (RV)|
|---|---|---|---|
|Step 1: Application|✅|✅|✅|
|Step 2: Conformance Testing|✅|✅|✅|
|Step 3: Interoperability Testing|✅|✅|✅|
|Step 4: Security Evaluation|✅|✅|Not Applicable|
|Level 1 (L1) VQ|✅|✅|Not Applicable|
|Step 5: Certification Request|✅|✅|✅|
|Certification Fee Invoicing and Payment|✅|✅|✅|
|Step 6: Certificate Issuance|✅|✅|✅|
|Step 7: Certification Maintenance|✅|✅|✅|
Step 1: Application
To begin the FDO Certification process, the Vendor must complete the FDO Certification Application, and the FIDO Certification Secretariat will approve and confirm receipt. The application is intended to provide FIDO Certification with administrative details about the certifying Vendor, as well as provide general information about the implementation(s) seeking FDO Certification.
The certification application is available here.
Additionally, if not already completed by the certifying Company, the Vendor must complete and submit a FIDO Certification Non-Disclosure Agreement (NDA) to the Certification Secretariat at: email@example.com.
Step 2: Conformance Testing
The Vendor self-administers and successfully completes FDO Conformance Testing by using the test tools and submitting results to the FIDO Certification Secretariat for any implementation seeking FDO Certification.
Please reference the Functional Certification program page for more information about FDO Conformance Testing.
Step 3: Interoperability Testing
Following successful completion of FDO Conformance Testing, the Vendor registers and successfully completes FDO Interoperability Testing for any implementation seeking FDO Certification.
Please reference the Functional Certification program page for more information about FDO Interoperability Testing, including a schedule for upcoming FDO Interoperability Testing Events and a link for event registration.
Step 4: Security Evaluation
The Security Evaluation step is required for certifying Device Onboarding Services and Devices. Rendezvous Servers are exempt from completing Security Certification.
After completing FDO Interoperability Testing, the Vendor must complete one FDO Vendor Questionnaire (VQ) per certifying product. Completed VQ(s) are to be submitted to: firstname.lastname@example.org.
The FIDO Security Secretariat will confirm receipt of the submission and review each VQ in the order in which it was received. The Security Secretariat might request additional clarification and, in some cases, further details. Upon successful evaluation, the Security Secretariat will mark the VQ approved and notify the Vendor and the Certification Secretariat.
Step 5: Certification Request
The Vendor is requested by the FIDO Certification Secretariat to submit a Certification Request once all applicable certification testing and/or evaluation steps are completed.
Rendezvous Servers
Following successful completion of Functional Certification requirements, the Certification Secretariat will send an email verifying all completed certification steps and request the Vendor to complete a Certification Request.
Device Onboarding Services and FDO-Enabled Devices
Following the successful completion of Functional and Security Requirements, the Certification Secretariat will send an email verifying all completed certification steps and request the Vendor to complete a Certification Request.
Certification Requests trigger an invoicing process to be completed between the Vendor and FIDO Alliance. Upon receipt of payment by the Vendor, the Certification Secretariat will complete Certificate Issuance.
Step 6: Certificate Issuance
Upon receipt of payment, the Certification Secretariat will assemble an FDO Certificate per certified product and issue each certificate to the Vendor by email. At this time, and if not already completed by the certifying Company, the Vendor is requested to complete a FIDO Trademark License Agreement (TMLA) in the event the Vendor wishes to use FIDO® Certified logos. A fully executed TMLA is required per company per version of the TMLA. The Certification Secretariat will also request the Vendor to confirm the accuracy of the product and company fields that are enclosed as part of the FDO Certificate(s). If changes are required, the Vendor is asked to respond within 3 business days by email, noting any modifications.
Following confirmation of the FDO Certificate details, the Certification Secretariat will upload the FDO Certified Product Certificate to the FIDO Certified Product Database.
Step 7: Certification Maintenance
From time to time, changes can occur with a FIDO® Certified Product. Rendezvous Servers might be licensed or sold, resulting in a requirement to complete Derivative certification maintenance. Device Onboarding Services and FDO-Enabled Devices might be affected by changes related to FDO Security Requirements, resulting in a requirement to complete an evaluation of such changes, which are classified as non-interfering, minor, or major and correspond to Derivative, Delta, and Recertification, respectively.
Certification Maintenance includes requirements for all FIDO® Certified Products, lasting their full product lifecycle. Vendors of FIDO® Certified Products must adhere to and maintain their certifications through certification maintenance. Reference certification program policy documentation for complete certification maintenance, vendor obligations, and certification revocation information.
Certification Maintenance processes are delineated by FDO Implementation Class.
Rendezvous Servers
Certification Maintenance for FIDO® Certified Rendezvous Servers comprises a process that verifies changes to RV Server components that are classified as non-interfering and require Derivative certification. This process is made up of one step. The benefit of derivative certification is that the certifying implementations are not required to go through Functional Certification testing, and each derivative certification is subject to a lower fee than base certifications.
The following scenarios are designed to help determine whether an implementation could qualify for a Derivative Certification:
|FIDO® Certified Implementation – Rendezvous Server|Derivative?|
|---|---|
|Company B using a publicly available FIDO® Certified Rendezvous Server from Company A, the company that completed the base certification, and the implementation used by Company B remains unchanged|Yes|
|Company B using a FIDO® Certified Rendezvous Server that was licensed or sold by Company A, the company that completed the base certification, and the implementation used by Company B remains unchanged|Yes|
|Company B using a FIDO® Certified Logo on their website relating to a FIDO® Certified Rendezvous Server component from another company|Yes|
|Company with FIDO® Certified implementation [Product v1.0] and introduces new product [New Product v2.0] that is different from Product 1.0, but the FIDO® Certified Rendezvous Server components have remained unchanged|Yes|
|Company with FIDO® Certified implementation [Product v1.0] and introduces new product [New Product v2.0] that is different from Product 1.0, including changes made to the FIDO® Certified Rendezvous Server components|No|
To apply for Derivative certification of a FIDO® Certified Rendezvous Server, the Vendor must complete a Rendezvous Server Derivative Certification Request Form, including the base certificate number of the certified product.
Device Onboarding Services and FDO-Enabled Devices
Certification Maintenance for FIDO® Certified Device Onboarding Services and FDO-Enabled Devices comprises multistep processes that verify changes classified as either non-interfering, minor, or major. These changes may affect the FDO Security Requirements. Such a change might be a patch designed to correct a discovered flaw, an enhancement to a feature, the addition of a new feature, or any other change to the FIDO® Certified FDO Hardware and/or Software.
Step #1: Certification Maintenance Evaluation
To evaluate the impact of these types of changes, the Vendor is required to complete the FDO Impact Analysis Report (FIAR) Form. A description of changes and the source certificate number of the certified product are submitted as part of the FIAR Form, which the FIDO Security Secretariat then evaluates. The described changes are analyzed, and their impact on the FDO Security Requirements coverage is determined. The Security Secretariat will provide a judgment based on the characteristics of the changes made to the certifying product. The outcome is that the changes are classified as NON-INTERFERING, MINOR, or MAJOR, resulting in Derivative, Delta, or Recertification, respectively.
To apply for Device Onboarding Services and FDO-Enabled Devices certification maintenance, the Vendor must complete a FIAR Form.
The Security Secretariat will confirm receipt of the submission and review each FIAR Form in the order in which it was received. The Security Secretariat might request additional clarification and, in some cases, further details. Upon completion of the evaluation, the Security Secretariat will mark and specify the type of classified changes, noting approval or denial.
Step #2: Certification Maintenance Request
Based on the results of the FIAR evaluation:
For Derivative certification, the Vendor is requested to complete a Derivative/Delta Certification Request Form.
For Delta certification, the Vendor is requested to first complete Conformance and Interoperability Testing steps to confirm that the evaluated changes do not impact the functional characteristics of the product. Upon successful completion, the Vendor is requested to complete a Derivative/Delta Certification Request Form.
For Recertification, the Vendor is requested to begin the certification process at the start.
Derivative/Delta Certification Requests trigger an invoicing process to be completed between the Vendor and FIDO Alliance. Upon receipt of payment by the Vendor, the Certification Secretariat will complete Certificate Issuance.