FIDO Authenticator Certification Companion Program

Companion Programs are independent testing programs which FIDO partners with to lessen the certification burden on vendors. Companion Programs can be found within Security Level 3 and above.

The vendor will be given access to a document prepared by FIDO Alliance’s Security Requirements Working Group to aid a vendor completing L3 or L3+ Certification. The Companion Program Mapping Table maps requirements from the Companion Program to the FIDO Security Requirements.

The Companion Program covers typically the underlying platform which provides security functionalities to the Authenticator Application. The intention is to ensure that the security policy of the FIDO Authenticator does not contradict the security policy of the underlying platform (e.g. IC + Java Card OS) and that the final product (IC + OS + FIDO Authenticator) does fulfill the FIDO security requirements as defined for L3 and L3+.

The vendor should complete this mapping table by referencing their Partner Program evidence or add new evidence to fulfill all FIDO security requirements relevant to the Target of Evaluation.

One way to achieve this is by following the 3 steps below:

1. Formulate a Security Target (ST) for the Authenticator Application independently from the underlying platform.

2. Use the mapping spreadsheet to identify the intersection between the ST of the Authenticator Application and the certified Platform ST by analyzing and comparing their security functionality and complete this table by adding a coverage rationale column.

3. Identify under which conditions the application can trust in and rely on the certified platform security functionality being used by the composite TOE without re-evaluating them and provide a justification.

4. Submit the Companion Program evidence to a FIDO Accredited Lab as requested for the certification level aimed.

Current Approved FIDO Authenticator Certification Companion Programs:

Common Criteria Companion Program

  • Common Criteria or ISO/IEC 15408, with Protection Profiles covering Smart Cards, TPMs and Similar Devices claiming an AVA_VAN.3 (or higher) vulnerability assessment.

FIPS 140-2 level 3 and above (available soon)