FIDO Government Deployments and Recognitions

Australian Signals Directorate (ASD)

ASD “Essential Eight”

MFA is one of 8 critical controls recommended. MFA section list “U2F Security Keys” as one recommended technology and directs implementers to use FIDO-certified keys – and links to the FIDO certification site.

Canadian Digital Service

Internal security

Everyone at CDS has security keys

CZ.NIC

MojeID

CZ.NIC is the DNS registry in the Czech Republic and they operate the national identity provider (idP) called mojeID with 800,000+ users. In August 2020, the Czech CZ.NIC received accreditation from the Czech Ministry that their IdP mojeID with support for FIDO is approved as eIDAS eID scheme on Level of Assurance (LoA) Substantial for services integrated with Czech eGovernment system. In September 2020, they launched their service in full production.

In March 2021, the Czech ministry also issued eIDAS accreditation for mojeID’s IdP with eIDAS LoA High, under the following conditions:

– Username and password are used

– The FIDO2 authenticator is FIDO certified at Level 2 (or higher)

– The FIDO2 authenticator is based on a secure element that is certified for FIPS 140-2 Level 3 or Common criteria EAL4 + AVA_VAN5

– The FIDO2 authenticator must have PIN set and PIN is required for all transactions at LoA High

Other Sources:

https://www.nic.cz/page/4180/cznic-received-accreditation-to-manage-a-qualified-electronic-identification-system-from-the-moi-cr/

https://www.nic.cz/page/4187/cznic-launches-a-project-to-interconnect-the-mojeid-service-with-nia/

ANSSI (Agence nationale de la sécurité des systèmes d’information)

Guide to a Zero Trust model (LE MODÈLE ZERO TRUST)

ANSSI’s guide to a Zero Trust model mentions use of FIDO. Among the elements they recommend be integrated are: a use of means of authentication to the state of the art, since two-factor authentication is generally a prerequisite for the implementation of the model Zero Trust, it is recommended to be careful in choosing factors authentication and favor, for example, certificates generated by a trusted key management infrastructure (PKI) or FIDO tokens.

Securities and Futures Commission

Government Agency

e-government services (authentication and transaction signing) for the national cyber security services and management. Involves government, city council and selected industry such as bank, telco, transport and etc.

Norwegian healthcare sector

Targeting the pharmacies, and it is mainly built on Windows technology. The FIDO authenticator is used by the pharmacist to login to her account at the Windows workstation, which gives access to the proper applications and systems. This system is in production at one pharmacy group.

HelseNorge

Providing mobile authentication solutions for the medical staff. In this case, FIDO is used as authentication solution using Android and Apple iOS smartphone apps. This will be tested and evaluated in a proof of concept during the rest of 2020.

Tax Service

Korea National Intelligence Service

Korea National Intelligence Service (a.k.a. KCIA) published its 3rd version of Security Requirements for Government Agencies, which recommends FIDO Authentication as a strong cryptographic 2nd factor option for end user security.

SUNET (Swedeish University Computer Nework)

EduID

Authentication service for university students in Sweden. FIDO is an authentication option, in production.

Ministry of Interior, Ministry of Finance

Taiwan Fido

Taiwan FidO is a mobile authentication service deployed by Ministry of Interior. The citizen can register Taiwan FidO service with personal citizen certificate, and log in to many e-government services using the registered Taiwan FidO account.

Electronic Transactions Development Agency (ETDA)

“Development and Installation of Registration System on Mobile Devices for Use as Authenticator (TOR released in August 2020)”

ETDA is developing a FIDO UAF system which will provide enterprise or organizations as an reference to deploy their mobile authentication application.

National Health Service

NHS Identity Authentication Service

NHS Identity currently authenticates against around 1 million care worker identities in its repository; registered and checked to a high level of confidence several new methods of verifying the subject, such as one time passwords, push notifications, knowledge based secrets, biometric touch id, Windows Hello, cryptographic certificates, FIDO2 supported devices and OIDC Smartcards

Cabinet Office, Government Digital Service

GPG 44 – Using authenticators to protect an online service

The U.K.’s Government Digital Service published updated guidance, Using authenticators to protect an online service (GPG 44). Following NIST, the term ‘credential’ has been replaced with “authenticator”. Transaction monitoring is noted and “High Quality Authenticators” is defined if it has been independently tested to prove it meets industry standards, such as the Common Criteria guidelines, FIDO or FIPS 140-2.

General Services Administration

Login.gov

US system for single sign-on across different agency applications. Use of FIDO is one option.

National Cybersecurity Center of Excellence

Mobile Single Sign-On for Public Safety/First Responders

NIST Cybersecurity Practice Guide demonstrates how commercially available technologies, standards, and best practices implementing SSO, identity federation, and MFA can meet the needs of public safety first responder communities when accessing services from mobile devices.

NIST

Digital Identity Guidelines: Implementation Resources for SP 800-63-3

July 2020 publication highlights use of FIDO in meeting AAL2 requirements for single factor cryptographic

Office of Management & Budget

Implementation of OMB memo M-19-17 – FICAM Policy

Update policy includes: Innovate capabilities and update Federal Public Key Infrastructure (PKI)27 to provide government with a trust framework and infrastructure to administer digital certificates and other authentication solutions, such as those based on public key cryptography. This includes updating the PKI shared service provider approach to enable strong government oversight of service providers, including procurement and cost controls through GSA acquisition solutions as applicable

Drug Enforcement Administration

Electronic Prescribing of Controlled Substances

April 2020 Request for Information included questions about FIDO U2F.