Bringing clarity and assurance to FIDO authentication with passkeys
As passkey adoption expands worldwide, it’s important for service providers implementing passkeys and vendors building FIDO-compliant authenticators to understand the function of FIDO authenticators and the protection they offer for cryptographic credentials.
FIDO Authenticator Security Levels provide a way for vendors to test and certify their authenticators according to the security protections they provide – including how credentials are generated, stored, and defended against attack. This clarity enables organizations to select appropriate authentication solutions and deploy passkeys in a way that aligns with their security and regulatory requirements.
While all FIDO Certified authenticators meet baseline security requirements and protect against scalable remote attacks such as phishing and replay, higher security levels introduce progressively stronger protections to address different risk profiles, threat models, and regulatory needs.
Delivering Trust Across the Authentication Ecosystem
FIDO Authenticator Security Levels Certification strengthens trust across the FIDO ecosystem by providing clear, standards-based assurance for passkey-based authentication.
For relying parties, the program:
- Enables RFP and evaluation processes by making authenticator security properties transparent and comparable
- Provides confidence in the security properties of FIDO authenticators
- Supports consistent security expectations across devices, platforms, and vendors
- Helps deploy secure, privacy-preserving authentication at scale
For vendors, the program:
- Offers a globally recognized certification program to validate security claims
- Provides independent assurance aligned with real-world threat models
- Enables differentiation through measurable, interoperable security levels
- Supports broader adoption of passkeys across the ecosystem
Available FIDO Authenticator Security Levels
The chart below outlines the available FIDO Authenticator Security Levels, the types of authenticators eligible for each level, and the protections provided – from baseline phishing resistance to the highest assurance hardware-backed security.
Vendors may choose to certify their authenticators at the level appropriate to their authenticator type and target markets. Organizations can, in turn, select certified authenticators at the appropriate level for their intended use cases.
| Level | Eligible Authenticator Types | Description | Lab involvement | Companion Program | Benefit to RP |
|---|---|---|---|---|---|
| L3+ | Hardware | Builds on L3 by providing the highest assurance level, requiring smartcard-grade secure elements designed to withstand invasive hardware attacks, with advanced countermeasures against fault injection, micro-probing, and high-resolution side-channel analysis. | Vulnerability Testing by FIDO accredited laboratory | Yes: Common Criteria Certified Secure Element (through Java Card PP, IC Platform PP, or 3S in SoC PP); GlobalPlatform FIDO2 SE PP* | Independent third-party evaluation; highest level of defense against remote software attacks and local hardware attacks; appropriate for regulated, high-assurance, and sensitive use cases |
| L3 | Hardware | Builds on L2 by adding resistance to physical attacks, ensuring credential secrets remain protected even if an attacker gains physical access to the device (e.g., against probing, basic fault injection, or side-channel analysis). | Vulnerability Testing by FIDO accredited laboratory | Yes: GlobalPlatform TEE Protection Profile Certification; Common Criteria Certified Secure Element (through Java Card PP, IC Platform PP, or 3S in SoC PP); GlobalPlatform FIDO2 SE PP* | Independent third-party evaluation; protection against remote software attacks and local physical attacks; assurance that credentials remain secure even with device access; enables stronger authentication policies for sensitive applications |
| L2 | Hardware | Requires execution within a hardware-backed Restricted Operation Environment (ROE), offering strong isolation from the rich OS and resilience against malware. A list of allowed ROEs (AROE) is available. | Document Review by FIDO accredited laboratory | N/A | Strong isolation of credential operations from the operating system; protection against remote software attacks, malware, and OS-level compromise; suitable for higher-risk enterprise and workforce sign-in scenarios |
| L1+ | Software | Enhances software-based authenticators with additional hardening based on software-only protection techniques (such as white-box cryptography for handling secrets, or various anti-xxx techniques for protecting authenticator usage) to improve resistance against large-scale software attacks. | Vulnerability Testing by FIDO accredited laboratory, using a dedicated evaluation methodology inspired by Common Criteria | N/A | Independent third-party evaluation; increased resistance to large-scale remote software attacks; state-of-the-art software protection; improved protection for software-based authenticators; greater confidence deploying passwordless authentication without hardware dependencies |
| L1 | Any device, software or hardware (mandatory for Authenticator certification) | Provides baseline protection against scalable remote attacks such as phishing or replay, ensuring proper protocol implementation and basic security hygiene through security best practices. | None (review by FIDO security secretariat) | N/A | Protection against scalable remote attacks such as phishing and replay; assurance of correct FIDO protocol implementation; establishes a consistent security baseline across all certified authenticators through security best practices |
* Only available for CTAP 2.1
Authenticator Certification Process
The Authenticator Certification follows the Functional Certification process and adds the evaluation of a completed Vendor Questionnaire at L1 or L2, or a completed Mapping Table at L3 or L3+. The Vendor Questionnaire is how a vendor documents that its implementation meets the Authenticator Security Requirements. If you already have a certified authenticator and have made modifications, or are trying to obtain a Derivative certification, please refer to our Certification Maintenance and Updates page for the correct process to follow. Otherwise, please follow the steps below for Authenticator Certification.
