Document Authenticity Laboratory Accreditation Policy

1. Revision History

2. Introduction

This document gives an overview of the policies that govern Laboratory Requirements for those seeking Laboratory Accreditation for the FIDO Document Authenticity (DocAuth) Certification Program.

It also defines the relationship between FIDO and its Accredited Laboratories.

2.1. Audience

This policy document is intended for Laboratories seeking or maintaining FIDO Laboratory Accreditation for the DocAuth Certification Program.

2.2. Support

For help and support, contact the FIDO Certification Secretariat at certification@fidoalliance.org.

3. Overview

This document covers the DocAuth Laboratory Accreditation process and requirements for FIDO Certification. FIDO may issue other types of Laboratory Accreditation in the future, such Accreditation would be maintained as part of their own Accreditation Program and are outside the scope of this document.

Laboratories that have been Accredited by the FIDO Alliance via the process outlined herein will evaluate the verification of government-issued identity documents according to the Document Authenticity (DocAuth) Requirements [DA-Requirements], and the Document Authenticity (DocAuth) Certification Policy [DA-CertPolicy].

The FIDO Laboratory Accreditation process focuses on the necessary aspects of a Laboratory to evaluate a product for authenticity.

All Laboratories shall follow the process outlined in this document in order to apply for and maintain their Active status as an Accredited Document Authenticity (DocAuth) Laboratory.

3.1. Roles & Responsibilities

3.1.1. FIDO Alliance

The FIDO (Fast IDentity Online) Alliance is a 501(c)6 nonprofit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define open, scalable, and interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.

3.1.1.1. Certification Working Group (CWG)

The Document Authenticity (DocAuth) Laboratory Accreditation program is a responsibility of the FIDO Certification Working Group (CWG) in Companionship with the Identity Verification and Binding Working Group (IDWG), with necessary oversights and approvals from the FIDO Board and collaboration with other FIDO Working Groups where needed.

The CWG may, at the discretion of its members, create subcommittees and delegate responsibilities for all or some portion of the CWG’s certification program responsibilities to those subcommittees. The Certification Secretariat is responsible for implementing, operating, and managing the certification program defined by the CWG.

3.1.1.2. Identity Verification and Binding Working Group (IDWG)

The Identity Verification and Binding Working Group is responsible for defining and maintaining the Document Authenticity (DocAuth) Requirements for Document Authenticity (DocAuth) Certification and acts as Document Authenticity (DocAuth) Experts for FIDO.

3.1.1.3. Certification Secretariat

FIDO Staff responsible for implementing, operating, and managing FIDO Certification Programs.

3.1.1.4. Document Authenticity (DocAuth) Secretariat

FIDO Staff responsible for reviewing applications, evaluation reports, monitoring ecosystem for additional threats, and acting as an independent FIDO identity expert for the FIDO Certification Program. The FIDO Staff that make up the Document Authenticity (DocAuth) Secretariat are: Certification Director, Identity Certification Advisor, Certification Program Development, and individuals designated as Certification Secretariat.

The Document Authenticity (DocAuth) Secretariat will provide an unbiased assessment of the Laboratory Accreditation Application.

3.1.2. Laboratory

FIDO Laboratory Accreditation is available to public and private testing laboratories, including commercial laboratories; university laboratories; and federal, state, and local government laboratories.

3.1.2.1. Authorized Representative

Laboratory-appointed Representative to act as the main point of contact for FIDO.

3.1.2.2. Approved Evaluators

Accredited Document Authenticity (DocAuth) Laboratory personnel that have participated in FIDO Training and satisfactorily completed the Knowledge Test.

3.1.3. FIDO Certification Program

The FIDO Certification Program is intended to certify the authenticity characteristics of various government-issued identity documents and require evaluation and/or testing by a FIDO Accredited Document Authenticity (DocAuth) Laboratory.

4. Laboratory Requirements

Accreditation is granted following the successful completion of the Accreditation process which includes submission of an application, payment of fees, assessments, FIDO Training, and Knowledge Tests.

Laboratories are Accredited for a specific site location. Laboratories will be assessed based on the criteria listed in Laboratory Requirements depending on the requested Scope of Accreditation.

The Accreditation is formalized through issuance of a Certification of Accreditation.

Laboratories are required to maintain their Accreditation status through participation in the FIDO Alliance Accredited Document Authenticity (DocAuth) Laboratory Group, and successfully complete FIDO Training and Knowledge Testing as new requirements or specification versions are released.

Accreditation must be renewed with proof of continuous support of the latest standards and practices every 3 year(s).

There is be a public list of DocAuth Laboratories on the FIDO Website.

4.1. Third Party Accreditation Requirements

The DocAuth Certification Program is based on the defined Document Authenticity (DocAuth) Requirements document. Each lab requesting accreditation under this program is required to provide proof of baseline accreditations as identified below.

Compliance to ISO 17025 [[!ISO17025:2017]] is a prerequisite requirement for all laboratories and can be shown through a third-party accreditation program.

The Laboratory is responsible for maintaining the Third Party Accreditation listed in their Application, or obtaining a new Third Party Accreditation from the list above to maintain their Accredited status. The Document Authenticity Verification Secretariat will track the expiration date of the Third Party Accreditations, the Laboratory will be sent a notice by FIDO when the Third Party Accreditation is close to expiring if updated information has not been provided by the Laboratory. Updating Accreditation Requirements does not require a new Accreditation.

If a Laboratory fails to maintain their Accreditation to meet the Third Party Accreditation Requirements (or any other requirements within this Policy), the Biometric Secretariat will begin the Accreditation Revocation process.

In addition to the required compliance to [[!ISO17025:2017]], the laboratory shall also be able to perform in accordance with the following standards in Third Party Accreditation - Accepted Programs Table.

4.2. Business Requirements

This section describes the overall business requirements which a Laboratory must meet.

4.2.1. Legal

The Laboratory must be recognized as a legal entity and must be (or must be a part of) an organization that is registered as a tax-paying business or as having a tax-exempt status or as a legal entity in some form with a national body.

The Laboratory must be able to sign and abide by all FIDO legal agreements for Accredited Document Authenticity (DocAuth) Laboratories, including the FIDO Laboratory Evaluation Agreement.

4.2.2. Public Communications

The Laboratory agrees to abide by FIDO’s policy that evaluation and/or testing performed at any FIDO Accredited Document Authenticity (DocAuth) Laboratory is acceptable for Authenticator Certification and must make no claims to the contrary in its marketing material.

A Laboratory must not, under any circumstances, communicate nor disclose to any third party, including to the vendor or other entity submitting an implementation for testing, that an implementation has or has not been Certified by FIDO. FIDO, not the Laboratory, shall be the final party to determine whether a particular implementation conforms to the FIDO Specifications or FIDO Certification Program Policies.

4.2.3. Independence

The Laboratory must be able to demonstrate independence in test case analysis methodology and testing processes from the party involved in the design or manufacturing of the product under test.

• The Laboratory must not be owned by an product vendor without prior agreement from FIDO.

• The Laboratory must not evaluate an implementation that they have been involved in designing except that they may provide quality assurance testing (debug sessions) prior to the vendor submitting the product for official FIDO evaluation.

4.3. Security Requirements

This section describes the security requirements that a Laboratory must meet.

4.3.1. Physical

The Laboratory must maintain and comply with a physical security policy that includes, at a minimum, the following requirements.

4.3.1.1. Physical Layout

The Laboratory must have sufficient security measures to prevent unauthorized people from entering the building. If the Laboratory is part of a shared building or complex, there must be sufficient security measures to prevent unauthorized people from entering the Laboratory or offices.

4.3.1.2. Evaluation Areas

Areas in the Laboratory facilities in which products, components, or data are tested or stored must be restricted to authorized personnel. Authorized personnel are defined by the Laboratory as part of ISO 17025 [[!ISO17025:2017]].

4.3.1.3. Storage

Within the Laboratory there must be sufficient (according to ISO 17025 [[!ISO17025:2017]]) secure storage space to provide adequate protection for all ongoing work. Secure storage must be provided for all materials retained by the Laboratory after evaluation has been completed.

4.3.2. Logical Security

The Laboratory must maintain and comply with a logical security policy that includes, at a minimum, the following requirements.

4.3.2.1. Classified Materials and Information

Test samples and documents must be handled with care and the materials must be controlled and stored securely whether in electronic or paper format.

Classified material must be stored in secure containers, where unauthorized access is prevented by appropriate measures (e.g. alarms, surveillance, and sufficient mechanical protection).

Disclosure of FIDO or vendor data and documents to third parties must be authorized in writing by an officer of the company that owns the data or documents to be released. Classified documents must be stored according to their classification level. When a vendor grants permission to the Laboratory to release classified information concerning the vendor’s implementation to FIDO, this information may be released only to FIDO. The DocAuth, Biometric Component, Security or Certification Secretariat will release the information to appropriate working group members within FIDO.

4.3.2.2. Evaluation Reports

All Evaluation Reports must be stored securely.

The Laboratory must store samples and all reports and logs the test sessions (whether paper or electronic) for a period of three years from the date the FIDO Document Authenticity (DocAuth) Evaluation Report was submitted to FIDO.

When submitting electronic Evaluation Reports to FIDO, the report must, be PGP encrypted and securely uploaded using the FIDO Evaluation Report Submission Form. All FIDO Certification forms, and Evaluation Reports will be stored within an encrypted database only accessible by the DocAuth Secretariat, and will not be shared. Unless a previous agreement has been made between the Security Secretariat and the Laboratory, all evaluation reports sent via email will not be reviewed and will be deleted.

4.4. Administrative Requirements

This section describes the administrative requirements that a Laboratory must meet.

4.4.1. Quality Assurance

The Laboratory must have a quality system based upon ISO requirements, providing documented procedures defining processes to ensure a high quality of testing and test reproducibility. A Laboratory is required to comply with ISO 17025 [[!ISO17025:2017]], and must also comply with the requirements stated elsewhere in this document.

4.4.2. Personnel

The Laboratory must maintain a list of their FIDO-qualified test personnel consisting of a description of their role in the organization, their qualifications, and their experience. The Laboratory must have procedures in place to ensure a match between staff training and roles in the performance of FIDO activities.

The individual(s) performing the evaluation must be included on the Evaluation Reports submitted to FIDO. These Approved Evaluators will be required to maintain knowledge of FIDO Specifications and FIDO Certification Program Policies.

4.5. Technical Requirements

4.5.1. Technical Expertise

The Laboratory must have at least two years of experience of testing in the domain for which it is seeking Accreditation.

Prior experience with FIDO Specifications is strongly recommended as Laboratory employees that wish to be Approved Evaluators are required to pass a Knowledge Test in order to receive accreditation.

5. Laboratory Accreditation Process

This section introduces the process required to apply for a new FIDO Laboratory Accreditation.

5.1. New Accreditation Process

6. FIDO Accreditation Application

To officially start the accreditation process the Laboratory must complete the Accreditation Application by providing documentation for the following areas:

6.1. Proposed Scope of Accreditation

Proposed list of the FIDO Certification Programs within those Programs for which the Laboratory is applying for Accreditation.

Scope of Accreditation can be changed later following the Accreditation Scope Change process.

6.2. Authorized Representative

An applicant Laboratory must designate an Authorized Representative that will act as the main contact for FIDO.

6.3. Business Practices

The Laboratory should provide evidence of business practices in the form of a written report describing:

• Services of the organization

• Structure of the organization, demonstrating the isolation between the Laboratory and other areas of the organization (e.g. design area).

• Percentage of revenue received from each of the Laboratory’s top ten vendor customers relative to the total revenue of the Laboratory.

• Certificate of ownership and/or tax identification number.

6.4. Physical & Logical Security

The Laboratory should provide evidence of physical and logical security. This must be provided to FIDO either within the Laboratory procedures and documentation or a written report describing:

• Laboratory security policy with particular focus on the physical and logical network security measures.

• Personnel background check security policies.

• Confidential data protection practices.

6.5. Administrative Conformance

The Laboratory should provide evidence of administrative conformance in the form of a written report describing:

• Description of the Laboratory’s quality assurance system.

• Overview of the Laboratory personnel and the qualifications of Laboratory personnel involved in the performance of any testing or administrative duties connected with this Accreditation.

• Overview of the Laboratory equipment and techniques.

• Description of the Laboratory security policy with particular focus on the procedures for identification and recording of test samples.

• Overview of Laboratory asset management system for documentation and equipment.

6.6. Technical Expertise

Technical expertise summary describing:

• Experience with FIDO Specifications.

• List of and evidence of other Formal Accreditations held by the Laboratory relevant to the proposed Scope of Accreditation.

6.7. Application Review

The Document Authenticity (DocAuth) Secretariat will review the Laboratory Accreditation Application and will assess the Laboratory’s fulfillment of all applicable requirements within the proposed Scope of Accreditation.

The Document Authenticity (DocAuth) Secretariat will inform Laboratory if the Application meets FIDO requirements, by providing an Accreditation Assessment Report to the Laboratory, notifying the Laboratory if it may proceed with the Accreditation process.

7. Legal Agreements

7.1. Laboratory Evaluation Agreement

The Authorized Representative must sign the Laboratory Evaluation Agreement.

7.2. Confidentiality

No vendor, Laboratory, nor other third party may refer to a product, service, or facility as FIDO approved or accredited, nor otherwise state or imply that FIDO (or any agent of FIDO) has in whole or part approved, accredited, or certified a vendor, Laboratory, implementation, or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions, and restrictions expressly set forth within an Accreditation Certification or Certificate of Accreditation issued by FIDO.

7.3. Consistent Business Practices

It is mandatory that any evaluation and/or test results from any FIDO Accredited Document Authenticity (DocAuth) Laboratory be recognized by all other FIDO Accredited Security Laboratories without any further investigation.

8. FIDO Accreditation Training

8.1. Onboarding Call

An introduction to FIDO Requirements and FIDO Certification Programs will be given by the DocAuth Secretariat.

8.2. FIDO Training

FIDO Training will be conducted by FIDO for the Laboratory Personnel requesting recognition as Approved Evaluators. A minimum of one Approved Evaluator is required for Laboratory Accreditation. This training will prepare individuals to pass the Knowledge Test.

8.3. Knowledge Test

To become an Approved Evaluator, the Laboratory Personnel must pass a Knowledge Test on FIDO Specifications, Document Authenticity (DocAuth) Requirements, Document Authenticity (DocAuth) Test Procedures, and Program Policies.

9. Accreditation Issuance

9.1. Fees

Laboratories must pay all Accreditation fees before a Laboratory Accreditation Certificate will be issued.

9.2. Laboratory Accreditation Certificate

Once at least one individual from the Laboratory has satisfactorily completed the Knowledge Test, the Authorized Representative can file an Accreditation Certificate Application.

The Certification Secretariat will be responsible for verifying all submitted documentation and issuing Laboratory Accreditation Certificates.

Turn-around time for Accreditation Certificates will be as soon as reasonably possible and no more than 30 days from the submission of the Application.

When the Laboratory Accreditation Certificate is issued, it will contain the following information:

• The Company name of the Laboratory that has been Accredited

• The address of the Laboratory

• The Scope of Accreditation

• The version of the Document Authenticity (DocAuth) Laboratory Accreditation Policy at the time of Accreditation

• The Expiration Date of the Accreditation

• Any restrictions, as necessary

• The Issuance Date of the Accreditation

• The Certificate Number in the format LAPPPPPPYYYYMMDDNNN, where:

  • LA = Lab Accreditation

  • PPPPPP = Policy Version in the format MMNNRR where:

    • MM = Major Number,

    • NN = Minor Number,

    • RR = Revision Number

  • YYYY = Year Issued

  • MM = Month issued

  • DD = Day issued

  • NNN = Sequential Number of Certificates issued that day

The Laboratory’s Accreditation is valid for 3 years after the issuance date.

9.3. Decision Appeals

If FIDO decides that a Laboratory is initially denied Accreditation, FIDO shall notify the Laboratory of the decision and will provide the reasons for not granting Accreditation. If the Laboratory disagrees with the reasons given for not granting Accreditation, it may appeal the decision. Appeal actions shall be initiated within 30 days of the notification of the decision not to grant accreditation.

10. Accreditation Maintenance

10.1. Group Participation

Laboratories are required to participate in the Accredited Document Authenticity (DocAuth) Laboratory Group and maintain voting rights.

If a Laboratory loses its voting rights it will be issued a written warning by FIDO, and the Laboratory will be given the opportunity to regain voting rights. If the Laboratory fails to regain voting rights within the timeline specified in the written warning the Laboratory will be suspended.

10.2. Test Procedure Version Maintenance

The Laboratory will be required to maintain support of all active versions of the Document Authenticity (DocAuth) Test Procedures, included as part of the Document Authenticity (DocAuth) Requirements [DA-Requirements]. For new versions, Laboratories will be required to support the version 90 days after the public release of the version.

10.3. Transparency of Testing Practices and Results

Records of testing should include, at a minimum, the Reference Products used and the test configurations. All other information regarding testing should be included as required in the DocAuth Evaluation Report. FIDO may request more information on how testing was performed or reported, and detailed records should be kept for a minimum of three years from the date the FIDO Evaluation Report was submitted to FIDO.

10.4. Knowledge Tests

Training sessions and knowledge tests will be required as new requirements or specification versions are released. The knowledge test must be satisfactorily completed by at least one Approved Evaluator before completing an evaluation against the new version, or within 90 days of publication, whichever comes first.

In order to maintain Accreditation, Approved Evaluators are required to satisfactorily complete Knowledge Tests every three years as part of the renewal process.

10.5. Proficiency Assessments

At any time, at the discretion of FIDO, a Proficiency Assessment may be required.

FIDO will inform the Laboratory that the Proficiency Evaluation must be performed, the requirements of the assessment, and the date by which the assessment must be completed. The scope of the Proficiency Assessment will include a Laboratory’s capabilities and compliance with the Document Authenticity (DocAuth) Test Procedures.

If an Accredited Document Authenticity (DocAuth) Laboratory does not complete the assessment to the satisfaction of FIDO by the date required, FIDO may suspend or revoke its Accreditation.

A Proficiency Assessment follows the process outlined in the Renewal Assessment, but instead is initiated by FIDO.

11. Accreditation Renewal

A Laboratory must be validated through a Renewal Audit every 3 years to maintain FIDO Accreditation.

11.1. Renewal Assessment

The Renewal Audit must be completed before within 60 days of the expiration date of the Laboratory’s Accreditation. It is the responsibility of the Laboratory to renew its Accreditation before it expires. If a Laboratory does not renew its Accreditation, FIDO may revoke its Accreditation.

12. Modification or Termination of Accreditation

A Laboratory’s Accreditation may be modified or terminated.

The following sections outline reasons for modification or termination of Accreditation.

12.1. Laboratory Change in Testing Services Offered

At any time, a Laboratory may decide to change the testing services it offers. If this occurs, the Laboratory is required to notify FIDO.

If a Laboratory decides to cease offering one or more of many FIDO testing services, the Laboratory must send a notice to FIDO using the Accreditation Change Request Form. Upon receipt of such a request, FIDO will modify the Laboratory’s Scope of Accreditation accordingly, re-issue a Certificate of Accreditation (without changing the expiration date), and update the details in the list of Accredited Security Laboratories on the FIDO website.

If the Laboratory decides to cease offering their only FIDO testing service, FIDO Laboratory Accreditation will be Revoked.

12.2. Laboratory Change - Other

The Laboratory must notify FIDO immediately of any changes in personnel (including Approved Evaluators), ownership, legal status, location or other change that may impact the Accreditation. The Laboratory should use the FIDO Change Request to notify FIDO of these changes.

12.3. Accreditation Scope Change

In the case where a Laboratory requests to add a new type of Accreditation evaluation and/or testing (i.e. add to the Scope of Accreditation), an Accreditation Scope Assessment is required. The existing renewal date for the Laboratory’s Accreditation does not change.

The requirements for an Accreditation Scope Assessment are determined by FIDO at the time of the Assessment. The scope of the Assessment is a whole or subset of the Accreditation Assessment.

The Accreditation Scope Change process follows the Accreditation Assessment process, but instead starts by completing a Change Request available on the FIDO Laboratory Dashboard.

12.4. Laboratory Termination of Accreditation

At any time, a Laboratory may request termination of its Evaluation Agreement with FIDO.

The Laboratory should complete an Accreditation Change Request to notify FIDO. Upon receipt of such request, FIDO will confirm termination of the Accreditation and Evaluation Agreement and remove the Laboratory’s name from the FIDO website.

12.5. Non-conformance

Non-conformance refers to an Accredited Document Authenticity Verification Laboratory’s failure to conform to the policies or requirements listed herein.

If FIDO finds a Laboratory to be in non-conformance the Laboratory will be contacted and given a deadline to provide further information or correct the non-conformance. If the Laboratory fails to respond to FIDO or does not adequately correct the non-conformance the Accreditation will be suspended for further investigation or to allow the Laboratory to correct their non-conformance. Accreditation may be revoked if the non-conformance is not resolved.

If the Laboratory disagrees with a non-conformance decision the Laboratory has the option to file a FIDO Dispute Report to be reviewed by the Crisis Response Team.

13. Accreditation Status

13.1. Pending

Laboratory that has started the Accreditation process but has not yet received an Accreditation Certificate or notice of a decision not to Accredit the Laboratory.

13.2. Active

Accredited Security Laboratory in good standing with FIDO.

13.3. Inactive

Inactive status is given to a Laboratory that has voluntarily requested in writing that their Accreditation be placed on hold due to unforeseen or unavoidable circumstances that temporarily prevent the Laboratory from adhering to the FIDO Laboratory Accreditation policy.

Inactive Laboratories will not be listed on the FIDO Accredited Document Authenticity (DocAuth) Laboratories list.

A Laboratory may have an Inactive status for no longer than one year.

If the Laboratory does not become Active after one year the Laboratory Accreditation shall be Suspended.

13.4. Suspended

At any time, at FIDO’s discretion, FIDO may suspend a Laboratory’s Accreditation:

• Based on the results of an Assessment

• Due to a Laboratory’s Non-conformance

• If a Laboratory fails to complete a Proficiency Assessment

If the Laboratory is suspended:

• The Laboratory will receive written notice of the suspension along with the actions required to return to Active status.

• The Laboratory will be removed from the FIDO Website.

• FIDO will set the requirements and date by which a Proficiency Assessment must be completed.

If the Laboratory remains in a suspended state for a period of 180 days the Laboratory Accreditation will be Revoked. 90, 60, and 30 days prior to this deadline notices will be sent to the Suspended Laboratory.

13.5. Revoked

At any time, at FIDO’s discretion, FIDO may revoke a Laboratory’s accreditation:

• Based on the results of an Assessment

• Due to a Laboratory’s Non-conformance

• If a Laboratory fails to renew its Accreditation before the expiration date.

• If a Laboratory has not performed testing on FIDO products within the last 3 years.

If the Laboratory is revoked:

• The Laboratory will receive written notice of the Revocation.

• The Laboratory will be removed from the FIDO Website.

• The Laboratory Evaluation Agreement will be terminated.

• The Laboratory must make available to FIDO all evaluation reports for implementations already certified by FIDO or currently in testing for Certification within 30 days of the notice of revocation.

• The Laboratory must promptly return to FIDO all FIDO property and all confidential information. Alternatively, if so directed by FIDO, the Laboratory must destroy all confidential information, and all copies thereof, in the Laboratory’s possession or control, and must provide a certificate signed by the Authorized Representative of the Laboratory that certifies such destruction in detail acceptable to FIDO.

Appendix A: Terms & Abbreviations

Appendix B: Program Artifacts