A look at the FIDO Certification program, including functional, authenticator and biometric certification; the value of certification for relying parties and vendors; and how to get started.
FUNCTIONAL CERTIFICATION
• Available to members and non-members
• Measures compliance among products and services that support FIDO specifications
• Validates interoperability within the ecosystem
• Certifies products such as authenticators, servers, clients, and combos
All Rights Reserved | FIDO Alliance | Copyright 2018
INTEROP TESTING OVERVIEW
• Existing Process – Interop Testing Events
  • Interop every 90 days
  • Plan ahead! May impact product schedules…
• New Process – On Demand Testing
  • Pick your testing date from a calendar
  • Servers: remote / virtual testing
  • Authenticators: ship device or in-person testing
  • Convenience and fast turn-around
[Diagram: FIDO Testing options – Virtual, Shipped, In-Person, Interop Events]
FIDO AUTHENTICATOR CERTIFICATION
• The FIDO Authenticator Certification Program validates that Authenticators conform to the FIDO specifications (UAF/U2F/FIDO2) and allows vendors to certify the security characteristics of their implementations
• After completing certification, vendors may use the FIDO logo on their products
AUTHENTICATOR LEVELS PICTORIAL
NOTE: For Authenticators that use a biometric the Biometric Certification is required at L2+ and higher.
SECURITY EVALUATION
Level | 3rd party lab work required | Evaluation style
L1 | None; evaluation is solely by the FIDO Alliance Security Secretariat | System design review
L1+ (preliminary) | Vendor must hire a FIDO-approved lab | System design review; code review; SW penetration test / attack potential calculation
L2 | Vendor must hire a FIDO-approved lab | System design review
L2+ (preliminary) | Vendor must hire a FIDO-approved lab [1] | System design review; code review; SW penetration test / attack potential calculation
L3 | Vendor must hire a FIDO-approved lab [1] | System design review; code review; HW penetration test / attack potential calculation
L3+ | Vendor must hire a FIDO-approved lab [1] | System design review; code review; HW penetration test / attack potential calculation
[1] At level L2+ and higher, it should usually be the case that the platform HW and SW have already been certified and the FIDO vendor will only need to certify the FIDO-specific requirements (e.g. the authenticator is running on an already-certified TEE, Secure Element…)
NEW COMPANION PROGRAM
• Companion Programs are independent testing programs which FIDO partners with to lessen the certification burden
  • Example: Common Criteria or ISO/IEC 15408
• The vendor uses a FIDO-created mapping document that maps program requirements from the companion program to FIDO security requirements
• The authenticator is evaluated on the delta requirements only
• Companion Programs are currently required for Authenticator Security levels 3 and 3+
More information can be found on the FIDO Alliance website:
https://fidoalliance.org/fido-authenticator-certification-companion-program/
CHANGES AFTER INITIAL CERTIFICATION
Delta Certification is a process to verify that a Certified implementation still meets requirements for the following cases:
• Product upgrades
• Version upgrade
• Level downgrades
• Security vulnerability
• Post suspension
CHANGES AFTER INITIAL CERTIFICATION
Derivative Certification:
• Products or services that rely upon existing Certified implementations for conformance with FIDO specifications
• A Derivative implementation may not modify, expand, or remove FIDO functionality from the Certified implementation on which it is based
FIDO BIOMETRIC CERTIFICATION
The FIDO Biometric Certification Program is intended to certify biometric components and/or subsystems and is independent of the Authenticator Certification Program.
BIOMETRIC AND AUTHENTICATOR CERTIFICATION
Using a Certified Biometric Subcomponent:
• Optional for Authenticators using a Biometric at L1-L2.
• The Security Requirements enforce Biometric Certification of the biometric at L3 and higher when a biometric is used in the authenticator.
• Once L2+ is finalized, Biometric Certification will also be required there.
• Results in a “FIDO Certified” Authenticator.
BIOMETRIC DEFINITIONS
• False Accept Rate (FAR): The proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed
  • Requirement: less than 1:10,000 for the upper bound of an 80% confidence interval
• False Reject Rate (FRR): The proportion of verification transactions with truthful claims of identity that are incorrectly denied
  • Requirement: less than 3:100 for the upper bound of an 80% confidence interval
• Impostor Attack Presentation Match Rate (IAPMR): The proportion of presentation attacks in which the target reference is matched
  • The evaluation measures the Impostor Attack Presentation Match Rate for each presentation attack type, as defined in ISO/IEC 30107 Part 3
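A worked version of the three definitions above, added here as an example and not FIDO's or any lab's code: it computes the one-sided upper bound of the 80% confidence interval from raw trial counts (exact binomial, so no statistics library is needed), checks it against the 1:10,000 FAR and 3:100 FRR limits, derives how many impostor transactions a zero-error FAR test must contain, and tabulates IAPMR per attack type. The confidence-interval method (Clopper-Pearson) is an assumption; the slide states the bounds but not how the interval is computed.

```python
import math
from collections import defaultdict

# Requirements from the slide: the 80% confidence upper bound must stay below these.
CONFIDENCE = 0.80
FAR_LIMIT = 1 / 10_000   # 1:10,000
FRR_LIMIT = 3 / 100      # 3:100

def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), exact, no scipy needed."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_bound(errors: int, trials: int, confidence: float = CONFIDENCE) -> float:
    """One-sided Clopper-Pearson upper bound on an error rate: the largest p at
    which seeing at most `errors` in `trials` is still plausible, i.e. where
    P(X <= errors | p) = 1 - confidence. Bisection works because the CDF falls in p."""
    if errors >= trials:
        return 1.0
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):  # far beyond double precision
        mid = (lo + hi) / 2
        if binom_cdf(errors, trials, mid) > target:
            lo = mid  # rate still plausible: the bound lies higher
        else:
            hi = mid  # rate implausible: the bound lies lower
    return hi

def meets_far(false_accepts: int, impostor_trials: int) -> bool:
    """FAR requirement: 80% upper bound below 1:10,000."""
    return upper_bound(false_accepts, impostor_trials) < FAR_LIMIT

def meets_frr(false_rejects: int, genuine_trials: int) -> bool:
    """FRR requirement: 80% upper bound below 3:100."""
    return upper_bound(false_rejects, genuine_trials) < FRR_LIMIT

def min_impostor_trials(confidence: float = CONFIDENCE, limit: float = FAR_LIMIT) -> int:
    """Fewest impostor transactions that can satisfy the FAR bound even with zero
    false accepts: solve (1 - limit)^n <= 1 - confidence for n."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - limit))

def iapmr_by_attack_type(presentations) -> dict:
    """IAPMR per presentation attack type (ISO/IEC 30107-3): share of attack
    presentations of each type that matched the target reference."""
    attacks, matched = defaultdict(int), defaultdict(int)
    for attack_type, hit in presentations:  # (attack_type, matched: bool) pairs
        attacks[attack_type] += 1
        matched[attack_type] += int(hit)
    return {t: matched[t] / attacks[t] for t in attacks}
```

With zero false accepts the FAR bound needs 16,094 impostor transactions; a single false accept in that many trials already pushes the bound above 1:10,000.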
SELF-ATTESTATION - OPTIONAL
Biometric Requirements:
• False Accept Rate (FAR): The vendor SHALL attest to an FAR of [1:25,000 or 1:50,000 or 1:75,000 or 1:100,000] at an FRR of 3% or less.
• False Reject Rate (FRR): The vendor SHALL attest to an FRR of no greater than 3% as measured when determining the self-attested FAR. In other words, self-attestation for FRR is only possible when self-attesting for FAR.
NOTE: Self-attestation for FAR and FRR shall be supported by test data and documented in a report submitted by the vendor to the lab.
CERTIFICATION VALUE
• Enable implementations to be identified as officially FIDO certified
• Ensure interoperability between officially recognized FIDO implementations
• Promote the adoption of the FIDO ecosystem
• Provide RPs with the ability to assess performance requirements for user authenticators
• Provide the industry at large with a testing baseline for biometric component performance
FIDO CERTIFIED ECOSYSTEM (SAMPLE)
Over 480 FIDO Certified Solutions Available Today
[Sample logos across three categories: Phones & PCs; Security Keys; Cloud/Server Solutions]
FIDO METADATA SERVICE
• Web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download
• Provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators
• Validates the integrity of a device population: servers periodically download the digitally signed metadata and use it to verify individual metadata statements
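The integrity chain in the last bullet, as an added example that is not FIDO's code: the signed metadata lists a hash per authenticator entry, so once the signature over the list is verified, each individually downloaded statement can be tied back to it and the entry's status used for a relying-party policy decision. Field names follow the MDS v2 TOC layout as assumed here; the entries and statements are constructed, and verification of the JWT signature against the FIDO metadata root certificate is assumed to have happened before this step.

```python
import base64
import hashlib
import json

# Statuses an RP would normally treat as disqualifying. Which members of the MDS
# status vocabulary to reject is an RP policy choice, not something the metadata dictates.
REJECT_STATUSES = {"REVOKED", "ATTESTATION_KEY_COMPROMISE", "USER_VERIFICATION_BYPASS",
                   "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}

def b64url_sha256(data: bytes) -> str:
    """Unpadded base64url SHA-256, the encoding assumed for TOC entry hashes."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

# Constructed metadata statements, stand-ins for what the RP downloads per entry.
AAGUID_A = "00000000-0000-4000-8000-000000000001"
AAGUID_B = "00000000-0000-4000-8000-000000000002"
STATEMENT_A = b'{"aaguid": "%s", "description": "Sample key A"}' % AAGUID_A.encode()
STATEMENT_B = b'{"aaguid": "%s", "description": "Sample key B"}' % AAGUID_B.encode()

# Constructed TOC payload. In practice it is the payload of a JWT whose signature
# the RP has already verified; that signature is what makes the per-entry hashes
# below trustworthy, and the hashes extend that trust to each statement.
TOC = {"no": 42, "nextUpdate": "2018-12-01", "entries": [
    {"aaguid": AAGUID_A, "hash": b64url_sha256(STATEMENT_A),
     "statusReports": [{"status": "FIDO_CERTIFIED", "effectiveDate": "2018-01-10"}]},
    {"aaguid": AAGUID_B, "hash": b64url_sha256(STATEMENT_B),
     "statusReports": [{"status": "FIDO_CERTIFIED", "effectiveDate": "2017-06-01"},
                       {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2018-09-15"}]},
]}

def latest_status(entry: dict) -> str:
    """The status in force is the report with the most recent effectiveDate."""
    return max(entry["statusReports"], key=lambda r: r["effectiveDate"])["status"]

def evaluate(toc: dict, aaguid: str, statement: bytes) -> tuple:
    """RP-side decision for one authenticator model. Returns (accepted, reason)."""
    entry = next((e for e in toc["entries"] if e["aaguid"] == aaguid), None)
    if entry is None:
        return False, "AAGUID not listed in the signed metadata"
    # Tie the individually downloaded statement back to the signed TOC.
    if b64url_sha256(statement) != entry["hash"]:
        return False, "statement hash does not match the signed TOC entry"
    if json.loads(statement).get("aaguid") != aaguid:
        return False, "statement body is for a different AAGUID"
    status = latest_status(entry)
    if status in REJECT_STATUSES:
        return False, "status " + status
    return True, "status " + status
```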
GETTING STARTED: FUNCTIONAL CERTIFICATION
Register for Self-Conformance Test Tool access: https://fidoalliance.org/test-tool-access-request/
  • For UAF, you will need to complete both automated and manual testing
  • Only UAF Authenticators need a Vendor ID: http://fidoalliance.org/vendor-id-request/
Complete Self-Conformance Testing at least two weeks prior to the interoperability event.
Elect to participate in Pre-Testing in the two weeks prior to the interoperability event (recommended).
Register for and attend the next interoperability event: https://fidoalliance.org/interop-registration/
Next Interoperability Event Host: Seoul, S. Korea, 12-15 November 2018 (Location TBD). Registration is open.
GETTING STARTED – BIOMETRIC CERTIFICATION
Apply for Biometric component certification
• Request an account: https://fidoalliance.org/certification/certification-account-request/
Select an Accredited Biometric Lab and agree to terms for testing
• Biometric Accredited Lab list: https://fidoalliance.org/fido-accredited-biometric-laboratories/
BIOMETRIC SUBCOMPONENT TESTING
ALLOWED INTEGRATION DOCUMENT
• Developed by the vendor and submitted to the lab
• Used to document changes necessary to accommodate integration with the authenticator
• Must include an explanation of possible software and hardware changes
TESTING STEP 2: AUTHENTICATOR
Connect with FIDO
fidoalliance.org