The FIDO Alliance announced the expansion of its certification program to include multi-level security evaluations for authenticators such as physical security keys and biometrics in mobile devices and PCs. The Alliance also announced the first products certified under the new Authenticator Certification Levels program.
The new authenticator certifications will further increase consumer, enterprise, and service providers’ confidence that user credentials housed in standards-based FIDO Authentication devices are protected from targeted attacks against a user’s FIDO device. The new program incorporates traditional FIDO functional certification, which measures compliance and ensures interoperability among products and services that support FIDO specifications.
Available levels and security requirements:
The FIDO Alliance is now offering testing and certification for two security levels for all published specifications: FIDO Certified Level 1 (L1) Authenticator and FIDO Certified Level 2 (L2) Authenticator. Additional levels covering a full range of security requirements will be introduced at a later date.
All FIDO Certified L1 Authenticators must pass interoperability testing for compliance with the FIDO specifications. They also must pass a design review against FIDO Certification Requirements to ensure the authenticator uses the best security practice for the operating system it is running on.
The FIDO L2 Security Certification Requirements mandate that authenticators implement a restricted operating environment such as a Trusted Execution Environment (TEE) or Secure Element (SE) to protect biometric data and authentication credentials against operating system compromises that arise from app downloads, malicious website content, or similar threats. FIDO Certified L2 Authenticators also must pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory. As with L1 Certification, the authenticator must pass interoperability testing.