Use this presentation to learn about FIDO's certification process.
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
3. • Ensure interoperability between FIDO officially
recognized implementations
Certification Goals
• Enable implementations to be identified
as officially FIDO certified
• Promote the adoption of the FIDO ecosystem
4. 4
ü Available to anyone
ü Ensures interoperability
ü Promotes the FIDO ecosystem
Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)
fidoalliance.org/certification
5. Getting Ready
• Standards: UAF and U2F
• UAF & U2F 1.0 implementations certified and
in market now
• Strongly encourage servers to support
both UAF & U2F
• Prep note to UAF Authenticators
• Get a Vendor ID
• Register your metadata
• Only required for UAF Authenticators!
6. Self-Conformance
• Goal: test implementations using online tools to ensure
conformance with specifications
• Both positive and negative testing
• Check corner-cases that might occur only rarely in the real world
• Self-Conformance Validation Process
• Request access to test tools
• Review online help
• Run tests – as many as you would like
• Perform official test and submit results
• Next step: interop interoperability testing
• Pro tip:
• UTHS – code development required
• UTHS - Requires registration with gmail account: create one for your
team
• UAF – partners required for generating messages
7. Interoperability Testing
• Goals: implementations work together, no problems in the
“real world”
• Separate events for UAF and U2F, same format
• Interop Logistics
• Registration open ~4-6 weeks ahead of time
• Registration closes 14 days ahead of event
• Must pass self-conformance validation first
• In-person attendance preferred, remote attendance if necessary
8. Interop Criteria
• What happens at interoperability event
• Test with every other implementer at the event
(interoperability)
• Perform normal, real-world actions: register,
authenticate, etc.
• How to pass
• Show that each action with every other
implementer works
• Should issues arise: adjust and retest
• After passing interop: Certification registration
• Pro-tip:
• Pre-testing is the key to success – don’t wait for the interop to start testing
• Pre-testing opt-in available during registration and begins 14 days ahead
of event
9. Testing Matrix
Example) UAF Interop Event on Apr. 30th, 2015
Server Client Authenticator
Yahoo Japan ETRI NTT DOCOMO
(Fujitsu)
Yahoo Japan Nok Nok Labs QualComm
Yahoo Japan Egistec NTT DOCOMO
(Sharp)
Yahoo Japan Samsung Egistec
Yahoo Japan Samsung SDS Crucialtec
Yahoo Japan Raonsecure Nok Nok Labs
… … …
Real experiences:
• Performed testing with other
participants who I met for the
first time at the event.
• difficult to form a combination
(with client and authenticator)
smoothly.
• Co-worked together with
participants to solve some
problems we met.
10. Certification
• Requires passing the test tool
and attending an interop
• Certificate will be granted
ASAP, pending
documentation verification;
plan on 10 business days to
be conservative
• All certifications will be public
(on FIDO website) unless
confidentiality is requested
11. Test is a good opportunity
Tips from real experiences:
1. Self-checking is very important. Validating your
implementation on schema/protocol level is needed
before in-person testing.
2. Interoperability testing is effective to demonstrate the
conformance of your implementation to the specs.
3. Your certification is appealing all over the world.
12. Derivatives
• Same implementation, different product
• Reasonable caveats apply: bug fixes, etc.
• Designed to lower cost and effort in FIDO
certification
• Hundreds of SKUs; not hundreds of interops
• Lower registration fee for derivatives (next slide)
• Self-Validation and Interop not required
• Uses “derivative test plan” instead
• Must reference original certificate
13. Certification Fees
• Certification:
• Member: $5,000
• Non-Member: $6,500
• Per certification
• Derivatives:
• Member: $500
• Non-Member: $750
• Per Derivative
• Vendor ID : $3,000 (one-time)
• Credited towards first
certification if used in first 12
months
• Interop: Free!
• Test Tools: Free!
CERTIFICATION FEES OTHER FEES
14. Certification Mark Usage
• Authenticators / Clients
• Execute Trademark Licensing Agreement (TMLA)
• Relying parties
• “Clickless” license for logo usage
• Enables millions of logo users without the logistical overhead
• One logo, two badges:
15. What to with your FIDO logos
• Put FIDO logos on your website
• Write a press release
• Put FIDO in your apps
• Put FIDO on your product briefs
• Put FIDO in your tradeshow booth
21. Call To Action
• Get certified now!
• Get started with specifications at:
https://fidoalliance.org/specifications/download/
• Register for Test Tool access:
http://fidoalliance.org/test-tool-access-request/
• Next interops:
• UAF, December9-10, NTT DOCOMO to host at: DOCOMO Innovations,
Inc., 3240 Hillview Ave, Palo Alto, CA 94304
• U2F, December8, Google to host at: 1300 Crittenden Ln, Mountain
View, CA 94043
• Thank you to our generous interop hosts!
• Registration open now: https://fidoalliance.org/interop-registration/
• Contact us for help and answers:
info@fidoalliance.org
22. FAQ
• Do I need a Vendor ID?
• Only if you are a UAF Authenticator
• U2F implementers and UAF Servers / Clients do not require a Vendor ID
• Where do I find the form for…?
• https://fidoalliance.org/certification/
• What is the cost for…?
• Test Tools: free (non-memberaccess: $3,000)
• Interop Events: free
• Certification: $5,000 member, $6,500 non-member
• Derivative Certification: $500 member, $750 non-member
• TrademarkLicense Agreement: free
• Where do I start?
• Registerfor test tool access here:
https://fidoalliance.org/test-tool-access-request/