
The Value of FIDO Certification


This presentation details the FIDO Alliance Certification Program - including an overview of the programs, process and the value of certification for both vendors and relying parties.

Published in: Technology

  1. FIDO Certification Programs (All Rights Reserved | FIDO Alliance | Copyright 2018)
  2. AGENDA
     • The Value of FIDO Certification
     • FIDO Certification Programs
       • Functional
       • Authenticator
       • Biometric
     • Getting Started
     Dr. Rae Hayward, Certification Director, FIDO Alliance
  3. BENEFITS TO CERTIFICATION
     • Validation
     • Interoperability
     • Rigorous testing
     • Trust
     • Competitive edge
     • Market expansion
  4. FIDO CERTIFIED ECOSYSTEM (SAMPLE)
     • Over 525 FIDO Certified Solutions Available Today
     • Phones & PCs
     • Security Keys
     • Cloud/Server Solutions
  5. FIDO METADATA SERVICE
     • Web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download
     • Provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators
     • Validate the integrity of a device population by periodically downloading the digitally signed metadata and using it to verify individual metadata statements
  7. AGENDA
     • The Value of FIDO Certification
     • FIDO Certification Programs
       • Functional
       • Authenticator
       • Biometric
     • Getting Started
  8. FUNCTIONAL CERTIFICATION
     • Available to members and non-members
     • Measures compliance among products and services that support FIDO specifications
     • Validates interoperability within the ecosystem
     • Certifies products such as authenticators, servers, clients, and combos
  9. INTEROP TESTING OVERVIEW
     • Existing Process – Interop Testing Events
       • Interop every 90 days
       • Plan ahead! May impact product schedules…
     • New Process – On Demand Testing
       • Pick your testing date from a calendar
       • Servers: remote / virtual testing
       • Authenticators: ship device or in-person testing
       • Convenience and fast turn-around
     (Figure: FIDO Testing options: Virtual, Shipped, In-Person, Interop Events)
  10. FIDO AUTHENTICATOR CERTIFICATION
      • The FIDO Authenticator Certification Program validates that Authenticators conform to the FIDO specifications (UAF/U2F/FIDO2) and allows vendors to certify the security characteristics of their implementations
      • After completing certification, vendors may use the FIDO logo on their products
  11. A COMPREHENSIVE SET OF LEVELS FOR ALL USE CASES
      Level | Sample device hardware & software requirements | Defends against
      • L3+ | Protection against chip fault injection, invasive attacks… | Captured devices (chip-level attacks)
      • L3 | Circuit board potting, package-on-package memory, encrypted RAM… | Captured devices (circuit board level attacks)
      • L2+ | Restricted Operating Environment (ROE) (e.g., TEE or Secure Element in a phone; USB tokens and Smart Cards are intrinsically ROEs; other…) | Device OS compromise (defended by ROE)
      • L2 | Restricted Operating Environment (ROE), as for L2+ | Device OS compromise (defended by ROE)
      • L1+ | Any device HW or SW | Device OS compromise (defended by white-box cryptography)
      • L1 | Any device HW or SW | Phishing, server credential breaches & MiTM attacks (better than passwords)
  12. LEVEL 1
      • Better than passwords
      • FIDO is unphishable and biometrics are more convenient
      • Keys and biometric templates are protected similarly to passwords stored by a browser or password manager app
      • Requires the best facilities offered by the hosting OS
      • L1+ adds white-box cryptography (obfuscation and other techniques) to defend against compromise of the hosting OS
      Certification Process
      • Vendor documents their design in detail
      • L1+ only: Evaluation by FIDO-accredited lab, penetration testing (L1+ program still in development)
      • Evaluation by FIDO Alliance Security Secretariat
      Examples
      • Android or iOS applications
      • Platform built-in authenticators
      • Level 2- or Level 3-capable authenticators that haven't yet been certified at Level 2 or Level 3
  13. LEVEL 2
      In addition to L1
      • A restricted operating environment like a TEE gives security even if the OS is compromised
      • Separate USB, BLE and NFC authenticators are considered to use a restricted operating environment
      • Gives defense against larger-scale attacks
      • Additional assurance at L2+
      Certification Process
      • Vendor documents their design in detail
      • L2+ only: Vendor submits source code (L2+ program still in development)
      • Evaluation by a FIDO-accredited lab
      • L2+ only: Attack potential calculation, pen testing
      Examples
      • Android apps using a FIDO Level 2 certified phone (there aren't any yet)
      • USB, BLE and NFC Security Keys
      • Level 3-capable authenticators that haven't yet been certified at Level 3
  14. LEVEL 3
      In addition to L2
      • Defends against physically captured authenticators
      • Defenses against disassembling, probing, glitch and other such physical attacks
      • L3+ adds defense against chip-level physical attacks, such as decapping and probing the chip
      Certification Process
      • Vendor documents their design in detail
      • Vendor submits source code
      • Evaluation by a FIDO-accredited lab (L3, L3+)
      • Attack potential calculation and penetration testing
      • L3+ only: Higher attack potential requirements
      Examples
      • USB, BLE and NFC Security Keys using Secure Elements or other means of defending against HW attacks
      • In some cases phone or platform authenticators may achieve L3, but it is difficult
  15. COMPANION PROGRAMS
      Reuse as much as possible from other programs like Common Criteria
      • Reduces time, effort and cost of certification for authenticator vendors, sometimes by quite a lot
      Companion programs never cover all FIDO requirements; they were not developed specifically for authenticators
      • Even with advanced companion programs, vendors will have to go through additional certification with the FIDO Alliance
      Companion Program | FIDO Security Level | Program Status
      • Common Criteria AVA_VAN 3 | L3 | Operating
      • Common Criteria AVA_VAN 4 | L3+ | Operating
      • FIPS | L2+, L3 | In development
      • Global Platform TEE Protection Profile | L2+ | In development
      (Figure: All FIDO Security Requirements, split into Authentication-specific, Companion program, End-device configuration, Cryptographic algorithms and FIDO-specific)
  16. FIDO ACCREDITED LABS
      • All labs that do FIDO certification must pass accreditation by the FIDO Alliance
      (Figure: accredited lab logos grouped by L2; L3, L3+; and Biometric)
  17. EXPIRATION, DERIVATIVE & DELTA CERTIFICATION
      No Expiration
      • Certification of a given product never expires
      • Recertification against new versions of the requirements is optional
      Derivative Certification
      • No change to FIDO functionality allowed
      • Surrounding functionality may change
      • Packaging & product name may change
      • No re-evaluation of security
      Delta Certification
      • When the FIDO functionality changes
      • Recertification against new requirements
      • After a fix to close a vulnerability
      • Re-evaluation of security is required
      (Figure: an example product family. xPhone Asteroid1 32GB Authenticator v1, xPhone Asteroid1 64GB Authenticator v1 and xPhone Asteroid2 32GB Authenticator v1 are linked by Derivative certifications; xPhone Asteroid3 32GB Authenticator v2, moving from Security Requirements 1.2 to 1.3, and xPhone Asteroid1 64GB Authenticator v1.1 (fixed) are Delta certifications.)
  18. FIDO BIOMETRIC CERTIFICATION
      • The FIDO Biometric Certification Program is intended to certify biometric components and/or subsystems and is independent from the Authenticator Certification Program
  19. BIOMETRIC AND AUTHENTICATOR CERTIFICATION
      Using a Certified Biometric Subcomponent:
      • Optional for Authenticators using a Biometric at L1-L2
      • The Security Requirements enforce Biometric Certification of the biometric at L3 and higher when a biometric is used in the authenticator
      • Once L2+ is finalized, Biometric Certification will also be required
      • Results in a “FIDO Certified” Authenticator
  20. BIOMETRIC DEFINITIONS
      • False Accept Rate (FAR): The proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed
        • Requirement: less than 1:10,000 for the upper bound of an 80% confidence interval
      • False Reject Rate (FRR): The proportion of verification transactions with truthful claims of identity that are incorrectly denied
        • Requirement: less than 3:100 for the upper bound of an 80% confidence interval
      • Impostor Attack Presentation Match Rate (IAPMR): Proportion of presentation attacks in which the target reference is matched
        • The evaluation measures the IAPMR for each presentation attack type, as defined in ISO 30107 Part 3
  21. SELF-ATTESTATION - OPTIONAL
      Biometric Requirements:
      • False Accept Rate (FAR): The vendor SHALL attest to an FAR of [1:25,000 or 1:50,000 or 1:75,000 or 1:100,000] at an FRR of 3% or less.
      • False Reject Rate (FRR): The vendor SHALL attest to an FRR no greater than 3% as measured when determining the self-attested FAR. In other words, self-attestation for FRR is only possible when self-attesting for FAR.
      NOTE: Self-attestation for FAR and FRR shall be supported by test data and documented in a report submitted to the lab by the vendor.
  22. AGENDA
      • The Value of FIDO Certification
      • FIDO Certification Programs
        • Functional
        • Authenticator
        • Biometric
      • Getting Started
  23. GETTING STARTED: FUNCTIONAL CERTIFICATION (All Rights Reserved | FIDO Alliance | Copyright 2016)
      • Register for Self-Conformance Test Tool Access: https://fidoalliance.org/test-tool-access-request/
        • For UAF, you will need to complete both automated and manual testing
        • UAF Authenticators only will need a Vendor ID: http://fidoalliance.org/vendor-id-request/
      • Complete Self-Conformance Testing at least two weeks prior to the interoperability event
      • Elect to Participate in Pre-Testing in the two weeks prior to the interoperability event (recommended)
      • Register for and attend the next interoperability event: https://fidoalliance.org/interop-registration/
      Next Interoperability Event Host: Seoul, S. Korea, 12-15 November 2018 (Location TBD). Registration is open.
  24. CERTIFICATION PROCESS OVERVIEW
      Functional Testing → Security Evaluation → Certification Issuance → Trademark Licensing Agreement → Metadata Submission
  25. GETTING STARTED – BIOMETRIC CERTIFICATION
      • Apply for Biometric component certification
        • Request an account: https://fidoalliance.org/certification/certification-account-request/
      • Select an Accredited Biometric Lab and agree to terms for testing
        • Biometric Accredited Lab list: https://fidoalliance.org/fido-accredited-biometric-laboratories/
  26. BIOMETRIC SUBCOMPONENT TESTING
  27. ALLOWED INTEGRATION DOCUMENT
      • Developed by the vendor and submitted to the lab
      • Used to document changes necessary to accommodate integration with the authenticator
      • Must include an explanation of possible software and hardware changes
  28. TESTING STEP 2: AUTHENTICATOR
  29. Connect with FIDO: fidoalliance.org
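Slide 5 describes FIDO servers periodically downloading digitally signed metadata and using it to verify individual metadata statements. The following Python block, added here as an example and not code from the FIDO Alliance or its Metadata Service, shows the shape of that check on the relying-party side: the server verifies the signature over an index of entries, confirms that each locally held metadata statement hashes to the value the signed index lists, and only then applies a certification-status and security-level policy before accepting an authenticator. Everything in it is constructed: the signing key, the HMAC signature (a stand-in for the certificate-based signature the real service uses), the statement contents, the `aaguid-*` identifiers, the index layout and the status strings.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed signing key. The real FIDO Metadata Service signs with a
# certificate-backed signature; an HMAC stands in so the example runs offline.
SIGNING_KEY = b"constructed-example-signing-key"

# Ordering of the certification levels discussed on the slides (assumed ranking).
LEVEL_RANK = {"L1": 1, "L1+": 2, "L2": 3, "L2+": 4, "L3": 5, "L3+": 6}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(obj) -> bytes:
    # Deterministic encoding so hashes and signatures are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def statement_hash(statement: dict) -> str:
    """Hash of one metadata statement; the signed index carries this value."""
    return hashlib.sha256(_canonical(statement)).hexdigest()


def sign_index(index: dict, key: bytes) -> str:
    """Produce '<base64url body>.<base64url tag>' for the index (constructed format)."""
    body = _b64url(_canonical(index))
    tag = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + tag


def verify_index(signed: str, key: bytes) -> dict:
    """Return the index only if its signature verifies; raise otherwise."""
    body, _, tag = signed.partition(".")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        raise ValueError("metadata index signature does not verify")
    return json.loads(_b64url_decode(body))


# Constructed metadata statements keyed by made-up authenticator identifiers.
STATEMENTS: Dict[str, dict] = {
    "aaguid-key-0001": {"description": "Example USB security key", "certificationLevel": "L2"},
    "aaguid-app-0002": {"description": "Example platform authenticator", "certificationLevel": "L1"},
    "aaguid-old-0003": {"description": "Example revoked authenticator", "certificationLevel": "L1"},
}

# Constructed signed index: per statement, its hash and its latest certification status.
INDEX = {
    "no": 42,
    "entries": [
        {"id": aaguid, "hash": statement_hash(stmt),
         "status": "REVOKED" if aaguid == "aaguid-old-0003" else "FIDO_CERTIFIED"}
        for aaguid, stmt in STATEMENTS.items()
    ],
}
SIGNED_INDEX = sign_index(INDEX, SIGNING_KEY)


def check_authenticator(signed_index: str, key: bytes, statements: Dict[str, dict],
                        authenticator_id: str, min_level: str = "L1") -> Tuple[bool, str]:
    """Relying-party decision: accept this authenticator under the current metadata?"""
    index = verify_index(signed_index, key)          # 1. signature first, before reading any field
    entry: Optional[dict] = next((e for e in index["entries"] if e["id"] == authenticator_id), None)
    if entry is None:
        return False, "authenticator not listed in signed metadata"
    statement = statements.get(authenticator_id)     # 2. bind the unsigned statement to the index
    if statement is None or statement_hash(statement) != entry["hash"]:
        return False, "metadata statement missing or does not match signed hash"
    if entry["status"] != "FIDO_CERTIFIED":          # 3. certification status policy
        return False, "certification status is " + entry["status"]
    level = statement["certificationLevel"]          # 4. security level policy
    if LEVEL_RANK[level] < LEVEL_RANK[min_level]:
        return False, "certified at " + level + ", policy requires " + min_level
    return True, "accepted"


if __name__ == "__main__":
    for aaguid in list(STATEMENTS) + ["aaguid-unknown"]:
        print(aaguid, check_authenticator(SIGNED_INDEX, SIGNING_KEY, STATEMENTS, aaguid, "L2"))
```

The order of the checks is the point: the signature is verified before any field of the index is read, and the hash comparison ties each unsigned statement to the signed index, so an altered statement or a stale copy is rejected even though the statement itself carries no signature.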
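Slides 20 and 21 state the FAR and FRR requirements as limits on the upper bound of an 80% confidence interval and list the FAR values a vendor may self-attest. The Python block below, added as an example rather than the FIDO Alliance's own evaluation procedure, computes those upper bounds from constructed lab counts using a Wilson score interval (an assumed choice of interval; the slides do not name one), checks them against the 1:10,000 and 3:100 limits, reports IAPMR per presentation attack type, and checks a self-attestation claim against the listed FAR options and the 3% FRR ceiling. It also works out how many impostor transactions a test needs before even zero false accepts can satisfy the FAR limit, a figure the slides do not give.

```python
import math
from statistics import NormalDist

CONFIDENCE = 0.80
# Two-sided 80% interval: its upper bound uses the 90th percentile of the normal distribution.
Z = NormalDist().inv_cdf(1 - (1 - CONFIDENCE) / 2)

FAR_LIMIT = 1 / 10_000   # slide 20: upper bound of the FAR interval must be below 1:10,000
FRR_LIMIT = 3 / 100      # slide 20: upper bound of the FRR interval must be below 3:100
SELF_ATTEST_FAR_OPTIONS = (1 / 25_000, 1 / 50_000, 1 / 75_000, 1 / 100_000)  # slide 21


def wilson_upper(errors: int, trials: int, z: float = Z) -> float:
    """Upper bound of a Wilson score interval for an observed error rate (assumed method)."""
    if trials <= 0 or not 0 <= errors <= trials:
        raise ValueError("need 0 <= errors <= trials and trials > 0")
    p = errors / trials
    z2 = z * z
    centre = p + z2 / (2 * trials)
    spread = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials))
    return (centre + spread) / (1 + z2 / trials)


def far_passes(false_accepts: int, impostor_trials: int) -> bool:
    return wilson_upper(false_accepts, impostor_trials) < FAR_LIMIT


def frr_passes(false_rejects: int, genuine_trials: int) -> bool:
    return wilson_upper(false_rejects, genuine_trials) < FRR_LIMIT


def min_impostor_trials(limit: float = FAR_LIMIT, z: float = Z) -> int:
    """Smallest impostor trial count at which zero false accepts already satisfies the limit."""
    # With zero errors the Wilson upper bound collapses to z^2 / (n + z^2).
    n = math.ceil(z * z * (1 / limit - 1))
    while wilson_upper(0, n, z) >= limit:
        n += 1
    return n


def iapmr_by_attack_type(results: dict) -> dict:
    """IAPMR per presentation attack type: matched attacks / attacks presented."""
    return {kind: matched / presented for kind, (matched, presented) in results.items()}


def self_attestation_ok(claimed_far: float, measured_frr: float) -> bool:
    """FAR may only be self-attested from the listed options and at an FRR of 3% or less."""
    listed = any(math.isclose(claimed_far, opt) for opt in SELF_ATTEST_FAR_OPTIONS)
    return listed and measured_frr <= 0.03


# Constructed lab results for one biometric subcomponent (not real test data).
SAMPLE = {
    "impostor": (0, 30_000),   # false accepts, impostor transactions
    "genuine": (20, 1_000),    # false rejects, genuine transactions
    "attacks": {"printed_photo": (3, 100), "silicone_mold": (0, 100)},  # matched, presented
}


def evaluate(sample: dict) -> dict:
    fa, n_imp = sample["impostor"]
    fr, n_gen = sample["genuine"]
    return {
        "far_upper": wilson_upper(fa, n_imp),
        "frr_upper": wilson_upper(fr, n_gen),
        "far_ok": far_passes(fa, n_imp),
        "frr_ok": frr_passes(fr, n_gen),
        "iapmr": iapmr_by_attack_type(sample["attacks"]),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print("impostor trials needed with zero false accepts:", min_impostor_trials())
```

The last function is the practical takeaway: with zero false accepts observed, the upper bound is z²/(n + z²), so roughly 16,400 impostor transactions are needed before the FAR requirement can be met at all, and a smaller test cannot pass whatever its outcome.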
