The FIDO Alliance outlines its certification programs aimed at validating compliance and interoperability among products that support FIDO specifications, focusing on authenticators, biometric components, and security evaluations. The document details the certification process, including new testing options, levels of security evaluation, and updates following initial certification. It emphasizes the importance of certification in promoting the adoption of the FIDO ecosystem and ensuring interoperability among certified solutions.

1. All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO Certified
Program
Value of Certification
®

2. 2
FIDO Certification Programs
Functional Authenticator Biometric

3. FUNCTIONAL CERTIFICATION
• Available to members and non-members
• Measures compliance among products and services
that support FIDO specifications
• Validates interoperability within the ecosystem
• Certify products such as authenticators, servers,
clients, and combos
All Rights Reserved | FIDO Alliance | Copyright 2018

4. All Rights Reserved | FIDO Alliance | Copyright 20184
INTEROP TESTING OVERVIEW
• Existing Process – Interop Testing Events
• Interop every 90 days
• Plan ahead! May impact product schedules…
• New Process – On Demand Testing
• Pick your testing date from a calendar
• Servers: remote / virtual testing
• Authenticators: ship device or in-person testing
• Convenience and fast turn-around
FIOD
Testing
Virtual
Shipped
In-Person
Interop Events

5. All Rights Reserved | FIDO Alliance | Copyright 20185
FIDO AUTHENTICATOR CERTIFICATION
• The FIDO Authenticator Certification
Program validates that Authenticators
conform to the FIDO specifications
(UAF/U2F/FIDO2) and allows vendors to
certify the security characteristics of their
implementations
• After completing certification, vendors may
use the FIDO logo on their products

6. All Rights Reserved | FIDO Alliance | Copyright 20186
AUTHENTICATOR LEVELS PICTORIAL
NOTE: For Authenticators that use a biometric the Biometric Certification is required at L2+ and higher.

7. All Rights Reserved | FIDO Alliance | Copyright 20187
SECURITY EVALUATION
Level 3rd Party Lab Work Required Evaluation Style
L1 None – evaluation is solely by FIDO Alliance
Security Secretariat
• System design review
L1+
(preliminary)
Vendor must hire a FIDO-approved lab • System design review
• Code review
• SW penetration test / attack potential calculation
L2 Vendor must hire a FIDO-approved lab • System design review
L2+
(preliminary)
Vendor must hire a FIDO-approved lab1 • System design review
• Code review
• SW penetration test / attack potential calculation
L3 Vendor must hire a FIDO-approved lab1 • System design review
• Code review
• HW penetration test / attack potential calculation
L3+ Vendor must hire a FIDO-approved lab1 • System design review
• Code review
• HW penetration test / attack potential calculation
1 At level L2+ and higher, it should usually be the case that the platform HW and SW have already been certified and the FIDO vendor will only
need to certify the FIDO-specific requirements (e.g. the authenticator is running on an already-certified TEE, Secure Element…)

8. All Rights Reserved | FIDO Alliance | Copyright 20188
NEW COMPANION PROGRAM
• Companion Programs are independent testing programs which FIDO
partners with to lessen the certification burden
• Example: Common Criteria or ISO/IEC 15408
• The vendor uses a FIDO created mapping document that maps program
requirements from companion program to FIDO security requirements
• The authenticator is evaluated on the delta requirements only
• Companion Programs are currently required for Authenticator Security
levels 3 and 3+
More information can be found on the FIDO Alliance website:
https://fidoalliance.org/fido-authenticator-certification-companion-
program/

9. FIDO Alliance | All Rights Reserved | Copyright 20189
CHANGES AFTER INITIAL CERTIFICATION
Delta Certification is a process to verify that a Certified
implementation still meets requirements for the following
cases:
• Product upgrades
• Version upgrade
• Level downgrades
• Security vulnerability
• Post suspension

10. All Rights Reserved | FIDO Alliance | Copyright 201810
CHANGES AFTER INITIAL CERTIFICATION
Derivative Certification:
• Products or services that rely upon existing Certified
implementations for conformance with FIDO specifications
• A Derivative implementation may not modify, expand, or
remove FIDO functionality from the Certified
implementation on which it is based

11. FIDO Alliance | All Rights Reserved | Copyright 201811
FIDO BIOMETRIC CERTIFICATION
The FIDO Biometric Certification
Program is intended to certify biometric
components and/or subsystems and is
independent from Authenticator
Certification Program

12. All Rights Reserved | FIDO Alliance | Copyright 201812
BIOMETRIC AND AUTHENTICATOR CERTIFICATION
Using a Certified Biometric Subcomponent:
• Optional for Authenticators using a Biometric at L1-L2.
• The Security Requirements enforce Biometric Certification of the
biometric at L3 and higher when a biometric is used in the
authenticator.
• Once L2+ is finalized Biometric Certification will also be required
• Results in a “FIDO Certified” Authenticator

13. FIDO Alliance | All Rights Reserved | Copyright 201813
BIOMETRIC DEFINITIONS
• False Accept Rate (FAR): The proportion of verification transactions with
wrongful claims of identity that are incorrectly confirmed
• The requirement of less than 1:10,000 for the upper bound of a 80% confidence
interval
• False Reject Rate (FRR): The proportion of verification transactions with
truthful claims of identity that are incorrectly denied
• the requirement of less than 3:100 for the upper bound of a 80% confidence
interval
• Impostor Attack Presentation Match Rate (IAPMR): Proportion of
presentation attacks in which the target reference is matched
• evaluation measures the Impostor Attack Presentation Match Rate for each
presentation attack type, as defined in ISO 30107 Part 3

14. FIDO Alliance | All Rights Reserved | Copyright 201814
SELF-ATTESTATION - OPTIONAL
Biometric Requirements:
• False Accept Rate (FAR): The vendor SHALL attest to an FAR of [1:25,000 or
1:50,000 or 1:75,000 or 1:100,000] at an FRR of 3% or less.
• False Reject Rate (FRR): The vendor SHALL attest to an FRR at no greater than 3%
as measured when determining the self-attested FAR. In other words, self
attestation for FRR is only possible when self attesting for FAR.
NOTE: Self-attestation for FAR and FRR shall be supported by test data and
documented in a report submitted to lab from vendor.

15. 15
The Value of FIDO Certification

16. All Rights Reserved | FIDO Alliance | Copyright 201816
CERTIFICATION VALUE
• Enable implementations to be identified as officially FIDO certified
• Ensure interoperability between FIDO officially recognized
implementations
• Promote the adoption of the FIDO ecosystem
• Provide RPs with the ability to assess performance requirements for
user authenticators
• Provide the industry at large with a testing baseline for biometric
component performance

17. All Rights Reserved | FIDO Alliance | Copyright 201817
FIDO CERTIFIED ECOSYSTEM (SAMPLE)
PHONES & PCs
Over 480 FIDO Certified Solutions Available Today
SECURITY KEYS CLOUD/SERVER SOLUTIONS

18. All Rights Reserved | FIDO Alliance | Copyright 201818
FIDO METADATA SERVICE
• Web-based tool where FIDO authenticator vendors can
publish metadata statements for FIDO servers to
download
• Provides organizations deploying FIDO servers with a
centralized and trusted source of information about
FIDO authenticators
• Validate the integrity of a device population by
periodically downloading a digitally signed metadata
to verify individual metadata statements

19. 19
Getting Started

20. All Rights Reserved | FIDO Alliance | Copyright 201620
GETTING STARTED: FUNCTIONAL CERTIFICATION
Register for Self-Conformance Test Tool Access :
https://fidoalliance.org/test-tool-access-request/
• For UAF, you will need to complete both automated and manual testing
• UAF Authenticators only will need a Vendor ID:
http://fidoalliance.org/vendor-id-request/
Complete Self-Conformance Testing at least two weeks prior to
interoperability event.
Elect to Participate in Pre-Testing in the two weeks prior to the
interoperability event (recommended)
Register for and attend the next interoperability event:
https://fidoalliance.org/interop-registration/
Next Interoperability Event Host: Seoul, S. Korea, 12-15 November 2018
(Location TBD). Registration is open.

21. Functional
Testing
Security
Evaluation
Certification
Issuance
Trademark
Licensing
Agreement
Metadata
Submission
21
CERTIFICATION PROCESS OVERVIEW
FIDO Alliance | All Rights Reserved | Copyright 2018

22. All Rights Reserved | FIDO Alliance | Copyright 201822
GETTING STARTED – BIOMETRIC CERTIFICATION
Apply for Biometric component certification
• Request an account: https://fidoalliance.org/certification/certification-
account-request/
Select an Accredited Biometric Lab and agree to terms for testing
• Biometric Accredited Lab list:
https://fidoalliance.org/fido-accredited-biometric-laboratories/

23. All Rights Reserved | FIDO Alliance | Copyright 201823
BIOMETRIC SUBCOMPONENT TESTING

24. FIDO Alliance | All Rights Reserved | Copyright 201824
ALLOWED INTEGRATION DOCUMENT
• Developed by vendor and submitted to lab
• Used to document changes necessary to accommodate integration with
authenticator
• Must include explanation of possible software and hardware changes

25. All Rights Reserved | FIDO Alliance | Copyright 201825
TESTING STEP 2: AUTHENTICATOR

26. All Rights Reserved | FIDO Alliance | Copyright 201826
Connect with FIDO
fidoalliance.org