The FIDO Alliance, the 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced today the expansion of its certification program to include multi-level security evaluations for authenticators such as physical security keys and biometrics in mobile devices and PCs.
The Alliance also announced the first products certified under the new Authenticator Certification Levels program.
The new authenticator certifications will further increase consumer, enterprise and service providers’ confidence that user credentials housed in standards-based FIDO Authentication devices are protected from targeted attacks against a user's FIDO device. The new program incorporates traditional FIDO functional certification, which measures compliance and ensures interoperability among products and services that support FIDO specifications.
“Our new multi-level evaluation program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO Certified authenticators,” said Brett McDowell, executive director of the FIDO Alliance. “This new certification program, used in combination with the FIDO Metadata service, enables enterprises and online services to make better informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable ‘scores’ on the back-end while delivering better user experiences on the front end due to lower instances of intrusive ‘step up authentication’ challenges.”
Available levels and security requirements
The FIDO Alliance is now offering testing and certification for two security levels for all published specifications: FIDO Certified Level 1 (L1) Authenticator and FIDO Certified Level 2 (L2) Authenticator. Additional levels covering a full range of security requirements will be introduced at a later date.
All FIDO Certified L1 Authenticators must pass interoperability testing for compliance with the FIDO specifications. They also must pass a design review against FIDO Certification Requirements to ensure the authenticator uses the best security practice for the operating system it is running on.
The FIDO L2 Security Certification Requirements mandate that authenticators implement a restricted operating environment such as a Trusted Execution Environment (TEE) or Secure Element (SE) to protect biometric data and authentication credentials against operating system compromises that arise from app downloads, malicious website content or similar threats. FIDO Certified L2 Authenticators also must pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory. As with L1 Certification, the authenticator must pass interoperability testing.
Benefits to consumers, web service providers and technology providers
FIDO specifications for strong authentication incorporate public key cryptography and simple user experiences to help the world reduce its reliance on passwords. The use of public key cryptography, where the private key is stored on and never leaves the device, ensures that FIDO credentials are not susceptible to scalable attacks such as phishing -- the most common form of attack against password credentials. This makes all FIDO Certified implementations inherently more secure than password-based systems.
FIDO Authenticator Certification levels take strong security even further by ensuring that authenticators keep cryptographic key “secrets” (and in some cases, biometric information) safe and confirm privacy principles are met.
Web service providers that accept FIDO credentials for strong authentication benefit from an expanded program that allows them to easily assess, set requirements for, and increase their level of assurance in the FIDO authenticators used by consumers. Technology providers with FIDO authenticators on the market report with confidence that their implementations meet service providers’ requirements and elevate their products in the marketplace. Today, service providers including Aetna, Facebook, Google, eBay and Bank of America are enjoying the benefits of FIDO Authentication.
Newly-certified companies, accredited labs and additional resources
Organisations announced today as having achieved L1 and L2 certifications include:
FIDO Certified L1 Authenticator: AuthenTrend Technology Inc.; CANVASBIO; i-Sprint Innovations Pte Ltd; PixelPin LTD; SHARP CORPORATION; Shenzhen National Engineering Laboratory of Digital Television Co., Ltd.
FIDO Certified L2 Authenticator: Feitian Technologies Co., Ltd.
Labs accredited to perform L2 certifications are: Applus+ Laboratories; Beijing Unionpay Card Technology Co., Ltd; Brightsight B.V.; DPLS Lab; Telecommunications Technology Association (TTA); and UL Verification Services Inc. The FIDO Alliance is currently accepting applications for additional labs seeking accreditation. To view the process, visit https://fidoalliance.org/certification/accredited-security-laboratories/.