The FIDO Alliance has expanded its certification program to include multi-level security certifications for FIDO authenticators (such as physical security keys and biometrics).
With these levels, online service providers can choose the security level appropriate for their business, for example requiring a higher FIDO certification level for financial transactions than for access to general account information.
FIDO specifications for strong authentication incorporate public key cryptography and simple user experiences to help the world reduce its reliance on passwords. The certifications are available for Level 1 (L1) and Level 2 (L2) authenticators, with additional levels covering a full range of security requirements to be introduced at a later date.
“Our new multi-level evaluation program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO-certified authenticators,” said Brett McDowell, executive director of the FIDO Alliance. “This new certification program, used in combination with the FIDO Metadata service, enables enterprises and online services to make better-informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable ‘scores’ on the back end while delivering better user experiences on the front end due to lower instances of intrusive ‘step up authentication’ challenges.”
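The registration-time decision described above, as an added example that is not FIDO Alliance code: the relying party looks up the authenticator's metadata, derives the certification level currently in force, and decides whether the credential satisfies the per-operation policy or needs a step-up challenge. The metadata entries, AAGUID strings, policy thresholds and dates are constructed; the status strings follow the FIDO Metadata Statement status values, but real metadata entries carry many more fields than are modelled here.

```python
from datetime import date

# Constructed metadata entries shaped like FIDO metadata "statusReports"
# (assumption: only "status" and "effectiveDate" are used here).
SAMPLE_MDS = {
    "aaguid-l2-example": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2017-09-01"},
        {"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2018-05-01"},
    ]},
    "aaguid-l1-example": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2018-01-15"},
    ]},
    "aaguid-compromised": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2018-03-01"},
        {"status": "USER_KEY_PHYSICAL_COMPROMISE", "effectiveDate": "2019-01-10"},
    ]},
}

CERT_LEVEL = {"FIDO_CERTIFIED_L1": 1, "FIDO_CERTIFIED_L2": 2}
# Any of these statuses means the metadata no longer vouches for the device.
COMPROMISE_STATUSES = {
    "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED",
}
# Minimum certification level per operation (assumption: illustrative RP policy).
POLICY = {"view_account": 1, "payment": 2}


def certified_level(entry, today):
    """Highest certification level in force on `today`; 0 if none or if a
    compromise/revocation report has taken effect."""
    level = 0
    for report in entry["statusReports"]:
        if date.fromisoformat(report["effectiveDate"]) > today:
            continue  # report not yet effective, ignore it
        if report["status"] in COMPROMISE_STATUSES:
            return 0
        level = max(level, CERT_LEVEL.get(report["status"], 0))
    return level


def registration_decision(aaguid, operation, mds=SAMPLE_MDS, today=date(2019, 6, 1)):
    """'accept' if the credential meets the policy for `operation`, 'step_up' if
    it is certified but below the required level, 'reject' otherwise."""
    entry = mds.get(aaguid)
    if entry is None:
        return "reject"  # no metadata at all: nothing to base a risk decision on
    level = certified_level(entry, today)
    if level == 0:
        return "reject"
    return "accept" if level >= POLICY[operation] else "step_up"
```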
All FIDO-Certified L1 Authenticators must pass interoperability testing for compliance with the FIDO specifications. They also must pass a design review against FIDO requirements to ensure the authenticator uses the best security practice for the operating system it is running on.
The FIDO L2 Security Certification Requirements mandate that authenticators implement a restricted operating environment (such as a trusted execution environment (TEE) or secure element) to protect biometric data and authentication credentials against operating system compromises that arise from app downloads, malicious website content or similar threats. L2 authenticators also must pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory.
The new program also incorporates traditional FIDO functional certification, which measures compliance and ensures interoperability among products and services that support FIDO specifications.
The FIDO ecosystem includes Intel, Microsoft, Google, PayPal, Bank of America, Amazon and others.