FIDO Alliance introduces multi-level authenticator certification program
The FIDO Alliance has expanded its certification program to include multi-level security evaluations for biometrics and other authenticators on mobile devices and PCs. Along with the Authenticator Certification Levels program, the organization has announced the program’s first 10 certified products.
The new certifications will further increase the confidence of consumers, enterprises, and service providers that credentials housed in FIDO Authentication devices are protected against attacks, according to the announcement.
“Our new multi-level evaluation program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO Certified authenticators,” said Brett McDowell, executive director of the FIDO Alliance. “This new certification program, used in combination with the FIDO Metadata service, enables enterprises and online services to make better informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable “scores” on the back-end while delivering better user experiences on the front end due to lower instances of intrusive “step up authentication” challenges.”
FIDO Certified Level 1 (L1) and Level 2 (L2) Authenticator security levels are now being offered for testing and certification by the Alliance, and additional levels will be introduced at a later date. L1 Authenticators must pass interoperability testing for compliance and a design review for best security practice for the operating system it runs on. L2 Authenticators must implement a restricted operating environment such as Trusted Execution Environment (TEE) or Secure Element (SE) to protect biometric data and authentication credentials against operating system compromises, and also pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory.
Organizations that have achieved L1 certification include AuthenTrend Technology Inc., CANVASBIO, i-Sprint Innovations Pte Ltd, PixelPin LTD, SHARP CORPORATION, and Shenzhen National Engineering Laboratory of Digital Television Co. Ltd. Feitian Technologies Co. Ltd. has been certified as an L2 Authenticator.
Labs accredited to perform L2 certifications are Applus+ Laboratories, Beijing Unionpay Card Technology Co. Ltd., Brightsight B.V., DPLS Lab, Telecommunications Technology Association (TTA), and UL Verification Services Inc.
Adoption of FIDO authentication standards continues to grow, with notable success in Korea recently detailed by a blog post from the FIDO Korea Working Group. BioCatch recently pitched behavioural biometrics to compliment FIDO authentication as a method of continuous fraud prevention.