Certification process for FIDO Authenticators demystified by Veridium
Certification testing for FIDO Alliance standards is a topic of increasing focus around the industry, and for those preparing for or considering starting the process, a presentation at Authenticate 2022 provided ‘A Gentle Introduction to Certification of a Cross-Platform FIDO2 Authenticator.’
Veridium CTO John Callahan was joined by the company’s Alex Encica, a senior developer, in a pre-recorded video to explain what happens during the interoperability test.
FIDO Certification provides assurance that a given technology is conformant with the standards, that it meets customer requirements, as well as interoperability with other certified products, compliance with regulations, and validation.
Callahan outlined the benefits of FIDO certification for businesses and their customers, and provided an outline of the steps involved in becoming certified.
The technical aspects of that process, conformance self-validation and interoperability testing, were the focus of the presentation.
There are five levels for Authenticators. Software authenticators dealt with at Level 1, which is what Veridium went through for its iOS and Android SDKs.
While the conformance self-validation is the entry point to certification, “but before that, a lot of preparation is required,” Callahan cautions.
Registering for interop events, reviews of all relevant materials, and an implementation of the FIDO2 demonstration app with the SDK are necessary, metadata should be constructed and a vendor questionnaire submitted for each technology being certified. WebAuthN testing and downloading the self-validation testing tool are also important parts of the preparation.
Callahan demonstrated a walk-through of using the conformance testing tool, sharing details on what technology providers can expect and things to watch out for during the process. Videos demonstrating the setup and biometric authentication checks of the interop test, including how to register new keys, followed.
The resulting Interop report must be submitted, along with some additional paperwork, to apply to the FIDO Alliance for certification. Finally, metadata must also be posted to the FIDO registry.
The FIDO Alliance also recently launched a certification program for document authenticity checking.