FIDO Certification Program Updates
•
1 like•426 views
FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO manages functional certification programs for its core specifications (UAF, U2F and FIDO2) to ensure product interoperability, and more recently has introduced programs to delineate security capabilities of FIDO Certified Authenticators, and also to test and validate the efficacy of biometric components. These slides explain how to: - Learn how to take part in the FIDO Certified program and/or what to consider when licensing FIDO Certified solutions - Understand how FIDO’s new biometric certification program (a first of its kind in the industry) will help inform the marketplace on the accuracy of various biometric authentication components - See how FIDO’s Certified Authenticator Levels will help deploying organizations specify and support specific security capabilities and requirements for their end users
Report
Share
More Related Content
What's hot
What's hot (20)
Similar to FIDO Certification Program Updates
Similar to FIDO Certification Program Updates (20)
More from FIDO Alliance
More from FIDO Alliance (20)
Recently uploaded
Recently uploaded (20)
FIDO Certification Program Updates
- 1. All Rights Reserved | FIDO Alliance | Copyright 2018 FIDO Certified Program Updates Authenticators, Biometrics & FIDO2
- 2. All Rights Reserved | FIDO Alliance | Copyright 2018 2 Agenda • The Value of FIDO Certification + Program Updates • FIDO Authenticator Certification Program • FIDO Biometric Certification Program • Getting Started with Your Certification • Q & A
- 3. All Rights Reserved | FIDO Alliance | Copyright 20183 CERTIFICATION GOALS • Enable implementations to be identified as officially FIDO certified • Ensure interoperability between FIDO officially recognized implementations • Promote the adoption of the FIDO ecosystem • Provide RPs with the ability to assess performance requirements for user authenticators • Provide the industry at large with a testing baseline for biometric component performance
- 4. All Rights Reserved | FIDO Alliance | Copyright 20184 FIDO CERTIFIED ECOSYSTEM (SAMPLE) PHONES & PCs 475 FIDO Certified Implementations Today SECURITY KEYS CLOUD/SERVER SOLUTIONS
- 5. All Rights Reserved | FIDO Alliance | Copyright 20185 LATEST CERTIFICATION UPDATES • Formal FIDO2 Interop occurred 20-23 August 2018 • Authenticator Certification Program Level 3 and 3+ • Utilizes the Companion Program for Certification • Biometric Certification Program • False Accept Rate • False Reject Rate • Presentation Attack Detection
- 6. 6 AGENDA • The Value of FIDO Certification + Program Updates • FIDO Authenticator Certification Program • FIDO Biometric Certification Program • Getting Started with Your Certification • Q & A
- 7. All Rights Reserved | FIDO Alliance | Copyright 20187 FIDO AUTHENTICATOR CERTIFICATION • The FIDO Authenticator Certification Program validates that Authenticators conform to the FIDO specifications (UAF/U2F/FIDO2) and allows vendors to certify the security characteristics of their implementations • After completing certification, vendors may use the FIDO logo on their products
- 8. All Rights Reserved | FIDO Alliance | Copyright 20188 LEVELS PICTORIAL NOTE: For Authenticators that use a biometric the Biometric Certification is required at L2+ and higher.
- 9. All Rights Reserved | FIDO Alliance | Copyright 20189 EXAMPLES
- 10. All Rights Reserved | FIDO Alliance | Copyright 201810 SECURITY EVALUATION Level 3rd Party Lab Work Required Evaluation Style L1 None – evaluation is solely by FIDO Alliance Security Secretariat • System design review L1+ (preliminary) Vendor must hire a FIDO-approved lab • System design review • Code review • SW penetration test / attack potential calculation L2 Vendor must hire a FIDO-approved lab • System design review L2+ (preliminary) Vendor must hire a FIDO-approved lab1 • System design review • Code review • SW penetration test / attack potential calculation L3 Vendor must hire a FIDO-approved lab1 • System design review • Code review • HW penetration test / attack potential calculation L3+ Vendor must hire a FIDO-approved lab1 • System design review �� Code review • HW penetration test / attack potential calculation 1 At level L2+ and higher, it should usually be the case that the platform HW and SW have already been certified and the FIDO vendor will only need to certify the FIDO-specific requirements (e.g. the authenticator is running on an already-certified TEE, Secure Element…)
- 11. All Rights Reserved | FIDO Alliance | Copyright 201811 NEW COMPANION PROGRAM • Companion Programs are independent testing programs which FIDO partners with to lessen the certification burden • Example: Common Criteria or ISO/IEC 15408 • The vendor uses a FIDO created mapping document that maps program requirements from companion program to FIDO security requirements • The authenticator is evaluated on the delta requirements only • Companion Programs are currently required for Authenticator Security levels 3 and 3+ More information can be found on the FIDO Alliance website: https://fidoalliance.org/fido-authenticator-certification-companion- program/
- 12. FIDO Alliance | All Rights Reserved | Copyright 201812 CHANGES AFTER INITIAL CERTIFICATION Delta Certification is a process to verify that a Certified implementation still meets requirements for the following cases: • Product upgrades • Version upgrade • Level downgrades • Security vulnerability • Post suspension
- 13. All Rights Reserved | FIDO Alliance | Copyright 201813 CHANGES AFTER INITIAL CERTIFICATION Derivative Certification: • Products or services that rely upon existing Certified implementations for conformance with FIDO specifications • A Derivative implementation may not modify, expand, or remove FIDO functionality from the Certified implementation on which it is based
- 14. 14 AGENDA • The Value of FIDO Certification + Program Updates • FIDO Authenticator Certification Program • FIDO Biometric Certification Program • Getting Started with Your Certification • Q & A
- 15. FIDO Alliance | All Rights Reserved | Copyright 201815 FIDO CERTIFICATION PURPOSE The FIDO Biometric Certification Program is intended to certify biometric components and/or subsystems and is independent from Authenticator Certification Program
- 16. All Rights Reserved | FIDO Alliance | Copyright 201816 TESTING STEP 1: BIOMETRIC SUBCOMPONENT
- 17. FIDO Alliance | All Rights Reserved | Copyright 201817 ALLOWED INTEGRATION DOCUMENT • Developed by vendor and submitted to lab • Used to document changes necessary to accommodate integration with authenticator • Must include explanation of possible software and hardware changes
- 18. All Rights Reserved | FIDO Alliance | Copyright 201818 TESTING STEP 2: AUTHENTICATOR
- 19. All Rights Reserved | FIDO Alliance | Copyright 201819 AUTHENTICATOR CERTIFICATION Using a Certified Biometric Subcomponent: • Optional for Authenticators using a Biometric at L1-L2. • The Security Requirements enforce Biometric Certification of the biometric at L3 and higher when a biometric is used in the authenticator. • Once L2+ is finalized Biometric Certification will also be required • Results in a “FIDO Certified” Authenticator
- 20. FIDO Alliance | All Rights Reserved | Copyright 201820 BIOMETRIC DEFINITIONS • False Accept Rate (FAR): The proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed • False Reject Rate (FRR): The proportion of verification transactions with truthful claims of identity that are incorrectly denied • Impostor Attack Presentation Match Rate (IAPMR): Proportion of presentation attacks in which the target reference is matched
- 21. FIDO Alliance | All Rights Reserved | Copyright 201821 BIOMETRIC PERFORMANCE LEVELS • Biometric Requirements: • False Accept Rate (FAR): SHALL meet the requirement of less than 1:10,000 for the upper bound of a 80% confidence interval. FAR is measured at the transaction level. • False Reject Rate (FRR): SHALL meet the requirement of less than 3:100 for the upper bound of a 80% confidence interval. FRR is measured at the transaction level. • Presentation Attack Detection: SHALL be performed by the FIDO-accredited independent testing laboratory on the TOE provided by vendor. The evaluation measures the Impostor Attack Presentation Match Rate for each presentation attack type, as defined in ISO 30107 Part 3. NOTE: FIDO-accredited independent testing laboratory performs live subject scenario testing on the TOE provided by vendor using a combination of on-line/off-line testing, as well as presentation attack testing, based on ISO 19795-1 and ISO 30107-3.
- 22. FIDO Alliance | All Rights Reserved | Copyright 201822 SELF-ATTESTATION - OPTIONAL • Biometric Requirements: • False Accept Rate (FAR): The vendor SHALL attest to an FAR of [1:25,000 or 1:50,000 or 1:75,000 or 1:100,000] at an FRR of 3% or less. • False Reject Rate (FRR): The vendor SHALL attest to an FRR at no greater than 3% as measured when determining the self-attested FAR. In other words, self attestation for FRR is only possible when self attesting for FAR. NOTE: Self-attestation for FAR and FRR shall be supported by test data and documented in a report submitted to lab from vendor.
- 23. 23 AGENDA • The Value of FIDO Certification + Program Updates • FIDO Authenticator Certification Program • FIDO Biometric Certification Program • Getting Started with Your Certification • Q & A
- 24. FIDO Alliance | All Rights Reserved | Copyright 201824 ROLES AND RESPONSIBILITIES Working Groups Secretariats Security Review Team Certification Trouble Shooting Accredited Labs Vendors Partner Programs OEMs
- 25. All Rights Reserved | FIDO Alliance | Copyright 201625 GETTING STARTED: FUNCTIONAL CERTIFICATION Register for Self-Conformance Test Tool Access : https://fidoalliance.org/test-tool-access-request/ • For UAF, you will need to complete both automated and manual testing • UAF Authenticators only will need a Vendor ID: http://fidoalliance.org/vendor-id-request/ Complete Self-Conformance Testing at least two weeks prior to interoperability event. Elect to Participate in Pre-Testing in the two weeks prior to the interoperability event (recommended) Register for and attend the next interoperability event: https://fidoalliance.org/interop-registration/ Next Interoperability Event Host: Seoul, S. Korea, 12-15 November 2018 (Location TBD). Registration opening soon.
- 26. All Rights Reserved | FIDO Alliance | Copyright 201826 INTEROP TESTING OVERVIEW • Existing Process – Interop Testing • Interop every 90 days • Plan ahead! May impact product schedules… • New Process – On Demand Testing • Pick your testing date from a calendar • Servers: remote / virtual testing • Authenticators: ship device or in-person testing • Convenience and fast turn-around On Demand Testing Virtual Shipped In-Person
- 27. Functional Testing Security Evaluation Certification Issuance Trademark Licensing Agreement Metadata Submission 27 CERTIFICATION PROCESS OVERVIEW FIDO Alliance | All Rights Reserved | Copyright 2018
- 28. All Rights Reserved | FIDO Alliance | Copyright 201828 GETTING STARTED – BIOMETRIC CERTIFICATION Apply for Biometric component certification • Request an account: https://fidoalliance.org/certification/certification- account-request/ Select an Accredited Biometric Lab and agree to terms for testing • Biometric Accredited Lab list: https://fidoalliance.org/fido-accredited-biometric-laboratories/
- 29. Biometric Testing Laboratory Report Certification Request Certification Issuance (recommended) Authenticator Certification FIDO Alliance | All Rights Reserved | Copyright 201829 CERTIFICATION PROCESS OVERVIEW
- 30. All Rights Reserved | FIDO Alliance | Copyright 201830 Connect with FIDO fidoalliance.org