FIDO Authenticator Certification – FIPS 140-2 Companion Program (C21c)
The FIDO Alliance, a 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced back in March 2018 the expansion of its certification program to include multi-level security evaluations for authenticators such as physical security keys and biometrics in mobile devices and PCs. The Alliance also announced the first products certified under the new Authenticator Certification Levels program.
The new authenticator certifications will further increase consumer, enterprise and service providers’ confidence that user credentials housed in standards-based FIDO Authentication devices are protected from targeted attacks against a user’s FIDO device.
The new program adds to the traditional FIDO functional certification (which measures compliance and ensures interoperability among products and services that support FIDO specifications) a security certification based on FIDO Authenticator security requirements, addressing the threat model at different levels of security assurance.
Most importantly, the framework introduced a state-of-the-art approach, Companion Program certification, which relies on existing certification frameworks such as FIPS 140-2.
The Companion Program typically covers the underlying platform, which provides security functionality to the Authenticator Application. The intention is to ensure that the security policy of the FIDO Authenticator does not contradict the security policy of the underlying platform, and that the final product fulfills the FIDO security requirements as defined for each level of security assurance.
The presentation outlines how the FIDO Alliance defined this program, and how it offers a practical solution that addresses both the commercial and technical needs of this market and the security expected by relying parties and end users.
One of the key elements of such a solution is its reliance on a well-established framework, FIPS 140-2, to deliver a high level of security assurance; this will be addressed in detail in the presentation.
The goal is to highlight the importance of such a Companion Program approach in meeting market needs across borders.