FIDO AUTHENTICATOR EVALUATION
CCLAB is one of the 12 laboratories in the world that can issue
FIDO certification in Authenticator Certification Level 2.
FIDO protocols use standard public key cryptography techniques to provide stronger authentication, see more at FIDO.
Find all of the necessary documents and information at the website of the Alliance.
Authenticator Certification Level 2 (L2) evaluates FIDO Authenticator protection against basic, scalable attacks.
In Authenticator Certification Level 1
any device HW or SW must defend against phishing, server credential breaches and MiTM attacks (better than passwords).
In Authenticator Certification Level 1+
any device HW or SW should apply White Box Cryptography to defend against OS compromise.
In Authentication Certification Level 2
the device must support allowed Restricted Operating Environment (ROE) (e.g., TEE, Secure Element...), or intrinsically be an ROE (e.g. a USB token or Smart Card). Must defend against device OS compromise.
Take a look at our valid accreditation HERE
How FIDO Works?
FIDO authentication follows a strictly standardized and evaluated process.
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
- Users are prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
- Online service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
- User unlocks the FIDO authenticator using the same method as at Registration time.
- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
*Source: FIDO Alliance