FIDO: Proving the security of the authenticator and biometric components in accordance with the relevant standards
Authenticators and biometric user verification are supposed to make authentication faster and more secure for internet users – provided that they themselves fulfill certain security standards. The FIDO Alliance has developed open standards especially for these authentication solutions, allowing manufacturers to objectively demonstrate the security of their products. As a security laboratory recognized by the FIDO Alliance, TÜVIT is entitled to perform corresponding evaluations.
Testing & certification of biometric components
We are currently the only laboratory in Germany to test the security of biometric-based authentication solutions. To do this, we use globally recognized performance standards for the testing of biometric components, carry out both online and offline live tests and, if necessary, support you on your path to certification.
Authenticator testing & certification
How well is the private key on the authenticator protected against unauthorized access and manipulation? We investigate this question intensively through laboratory testing. The focus is on authenticator security, which must meet certain security standards defined by the FIDO Alliance in order to receive certification.
Clarification of all FIDO security issues
Independently of our FIDO audits, we support companies on all issues relating to the FIDO standard. Do you need further information? We are happy to help!
FIDO: Our services in the field of authenticator security
Do you want to protect your authenticator from device operating system, PCB or chip-level attacks? We offer the appropriate FIDO security level for each of these hazards. In the certification process that follows the evaluation, the FIDO Alliance uses the evaluation report to assess whether the authenticator can be listed as a certified product.
We perform tests according to the following certification levels:
FIDO: Level 2
- TÜVIT services: Design Review
- Evaluation of the Authenticator with regard to protection against device operating system malfunctions and against major attacks
- Hardware and software requirements: Device must support allowed Restricted Operating Environment (ROE) (e.g. TEE) or intrinsically be an ROE (e.g. a USB token or Smart Card)
- Examples: Apps using FIDO Level 2 certified phone; USB, BLE and NFC Security Keys
FIDO: Level 2+
- TÜVIT services: Penetration testing, Attack potential calculation
- Evaluation of the Authenticator with regard to protection against device operating system malfunctions and against major attacks
- Hardware and software requirements: Device must support allowed Restricted Operating Environment (ROE) (e.g. TEE) or intrinsically be an ROE (e.g. a USB token or Smart Card)
- Examples: Apps using FIDO Level 2 certified phone; USB, BLE and NFC Security Keys
FIDO: Level 3
- TÜVIT services: Design Review, Penetration testing, Attack potential calculation
- Evaluation of the Authenticator with regard to protection against advanced software and hardware attacks
- Protection of captured devices against board attacks
- Hardware and software requirements: Circuit board potting, package on package memory, encrypted RAM…
- Examples: USB, BLE and NFC Security Keys using Secure Elements or other means of defending against hardware attacks
FIDO: Level 3+
- TÜVIT services: Design Review, Penetration testing, Attack potential calculation
- Evaluation of the Authenticator with regard to protection against advanced software and hardware attacks
- Protection of captured devices against chip-level physical attacks
- Hardware and software requirements: Protection against chip fault injection and invasive attacks
- Examples: USB, BLE and NFC Security Keys using Secure Elements or other means of defending against hardware attacks
Successfully certified products can be marked with the “FIDO certified” logo.
The benefits of a FIDO assessment
- Increasing the security of the authenticator and minimizing security risks
- Objective verification of the security of the authenticator with the “FIDO certified” marking
- With subsequent certification, improved market positioning through differentiation from the competition
About FIDO
The FIDO Alliance was founded in 2013, and has set itself the objective of fundamentally improving online security through simpler and more secure authentication methods. To this end, mechanisms have been defined in the form of standards, with the intention of reducing dependence on passwords and ensuring stronger authentication.
The (security) key to success: an authenticator that needs to be unlocked locally by the user, for example by means of a fingerprint scanner or by physically activating a security token. Only then does the private key stored securely on the authenticator interact with the public key stored on a server to open the online door to a website or app. In this manner, logins that were previously based only on passwords are replaced by Universal 2nd Factor (U2F) authentication.