Introducing the Partner Program Certification Concept (A20a)
The FIDO Alliance, a 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced back in March 2018 the expansion of its certification program to include multi-level security evaluations for authenticators such as physical security keys and biometrics in mobile devices and PCs. The Alliance also announced the first products certified under the new Authenticator Certification Levels program. The new authenticator certifications will further increase the confidence of consumers, enterprises and service providers that user credentials housed in standards-based FIDO Authentication devices are protected from targeted attacks against a user’s FIDO device. The new program adds to the traditional FIDO functional certification (which measures compliance and ensures interoperability among products and services that support FIDO specifications) a security certification based on the FIDO Authenticator security requirements, which address the threat model at different levels of security assurance.

Most importantly, the framework introduced a state-of-the-art approach, Partner Program Certification, that relies on existing certification frameworks such as Common Criteria and FIPS 140-2. The presentation outlines how the FIDO Alliance defined this program and how it offers a practical solution that addresses both the commercial and technical needs of this market and the security expected by relying parties and end users. One of the key elements of such a solution is its reliance on a well-established framework, the Common Criteria, together with some of the Protection Profiles relevant to the technology and the AVA_VAN vulnerability assessment methodology to address high levels of security assurance. The goal is to highlight the importance of such a Partner Program approach in meeting market needs across borders.