
FIDO: Testing under the FIDO security standards


Authenticators are supposed to make authentication faster and more secure for internet users – provided that they themselves fulfill certain security standards. The FIDO Alliance has developed open standards especially for these authentication solutions, allowing manufacturers to objectively demonstrate the security of their products. As a security laboratory accredited by the FIDO Alliance, TÜViT is entitled to perform corresponding evaluations.

    

Different security levels of certification

During the certification process, it is assessed whether the authenticator and its functionality conform to the specifications defined by FIDO. Here we offer companies evaluation services tailored to different security levels:
  

  • Hardware and software requirements: Device must support an allowed Restricted Operating Environment (ROE) (e.g. a TEE) or intrinsically be an ROE (e.g. a USB token or smart card)
  • Evaluation of the Authenticator with regard to protection against device operating system malfunctions and against major attacks
  • Services: Design Review
  • Examples: Apps using a FIDO Level 2 certified phone; USB, BLE and NFC Security Keys

    

  • Hardware and software requirements: Device must support an allowed Restricted Operating Environment (ROE) (e.g. a TEE) or intrinsically be an ROE (e.g. a USB token or smart card)
  • Evaluation of the Authenticator with regard to protection against device operating system malfunctions and against major attacks
  • Services: Penetration testing, Attack potential calculation
  • Examples: Apps using a FIDO Level 2 certified phone; USB, BLE and NFC Security Keys

   

  • Hardware and software requirements: Circuit board potting, package on package memory, encrypted RAM…
  • Evaluation of the Authenticator with regard to protection against advanced software and hardware attacks - Protection of captured devices against board attacks
  • Services: Design Review, Penetration testing, Attack potential calculation
  • Examples: USB, BLE and NFC Security Keys using Secure Elements or other means of defending against hardware attacks

    

  • Hardware and software requirements: Protection against chip fault injection and invasive attacks 
  • Evaluation of the Authenticator with regard to protection against advanced software and hardware attacks - Protection of captured devices against chip-level physical attacks
  • Services: Design Review, Penetration testing, Attack potential calculation
  • Examples: USB, BLE and NFC Security Keys using Secure Elements or other means of defending against hardware attacks

Successfully certified products can be marked with the “FIDO certified” logo.

Do you require a consultation regarding FIDO? We can also provide you with various consulting services, independently of our testing.

About FIDO

The FIDO Alliance was founded in 2013, and has set itself the objective of fundamentally improving online security through simpler and more secure authentication methods. To this end, mechanisms have been defined in the form of standards, with the intention of reducing dependence on passwords and ensuring stronger authentication.

The (security) key to success: an authenticator that needs to be unlocked locally by the user, for example by means of a fingerprint scanner or by physically activating a security token. Only then does the private key stored securely on the authenticator interact with the public key stored on a server to open the online door to a website or app. In this manner, logins that were previously based only on passwords are replaced by Universal 2nd Factor (U2F) authentication.

Your benefits at a glance

  • Minimizing security risks
  • Objective verification of the security of the authenticator with the “FIDO certified” marking
  • Improved market positioning through differentiation from the competition

Christoph Bayer

Evaluation & Validation

+49 201 8999 557
Fax: +49 201 8999-666

c.bayer@tuvit.de

Further services

Evaluation Body for IT Security

With its evaluation body for IT security, TÜViT is one of the world's leading providers of testing services for IT products and systems. The evaluation body has been recognized by the German Federal Office for Information Security (BSI) since 1991 and accredited by the DAkkS, the German Accreditation Body, according to DIN EN ISO/IEC 17025.

Common Criteria

Globally-recognized security evaluations for IT components, products and systems: TÜViT is one of the world's leading testing service providers for Common Criteria. With our 50 licensed evaluators, we have successfully completed over 600 evaluation projects according to CC (from EAL1 to EAL6+).

Hardware

Hardware tests for more security: Hardware security modules or chip cards are used for the protection of sensitive data. TÜViT evaluates these IT products and their components in accordance with recognized international security standards and performs the necessary penetration tests in its own hardware test laboratory.

Software

Securing software after the fact is always complicated and expensive. This is why it is important to consider IT security from the beginning and throughout the entire life cycle, within the framework of a Common Criteria (CC) evaluation.

Site Certification

Audit of development and production environments: If IT products are certified in accordance with the Common Criteria IT security standard or EMVCo, audits of development and production environments represent an integral part of the evaluation process. For many years now, TÜViT has been successfully carrying out site audits for production and development environments.

Technical Guidelines of the BSI

Security for government applications and health data: TÜViT is recognized by the German Federal Office for Information Security (BSI) as an evaluation body for Technical Guidelines (TR).

FIPS 140-2

Testing of crypto modules and crypto algorithms: The TÜViT test laboratory is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation according to FIPS PUB 140-2.

Electronic Payments

Components that are used within electronic payment systems must fulfil specific security standards and require corresponding approvals. TÜViT performs these approval procedures in its capacity as an accredited security assessor.