
FIDO - discovered, explained


Testing in accordance with FIDO security standards

Authenticators and biometric user verifications are designed to make authentication for users on the Internet more secure, faster and easier - provided they fulfil certain security standards themselves. The FIDO Alliance has developed open standards specifically for these authentication solutions, which manufacturers can use to objectively prove their security.

What is FIDO?

The FIDO Alliance (Fast Identity Online), founded in 2013, has set itself the goal of significantly improving online security through simpler and more secure authentication procedures. To this end, mechanisms have been defined in the form of standards to reduce dependence on passwords and ensure stronger authentication.

Secure authentication

Possible evaluation targets under FIDO

Biometric Components

We are currently the only laboratory in Germany to test the security of biometric-based authentication solutions. We use globally recognised performance standards for testing biometric components and carry out both online and offline live tests.

Authenticator

How well is the private key on the authenticator protected against unauthorised access and manipulation? We investigate this question intensively as part of laboratory tests. The focus here is on authenticator security, which must fulfil certain security standards in order to receive a certificate.

Special features of FIDO

  • There are three FIDO standards: FIDO UAF, FIDO U2F and FIDO2 (WebAuthn/CTAP2)
  • The FIDO standards pave the way for a passwordless future

TÜV NORD IT Secure Communication | Berlin

TÜV Informationstechnik | Essen

Frequently Asked Questions (FAQ)

What you need to know about FIDO

Examination by the FIDO Alliance itself:

Level 1:

  • Evaluation of the authenticator with regard to protection against simple attacks
  • Protection against phishing, breaches of server credentials and man-in-the-middle (MITM) attacks

Level 1+:

  • Evaluation of the authenticator with regard to protection against simple attacks
  • Use of white-box cryptography and other techniques to protect the operating system from interference

Testing by an accredited security laboratory such as TÜVIT:

FIDO: Level 2

  • TÜVIT services: Design review
  • Evaluation of the authenticator with regard to protection against interference with the device operating system and against major attacks
  • Hardware and software requirements: The device must support a Restricted Operating Environment (ROE) or be inherently a Restricted Operating Environment, such as a Trusted Execution Environment (TEE).
  • Examples: Apps in combination with the use of a FIDO Level 2 certified mobile phone; USB, BLE or NFC tokens

FIDO: Level 2+

  • TÜVIT services: Carrying out penetration tests, calculating the attack potential
  • Evaluation of the authenticator with regard to protection against interference with the device operating system and against major attacks
  • Hardware and software requirements: The device must support a Restricted Operating Environment (ROE) or be inherently a Restricted Operating Environment, such as a Trusted Execution Environment (TEE).
  • Examples: Apps in combination with the use of a mobile phone certified to FIDO Level 2; USB, BLE or NFC tokens

FIDO: Level 3

  • TÜVIT services: Design review, performance of penetration tests, calculation of the attack potential
  • Evaluation of the authenticator with regard to protection against advanced software and hardware attacks
  • Protection of the evaluated device against attacks on the circuit board
  • Hardware and software requirements: Encapsulation of the circuit board, programme packages located on the memory module, encrypted RAM, etc.
  • Examples: USB, BLE or NFC security tokens that use appropriate security elements or other means of defence against hardware attacks

FIDO: Level 3+

  • TÜVIT services: Design review, performance of penetration tests, calculation of attack potential
  • Evaluation of the authenticator with regard to protection against advanced software and hardware attacks
  • Defence of the evaluated device against attacks at chip level
  • Hardware and software requirements: Protection against fault injection (chip) and invasive attacks
  • Examples: USB, BLE or NFC security tokens that use appropriate security elements or other means to defend against hardware attacks

User verification: Factors that can be combined with each other:

  • Knowledge of the user, e.g. passwords or personal identification numbers
  • Possession of the user, e.g. security token
  • Biometrics of the user, e.g. fingerprint, voice, appearance
