FIDO Certification when using Platform Auth (e.g. Apple Face ID)


John Smythe

Jul 27, 2021, 6:17:29 AM
to FIDO Dev (fido-dev)
Hi 

If I build a Web Based SDK (e.g. JavaScript bundle) which calls the dependent APIs e.g. Web Auth but with limited scope of supporting only Platform Auths found in OS (Touch, Face etc.) -- do I require FIDO Certification for the client-side authenticator element?

Or is the FIDO certification inherited through (presumably) the FIDO compliance the native platform authenticators go through by virtue of Apple, Google etc. development?

Thanks!

Shane Weeden

Jul 27, 2021, 6:39:25 AM
to John Smythe, FIDO Dev (fido-dev)
You don’t *need* FIDO certification for anything. What are you trying to certify?

Second, platforms (including browsers and platform authenticators) aren’t certified at all so that definitely doesn’t apply. 

Regards,
Shane 


John Smythe

Jul 28, 2021, 11:46:00 AM
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), John Smythe
Hi Shane, 

Yes, I understand that nothing really needs to be certified by FIDO (you can build based upon the spec but then not get certified should you wish).

I'll try and explain in more detail. 

The business case would be to have a Web-based SDK which abstracts the complexities of integrating with FIDO-dependent components for registration/authentication use cases. By abstraction I mean giving an organization an out-of-the-box SDK bundle which does all the dependent API calls for browser and FIDO2 server back-end service plus any other niceties above and beyond FIDO. You may think of this as trivial, but view it more as an extension to an existing client-side SDK capability.

In this particular use case the Web SDK would support native platform authenticators. I had assumed that native platform authenticators provided by Google/Apple platforms would have been FIDO certified either through their authenticator and/or biometric certification process.

If I read the FIDO certification pages it mentions certifying authenticators, clients and servers. 

I'm looking for clarity on whether certification would be possible given the technical build and use case above.

Shane Weeden

Jul 28, 2021, 2:52:06 PM
to John Smythe, FIDO Dev (fido-dev)
Currently it is not. Only authenticators that use the CTAP protocol can be certified. Also, SDKs are not certifiable by any existing process.


John Bradley

Jul 29, 2021, 2:39:53 PM
to Shane Weeden, John Smythe, FIDO Dev (fido-dev)
The Android and Microsoft platform authenticators are both L1 certified.

I believe they are listed in MDS2 now.

As I recall it was a bit of a special process as they lack a CTAP2.0 API.

In principle Apple could go through the same process.

Servers and Authenticators can get FIDO certification. If FIDO elected to, it could set up certification for other components; however, there would have to be enough demand to cover the costs of the program.

John B. 
