[Question] Can a “Soft FIDO2 Authenticator” (on Android or iOS) pass L2 authentication?


chopperhl

Jun 28, 2022, 4:06:41 AM
to FIDO Dev (fido-dev), choppe...@trustasia.com
I found some information on

It says the following:

Examples of implementations that will NOT meet Level 2 Security Requirements:
  • Pure Rich OS software implementations of Authenticators that do not have a restricted operating environment.
  • Authenticators that do not support attestation.
So, it means that a Soft FIDO2 Authenticator implemented on iOS or Android cannot pass L2 authentication?

da...@fidoalliance.org

Jul 6, 2022, 7:00:28 PM
to chopperhl, FIDO Dev (fido-dev), choppe...@trustasia.com

Yes, that is correct.


chopperhl

Jul 6, 2022, 9:46:05 PM
to FIDO Dev (fido-dev), David Turner, choppe...@trustasia.com, chopperhl
Thanks for the reply.
We store the attestation key and credential key in KeyStore (Android). It still can't meet L2?

John Bradley

Jul 6, 2022, 11:08:59 PM
to chopperhl, FIDO Dev (fido-dev), David Turner, choppe...@trustasia.com, chopperhl
The entire authenticator would need to be running in the TEE, not just the key protection, to meet the L2 requirements.


Arshad Noor

Jul 7, 2022, 10:24:35 AM
to da...@fidoalliance.org, chopperhl, FIDO Dev (fido-dev), choppe...@trustasia.com

David,

If the software implementation explicitly took advantage of a secure element or the TEE, and was able to provide proof of that, would that not meet the requirements for the ROE and thus, the L2 certification?

Arshad

David Turner

Jul 7, 2022, 5:58:03 PM
to Arshad Noor, chopperhl, FIDO Dev (fido-dev), choppe...@trustasia.com
Arshad,

I assumed the original question was regarding a pure software-based authenticator. Regarding your question, I'll leave that to someone who is more familiar with our certification requirements and processes. 

David