ATARC Derived FIDO2 Credentials (DFC) Lab
ATARC is a non-profit organization that provides a collaborative forum for Federal government, academia and industry to identify, discuss, and resolve emerging technology challenges.
ATARC’s Identity Management Working Group is currently focused on, and requesting vendor demonstrations of, the feasibility of the issuance and lifecycle management of a Derived FIDO2 Credential (DFC), based upon previous guidance for the issuance of X.509-based Derived PIV Credentials.
By leveraging this workflow, vendors will demonstrate how to assert organizational attestation of the FIDO2 hardware token, establish strong identity binding that ties a user’s existing PIV or CAC smartcard to the issuance of the DFC, and leverage attribute-based access control (ABAC) to provide attestation of the assurance level of the DFC during authentication. These controls are established practices that minimize the risk of impersonation and allow for managing which resources an End User can interact with while leveraging a DFC. Currently, no such guidance exists for the issuance and management of FIDO2 credentials, and enterprise use of these credentials has been limited for this reason.
The Working Group Leadership includes:
Ross Foard, Working Group Government Chair, CISA
Cheryl Jenkins, Working Group Government Vice Chair, GSA
Kelvin Brewer, Working Group Industry Co-Chair, ForgeRock
Bryan Rosensteel, Working Group Industry Co-Chair, Ping Identity
David Treece, Industry Co-Vice Chair, Yubico
Brian Dack, Industry Co-Vice Chair, Okta
Gurpreet Manes, Industry Co-Vice Chair, ImproveID
Please view the full Request for Demonstrations document by clicking on the button below, and submit your interest form here.
ATARC DFC Lab Participation Process
- Initiate intake process by filling out the form below
- Participate in a vendor kick-off call
- Prepare an up to 30-min demonstration (live demo, slide materials and/or video)
- Vendor must demonstrate all three capabilities (DFC Issuance, DFC Lifecycle Management, and DFC Authentication). Multi-vendor collaboration is expected to accomplish this.
- Only one vendor is required to register.