Authentication - Acceptable Use of Biometrics, v1.0

Biometrics used as a factor in multi-factor authentication must adhere to numerous requirements to be effective and safe.

Assessment Steps (8)

1
Physical Authenticator (PhysicalAuthenticator)
Is the biometric used only as one factor of multi-factor authentication, in combination with a physical authenticator (something you have)?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that biometrics are used only together with a physical authenticator.
2
Protected Channel (ProtectedChannel)
Is an authenticated protected channel between sensor and verifier established before the biometric sample is taken?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that an authenticated protected channel between sensor and verifier is established, and the sensor or endpoint authenticated, before the sample is captured.
3
False Match Rate (FalseMatchRate)
Is the false match rate better than 1 in 1000?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that the false match rate is 1 in 1000 or better and that this rate holds under conformant (zero-effort impostor) attack conditions.
4
Presentation Attack Detection (PresentationAttackDetection)
Does the system implement presentation attack detection (PAD), for example is it able to differentiate between a picture of a person's face and their real face with high accuracy?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that the biometric system implements PAD.
5
Rate Limiting (RateLimiting)
Does the system implement appropriate rate limiting for repeated failures and offer alternative means of authentication?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that the biometric system implements rate limiting for consecutive failures and offers an alternative authentication factor once the limit is reached.
6
Sensor Viability (SensorViability)
Does the biometric verifier make a determination about the viability of a sensor based on appropriate data about the sensor and endpoint, such as authentication results, certifications, or attestation?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that the biometric verifier makes a determination regarding sensor and endpoint performance, integrity, and authenticity.
7
Centralized Verifiers (CentralizedVerifiers)
If biometric comparison is not done locally (i.e., not on the claimant's device), does the central verifier support biometric revocation, limit use of the biometric to specific approved devices, and transmit all biometrics over an authenticated protected channel?
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that biometric comparison is performed on the claimant's device or, if performed centrally, that device restriction, biometric revocation, and protected-channel transmission are implemented.
8
Training (Training)
If biometric samples are used for training or research, is user consent requested and the data appropriately zeroized after training/research is complete? If no samples are used for training or research, then this requirement is satisfied.
Artifact
A1
Provide evidence (e.g. policies, operational details, processes) that, if any samples are used for training or research, user consent is obtained and the data is zeroized immediately after the training or research data has been derived.

Conformance Criteria (8)

C1
Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 4
C2
An authenticated protected channel between sensor (or an endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint SHALL be authenticated prior to capturing the biometric sample from the claimant.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 5
C3
The biometric system SHALL operate with a false match rate (FMR) [ISO/IEC 2382-37] of 1 in 1000 or better. This FMR SHALL be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in ISO/IEC 30107-1.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 6
C4
The biometric system SHOULD implement presentation attack detection (PAD). Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (i.e., species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks. Testing of presentation attack resistance SHALL be in accordance with Clause 12 of ISO/IEC 30107-3.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 7
C5
The biometric system SHALL allow no more than 5 consecutive failed authentication attempts or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either: (1) Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt (e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt), or (2) Disable the biometric user authentication and offer another factor (e.g., a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already available.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 8
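To make criterion C5 (and assessment step 5) concrete, here is an added example, not code from this page or from NIST, of a per-claimant limiter that enforces the 5/10 consecutive-failure limit and then applies either the exponential back-off (30 s, then doubling) or the disable-and-fall-back option. The class name, field names and the seconds-based clock passed by the caller are assumptions.

```python
from dataclasses import dataclass

# Limits quoted in criterion C5 (NIST SP 800-63B, Section 5.2.3, Paragraph 8).
MAX_FAILURES_WITHOUT_PAD = 5
MAX_FAILURES_WITH_PAD = 10
INITIAL_DELAY_SECONDS = 30


@dataclass
class BiometricAttemptLimiter:
    """Per-claimant lockout state for a biometric verifier (hypothetical helper)."""
    pad_implemented: bool            # PAD meeting C4 raises the limit from 5 to 10
    use_delay: bool = True           # True: back-off option (1); False: disable-and-fallback option (2)
    consecutive_failures: int = 0
    lockouts: int = 0                # times the limit has been hit; drives the back-off exponent
    not_before: float = 0.0          # earliest time at which the next attempt may be evaluated
    biometric_disabled: bool = False

    @property
    def limit(self) -> int:
        return MAX_FAILURES_WITH_PAD if self.pad_implemented else MAX_FAILURES_WITHOUT_PAD

    def can_attempt(self, now: float) -> bool:
        """True if the verifier may evaluate a sample at time `now` (seconds)."""
        return not self.biometric_disabled and now >= self.not_before

    def record_result(self, matched: bool, now: float) -> str:
        """Update state after a comparison; returns 'ok', 'fail', 'delay' or 'fallback'."""
        if not self.can_attempt(now):
            raise PermissionError("attempt before the required delay elapsed or after fallback")
        if matched:
            # A successful match clears the consecutive-failure counter and any pending delay.
            self.consecutive_failures = 0
            self.lockouts = 0
            self.not_before = 0.0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.limit:
            return "fail"
        # Limit reached: apply one of the two options C5 allows.
        if not self.use_delay:
            self.biometric_disabled = True   # caller must now offer another factor
            return "fallback"
        delay = INITIAL_DELAY_SECONDS * (2 ** self.lockouts)   # 30 s, 60 s, 120 s, ...
        self.lockouts += 1
        self.not_before = now + delay
        return "delay"
```

The verifier calls `can_attempt` before evaluating a sample and `record_result` afterwards; the delay path keeps counting so the back-off keeps doubling until a successful match resets it.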
C6
The verifier SHALL make a determination of sensor and endpoint performance, integrity, and authenticity. Acceptable methods for making this determination include, but are not limited to: Authentication of the sensor or endpoint; Certification by an approved accreditation authority; or Runtime interrogation of signed metadata (e.g., attestation).
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 9
C7
Biometric comparison can be performed locally on claimant's device or at a central verifier. Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred. If comparison is performed centrally: (1) Use of the biometric as an authentication factor SHALL be limited to one or more specific devices that are identified using approved cryptography. Since the biometric has not yet unlocked the main authentication key, a separate key SHALL be used for identifying the device. (2) Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented. (3) All transmission of biometrics SHALL be over the authenticated protected channel.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraphs 10 and 11
C8
Biometric samples collected in the authentication process MAY be used to train comparison algorithms or -- with user consent -- for other research purposes. Biometric samples and any biometric data derived from the biometric sample such as a probe produced through signal processing SHALL be zeroized immediately after any training or research data has been derived.
Citation
NIST SP 800-63B
Section 5.2.3, Paragraph 12