Biometric Security – Help Unravel The Conundrum Over NIST’s Guideline
I submitted the following suggestion on NIST’s Draft Digital Authentication Guideline on August 2.
5.2.3 reads “(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret.”
It is desirable to see the above sentence in 5.2.3 followed by such a footnote as “It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used”.
NIST abruptly closed the thread of my suggestion, registered as #193, for reasons that are just unintelligible to me, after an exchange of a couple of odd messages as outlined below.
First, a NIST person indicated in their reply that NIST allows or even forces the OR/Disjunction operation, adding “it is still two-factor”. I submitted a suggestion on the assumption that NIST allows the OR/Disjunction operation.
The person’s second reply said “If two-factors are required, 2-factors need to be authenticated or the claimant will not get access.” It led me to assume that NIST does not allow OR/Disjunction and forces AND/Conjunction. I submitted a new suggestion accordingly.
Then, the second NIST person abruptly stepped in and closed this thread after supposedly alleging that the OR/Disjunction operation is valid for security. My appeal for continuing the discussion was met with silence and the thread was finally locked.
I am unable to follow their logic for justifying the closure of this thread. I wonder if some of you can help unravel this conundrum for me.
Following the abrupt closure of the above thread, I tried to submit a fresh suggestion reading
“It is desirable to see the above sentence in 5.2.3 followed by such a footnote as “This way of operating biometrics with a second authenticator by OR/Disjunction shall be recommended where convenience matters, not where security matters, since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security”.
NIST closed this new thread (#286) the following day without any comment whatsoever.
- The whole history of the #193 thread
- The whole text of the new suggestion #286
- Description for publication on Slide Share
The whole history of the #193 thread
hitoshikokumai commented 20 days ago
Organization: 3
Type: Security design
Document (63-3, 63A, 63B, or 63C): 63B
Reference (Include section and paragraph number): 5.2.3
Comment (Include rationale for comment): It reads “(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret.”
This implies that the second authenticator (factor) and the biometrics are used by OR/Disjunction, which necessarily makes the security lower than that of the second factor alone. In other words, the security is better when the second factor alone is used.
There is a 2-minute video outlining the rationale.
Biometrics in Cyber Space – “below-one” factor authentication https://youtu.be/wuhB5vxKYlg
This article may also help.
Misuse of Biometrics Technology http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/30986/
Biometric authentication is good for physical security but ruins the security of password protection and generates a false sense of security in cyber space. Deployed with a fallback password against false rejection, it provides a level of security that is even poorer than password-only authentication.
Suggested Change: It is desirable to see the above sentence in 5.2.3 followed by such a footnote as “It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used”.
Organization: 1 = Federal, 2 = Industry, 3 = Other
hitoshikokumai referenced this issue 9 days ago: Open Suggestion for AAL 2 #221
“A NIST person” commented 6 days ago
Thank you for your review. The intention behind the draft of 800-63-3-B’s inclusion of biometrics is that they are always used with a second factor. If the biometric check fails, a different second factor has to be used. In other words, if users/attackers are locked out of the biometric check, they could be offered an alternative second factor. It’s still two factor. If the wording needs to be fixed to reflect this, please suggest an alternative because the interpretation that a failure of the biometric check means no second factor check is not what we were allowing in the text.
hitoshikokumai commented 5 days ago
Thanks for taking up my suggestion for consideration.
There should be nothing wrong in operating biometrics with a second factor by OR/Disjunction PROVIDED the people concerned are all accurately aware of its consequences and all the users are explicitly informed. Most important is to avoid the false sense of security trapping the users in it.
If allowed, I would like to suggest such an alternative as follows:
The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret.
It should be noted, however, that the security in such cases is necessarily lower than when the second authenticator (factor) alone is used, just as a house with two entrances placed in parallel (not in tandem) is more vulnerable to burglars than a house with one entrance.
Remark: Two different factors can be operated in two ways – (1) by AND/Conjunction (we need to go through both of the two) or (2) by OR/Disjunction (we need only to go through either of the two). Operation of two factors by (1) AND/Conjunction provides higher security and lower convenience while that by (2) OR/Disjunction provides higher convenience and lower security.
People who wish to use biometrics for achieving the level of security higher than passwords are advised to operate the biometrics and passwords by (1) AND/Conjunction and inform the users that they will be able to enjoy better security although they will have to give up the access altogether if rejected by biometrics even when they are able to feed the correct passwords.
People who wish to use biometrics for better convenience are advised to operate the biometrics and passwords (fallback means against false rejection) by (2) OR/Disjunction and inform the users that they will be able to enjoy better convenience although the level of security that they can expect is necessarily lower than that of password-only authentication.
Should you want to see a more comprehensive and explanatory alternative, I would be ready to compress my article published on the likes of Payments Journal.
Please let me have your feedback.
PS I would appreciate it if you could also have a quick look at my recent short writing posted at
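A worked model of the two compositions discussed in the comment above, added here as an editor's illustration; it is not code from the GitHub thread, from the author, or from NIST. It treats each factor as an independent event "the attacker passes this factor" with a per-attempt probability, gives each factor the 10-attempt budget quoted from draft 5.2.3, and computes the attacker's overall success probability under AND/Conjunction and OR/Disjunction. It also models the NIST reply's framing, in which the biometric is always paired with another factor (a possession factor is assumed here) and a memorized secret replaces the biometric on lockout. Every rate in the example is a constructed assumption; the function names are the example's own.

```python
# Added example (editor's illustration of the AND/OR composition discussed
# in the comment above); not code from the GitHub thread or from NIST.
# All rates below are constructed assumptions chosen to make the comparison
# visible, and the factors are modelled as independent events.

MAX_ATTEMPTS = 10  # the consecutive-failure limit quoted from draft 5.2.3


def pass_within(p_per_attempt: float, attempts: int = MAX_ATTEMPTS) -> float:
    """Probability that an attacker passes one factor within `attempts` tries,
    each try being an independent trial that succeeds with p_per_attempt."""
    return 1.0 - (1.0 - p_per_attempt) ** attempts


def p_and(p_a: float, p_b: float) -> float:
    """Conjunction: the attacker must pass both factors (independent events)."""
    return p_a * p_b


def p_or(p_a: float, p_b: float) -> float:
    """Disjunction: passing either factor is enough,
    P(A or B) = P(A) + P(B) - P(A)P(B) for independent A and B."""
    return p_a + p_b - p_a * p_b


def compare(bio_far: float, pwd_guess: float) -> dict:
    """Attack-success probabilities for the compositions named in the thread.

    bio_far:   per-attempt false-accept rate of the biometric against an impostor
    pwd_guess: per-attempt probability that one password guess is correct
    Both factors get the same 10-attempt budget before lockout.
    """
    bio = pass_within(bio_far)
    pwd = pass_within(pwd_guess)
    return {
        "password_only": pwd,
        "biometric_only": bio,
        # biometric with a password as fallback against false rejection
        "biometric_OR_password": p_or(bio, pwd),
        # both must be passed
        "biometric_AND_password": p_and(bio, pwd),
    }


def two_factor_with_fallback(p_possession: float, bio_far: float,
                             pwd_guess: float) -> dict:
    """The NIST reply's framing: the biometric is always paired with another
    factor (assumed here to be a possession factor, passed with probability
    p_possession); on biometric lockout a memorized secret is used instead.
    Compared against possession AND password with no biometric at all."""
    bio = pass_within(bio_far)
    pwd = pass_within(pwd_guess)
    return {
        "possession_AND_password": p_and(p_possession, pwd),
        "possession_AND_(biometric_OR_password)": p_and(p_possession, p_or(bio, pwd)),
    }


if __name__ == "__main__":
    # Constructed rates: a 1-in-1000 per-attempt FAR and a 1-in-a-million guess.
    for name, value in compare(bio_far=1e-3, pwd_guess=1e-6).items():
        print(f"{name:40s} {value:.3e}")
    for name, value in two_factor_with_fallback(0.01, 1e-3, 1e-6).items():
        print(f"{name:40s} {value:.3e}")
```

Whatever rates are plugged in, `p_or` is never below the larger of its two inputs and `p_and` is never above the smaller, so the OR composition cannot be stronger than the fallback factor alone and the AND composition cannot be weaker than either factor alone; the second function shows that the same inequality carries over unchanged when the whole thing sits behind another required factor. Real biometric false-accept rates and password-guessing odds depend on the sensor, the policy and the attacker, so the printed numbers illustrate the ordering, not any deployed system.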
“The same NIST person” commented 3 days ago
We are not allowing biometrics to be used as a single factor for multiple reasons, summarized in 800-63-3. I believe your suggested text is allowing that by adding an option for “OR.” Since we do not want to allow that, there is no need for the sentence to say “OR/Disjunction” is lower security. If two-factors are required, 2-factors