SlideShare a Scribd company logo

Nist is now with us on use of biometrics

Download as DOCX, PDF
Hitoshi Kokumai
Hitoshi Kokumai

We have for 15 years kept raising the issue of wrong usage of biometrics and passwords which come with nasty cases of false sense of security. Now NIST is with us; Biometrics used without another factor is no good for security. Reference URL NIST Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html Live Coverage – While waiting for NIST’s view on “password-dependent biometrics http://www.slideshare.net/HitoshiKokumai/waiting-for-nists-view-on-passworddependent-biometrics?qid=336e2e38-154a-4c23-9789-9f8e01b915a7&v=&b=&from_search=3

Technology
1 of 4
NIST is now with us on Use of Biometrics The latest draft of NIST Digital Identity Guidelines now has a fresh sentence "Biometrics SHALL be used with another authentication factor (something you have)" added to [5.2.3 Use of Biometrics], which is tantamount to "Biometrics is no good when used without another factor" https://pages.nist.gov/800-63-3/sp800-63b.html I had submitted the following suggestion to NIST as reported in “Live Coverage – While waiting for NIST’s view on “password-dependent biometrics” http://www.slideshare.net/HitoshiKokumai/waiting-for-nists-view-on-passworddepende nt-biometrics?qid=336e2e38-154a-4c23-9789-9f8e01b915a7&v=&b=&from_search=3 [5.2.3 should contain such a sentence as "Biometrics shall not be operated together with a fallback password by OR/Disjunction (we need only to go through either of the two) WHERE people want the level of security higher than a password-only authentication. It could be operated, however, WHERE people want better convenience rather than better security.”] I understand that the above suggestion has been reflected in the updated draft guideline, indirectly but substantially. Most of the biometric products and solutions on the market and in commercial use are operated with an alternatively-used fallback password (by EITHER-OR/Disjunction = we need only to go through either of the two), not with an additionally-used password (by BOTH-AND/Conjunction = we need to go through both of the two). This outcome might appear too inconvenient for too many people. But the pains could be overcome quickly if tackled now. We have for 15 years kept raising this issue of wrong usage of biometrics and passwords which come with nasty cases of false sense of security. Now NIST is with us; Biometrics used without another factor is no good for security. Face the reality.
Quoted below for readers’ convenience is the whole text of 5.2.3 Use of Biometrics of the latest draft guideline. 5.2.3. Use of Biometrics For a variety of reasons, this document supports only limited use of biometrics for authentication. These include: Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks. Biometric matching is probabilistic, whereas the other authentication factors are deterministic. Biometric template protection schemes provide a method for revoking biometric credentials that are comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development. Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from through objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber. Therefore, the use of biometrics for authentication is supported with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you have). An authenticated protected channel between sensor (or endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint authenticated prior to capturing the biometric sample from the claimant. Empirical testing of the biometric system to be deployed SHALL demonstrate an EER of 1 in 1000 or better with respect to matching performance. The biometric system SHALL operate with an FMR of 1 in 1000 or better.
The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (aka species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks. Note: PAD is being considered as a mandatory requirement in future editions of this guideline. The biometric system SHALL allow no more than 5 consecutive failed authentication attempts or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either: Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt, e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt, etc. OR Disable the biometric user verification and offer another factor (a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already implemented. Determination of sensor/endpoint performance, integrity, and authenticity can be accomplished in several different ways, any of which are acceptable under this guideline. These include but are not limited to: authentication of the sensor or endpoint, certification by an approved accreditation authority, or runtime interrogation of signed metadata (e.g., attestation) as described in Section 5.2.4. Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier. If matching is performed centrally: Use of the biometric SHALL be limited to one or more specific devices that are identified using approved cryptography. Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented.
All transmission of biometrics shall be over the authenticated protected channel. Biometric samples collected in the authentication process MAY be used to train matching algorithms or, with user consent, for other research purposes. Biometric samples (and any biometric data derived from the biometric sample such as a probe produced through signal processing) SHALL be erased from memory immediately after any training or research data has been derived. Biometrics are also used in some cases to prevent repudiation of registration and to verify that the same individual participates in all phases of the registration process as described in SP 800-63A.

Recommended

Marco Gold Standard
Marco Gold StandardMarco Gold Standard
Marco Gold StandardMarcoTechnologies
 
8 Tips for Scaling Mobile Users in China by Edith Yeung
8 Tips for Scaling Mobile Users in China by Edith Yeung8 Tips for Scaling Mobile Users in China by Edith Yeung
8 Tips for Scaling Mobile Users in China by Edith YeungEdith Yeung
 
Top Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventTop Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventChromeInfo Technologies
 
Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)a16z
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalAleyda Solís
 
Beyond the Gig Economy
Beyond the Gig EconomyBeyond the Gig Economy
Beyond the Gig EconomyJon Lieber
 
African Americans: College Majors and Earnings
African Americans: College Majors and Earnings African Americans: College Majors and Earnings
African Americans: College Majors and Earnings CEW Georgetown
 
The Online College Labor Market
The Online College Labor MarketThe Online College Labor Market
The Online College Labor MarketCEW Georgetown
 

Recommended

Marco Gold Standard
Marco Gold StandardMarco Gold Standard
Marco Gold StandardMarcoTechnologies
 
8 Tips for Scaling Mobile Users in China by Edith Yeung
8 Tips for Scaling Mobile Users in China by Edith Yeung8 Tips for Scaling Mobile Users in China by Edith Yeung
8 Tips for Scaling Mobile Users in China by Edith YeungEdith Yeung
 
Top Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventTop Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventChromeInfo Technologies
 
Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)a16z
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalAleyda Solís
 
Beyond the Gig Economy
Beyond the Gig EconomyBeyond the Gig Economy
Beyond the Gig EconomyJon Lieber
 
African Americans: College Majors and Earnings
African Americans: College Majors and Earnings African Americans: College Majors and Earnings
African Americans: College Majors and Earnings CEW Georgetown
 
The Online College Labor Market
The Online College Labor MarketThe Online College Labor Market
The Online College Labor MarketCEW Georgetown
 
SXSW 2016 takeaways
SXSW 2016 takeawaysSXSW 2016 takeaways
SXSW 2016 takeawaysHavas
 
SXSW 2016: The Need To Knows
SXSW 2016: The Need To KnowsSXSW 2016: The Need To Knows
SXSW 2016: The Need To KnowsOgilvy Consulting
 
Digitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and IdentityDigitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and IdentityPaul Brown
 
GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom Brian Housand
 
Responding to Academically Distressed Students
Responding to Academically Distressed StudentsResponding to Academically Distressed Students
Responding to Academically Distressed StudentsMr. Ronald Quileste, PhD
 
Creative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage StartupsCreative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage StartupsTommaso Di Bartolo
 
IT in Healthcare
IT in HealthcareIT in Healthcare
IT in HealthcareNetApp
 
The Physical Interface
The Physical InterfaceThe Physical Interface
The Physical InterfaceJosh Clark
 
[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?InterQuest Group
 
Network Effects
Network EffectsNetwork Effects
Network Effectsa16z
 
Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.Emiland
 
Guided Reading: Making the Most of It
Guided Reading: Making the Most of ItGuided Reading: Making the Most of It
Guided Reading: Making the Most of ItJennifer Jones
 
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)Stephanie Alejandra Hernández Morales
 
Data Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoTData Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoTSemyon Teplisky
 
Image-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxImage-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxHitoshi Kokumai
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)Hitoshi Kokumai
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Hitoshi Kokumai
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryHitoshi Kokumai
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password systemHitoshi Kokumai
 
Intriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneIntriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneHitoshi Kokumai
 
Cyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsCyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsHitoshi Kokumai
 

More Related Content

Viewers also liked

SXSW 2016 takeaways
SXSW 2016 takeawaysSXSW 2016 takeaways
SXSW 2016 takeawaysHavas
 
SXSW 2016: The Need To Knows
SXSW 2016: The Need To KnowsSXSW 2016: The Need To Knows
SXSW 2016: The Need To KnowsOgilvy Consulting
 
Digitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and IdentityDigitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and IdentityPaul Brown
 
GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom Brian Housand
 
Responding to Academically Distressed Students
Responding to Academically Distressed StudentsResponding to Academically Distressed Students
Responding to Academically Distressed StudentsMr. Ronald Quileste, PhD
 
Creative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage StartupsCreative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage StartupsTommaso Di Bartolo
 
IT in Healthcare
IT in HealthcareIT in Healthcare
IT in HealthcareNetApp
 
The Physical Interface
The Physical InterfaceThe Physical Interface
The Physical InterfaceJosh Clark
 
[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?InterQuest Group
 
Network Effects
Network EffectsNetwork Effects
Network Effectsa16z
 
Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.Emiland
 
Guided Reading: Making the Most of It
Guided Reading: Making the Most of ItGuided Reading: Making the Most of It
Guided Reading: Making the Most of ItJennifer Jones
 
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)Stephanie Alejandra Hernández Morales
 
Data Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoTData Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoTSemyon Teplisky
 

Viewers also liked (14)

SXSW 2016 takeaways
SXSW 2016 takeawaysSXSW 2016 takeaways
SXSW 2016 takeaways
 
SXSW 2016: The Need To Knows
SXSW 2016: The Need To KnowsSXSW 2016: The Need To Knows
SXSW 2016: The Need To Knows
 
Digitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and IdentityDigitized Student Development, Social Media, and Identity
Digitized Student Development, Social Media, and Identity
 
GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom GAME ON! Integrating Games and Simulations in the Classroom
GAME ON! Integrating Games and Simulations in the Classroom
 
Responding to Academically Distressed Students
Responding to Academically Distressed StudentsResponding to Academically Distressed Students
Responding to Academically Distressed Students
 
Creative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage StartupsCreative Traction Methodology - For Early Stage Startups
Creative Traction Methodology - For Early Stage Startups
 
IT in Healthcare
IT in HealthcareIT in Healthcare
IT in Healthcare
 
The Physical Interface
The Physical InterfaceThe Physical Interface
The Physical Interface
 
[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?
 
Network Effects
Network EffectsNetwork Effects
Network Effects
 
Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.Dear NSA, let me take care of your slides.
Dear NSA, let me take care of your slides.
 
Guided Reading: Making the Most of It
Guided Reading: Making the Most of ItGuided Reading: Making the Most of It
Guided Reading: Making the Most of It
 
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
Firewall diapositivas (Stephanie Hernández ) ( Tercer grado de Secundaria)
 
Data Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoTData Value Creation in the Industrial IoT
Data Value Creation in the Industrial IoT
 

More from Hitoshi Kokumai

Image-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxImage-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxHitoshi Kokumai
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)Hitoshi Kokumai
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Hitoshi Kokumai
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryHitoshi Kokumai
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password systemHitoshi Kokumai
 
Intriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneIntriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneHitoshi Kokumai
 
Cyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsCyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsHitoshi Kokumai
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Hitoshi Kokumai
 
Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Hitoshi Kokumai
 
Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryHitoshi Kokumai
 
Deployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BDeployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BHitoshi Kokumai
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Hitoshi Kokumai
 
Help unravel the conundrum over NIST authentication guideline
Help unravel the conundrum over NIST authentication guidelineHelp unravel the conundrum over NIST authentication guideline
Help unravel the conundrum over NIST authentication guidelineHitoshi Kokumai
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password SystemHitoshi Kokumai
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceHitoshi Kokumai
 

More from Hitoshi Kokumai (16)

Image-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxImage-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptx
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic Memory
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password system
 
Intriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneIntriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to One
 
Cyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsCyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password Systems
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018
 
Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018
 
Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and Memory
 
Deployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BDeployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63B
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
 
Help unravel the conundrum over NIST authentication guideline
Help unravel the conundrum over NIST authentication guidelineHelp unravel the conundrum over NIST authentication guideline
Help unravel the conundrum over NIST authentication guideline
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password System
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity Assurance
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Nist is now with us on use of biometrics

  • 1. NIST is now with us on Use of Biometrics The latest draft of NIST Digital Identity Guidelines now has a fresh sentence "Biometrics SHALL be used with another authentication factor (something you have)" added to [5.2.3 Use of Biometrics], which is tantamount to "Biometrics is no good when used without another factor" https://pages.nist.gov/800-63-3/sp800-63b.html I had submitted the following suggestion to NIST as reported in “Live Coverage – While waiting for NIST’s view on “password-dependent biometrics” http://www.slideshare.net/HitoshiKokumai/waiting-for-nists-view-on-passworddepende nt-biometrics?qid=336e2e38-154a-4c23-9789-9f8e01b915a7&v=&b=&from_search=3 [5.2.3 should contain such a sentence as "Biometrics shall not be operated together with a fallback password by OR/Disjunction (we need only to go through either of the two) WHERE people want the level of security higher than a password-only authentication. It could be operated, however, WHERE people want better convenience rather than better security.”] I understand that the above suggestion has been reflected in the updated draft guideline, indirectly but substantially. Most of the biometric products and solutions on the market and in commercial use are operated with an alternatively-used fallback password (by EITHER-OR/Disjunction = we need only to go through either of the two), not with an additionally-used password (by BOTH-AND/Conjunction = we need to go through both of the two). This outcome might appear too inconvenient for too many people. But the pains could be overcome quickly if tackled now. We have for 15 years kept raising this issue of wrong usage of biometrics and passwords which come with nasty cases of false sense of security. Now NIST is with us; Biometrics used without another factor is no good for security. Face the reality.
  • 2. Quoted below for readers’ convenience is the whole text of 5.2.3 Use of Biometrics of the latest draft guideline. 5.2.3. Use of Biometrics For a variety of reasons, this document supports only limited use of biometrics for authentication. These include: Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks. Biometric matching is probabilistic, whereas the other authentication factors are deterministic. Biometric template protection schemes provide a method for revoking biometric credentials that are comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development. Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from through objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber. Therefore, the use of biometrics for authentication is supported with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you have). An authenticated protected channel between sensor (or endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint authenticated prior to capturing the biometric sample from the claimant. Empirical testing of the biometric system to be deployed SHALL demonstrate an EER of 1 in 1000 or better with respect to matching performance. The biometric system SHALL operate with an FMR of 1 in 1000 or better.
  • 3. The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (aka species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks. Note: PAD is being considered as a mandatory requirement in future editions of this guideline. The biometric system SHALL allow no more than 5 consecutive failed authentication attempts or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either: Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt, e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt, etc. OR Disable the biometric user verification and offer another factor (a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already implemented. Determination of sensor/endpoint performance, integrity, and authenticity can be accomplished in several different ways, any of which are acceptable under this guideline. These include but are not limited to: authentication of the sensor or endpoint, certification by an approved accreditation authority, or runtime interrogation of signed metadata (e.g., attestation) as described in Section 5.2.4. Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier. If matching is performed centrally: Use of the biometric SHALL be limited to one or more specific devices that are identified using approved cryptography. Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented.
  • 4. All transmission of biometrics shall be over the authenticated protected channel. Biometric samples collected in the authentication process MAY be used to train matching algorithms or, with user consent, for other research purposes. Biometric samples (and any biometric data derived from the biometric sample such as a probe produced through signal processing) SHALL be erased from memory immediately after any training or research data has been derived. Biometrics are also used in some cases to prevent repudiation of registration and to verify that the same individual participates in all phases of the registration process as described in SP 800-63A.