biometricITC / cPP-CMFA

Repository for work on the CMFA PP-Module and Supporting Documents

CMFA Use Case - Device Authentication #2

Open woodbe opened 3 years ago

woodbe commented 3 years ago

The general use case for CMFA is to keep the device unlocked when specific conditions are met automatically. After the user has performed an initial unlock event (such as after the device boots/starts), CMFA maintains the authentication state for the user automatically to allow the device to be unlocked without further input as long as the user.

woodbe commented 3 years ago

Unlocking of the device can also mean unlocking of other capabilities on the device. For example:

n-kai commented 3 years ago

In this use case, we can define the same security requirements as described in biometricITC/cPP-CMFA#1. However, actual smart lock products are simple to use, so the "Configuration function" may be unnecessary for this use case (so the "Configuration function" should be an optional requirement).

However, if we need to consider the use case in the field as I described in biometricITC/Administration#10, we may need to add additional security requirements as optional requirements (e.g. the configuration function so that the user can configure the primary sensor (e.g. Wi-Fi) and secondary sensor (e.g. gait)).

woodbe commented 3 years ago

A possible scenario for this that came up indirectly in a conversation:

CMFA + something else (like a fingerprint) is required for authentication where CMFA replaces a password (i.e. a 2FA)

So for example, the fingerprint may be used as part of an initial authentication along with say a password (and other inputs) to set a score to log in, but immediately after (or within a short period of say a few minutes) the fingerprint and password score is removed, such that the CMFA score sits below that needed to allow direct access to the device. But the user could use the fingerprint to quickly get above the threshold and log in.

While the user could technically just use a fingerprint under normal circumstances, here the discussion was related to a classified use case wherein another factor was needed (currently it is all password-based and a biometric on its own would not be considered acceptable). So the CMFA would provide the user identity (from say a wearable and/or other biometric sensor data) so that by using a fingerprint the device would be able to be unlocked easily, but with higher assurance.

So in short, this scenario wouldn't be about allowing the device to remain unlocked at all times, but about allowing the user to utilize something like a biometric on its own (from their perspective) that they wouldn't be able to use normally in the classification scenario they are working under.
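The scoring behaviour described in the comments above (explicit factors such as password and fingerprint that count toward an unlock score only for a few minutes, a passive CMFA identity signal that by itself stays below the threshold, and a fresh fingerprint on top of that identity re-unlocking the device) can be made concrete as a small state model. The following is an added example written for this page; it is not code from the cPP-CMFA repository or from any of the commenters, and every factor name, weight, lifetime and the unlock threshold are assumptions chosen for illustration, not values from a Protection Profile.

```python
"""Toy score model for the CMFA + fingerprint "2FA" scenario.

Added example, not code from the biometricITC cPP-CMFA repository. The
factor names, weights, lifetimes and the threshold below are assumptions
chosen to illustrate the discussion, not values from any specification.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    weight: int          # contribution of one fresh observation to the score
    lifetime_s: float    # how long a single observation keeps contributing


# Assumed policy: explicit factors score high but expire after a few minutes,
# so the device drops below the unlock threshold without further user input;
# passive CMFA signals score lower and have to be re-observed by their sensor.
PASSWORD = Factor("password", weight=40, lifetime_s=180.0)
FINGERPRINT = Factor("fingerprint", weight=40, lifetime_s=180.0)
WEARABLE = Factor("wearable", weight=30, lifetime_s=30.0)
GAIT = Factor("gait", weight=20, lifetime_s=30.0)

UNLOCK_THRESHOLD = 60  # passive factors alone (30 + 20 = 50) never reach this


class CmfaState:
    """Keeps the latest timestamped observation per factor and derives the score."""

    def __init__(self, threshold: int = UNLOCK_THRESHOLD) -> None:
        self.threshold = threshold
        self._latest: dict[str, tuple[Factor, float]] = {}

    def observe(self, factor: Factor, at: float) -> None:
        # Only the most recent observation of a factor counts; a sensor that
        # keeps reporting the user's presence simply refreshes its timestamp.
        self._latest[factor.name] = (factor, at)

    def contributing(self, now: float) -> list[str]:
        """Names of factors whose last observation has not yet expired."""
        return sorted(
            name for name, (factor, at) in self._latest.items()
            if 0.0 <= now - at < factor.lifetime_s
        )

    def score(self, now: float) -> int:
        return sum(self._latest[name][0].weight for name in self.contributing(now))

    def unlocked(self, now: float) -> bool:
        return self.score(now) >= self.threshold


def run_scenario() -> dict[str, bool]:
    """Walk through the scenario from the thread; returns the unlock state per step."""
    state = CmfaState()
    result: dict[str, bool] = {}

    # t=0: initial login with password + fingerprint while the wearable is present.
    state.observe(PASSWORD, at=0.0)
    state.observe(FINGERPRINT, at=0.0)
    state.observe(WEARABLE, at=0.0)
    result["initial_login"] = state.unlocked(now=0.0)                    # 110 >= 60

    # t=200: password and fingerprint contributions have expired; the wearable
    # keeps reporting, but the passive identity alone sits below the threshold.
    state.observe(WEARABLE, at=200.0)
    result["after_explicit_factors_expire"] = state.unlocked(now=200.0)  # 30 < 60

    # t=201: a fresh fingerprint on top of the wearable identity re-unlocks.
    state.observe(FINGERPRINT, at=201.0)
    result["fingerprint_with_wearable"] = state.unlocked(now=201.0)      # 70 >= 60

    # Control: a fingerprint with no CMFA identity signal behind it is not enough,
    # which is what makes the combination a second factor rather than a biometric alone.
    alone = CmfaState()
    alone.observe(FINGERPRINT, at=0.0)
    result["fingerprint_alone"] = alone.unlocked(now=0.0)                # 40 < 60

    return result


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:32s} {'unlocked' if ok else 'locked'}")
```

The point of the model is the relationship between the numbers, not the numbers themselves: passive signals must sum to less than the threshold so the device locks once the explicit factors age out, and any single explicit factor must also be below the threshold so that it only works in combination with the CMFA identity. A real implementation would also have to decide how a lost passive signal (wearable out of range, gait no longer matching) is reported, since under this model it simply stops contributing when its short lifetime elapses.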