Closed woodbe closed 1 year ago
PAD testing program comment
Are mobile devices considered multi-factor when used as a biometric and something you have?
Timeout period of forced 30 seconds after initial limit has been reached
50 attempts without PAD seems very high if the system is on the low-end of acceptable FMR, even with it being part of MFA
What are the expectations for proof on PAD (beyond the 90% success at detection)? Self-attest or validated?
How is the relation between no-PAD and PAD (the 1:2 relation) determined? Is this the correct ratio?
sp800-63-4-suite-ipd-comment-BIO-iTC.xlsx
Initial version of the comment sheet.
sp800-63-4-suite-ipd-comment-BIO-iTC-0222.xlsx
I have updated the comments based on the latest update from @n-kai. Please take a look.
I don't have any issue putting forward Comments 1-8.
Comment 7
Comment 9
In lieu of published standards on how to achieve statistically-sound demographic biometric performance testing, testing reports of biometric authentication technologies SHALL provide information about the demographic breakdown of test subjects whose biometrics were used in performance analysis.
sp800-63-4-suite-ipd-comment-BIO-iTC-0303.xlsx
I have made the changes as suggested by @gfiumara in this version of the document.
The comments look ok to me.
We can add that in 63A lines 943 and 948 are duplicates. This is in section 5.1.8., page 22.
sp800-63-4-suite-ipd-comment-BIO-iTC-0307.xlsx
Updated with @gregott comment
Comments sent
Place to record draft comments
Comments that everyone agrees with will be submitted as from the iTC. Others should be submitted individually.