biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

NIST 800-63B Mobile Device as multi-factor? #403

Closed woodbe closed 1 year ago

woodbe commented 1 year ago

https://github.com/biometricITC/cPP-biometrics/issues/401#issuecomment-1402115111

Section - 5.2.3

Page - 32

Line - 1278-1279

Comment

Would a mobile device be considered a multi-factor authentication device if the user uses a biometric to unlock the device and a key that is stored on the device (since this is something you are and something you have in one)?

Suggested Change

gfiumara commented 1 year ago

I think the comment is good as-is.

Suggested change: clarify if a mobile device with biometric authentication capabilities is considered multi-factor.

woodbe commented 1 year ago

Comment

The document states that biometrics shall only be used as part of multi-factor authentication. A mobile device may contain keys that can only be unlocked by authenticating with a biometric (and initially some sort of password/PIN/pattern). Would such a system be considered multi-factor authentication to enable access to another system (not to the mobile device itself)?

The full sequence to meet the requirements would be:

  1. The user must enter a "something you know" to initially unlock the device and enable the biometric use
  2. The user could use a biometric (such as a face or fingerprint) to unlock the device
  3. The action of unlocking the device would allow access to a key that could be used to unlock a remote service (or another function such as a key to be transmitted over UWB)

As the mobile device is the "something you have" this would seem to meet the expectations of multiple separate components, but in this case they are self-contained into one device to provide access to the external (to the mobile device) system.

Clarification as to whether a mobile device used in this fashion would be acceptable to meet multi-factor authentication would be good to have (either that it is allowed or that it is not). If it would be allowed, it is likely that additional requirements may need to be provided on how the keys are released and used for remote authentication.
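The three-step sequence above, modelled as an added illustration (this is not code from the cPP project or from any commenter): a toy device holds a device-bound key, refuses the biometric matcher until the PIN has been entered since boot, releases the key for exactly one signature per verified biometric, and the remote service only ever checks a challenge/response against the key it registered at enrollment. The PIN hash, exact-match "template", HMAC-based response and all demo values are constructed assumptions; a real device would use a secure element, a threshold-based matcher and asymmetric keys. The point it makes concrete is the last sentence of the comment: the verifier sees only the possession proof, so whatever rules govern key release have to be imposed on the device side.

```python
import hashlib
import hmac
import secrets


class FactorNotSatisfied(Exception):
    """Raised when the key is requested before the activation factors are met."""


class MobileDevice:
    """Toy phone holding a device-bound key, the 'something you have'.

    The key is usable only after (1) the PIN has been entered since boot and
    (2) a biometric has been verified for this particular use. Both checks are
    local to the device; the remote service never observes them.
    """

    def __init__(self, pin: str, enrolled_template: bytes, device_key: bytes) -> None:
        # Constructed stand-ins; a real device keeps these in a secure element / TEE.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._template = enrolled_template
        self._device_key = device_key
        self._pin_entered = False    # step 1: "something you know", once per boot
        self._biometric_ok = False   # step 2: "something you are", once per use

    def boot(self) -> None:
        # After a restart the biometric alone is not enough; the PIN comes first.
        self._pin_entered = False
        self._biometric_ok = False

    def enter_pin(self, pin: str) -> bool:
        candidate = hashlib.sha256(pin.encode()).digest()
        self._pin_entered = hmac.compare_digest(candidate, self._pin_hash)
        return self._pin_entered

    def present_biometric(self, sample: bytes) -> bool:
        if not self._pin_entered:
            raise FactorNotSatisfied("biometric unlock disabled until the PIN is entered")
        # Exact match stands in for a real matcher with a similarity threshold (assumption).
        self._biometric_ok = hmac.compare_digest(sample, self._template)
        return self._biometric_ok

    def sign_challenge(self, nonce: bytes) -> bytes:
        # Step 3: release the key for one operation only when both factors hold.
        if not (self._pin_entered and self._biometric_ok):
            raise FactorNotSatisfied("key release needs PIN since boot and a fresh biometric")
        self._biometric_ok = False  # consumed: the next signature needs a new biometric
        return hmac.new(self._device_key, nonce, hashlib.sha256).digest()


class RemoteService:
    """Relying party that registered the device key at enrollment.

    Its only evidence is possession of the key; it cannot tell whether the PIN
    or biometric gates were enforced on the device.
    """

    def __init__(self, device_key: bytes) -> None:
        self._device_key = device_key
        self._outstanding: set = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                    # unknown or replayed challenge
        self._outstanding.discard(nonce)    # each nonce is single use
        expected = hmac.new(self._device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(device: MobileDevice, service: RemoteService) -> bool:
    """One remote login; raises FactorNotSatisfied if the key is still locked."""
    nonce = service.new_challenge()
    return service.verify(nonce, device.sign_challenge(nonce))


# Constructed demo values; none of these come from a real device or the cPP.
DEMO_KEY = b"\x01" * 32
DEMO_PIN = "4711"
DEMO_TEMPLATE = b"constructed-fingerprint-template"


def fresh_device() -> "tuple[MobileDevice, RemoteService]":
    device = MobileDevice(DEMO_PIN, DEMO_TEMPLATE, DEMO_KEY)
    device.boot()
    return device, RemoteService(DEMO_KEY)


def full_sequence() -> bool:
    """Steps 1-3 from the thread: PIN after boot, biometric, then remote challenge."""
    device, service = fresh_device()
    device.enter_pin(DEMO_PIN)
    device.present_biometric(DEMO_TEMPLATE)
    return authenticate(device, service)


def biometric_only_after_boot() -> bool:
    """Biometric without the PIN: the device refuses to even run the matcher."""
    device, _ = fresh_device()
    try:
        device.present_biometric(DEMO_TEMPLATE)
        return True
    except FactorNotSatisfied:
        return False


def second_login_without_fresh_biometric() -> bool:
    """A second remote login needs a new biometric; the first one was consumed."""
    device, service = fresh_device()
    device.enter_pin(DEMO_PIN)
    device.present_biometric(DEMO_TEMPLATE)
    authenticate(device, service)
    try:
        return authenticate(device, service)
    except FactorNotSatisfied:
        return False
```

Running `full_sequence()` returns True, while `biometric_only_after_boot()` and `second_login_without_fresh_biometric()` both return False; the two refusals happen inside `MobileDevice`, and `RemoteService.verify` would have accepted any correctly signed nonce regardless.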

gregott commented 1 year ago

This seems similar to a physical access control system where the user presents both a biometric sample and also enters a PIN before the door is unlocked to allow access to resources within the room. This system is considered multifactor.

woodbe commented 1 year ago

I agree that is what a normal multifactor system is, but a mobile device can meet those as biometric and physical factors combined. There are some other tokens that do this.