biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

NIST 800-63B Timeout period after initial auth limit #404

Closed woodbe closed 1 year ago

woodbe commented 1 year ago

https://github.com/biometricITC/cPP-biometrics/issues/401#issuecomment-1402144931

Section - 5.2.3

Page - 33

Line - 1290-1298

Comment

Timeout period of forced 30 seconds after initial limit has been reached

Suggested Change

woodbe commented 1 year ago

Comment

The timeout period after 10 consecutive attempts being fixed at 30 seconds seems to limit the alternative solutions that are available on different systems. For example, many systems implement blocks of allowed attempts with increasing timeouts between authentication failures (such as the delay growing in a geometric progression every 5 attempts).

Suggested Change

Instead of requiring a minimum fixed 30-second timeout after each attempt, provide more flexibility with a minimum time set initially and then some expectations for attempts over time that could be met in a variety of ways (for example, 5 attempts need to take at least 2.5 minutes after the initial 10).
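As an added illustration (not part of the issue thread or the cPP text), the following models the two throttling shapes the comment contrasts, the flat 30-second wait and a geometric block scheme, and checks each against the suggested window requirement ("5 attempts take at least 2.5 minutes after the initial 10"). The block size, base delay and growth factor are assumptions chosen to match the numbers in the comment.

```python
"""Throttling policies for consecutive biometric failures, compared against a
window requirement rather than a fixed shape. Example code, not cPP text."""
from typing import Callable

# A policy maps "consecutive failures so far" -> mandatory wait in seconds
# before the next attempt may be accepted.
Policy = Callable[[int], float]


def fixed_30s(failures: int) -> float:
    """Current cPP wording as read in the issue: attempts 1-10 carry no delay,
    then a flat 30 s wait precedes every further attempt."""
    return 30.0 if failures >= 10 else 0.0


def geometric_blocks(block: int = 5, base: float = 30.0, factor: float = 2.0) -> Policy:
    """Alternative from the comment (assumed parameters): the first two blocks
    (10 attempts) are free, then the wait grows by `factor` per completed block."""
    def policy(failures: int) -> float:
        if failures < 2 * block:
            return 0.0
        completed = failures // block            # 2 right after the free attempts
        return base * factor ** (completed - 2)
    return policy


def min_elapsed(policy: Policy, after: int, attempts: int) -> float:
    """Least wall-clock seconds that `attempts` further failing attempts can
    take once `after` consecutive failures have already been recorded."""
    return sum(policy(after + i) for i in range(attempts))


def meets_window(policy: Policy, after: int = 10, attempts: int = 5,
                 minimum: float = 150.0) -> bool:
    """The flexible requirement suggested in the comment: after the initial
    `after` failures, the next `attempts` attempts must take >= `minimum` s."""
    return min_elapsed(policy, after, attempts) >= minimum


def attempts_within(policy: Policy, after: int, seconds: float) -> int:
    """How many further attempts fit into `seconds` of wall-clock time; compares
    policies by guessing throughput, which is what the limit is meant to bound."""
    count, elapsed = 0, 0.0
    while count < 100_000:                       # guard against a policy with no delay
        wait = policy(after + count)
        if elapsed + wait > seconds:
            break
        elapsed += wait
        count += 1
    return count
```

A geometric scheme with a smaller base (for instance 20 s) satisfies the requirement from the second throttled block onward but not for the first five attempts after the initial 10, which is why the window check has to name the block it applies to.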