biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

NIST 800-63B 50 biometric attempts before lock #405

Closed woodbe closed 1 year ago

woodbe commented 1 year ago

https://github.com/biometricITC/cPP-biometrics/issues/401#issuecomment-1402145728

Section - 5.2.3

Page - 33

Line - 1290-1298

Comment

50 attempts without PAD seems very high if the system is on the low-end of acceptable FMR, even with it being part of MFA

Suggested Change

gfiumara commented 1 year ago

Suggested change: reduce the number of allowable attempts, or clarify why 50 attempts is an acceptable value.

woodbe commented 1 year ago

agree on the suggestion

gregott commented 1 year ago

I agree as well. Some sort of penalty should be invoked well before 50 failed attempts.

woodbe commented 1 year ago

Add possible tie to delays between attempts as part of the suggestion.

woodbe commented 1 year ago

Suggested Change:

The number of attempts allowed should be lowered or justified as to why the number of attempts and the included delays are acceptable. It seems that the number of attempts should be tied to the FAR/FMR value of the system, and not globally defined. Possibly a table showing acceptable FMR values and a range of allowed attempts.
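A worked version of the FMR-to-attempt-count relationship the comment above proposes, added here as an illustrative example and not part of the issue thread or of the cPP text: it computes the cumulative false-match probability of N impostor attempts from a per-attempt FMR, derives the attempt budget that keeps that probability under a chosen risk limit (the table the comment asks for), and applies a delay between attempts once the budget is spent. The FMR values, the 1% risk limit and the doubling delay schedule are assumptions chosen for illustration.

```python
from math import floor, log


def cumulative_fmr(fmr: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent impostor
    presentations is falsely matched, given a per-attempt FMR."""
    if not 0.0 <= fmr <= 1.0 or attempts < 0:
        raise ValueError("fmr must be in [0, 1] and attempts >= 0")
    return 1.0 - (1.0 - fmr) ** attempts


def _within(fmr: float, attempts: int, risk_budget: float) -> bool:
    # Small relative tolerance so boundary cases like FMR == budget are not
    # rejected by floating-point rounding.
    return cumulative_fmr(fmr, attempts) <= risk_budget * (1.0 + 1e-9)


def max_attempts_for_budget(fmr: float, risk_budget: float) -> int:
    """Largest attempt count whose cumulative false-match probability stays
    at or below risk_budget (the risk accepted per lockout window)."""
    if not 0.0 < fmr < 1.0 or not 0.0 < risk_budget < 1.0:
        raise ValueError("fmr and risk_budget must be in (0, 1)")
    n = floor(log(1.0 - risk_budget) / log(1.0 - fmr))
    # Correct the closed-form estimate for rounding at the boundary.
    while _within(fmr, n + 1, risk_budget):
        n += 1
    while n > 0 and not _within(fmr, n, risk_budget):
        n -= 1
    return n


def attempt_table(fmr_values, risk_budget: float) -> dict:
    """Map each FMR to the attempt budget it supports under risk_budget."""
    return {fmr: max_attempts_for_budget(fmr, risk_budget) for fmr in fmr_values}


def backoff_delay_seconds(failed: int, free_attempts: int, base: float = 30.0) -> float:
    """Assumed schedule: no delay inside the attempt budget, then a delay that
    doubles with every further failure (base, 2*base, 4*base, ...)."""
    if failed <= free_attempts:
        return 0.0
    return base * 2 ** (failed - free_attempts - 1)


if __name__ == "__main__":
    BUDGET = 0.01  # assumed: at most a 1% chance of a false match per lockout window
    for fmr, n in attempt_table([1e-2, 1e-3, 1e-4, 1e-5], BUDGET).items():
        print(f"FMR {fmr:.0e}: {n:5d} attempts -> cumulative {cumulative_fmr(fmr, n):.4f}")
    print(f"50 attempts at FMR 1e-3 -> cumulative {cumulative_fmr(1e-3, 50):.4f}")
```

With these assumptions a fixed budget of 50 attempts gives a roughly 4.9% cumulative false-match probability at FMR 1e-3 but only about 0.5% at FMR 1e-4, which is the point the comment makes about tying the count to the system's FMR rather than defining it globally.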