commoncriteria / mobile-device

Protection Profile for Mobile Device Fundamentals
The Unlicense

NIST SP 800-63B for password requirements #61

Open woodbe opened 2 years ago

woodbe commented 2 years ago

The current requirements for authentication (here I'm not talking about biometrics, but the primary device authentication) require a password and have no other options. The specifics of the password are open, but it is stated that a PIN is not allowed. NIST SP 800-63B states that memorized secrets should be 8 characters if self-chosen or 6 characters if assigned, and that a PIN (i.e. all numeric) is acceptable as long as it meets those length requirements.

While the specific requirements for the high-security use case may be more strict than this, it does seem that the PP should be in alignment with best practices for authentication as published by NIST.

There isn't an explicit prohibition on PINs in the document other than the statement in the glossary that it isn't considered a stand-alone authentication mechanism (which is probably not the best place to set a restriction since it isn't in an SFR).

The proposal here would be to remove the statement in the glossary and to then add some additional requirements around the minimum length that is acceptable, for example 6 characters for a password, 8 for a PIN as a selection in FIA_PMG_EXT.1.

FIA_PMG_EXT.1.2: The TSF shall support [selection: passwords of at least 6 characters, PINs of at least 8 digits, [assignment: other length requirements]] as the minimum acceptable length for the Password Authentication Factor.

This may require an update to the high security use case if there is a specific minimum above the NIST 800-63B requirement to be specified.
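As an added example (not part of this issue, the PP, or the repository's own text): a small check that models the proposed FIA_PMG_EXT.1.2 selection beside the NIST SP 800-63B lengths the issue cites, so the two floors can be compared for a candidate secret. The 6/8 values are the issue's proposed ones; treating "PIN" as an all-ASCII-digit secret and counting length in NFKC-normalised code points are my assumptions.

```python
"""Minimum-length check for the Password Authentication Factor, modelled on
the FIA_PMG_EXT.1.2 selection proposed in this issue and the NIST SP 800-63B
memorized-secret lengths it cites. The numbers are the issue's proposal,
not text taken from the published PP."""
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class LengthPolicy:
    """Values chosen in the [selection] of the proposed FIA_PMG_EXT.1.2."""
    password_min: int = 6  # "passwords of at least 6 characters"
    pin_min: int = 8       # "PINs of at least 8 digits"


# NIST SP 800-63B 5.1.1.1: at least 8 characters if chosen by the subscriber,
# at least 6 if randomly generated and assigned by the CSP/verifier.
NIST_SELF_CHOSEN_MIN = 8
NIST_ASSIGNED_MIN = 6


def is_pin(secret: str) -> bool:
    """Assumption: a PIN is an all-numeric secret made of ASCII digits only,
    so Unicode digit look-alikes are not silently accepted as a PIN."""
    return secret.isascii() and secret.isdigit()


def evaluate(secret: str, self_chosen: bool,
             policy: LengthPolicy = LengthPolicy()) -> dict:
    """Report how a candidate secret fares against the proposed PP selection
    and against the NIST length floor. Length is counted in Unicode code
    points after NFKC normalisation (one of the forms 800-63B allows), never
    in UTF-8 bytes, so composed and decomposed accents count the same."""
    normalised = unicodedata.normalize("NFKC", secret)
    length = len(normalised)
    pin = is_pin(normalised)
    pp_min = policy.pin_min if pin else policy.password_min
    nist_min = NIST_SELF_CHOSEN_MIN if self_chosen else NIST_ASSIGNED_MIN
    return {
        "kind": "pin" if pin else "password",
        "length": length,
        "meets_pp": length >= pp_min,
        "meets_nist": length >= nist_min,
    }


if __name__ == "__main__":
    # Constructed samples: a user-chosen 6-character password clears the
    # proposed PP floor but not the 800-63B self-chosen floor.
    for secret, chosen in [("Tr0ub4", True), ("123456", True),
                           ("12345678", True), ("q7dp2x", False)]:
        print(repr(secret), evaluate(secret, chosen))
```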