What could happen where a subordinate concept is represented by a generic concept?
I attended a FIDO Alliance seminar on 7/Dec in Tokyo, where I heard FIDO staff confirm that, when they said “Password-less Authentication”, “Password” actually meant “Password Used Online” That is, at FIDO Alliance, “Password-less Authentication” means “OnlinePassword-less Authentication”
Passwords used locally on devices are outside the scope of FIDO’s “Password-less Authentication”. As a matter of fact, FIDO people are apparently aware that the password is heavily relied upon and is actually being broadly used as a fallback means against false rejection of biometrics as well as on its own.
It is not certain, though, whether vendors of FIDO-certified products are aware and accordingly explain to consumers that the biometrics used with a fallback password brings down the security that the password-only authentication has so far provided.
I could not find on FIDO-related publications a clear-cut distinction between “multi-entrance/in-stead-of/in-parallel/disjunction/EitherOr” and “multi-layer/in-addition-to/in-series/conjunction/AllAnd” for the deployment of multiple authentication factors.
Anyway, where “OnlinePassword-less Authentication is represented by “Password-less Authentication”, “Elderly People” could be represented by “People” and “Cybercrime” by “Crime”, couldn’t it?. Leaving this kind of awkward rhetoric to smalltime politicians, I would expect the people in charge to do the needful to sort out this confusing situation.
Remark: The phrase 'in addition to' used in NIST Guidelines (*) obviously has the same meaning as 'multi-layer/in-series/conjunction/AllAnd'.
On Page 17
* "When biometric authentication meets the requirements in Section 5.2.3, the device has to be authenticated in addition to the biometric — a biometric is recognized as a factor, but not recognized as an authenticator by itself."
On Page 37
5.2.3 Use of Biometrics The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although different modalities may differ in the extent to which they establish authentication intent as described in Section 5.2.9. For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include:
- *The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks.*
- *Biometric comparison is probabilistic, whereas the other authentication factors are deterministic. *
- *Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development. *
- *Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the CSP and the subscriber *
Therefore, the limited use of biometrics for authentication is supported with the following requirements and guidelines: Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).