Hello,
This is the second post in the “Ten Reasons to Love Passwordless” blog series. Last time, we talked about the flexibility and multi-platform benefits of FIDO2 open standards based techn...
Updated Aug 19, 2021
Version 5.0
Blog Post
Ehud_Itshaki
Microsoft
MicrosoftAjitHatti, these are great questions.
NIST standards covering biometrics as authentication factors:
NIST includes under biometrics physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence).
Both classes are considered biometric modalities, although they may differ in the extent to which they establish authentication intent as described in NIST SP 800-63B Section 5.2.9.
Due to reasons listed under NIST SP 800-63B Section 5.2.3 the use of biometrics is restricted to be used only as part of a multi-factor authentication with a physical authenticator (something you have) and not accepted as an authenticator by itself.
In addition NIST SP 800-207 Zero Trust Architecture details the role behavioral attributes in dynamic policies for determining access.
FIPS 140-2 validation for FIDO2 security keys:
FIDO2 security keys are classified as multi-factor cryptographic hardware authenticator and as such can be used at AAL3.
To be used at AAL3 the FIDO2 security keys need to be FIPS 140 Level 2 overall (or higher) and FIPS 140 Level 3 Physical Security (or higher)
To be used at AAL2 by government agencies FIDO2 security keys are required to be FIPS 140 Level 1 overall. This is not a requirement for non-governmental agencies.