Update on 2/Feb/2017. NIST is now with us, with its latest draft saying "Biometrics SHALL be used with another authentication factor (something you have)" at 5.2.3, which is tantamount to "Biometrics is no good when used without another factor". -- Biometrics used with a fallback password brings down the security to the level that is lower than a password-only authentication “because of the larger attack surface (to borrow NIST's word)”. I posted an article “NIST Conundrum Unraveled” on 27/Oct, in which I referred to my latest suggestion submitted to NIST that was labeled as "Public Draft". The public draft had been scheduled to be released on 13/Oct. It was already past due 14days on 27/Oct and it is now overdue by over a month and 10 days past the election. We could see it released anytime soon. < References > NIST Conundrum Unraveled http://www.slideshare.net/HitoshiKokumai/nist-conundrum-unraveled DRAFT NIST Special Publication 800-63B Digital Authentication Guideline https://pages.nist.gov/800-63-3/sp800-63b.html Suggestion #374: Factors for Authentication Assurance Level 2 need to be clearly defined https://github.com/usnistgov/800-63-3/issues/374#event-804359364 Public Draft https://github.com/usnistgov/800-63-3/milestone/5 < Videos > Biometrics in Cyber Space - "below-one" factor authentication https://youtu.be/wuhB5vxKYlg Six Reasons to Believe Biometrics Don't Ruin Cyber Security https://youtu.be/lODTiO2k8ws Password Predicament and Expanded Password System https://youtu.be/-KEE2VdDnY0

1. Live Coverage
Waiting for NIST’s view on “password-dependent biometrics”
I posted an article “NIST Conundrum Unraveled” on 27/Oct, in which I referred to my
latest suggestion submitted to NIST that was labeled as "Public Draft".
The change I suggested was [5.2.3 should contain such a sentence as "Biometrics shall
not be operated together with a fallback password by OR/Disjunction (we need only to
go through either of the two) WHERE people want the level of security higher than a
password-only authentication. It could be operated, however, WHERE people want
better convenience rather than better security.”]
In the comment/rationale I added [In view of the observation that most of the biometric
products and solutions on the market and in commercial use are operated with a
fallback password by OR/Disjunction, this outcome might appear too inconvenient for
too many people. But the pains could be overcome soon if tackled right now. Should the
current worrying situation be left as it is, however, the damages that the people
concerned and the public at large have to suffer in the future would certainly be far
more devastating.]
The public draft had been scheduled to be released on 13/Oct. It was already past due
15 days on 28/Oct and it is now overdue by over a month and 10 days past the election.
We could see it released anytime soon.

2. < Whole text of the suggestion submitted on 15/Sep (#374) >
Reference (Include section and paragraph number): 4.2 and 5.2.3
Comment (Include rationale for comment): 4.2 Authenticator Assurance Level 2
apparently reads that both two factors are required (= we need to go through both of the
two = AND/Conjunction hereafter), whereas 5.2.3 explicitly reads “The biometric system
SHALL allow no more than 10 consecutive failed authentication attempts. Once that
limit has been reached, the claimant SHALL be required to use a different
authenticator or to activate their authenticator with a different factor such as a
memorized secret ( = we need only to go through either of the two = OR/Disjunction
hereafter).
It seems that there are two critical problems here. Firstly, the AND/Conjunction
requirement of 4.2 is just contradictory to the OR/Disjunction requirement of 5.2.3.
Here NIST is far away from having a clearly-defined and consistent criterion.
Secondly, judging from the views that NIST expressed in the thread of my earlier
now-closed suggestion #334, the OR/Disjunction requirement is justified by the issue of
vulnerable account recovery/reset. The vulnerable account recovery/reset is indeed a
major problem in itself but it is wrong to exploit it as a pretext to justify weakening the
user authentication.
Intriguingly, the talk by NIST of vulnerable account recovery/reset destroys the view of
NIST that OR/Disjunction should be encouraged, as specifically analyzed below.
The talk of vulnerable account recovery/reset would appear valid when applied to the
cases of two factors (biometrics and passwords) used by AND/Conjunction, since
biometrics, one of the factors to be invariably passed, is known for frequent rejections
when run at a near-zero false acceptance rates. This results in the necessity of notably
frequent account recovery/reset, which are there for criminals to exploit as NIST
correctly points out. Ironically the conclusion of this discussion is that NIST is wrong in
4.2 which require two factors used by AND/Conjunction.

3. The above does not mean, however, that the same talk of account recovery/reset would
be valid in the cases of two factors (biometrics and fallback passwords) used by
OR/Disjunction, since logic tells that it is impossible to demonstrate that the
authentication of “either of a password or a rejection-prone biometrics” brings notably
fewer chances of account recovery/reset than a password-only authentication.
As such the talk of vulnerable account recovery/reset does not give any positive effect on
the issue of “the larger attack surfaces” brought about by “being able to use either of two
authenticators is less secure than only having one”.
The remaining fact is that the security of biometrics used with a fallback password by
OR/Disjunction is clearly lower than that of a password-only authentication. It should
be viewed as “below-one” factor authentication.
A shortage of security is not so serious a problem when people are aware of it as it is.
But the false sense of security (we wrongly feel safer when we are actually less safe) is
different. What I wish to see the least is NIST not only failing to prevent it but working
as a major source of it.
In view of the observation that most of the biometric products and solutions on the
market and in commercial use are operated with a fallback password by OR/Disjunction,
this outcome might appear too inconvenient for too many people. But the pains could be
overcome soon if tackled right now. Should the current worrying situation be left as it is,
however, the damages that the people concerned and the public at large have to suffer in
the future would certainly be far more devastating.
Being aware of this now, NIST is expected to act most quickly”.
Suggested Change: 5.2.3 should contain such a sentence as "Biometrics shall not be
operated together with a fallback password by OR/Disjunction (we need only to go
through either of the two) WHERE people want the level of security higher than a
password-only authentication. It could be operated, however, WHERE people want
better convenience rather than better security.”

4. < References >
NIST Conundrum Unraveled
http://www.slideshare.net/HitoshiKokumai/nist-conundrum-unraveled
DRAFT NIST Special Publication 800-63B Digital Authentication Guideline
https://pages.nist.gov/800-63-3/sp800-63b.html
Suggestion #374: Factors for Authentication Assurance Level 2 need to be clearly
defined
https://github.com/usnistgov/800-63-3/issues/374#event-804359364
Public Draft
https://github.com/usnistgov/800-63-3/milestone/5