
Strength of biometric authentication

This page is ARCHIVED. Please visit https://www.nist.gov/identity-access-management for current information on NIST’s Identity and Access Management work.

Project Charter
Version: 3; 3 March, 2016

Applied Cybersecurity Division
Information Technology Laboratory, NIST 

 

1. Intro


The identity ecosystem has matured to the point where it is appropriate to undertake the work of building measurement science for application in the market—a critical step in further aiding expansion and innovation of the identity ecosystem. Building off of January’s workshop, NIST intends to delve more deeply into each of the topic areas: Strength of Identity Proofing, Strength of Authentication, and Attribute Metadata & Confidence.

This charter provides a high-level understanding of the work that NIST’s Applied Cybersecurity Division will undertake to advance a standardized approach for measuring the strength of authentication methods. The work focuses on biometric authentication first, documenting vulnerabilities and mitigation strategies specific to this form factor. The intention is to use this work, together with the body of work on other form factors, at a later stage to address strength of authentication for any form factor.

 

2. Purpose


The purpose of this project will be to produce a document that contains guidance for measuring and evaluating the strength of a biometric authentication system. This document will provide a greater understanding of the confidence that can be placed in different types of biometrics-based authentication systems and allow for more informed, risk-based decisions when selecting, building, or implementing biometric authentication solutions. Its overall objective is to promote more efficient and secure identity practices within the federal government and across the identity ecosystem as a whole. To enable this latter objective, NIST is considering the possibility of providing the NISTIR as a contribution to a standards organization to catalyze the development of a voluntary consensus standard. A final approach to standardization will be identified as work and stakeholder engagement progress.

 

3. Scope


NIST will undertake the development of a framework for scoring the strength of biometric authentication methods. This document will initially take the form of a draft NIST Internal Report (NIST IR).  Through public review comments, workshops, and other public engagement opportunities, NIST will gather information to determine whether to publish the document as a NIST IR and/or whether to submit the document to another forum.

This document will build off of the previously published white paper, “Measuring Strength of Authentication,” and explore a vulnerabilities-based approach to assessing, evaluating, and scoring the strength of a biometric authentication system. The NISTIR will likely be modality agnostic (e.g., fingerprint, iris, voice) and explore the possibility of multiple modalities being employed in a single system.

The NIST IR will only address biometric authentication systems. It will, however, be developed with the intent to enable application of the vulnerabilities-based model to other methods of authentication in the future.

 

4. Development Approach


This IR will be developed using an iterative approach that engages community stakeholders early and often during the drafting period—taking advantage of more frequent, but shorter comment periods to enable rapid production of the document. All processes will be conducted in a way that preserves and reflects NIST’s traditions of openness and transparency. The proposed phases are outlined below:

  • Phase I – Draft Sprint #1: This phase will focus on building out additional content to support the conceptual approach outlined in the “Strength of Authentication” white paper. Early efforts will revolve around identifying specific threat mitigations. This phase will conclude with an initial draft of such content, which will be presented at the International Biometric Performance Testing Conference (IBPC) in May.
  • Phase II – Draft Sprint #2: This phase will focus on leveraging input from IBPC and expanding the content to incorporate determinations of relative effectiveness of mitigation strategies and how these can play into an overall assessment framework. This phase will conclude with a draft ready for the iterative comment period.
  • Phase III – Draft Iterations: This phase will focus on gaining input through successive open comment periods and iterations of the IR draft. It is envisioned that this phase will include a minimum of three public comment periods of approximately 3-6 weeks in length, followed by 3-6 week periods for the authoring team to make appropriate updates to the document. This phase will conclude with a finalized framework for assessing the strength of biometric authentication mechanisms and a publication strategy (NIST IR or contribution to an SDO). As this phase progresses, additional iterations may be added.
  • Phase IV – Document Finalization: NIST will adjudicate and resolve all in-scope comments and post the final NISTIR to the NIST website.

 

5. Engagement, Communications, Input


Throughout the course of this project, ACD intends to engage with a broad spectrum of different stakeholders. Those interested in engaging with, contributing to, and influencing this work should seek out opportunities in the following ways:

  • Comment & Contribute: Drafts of the IR will be published for comment on an iterative basis and feedback on each version is welcome and encouraged. Comments will be collected, posted, and managed either via a GitHub page or the traditional CSRC page—the final approach on this will be communicated in advance of the first comment period. Additionally, despite the focus on federal guidance, comments from all sectors are welcome, encouraged, and will be considered.
  • Follow: Keep up to date with the progress of the work by following regular updates through the NSTIC website (www.NSTIC.gov), blog (http://nstic.blogs.govdelivery.com/), and on Twitter (@NSTICNPO).

In addition to facilitating comments on the IR and its drafts, ACD is also seeking input on the concepts and ideas proposed in this charter—we want to know if we are heading in the correct direction. Comments can be provided by emailing NSTICworkshop [at] nist.gov.

 

6. Proposed Timeline & Milestones


Below are high-level milestones, by phase, for the development of the IR.

  • Phase I – Drafting Sprint #1
    • Initial IR Draft Completed
    • IBPC Presentation
  • Phase II – Drafting Sprint #2
    • Public Comment Draft Complete
  • Phase III – Iterative Comment Period
    • Comment Period One Open
    • Comment Period One Closed
    • IR Update One Completed
    • Comment Period Two Open
    • Comment Period Two Closed
    • IR Update Two Completed
    • Comment Period Three Open
    • Comment Period Three Closed
    • Final IR Update
    • IR Publication Strategy
  • Phase V – Final Document
    • Comment Period Closed
    • Final IR Released
Created May 2, 2016, Updated April 19, 2021