SlideShare ist ein Scribd-Unternehmen logo

NIST Guideline - Help unravel conundrum over biometrics security

Als DOCX, PDF herunterladen
Hitoshi Kokumai
Hitoshi Kokumai

The document discusses a suggestion submitted to NIST regarding their digital authentication guidelines. The suggestion involved clarifying that using biometrics with a secondary authenticator via an OR operation provides lower security than using the secondary authenticator alone. However, NIST abruptly closed the discussion thread without clear explanation. The author is looking for help understanding NIST's perspective on allowing OR operations.

Technologie
1 von 10
- Help unravel the conundrum over NIST’s Guideline - I submitted the following suggestion on NIST's Draft Digital Authentication Guideline on August 2. …………………… 5.2.3 reads "(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used". -------------------------- NIST abruptly closed the thread of my suggestion registered as #193 for the reasons which are just unintelligible to me after the exchange of a couple of odd messages as outlined below. -------------------------------------------------- First, a NIST person indicated in their reply that NIST allows or even forces the OR/Disjunction operation adding "it is still two-factor". I submitted a suggestion on the assumption that NIST allows OR/Disjunction operation. The person’s second reply said "If two-factors are required, 2-factors need to be authenticated or the claimant will not get access." It led me to assume that NIST does not allow OR/Disjunction and forces AND/Conjunction. I submitted a new suggestion accordingly. Then, the second NIST person abruptly stepped in and closed this thread after supposedly alleging that the OR/Disjunction operation is valid for security. My appeal for continuing the discussion was met with silence and the thread was finally locked.
------------------------------------------------------- I am unable to follow their logic for justifying the closure of this thread. I wonder if some of you can help unravel this conundrum for me. Hitoshi Kokumai < Epilogue > Following the abrupt closure of the above thread, I tried to submit a fresh suggestion reading "It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This way of operating biometrics with a second authenticator by OR/Disjunction shall be recommend where convenience matters, not where security matter since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security". NIST closed this new thread (#286) the following day without any comment whatsoever. Attachments 1. The whole history of the #193 thread (P3) 2. The whole text of the new suggestion #286 (P9)
< The whole history of the #193 thread > hitoshikokumai commented 20 days ago Organization:3 Type: Security design Document (63-3, 63A, 63B, or 63C):63B Reference (Include section and paragraph number):5.2.3 Comment (Include rationale for comment): It reads "(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." This implies that the second authenticator(factor) and the biometrics are used by OR/Disjunction, which necessarily makes the security lower than that of the second factor alone. In other words, the security is better when the second factor alone is used. There is a 2-minute video outlining the rationale. Biometrics in Cyber Space - "below-one" factor authentication https://youtu.be/wuhB5vxKYlg This article may also help. Misuse of Biometrics Technology http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/30986/ Biometrics authentications are good for physical security but ruin the security of password protection and generate a false sense of security in cyber space. Deployed with a fallback password against false rejection, they provide the level of security that is even poorer than a password-only authentication. Suggested Change: It is desirable to see the above sentence in 5.2.3 followed by such a
footnote as "It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used". Organization: 1 = Federal, 2 = Industry, 3 = Other hitoshikokumai referenced this issue 9 days ago Open Suggestion for AAL 2 #221 “A NIST person” commented 6 days ago Thank you for your review. The intention behind the draft of 800-63-3-B's inclusion of biometrics is that they are always used with a second factor. If the biometric check fails, a different second factor has to be used. In other words, if users/attackers are locked out of the biometric check, they could be offered an alternative second factor. It's still two factor. If the wording needs to be fixed to reflect this, please suggest an alternative because the interpretation that a failure of the biometric check means no second factor check is not what we were allowing in the text. hitoshikokumai commented 5 days ago Thanks for taking up my suggestion for consideration. There should be nothing wrong in operating biometrics with a second factor by OR/Disjunction PROVIDED the people concerned are all accurately aware of its consequences and all the users explicitly informed. Most important is to avoid the false sense of security trapping the users in it. If allowed, I would like to suggest such an alternative as follows: The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret. It should be noted, however, that the security in such cases is necessarily lower than when the second authenticator(factor) alone is used like a house with two entrances
placed in parallel (not in tandem) is more vulnerable to burglars than a house with one entrance. Remark: Two different factors can be operated in two ways - (1) by AND/Conjunction (we need to go through both of the two) or (2) by OR/Disjunction (we need only to go through either of the two). Operation of two factors by (1) AND/Conjunction provides higher security and lower convenience while that by (2) OR/Disjunction provides higher convenience and lower security. People who wish to use biometrics for achieving the level of security higher than passwords are advised to operate the biometrics and passwords by (1) AND/Conjunction and inform the users that they will be able to enjoy better security although they will have to give up the access altogether if rejected by biometrics even when they are able to feed the correct passwords. People who wish to use biometrics for better convenience are advised to operate the biometrics and passwords (fallback means against false rejection) by (2) OR/Disjunction and inform the users that they will be able to enjoy better convenience although the level of security that they can expect is necessarily lower than that of password-only authentication. Should you want to see a more comprehensive and explanatory alternative, I would be ready to compress my article published on the likes of Payments Journal. Please let me have your feedback. Hitoshi Kokumai PS I would appreciate it if you could also have a quick look at my recent short writing posted at http://www.slideshare.net/HitoshiKokumai/discussed-on-elseviers-btt-62502162?qid=8c c17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=1 http://www.slideshare.net/HitoshiKokumai/appeal-to-media-writers-over-security-misco nception?qid=8cc17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=3
“The same NIST person” commented 3 days ago We are not allowing biometrics to be used as a single factor for multiple reasons, summarized in 800-63-3. I believe your suggested text is allowing that by adding an option for "OR." Since we do not want to allow that, there is no need for the sentence to say "OR/Disjuntion" is lower security. If two-factors are required, 2-factors need to be authenticated or the claimant will not get access. hitoshikokumai commented 3 days ago • edited This latest comment of yours seems to make sense. But it does not appears to be compatible with your original draft which sounds to allow or even force the operation of two factors by OR/Disjunction. The original statement "the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." appears to be forcing or allowing the claimant to use a second authenticator/factor as a fallback means against false rejection. This is no different to using the biometrics and the second authenticator/factor (as fallback means) by OR/Disjunction. If your intention was to allow the operation of biometrics and the second factor only by AND/Conjunction, your draft could simply be altered to "Once that limit has been reached, the claimant SHALL not get an access. Rescue means SHALL be considered separately from this particular process of access trials". It would also be desirable to refer to the merits and demerits of the operation of two factors by OR/Disjunction in view of the observation that we are actually watching many such cases on the market. hitoshikokumai commented 3 days ago Whether explicitly called as the fallback means or not, a fallback means for rescue of the claimant who gets rejected by the first factor is nothing but a second factor operated by
OR/Disjunction. I hope you are with me. “The second NIST person” commented 2 days ago While having two means of activating a multi-factor authenticator is theoretically weaker than having only one means of activation, the threat profiles of biometric vs. memorized secret activation are considerably different. For example, a user in a public place would probably be well advised to use a biometric to activate their mobile device rather than type a PIN to unlock it where it can be readily observed by others. Having a choice of activation methods is therefore not necessarily weaker than having a memorized secret only. Note also that the association of multiple authenticators with a subscriber account is encouraged. This could also be seen as being weaker than having only a single authenticator, but it mitigates the real-world problems of authenticator loss, breakage, and theft. Currently, account recovery practices are often a weak point in authentication systems and are rarely multi-factor. The benefit of making account recovery less frequent (and more stringent) outweighs the risks associated with having a reasonable number of authenticators associated with the account. In both cases, there is sufficient margin built into entropy, biometric performance, and throttling requirements to provide sufficient security given the existence of multiple authenticators and activation modes. “This NIST person” closed this 2 days ago hitoshikokumai commented 2 days ago I would appreciate it if you could reconsider about the closure of this thread for the following reasons. It would be fruitless to spend time for comparing the strength of biometrics used on its own with that of passwords used on its own. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is
sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.) Even assuming that biometrics were though to be 10 times less vulnerable than memorized secrets despite the abovementioned observation, the operation of those two factors by OR/Disjunction would necessarily result in the overall security being lower than that of the memorized secrets as well as that of the biometrics. Given that the biometrics has the (x) vulnerability, a very weak fallback password has (y1) vulnerability and a very strong fallback password having (y2), the math of vulnerability (x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that we are safer when we use only the very weak password than when we use the biometrics with the very weak fallback password, and that we are also safer when we use only the very strong password than when we use the biometrics with the very strong fallback password. We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us nowhere. Whoever can manage a very strong password together with biometrics must be able to manage the very strong password on its own. Then, again, we are safer when we use only the very strong password. Moreover, rarely used/recalled passwords tend to be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2). As such it is not possible to count a case that the biometrics used together with a fallback password is stronger than a password used on its own. “The third NIST person” locked the thread. (The above was copied from the NIST site 6 days ago and persons’ names anonymized.)
< The whole text of the new suggestion #286 > Title: Security effects of operation of two-factors by OR/Disjunction **Reference (Include section and paragraph number)**: 5.2.3 **Comment (Include rationale for comment)**: It reads “The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret” at another place. There should be nothing wrong in operating biometrics with a second authenticator/factor by OR/Disjunction (we need only to go through either of the two) as against AND/Conjunction (we need to go through both of the two) PROVIDED the people concerned are all accurately aware of its consequences and all the users explicitly informed of them. It should be noted that the security in such cases is necessarily lower than when the second authenticator(factor) alone is used like a house with two entrances placed in parallel (not in tandem) is more vulnerable to burglars than a house with one entrance. This is logically proven as follows: It would be fruitless to spend time for comparing the strength of biometrics used on its own with that of passwords used on its own. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.) Even assuming that biometrics were thought to be 10 times less vulnerable than memorized secrets despite the abovementioned observation, the operation of those two factors by OR/Disjunction would necessarily result in the overall security being lower than that of the memorized secrets as well as that of the biometrics. Given that the biometrics has the (x) vulnerability, a very weak fallback password has (y1) vulnerability and a very strong fallback password having (y2), the math of vulnerability
(x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that we are safer when we use only the very weak password than when we use the biometrics with the very weak fallback password, and that we are also safer when we use only the very strong password than when we use the biometrics with the very strong fallback password. We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us nowhere. Whoever can manage a very strong password together with biometrics must be able to manage the very strong password on its own. Then, again, we are safer when we use only the very strong password. Moreover, rarely used/recalled passwords tend to be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2). As such it is not possible to count a case that the biometrics used together with a fallback password is stronger than a password used on its own. Should NIST disagree to the logic of this suggestion, NIST would be expected to logically demonstrate that a house with two entrances placed in parallel (not in tandem) is not less vulnerable against burglars than a house with one entrance. Most important is to avoid the false sense of security trapping the users in it. **Suggested Change**: It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This way of operating biometrics with a second authenticator by OR/Disjunction shall be recommend where convenience matters, not where security matter since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security". This new thread (#286) was unilaterally closed without any comment whatsoever.

Empfohlen

Presentacion id h i
Presentacion id h iPresentacion id h i
Presentacion id h iIsmael Dominguez
 
S4 tarea4 garea
S4 tarea4 gareaS4 tarea4 garea
S4 tarea4 gareaAlejandraGarduno
 
Green GPS Tracking
Green GPS TrackingGreen GPS Tracking
Green GPS TrackingACGlobal Systems
 
бренд консалтинг
бренд консалтингбренд консалтинг
бренд консалтингdesper
 
Till Altmann - Industrial Designer in Unisto (Switzerland)
Till Altmann - Industrial Designer in Unisto (Switzerland)Till Altmann - Industrial Designer in Unisto (Switzerland)
Till Altmann - Industrial Designer in Unisto (Switzerland)Ramses Cabello
 
Contracts_literature_review-JVidaurre
Contracts_literature_review-JVidaurreContracts_literature_review-JVidaurre
Contracts_literature_review-JVidaurreJavier Vidaurre
 
Time period during chanakya
Time period during chanakyaTime period during chanakya
Time period during chanakyaRameen khan
 
Visual Summary of Egocentric Photostreams by Representative Keyframes
Visual Summary of Egocentric Photostreams by Representative KeyframesVisual Summary of Egocentric Photostreams by Representative Keyframes
Visual Summary of Egocentric Photostreams by Representative KeyframesMarc Bolaños Solà
 

Empfohlen

Presentacion id h i
Presentacion id h iPresentacion id h i
Presentacion id h iIsmael Dominguez
 
S4 tarea4 garea
S4 tarea4 gareaS4 tarea4 garea
S4 tarea4 gareaAlejandraGarduno
 
Green GPS Tracking
Green GPS TrackingGreen GPS Tracking
Green GPS TrackingACGlobal Systems
 
бренд консалтинг
бренд консалтингбренд консалтинг
бренд консалтингdesper
 
Till Altmann - Industrial Designer in Unisto (Switzerland)
Till Altmann - Industrial Designer in Unisto (Switzerland)Till Altmann - Industrial Designer in Unisto (Switzerland)
Till Altmann - Industrial Designer in Unisto (Switzerland)Ramses Cabello
 
Contracts_literature_review-JVidaurre
Contracts_literature_review-JVidaurreContracts_literature_review-JVidaurre
Contracts_literature_review-JVidaurreJavier Vidaurre
 
Time period during chanakya
Time period during chanakyaTime period during chanakya
Time period during chanakyaRameen khan
 
Visual Summary of Egocentric Photostreams by Representative Keyframes
Visual Summary of Egocentric Photostreams by Representative KeyframesVisual Summary of Egocentric Photostreams by Representative Keyframes
Visual Summary of Egocentric Photostreams by Representative KeyframesMarc Bolaños Solà
 
Эффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в ЗауральеЭффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в Зауральеkulibin
 
Waterveiligheid
WaterveiligheidWaterveiligheid
WaterveiligheidSwimCare
 
Apple - Steve Jobs
Apple - Steve Jobs Apple - Steve Jobs
Apple - Steve Jobs adeel990
 
Trenchless Technology.Pps
Trenchless Technology.PpsTrenchless Technology.Pps
Trenchless Technology.Ppsguesta7b431e
 
말의여행
말의여행말의여행
말의여행mil23
 
QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015 QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015 QMS Comunicación
 
Diversos tipos de simuladores
Diversos tipos de simuladores Diversos tipos de simuladores
Diversos tipos de simuladores danielAngelvnzla
 
資料庫使用方法
資料庫使用方法資料庫使用方法
資料庫使用方法sophiya
 
IRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of TechnologyIRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of TechnologyIRJET Journal
 
A survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technologyA survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technologyTELKOMNIKA JOURNAL
 
Blockchain Technology Overview
Blockchain Technology OverviewBlockchain Technology Overview
Blockchain Technology OverviewIRJET Journal
 
IRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block ChainIRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block ChainIRJET Journal
 
Blockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management SystemBlockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management SystemIRJET Journal
 
IRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger TechnologyIRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger TechnologyIRJET Journal
 
Scaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain TechnologyScaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain TechnologyIRJET Journal
 
Deployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BDeployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BHitoshi Kokumai
 
IRJET- Electronic Health Records
IRJET- Electronic Health RecordsIRJET- Electronic Health Records
IRJET- Electronic Health RecordsIRJET Journal
 
IRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger FabricIRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger FabricIRJET Journal
 
IRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of BlockchainIRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of BlockchainIRJET Journal
 
IRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its CountermeasuresIRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its CountermeasuresIRJET Journal
 
A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem IJECEIAES
 
IRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for TransactionIRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for TransactionIRJET Journal
 

Weitere ähnliche Inhalte

Andere mochten auch

Эффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в ЗауральеЭффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в Зауральеkulibin
 
Waterveiligheid
WaterveiligheidWaterveiligheid
WaterveiligheidSwimCare
 
Apple - Steve Jobs
Apple - Steve Jobs Apple - Steve Jobs
Apple - Steve Jobs adeel990
 
Trenchless Technology.Pps
Trenchless Technology.PpsTrenchless Technology.Pps
Trenchless Technology.Ppsguesta7b431e
 
말의여행
말의여행말의여행
말의여행mil23
 
QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015 QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015 QMS Comunicación
 
Diversos tipos de simuladores
Diversos tipos de simuladores Diversos tipos de simuladores
Diversos tipos de simuladores danielAngelvnzla
 
資料庫使用方法
資料庫使用方法資料庫使用方法
資料庫使用方法sophiya
 

Andere mochten auch (8)

Эффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в ЗауральеЭффективность применения гидрогеля в Зауралье
Эффективность применения гидрогеля в Зауралье
 
Waterveiligheid
WaterveiligheidWaterveiligheid
Waterveiligheid
 
Apple - Steve Jobs
Apple - Steve Jobs Apple - Steve Jobs
Apple - Steve Jobs
 
Trenchless Technology.Pps
Trenchless Technology.PpsTrenchless Technology.Pps
Trenchless Technology.Pps
 
말의여행
말의여행말의여행
말의여행
 
QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015 QMS comunicación triunfa en los premios de Cannes 2015
QMS comunicación triunfa en los premios de Cannes 2015
 
Diversos tipos de simuladores
Diversos tipos de simuladores Diversos tipos de simuladores
Diversos tipos de simuladores
 
資料庫使用方法
資料庫使用方法資料庫使用方法
資料庫使用方法
 

Ähnlich wie NIST Guideline - Help unravel conundrum over biometrics security

IRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of TechnologyIRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of TechnologyIRJET Journal
 
A survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technologyA survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technologyTELKOMNIKA JOURNAL
 
Blockchain Technology Overview
Blockchain Technology OverviewBlockchain Technology Overview
Blockchain Technology OverviewIRJET Journal
 
IRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block ChainIRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block ChainIRJET Journal
 
Blockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management SystemBlockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management SystemIRJET Journal
 
IRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger TechnologyIRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger TechnologyIRJET Journal
 
Scaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain TechnologyScaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain TechnologyIRJET Journal
 
Deployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BDeployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BHitoshi Kokumai
 
IRJET- Electronic Health Records
IRJET- Electronic Health RecordsIRJET- Electronic Health Records
IRJET- Electronic Health RecordsIRJET Journal
 
IRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger FabricIRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger FabricIRJET Journal
 
IRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of BlockchainIRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of BlockchainIRJET Journal
 
IRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its CountermeasuresIRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its CountermeasuresIRJET Journal
 
A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem IJECEIAES
 
IRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for TransactionIRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for TransactionIRJET Journal
 
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!Steven Rhyner
 
Doing Business of Blockchain in India
Doing Business of Blockchain in IndiaDoing Business of Blockchain in India
Doing Business of Blockchain in IndiaEquiCorp Associates
 
Blockchain a deep dive
Blockchain a deep diveBlockchain a deep dive
Blockchain a deep divehypeprofitbiz
 
Secure and Transparent Insurance Application using Blockchain Technology
Secure and Transparent Insurance Application using Blockchain TechnologySecure and Transparent Insurance Application using Blockchain Technology
Secure and Transparent Insurance Application using Blockchain TechnologyIRJET Journal
 
IRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET Journal
 
IRJET- Bitcoin - The Future Currency
IRJET- Bitcoin - The Future CurrencyIRJET- Bitcoin - The Future Currency
IRJET- Bitcoin - The Future CurrencyIRJET Journal
 

Ähnlich wie NIST Guideline - Help unravel conundrum over biometrics security (20)

IRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of TechnologyIRJET-Blockchain the New Era of Technology
IRJET-Blockchain the New Era of Technology
 
A survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technologyA survey on security and policy aspects of blockchain technology
A survey on security and policy aspects of blockchain technology
 
Blockchain Technology Overview
Blockchain Technology OverviewBlockchain Technology Overview
Blockchain Technology Overview
 
IRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block ChainIRJET- Whistle Blower Protection using Block Chain
IRJET- Whistle Blower Protection using Block Chain
 
Blockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management SystemBlockchain based Asset Registration & Management System
Blockchain based Asset Registration & Management System
 
IRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger TechnologyIRJET- Credible Data through Distributed Ledger Technology
IRJET- Credible Data through Distributed Ledger Technology
 
Scaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain TechnologyScaling up Banking Operations: Harnessing the power of block chain Technology
Scaling up Banking Operations: Harnessing the power of block chain Technology
 
Deployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63BDeployment of Biometrics & Password - NIST63B
Deployment of Biometrics & Password - NIST63B
 
IRJET- Electronic Health Records
IRJET- Electronic Health RecordsIRJET- Electronic Health Records
IRJET- Electronic Health Records
 
IRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger FabricIRJET- Smart Contracts for Insurance based on Hyperledger Fabric
IRJET- Smart Contracts for Insurance based on Hyperledger Fabric
 
IRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of BlockchainIRJET- An Overview of the Security of Blockchain
IRJET- An Overview of the Security of Blockchain
 
IRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its CountermeasuresIRJET- Security Threats on Blockchain and its Countermeasures
IRJET- Security Threats on Blockchain and its Countermeasures
 
A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem A decentralized consensus application using blockchain ecosystem
A decentralized consensus application using blockchain ecosystem
 
IRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for TransactionIRJET- Blockchain-A Secure Mode for Transaction
IRJET- Blockchain-A Secure Mode for Transaction
 
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
 
Doing Business of Blockchain in India
Doing Business of Blockchain in IndiaDoing Business of Blockchain in India
Doing Business of Blockchain in India
 
Blockchain a deep dive
Blockchain a deep diveBlockchain a deep dive
Blockchain a deep dive
 
Secure and Transparent Insurance Application using Blockchain Technology
Secure and Transparent Insurance Application using Blockchain TechnologySecure and Transparent Insurance Application using Blockchain Technology
Secure and Transparent Insurance Application using Blockchain Technology
 
IRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using Blockchain
 
IRJET- Bitcoin - The Future Currency
IRJET- Bitcoin - The Future CurrencyIRJET- Bitcoin - The Future Currency
IRJET- Bitcoin - The Future Currency
 

Mehr von Hitoshi Kokumai

Image-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxImage-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxHitoshi Kokumai
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)Hitoshi Kokumai
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Hitoshi Kokumai
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryHitoshi Kokumai
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password systemHitoshi Kokumai
 
Intriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneIntriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneHitoshi Kokumai
 
Cyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsCyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsHitoshi Kokumai
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Hitoshi Kokumai
 
Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Hitoshi Kokumai
 
Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryHitoshi Kokumai
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Hitoshi Kokumai
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password SystemHitoshi Kokumai
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceHitoshi Kokumai
 

Mehr von Hitoshi Kokumai (14)

Image-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptxImage-to-Code Converter 31July2023.pptx
Image-to-Code Converter 31July2023.pptx
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic Memory
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password system
 
Intriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to OneIntriguing Evlolution from One to Two and Back to One
Intriguing Evlolution from One to Two and Back to One
 
Cyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password SystemsCyber Predicament by Text-Only Password Systems
Cyber Predicament by Text-Only Password Systems
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018
 
Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018Presentation with Scripts at CIWEU2018
Presentation with Scripts at CIWEU2018
 
Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and Memory
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password System
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity Assurance
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Kürzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

NIST Guideline - Help unravel conundrum over biometrics security

  • 1. - Help unravel the conundrum over NIST’s Guideline - I submitted the following suggestion on NIST's Draft Digital Authentication Guideline on August 2. …………………… 5.2.3 reads "(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used". -------------------------- NIST abruptly closed the thread of my suggestion registered as #193 for the reasons which are just unintelligible to me after the exchange of a couple of odd messages as outlined below. -------------------------------------------------- First, a NIST person indicated in their reply that NIST allows or even forces the OR/Disjunction operation adding "it is still two-factor". I submitted a suggestion on the assumption that NIST allows OR/Disjunction operation. The person’s second reply said "If two-factors are required, 2-factors need to be authenticated or the claimant will not get access." It led me to assume that NIST does not allow OR/Disjunction and forces AND/Conjunction. I submitted a new suggestion accordingly. Then, the second NIST person abruptly stepped in and closed this thread after supposedly alleging that the OR/Disjunction operation is valid for security. My appeal for continuing the discussion was met with silence and the thread was finally locked.
  • 2. ------------------------------------------------------- I am unable to follow their logic for justifying the closure of this thread. I wonder if some of you can help unravel this conundrum for me. Hitoshi Kokumai < Epilogue > Following the abrupt closure of the above thread, I tried to submit a fresh suggestion reading "It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This way of operating biometrics with a second authenticator by OR/Disjunction shall be recommend where convenience matters, not where security matter since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security". NIST closed this new thread (#286) the following day without any comment whatsoever. Attachments 1. The whole history of the #193 thread (P3) 2. The whole text of the new suggestion #286 (P9)
  • 3. < The whole history of the #193 thread > hitoshikokumai commented 20 days ago Organization:3 Type: Security design Document (63-3, 63A, 63B, or 63C):63B Reference (Include section and paragraph number):5.2.3 Comment (Include rationale for comment): It reads "(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." This implies that the second authenticator(factor) and the biometrics are used by OR/Disjunction, which necessarily makes the security lower than that of the second factor alone. In other words, the security is better when the second factor alone is used. There is a 2-minute video outlining the rationale. Biometrics in Cyber Space - "below-one" factor authentication https://youtu.be/wuhB5vxKYlg This article may also help. Misuse of Biometrics Technology http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/30986/ Biometrics authentications are good for physical security but ruin the security of password protection and generate a false sense of security in cyber space. Deployed with a fallback password against false rejection, they provide the level of security that is even poorer than a password-only authentication. Suggested Change: It is desirable to see the above sentence in 5.2.3 followed by such a
  • 4. footnote as "It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used". Organization: 1 = Federal, 2 = Industry, 3 = Other hitoshikokumai referenced this issue 9 days ago Open Suggestion for AAL 2 #221 “A NIST person” commented 6 days ago Thank you for your review. The intention behind the draft of 800-63-3-B's inclusion of biometrics is that they are always used with a second factor. If the biometric check fails, a different second factor has to be used. In other words, if users/attackers are locked out of the biometric check, they could be offered an alternative second factor. It's still two factor. If the wording needs to be fixed to reflect this, please suggest an alternative because the interpretation that a failure of the biometric check means no second factor check is not what we were allowing in the text. hitoshikokumai commented 5 days ago Thanks for taking up my suggestion for consideration. There should be nothing wrong in operating biometrics with a second factor by OR/Disjunction PROVIDED the people concerned are all accurately aware of its consequences and all the users explicitly informed. Most important is to avoid the false sense of security trapping the users in it. If allowed, I would like to suggest such an alternative as follows: The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret. It should be noted, however, that the security in such cases is necessarily lower than when the second authenticator(factor) alone is used like a house with two entrances
  • 5. placed in parallel (not in tandem) is more vulnerable to burglars than a house with one entrance. Remark: Two different factors can be operated in two ways - (1) by AND/Conjunction (we need to go through both of the two) or (2) by OR/Disjunction (we need only to go through either of the two). Operation of two factors by (1) AND/Conjunction provides higher security and lower convenience while that by (2) OR/Disjunction provides higher convenience and lower security. People who wish to use biometrics for achieving the level of security higher than passwords are advised to operate the biometrics and passwords by (1) AND/Conjunction and inform the users that they will be able to enjoy better security although they will have to give up the access altogether if rejected by biometrics even when they are able to feed the correct passwords. People who wish to use biometrics for better convenience are advised to operate the biometrics and passwords (fallback means against false rejection) by (2) OR/Disjunction and inform the users that they will be able to enjoy better convenience although the level of security that they can expect is necessarily lower than that of password-only authentication. Should you want to see a more comprehensive and explanatory alternative, I would be ready to compress my article published on the likes of Payments Journal. Please let me have your feedback. Hitoshi Kokumai PS I would appreciate it if you could also have a quick look at my recent short writing posted at http://www.slideshare.net/HitoshiKokumai/discussed-on-elseviers-btt-62502162?qid=8c c17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=1 http://www.slideshare.net/HitoshiKokumai/appeal-to-media-writers-over-security-misco nception?qid=8cc17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=3
  • 6. “The same NIST person” commented 3 days ago We are not allowing biometrics to be used as a single factor for multiple reasons, summarized in 800-63-3. I believe your suggested text is allowing that by adding an option for "OR." Since we do not want to allow that, there is no need for the sentence to say "OR/Disjuntion" is lower security. If two-factors are required, 2-factors need to be authenticated or the claimant will not get access. hitoshikokumai commented 3 days ago • edited This latest comment of yours seems to make sense. But it does not appears to be compatible with your original draft which sounds to allow or even force the operation of two factors by OR/Disjunction. The original statement "the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret." appears to be forcing or allowing the claimant to use a second authenticator/factor as a fallback means against false rejection. This is no different to using the biometrics and the second authenticator/factor (as fallback means) by OR/Disjunction. If your intention was to allow the operation of biometrics and the second factor only by AND/Conjunction, your draft could simply be altered to "Once that limit has been reached, the claimant SHALL not get an access. Rescue means SHALL be considered separately from this particular process of access trials". It would also be desirable to refer to the merits and demerits of the operation of two factors by OR/Disjunction in view of the observation that we are actually watching many such cases on the market. hitoshikokumai commented 3 days ago Whether explicitly called as the fallback means or not, a fallback means for rescue of the claimant who gets rejected by the first factor is nothing but a second factor operated by
  • 7. OR/Disjunction. I hope you are with me. “The second NIST person” commented 2 days ago While having two means of activating a multi-factor authenticator is theoretically weaker than having only one means of activation, the threat profiles of biometric vs. memorized secret activation are considerably different. For example, a user in a public place would probably be well advised to use a biometric to activate their mobile device rather than type a PIN to unlock it where it can be readily observed by others. Having a choice of activation methods is therefore not necessarily weaker than having a memorized secret only. Note also that the association of multiple authenticators with a subscriber account is encouraged. This could also be seen as being weaker than having only a single authenticator, but it mitigates the real-world problems of authenticator loss, breakage, and theft. Currently, account recovery practices are often a weak point in authentication systems and are rarely multi-factor. The benefit of making account recovery less frequent (and more stringent) outweighs the risks associated with having a reasonable number of authenticators associated with the account. In both cases, there is sufficient margin built into entropy, biometric performance, and throttling requirements to provide sufficient security given the existence of multiple authenticators and activation modes. “This NIST person” closed this 2 days ago hitoshikokumai commented 2 days ago I would appreciate it if you could reconsider about the closure of this thread for the following reasons. It would be fruitless to spend time for comparing the strength of biometrics used on its own with that of passwords used on its own. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is
  • 8. sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.) Even assuming that biometrics were though to be 10 times less vulnerable than memorized secrets despite the abovementioned observation, the operation of those two factors by OR/Disjunction would necessarily result in the overall security being lower than that of the memorized secrets as well as that of the biometrics. Given that the biometrics has the (x) vulnerability, a very weak fallback password has (y1) vulnerability and a very strong fallback password having (y2), the math of vulnerability (x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that we are safer when we use only the very weak password than when we use the biometrics with the very weak fallback password, and that we are also safer when we use only the very strong password than when we use the biometrics with the very strong fallback password. We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us nowhere. Whoever can manage a very strong password together with biometrics must be able to manage the very strong password on its own. Then, again, we are safer when we use only the very strong password. Moreover, rarely used/recalled passwords tend to be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2). As such it is not possible to count a case that the biometrics used together with a fallback password is stronger than a password used on its own. “The third NIST person” locked the thread. (The above was copied from the NIST site 6 days ago and persons’ names anonymized.)
  • 9. < The whole text of the new suggestion #286 > Title: Security effects of operation of two-factors by OR/Disjunction **Reference (Include section and paragraph number)**: 5.2.3 **Comment (Include rationale for comment)**: It reads “The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorized secret” at another place. There should be nothing wrong in operating biometrics with a second authenticator/factor by OR/Disjunction (we need only to go through either of the two) as against AND/Conjunction (we need to go through both of the two) PROVIDED the people concerned are all accurately aware of its consequences and all the users explicitly informed of them. It should be noted that the security in such cases is necessarily lower than when the second authenticator(factor) alone is used like a house with two entrances placed in parallel (not in tandem) is more vulnerable to burglars than a house with one entrance. This is logically proven as follows: It would be fruitless to spend time for comparing the strength of biometrics used on its own with that of passwords used on its own. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.) Even assuming that biometrics were thought to be 10 times less vulnerable than memorized secrets despite the abovementioned observation, the operation of those two factors by OR/Disjunction would necessarily result in the overall security being lower than that of the memorized secrets as well as that of the biometrics. Given that the biometrics has the (x) vulnerability, a very weak fallback password has (y1) vulnerability and a very strong fallback password having (y2), the math of vulnerability
  • 10. (x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that we are safer when we use only the very weak password than when we use the biometrics with the very weak fallback password, and that we are also safer when we use only the very strong password than when we use the biometrics with the very strong fallback password. We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us nowhere. Whoever can manage a very strong password together with biometrics must be able to manage the very strong password on its own. Then, again, we are safer when we use only the very strong password. Moreover, rarely used/recalled passwords tend to be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2). As such it is not possible to count a case that the biometrics used together with a fallback password is stronger than a password used on its own. Should NIST disagree to the logic of this suggestion, NIST would be expected to logically demonstrate that a house with two entrances placed in parallel (not in tandem) is not less vulnerable against burglars than a house with one entrance. Most important is to avoid the false sense of security trapping the users in it. **Suggested Change**: It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This way of operating biometrics with a second authenticator by OR/Disjunction shall be recommend where convenience matters, not where security matter since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security". This new thread (#286) was unilaterally closed without any comment whatsoever.