v5.0.0: 6.5.7 conflict with NIST SP 800-63B-4

[narfbg]

V6.5 General Multi-factor authentication requirements (as of time of this issue):

#	Description	Level
6.5.7	Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know.	3

NIST SP 800-63B-4; 3.2.3. Use of Biometrics:
(last paragraph, no changes between 2nd public draft and final)

Biometrics SHALL only be used as part of multi-factor authentication with a physical
authenticator (i.e., “something you have”). The biometric characteristic SHALL be
presented and compared for each authentication operation. An alternative non-
biometric authentication option SHALL always be provided to the subscriber. Biometric
data SHALL be treated and secured as sensitive personal information.

I have bolded only the direct contradiction above, but the full paragraph adds more context to NIST's rationale, which I'm happy to extrapolate if necessary, but it seems obvious enough.

[elarlang]

Note that version 4 of NIST SP 800-63 was released after ASVS v5.0.0 was released.

But when I look into version 3, it had pretty much the same message

Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).

The current requirement comes from v4.0.3-2.8.7

Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know.

From the issue #1421 and the proposal, it seems to be resulted in the commit bea3a23 as

Verify that biometric authenticators are only used as secondary factors together with either something you have and something you know.

Later, only the word "mechanism" was added:

Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know.

---

So the summary is, I don't see the argumentation or rationale why it should not be aligned with NIST, and it should be fixed for the next (major) release.

The problematic part here is that it could be a breaking change and can not be done with a patch release. See https://github.com/OWASP/ASVS/blob/master/CONTRIBUTING.md#release-strategy

[narfbg]

Yeah, SemVer rules are inconvenient like that. Many software projects eventually end up releasing major versions every other month because of this.

I would say though, I highly doubt that there is any knowledge+biometric implementation in existence, especially not one already ASVS5-compliant. There are people who may claim to have that, but not realizing that whatever OTS biometric authenticator they have is actually unlocking a TPM-backed private key (something you have).
That's where "Biometric data SHALL be treated and secured as sensitive personal information." comes handy as additional context - that's mere alignment with privacy laws, and vendors don't play loose with the law where it categorizes data as "sensitive".

[tghosth]

@narfbg can you propose updated wording here and then when we figure out how we are going to handle breaking changes we can try and get it in

[narfbg]

Just taking out the conflicting part should suffice, and keeping it as simple as possible is also a benefit IMO:

Verify that biometric authentication is only used as secondary factor to something you have.

[tghosth]

Maybe:

"Verify that biometric authentication is only used as secondary factor together with something you have."

[narfbg]

I might be unnecessarily nitpicking, but "together with" has a slight chance of misinterpretation: something you know still alowed as the primary factor as long as both biometrics and something you have are used as secondary factors.

[randomstuff]

Technically, it does not conflict, right? In the sense that your application can comply with both ASVS 6.5.7 and NIST SP 800-63B-4; 3.2.3.

[tghosth]

I might be unnecessarily nitpicking, but "together with" has a slight chance of misinterpretation: something you know still alowed as the primary factor as long as both biometrics and something you have are used as secondary factors.

Does that matter? I mean, as long as the biometric and the something you have are used together, does it matter if there is also another "something you know" factor?