Page 36

INFO5301 NIST Digital Identity Guidelines

6. False. In the absence of a trusted statement that it is a multi-factor device, the verifier shall treat the authenticator as single-factor (SF).

Exercise 8:

Briefly explain why rate limiting on authentication attempts is required, and how to reduce the likelihood of a legitimate user being locked out as a result of rate limiting (throttling).

Answer: The verifier shall limit consecutive failed authentication attempts on a single account to no more than 100 to protect against online guessing attacks. To reduce the likelihood of a legitimate user being locked out, the verifier may use techniques such as:

• Requiring the claimant to complete a CAPTCHA before authentication
• Accepting only authentication requests coming from a whitelist of IP addresses from which the subscriber has successfully authenticated before
• Requiring the claimant to wait following a failed attempt for a period of time that increases as the account approaches its maximum allowance of consecutive failed attempts
• Leveraging other risk-based or adaptive authentication techniques, e.g. IP address, geolocation, browser metadata and timing of request patterns
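The following is an added illustration, not part of the course notes or of the NIST text, of how a verifier can combine the 100-failure cap with the lockout-reduction techniques listed above: a CAPTCHA gate, an allowlist of IP addresses from which the subscriber has authenticated before, and a wait that grows as the account approaches the cap. The 100-attempt limit is the figure from the answer; the CAPTCHA threshold, the allowlist-only threshold, the delay curve and its ceiling are assumptions chosen for illustration, and the sample secret is constructed.

```python
"""Verifier-side throttling of consecutive failed authentication attempts.

Added example (not from the course notes). Only MAX_CONSECUTIVE_FAILURES
comes from the guideline quoted in the answer; every other threshold below
is an assumption chosen to make the behaviour visible.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum

MAX_CONSECUTIVE_FAILURES = 100   # cap stated in the answer to Exercise 8
CAPTCHA_AFTER = 5                # assumption: demand a CAPTCHA after this many failures
ALLOWLIST_ONLY_AFTER = 20        # assumption: beyond this, accept only known-good IPs
MAX_DELAY_SECONDS = 900.0        # assumption: ceiling for the escalating wait


class Decision(Enum):
    ALLOWED = "allowed"                 # credential correct; counters reset
    REJECTED = "rejected"               # credential wrong; failure counter incremented
    CAPTCHA_REQUIRED = "captcha"        # no attempt consumed until a CAPTCHA is solved
    WAIT = "wait"                       # escalating delay not yet elapsed; no attempt consumed
    UNKNOWN_IP = "unknown_ip"           # account under attack; request not from the allowlist
    LOCKED = "locked"                   # 100 consecutive failures reached


@dataclass
class AccountState:
    secret: str                                  # constructed sample; a real verifier stores a salted hash
    consecutive_failures: int = 0
    not_before: float = 0.0                      # earliest time the next attempt is accepted
    known_good_ips: set = field(default_factory=set)


def escalating_delay(failures: int) -> float:
    """Seconds the claimant must wait after `failures` consecutive failures.

    No delay for the first few mistypes, then a wait that doubles per failure
    up to a ceiling, so a legitimate user is slowed rather than locked out
    while a guessing attack is throttled long before it reaches the cap.
    The curve itself is an assumption, not a figure from the guideline.
    """
    if failures < CAPTCHA_AFTER:
        return 0.0
    return min(MAX_DELAY_SECONDS, 2.0 ** (failures - CAPTCHA_AFTER))


def attempt(acct: AccountState, presented: str, ip: str, now: float,
            captcha_solved: bool = False) -> Decision:
    """Evaluate one authentication request against the account's throttle state."""
    if acct.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
        return Decision.LOCKED
    # Once the account looks attacked, accept requests only from addresses
    # the subscriber has successfully authenticated from before.
    if acct.consecutive_failures >= ALLOWLIST_ONLY_AFTER and ip not in acct.known_good_ips:
        return Decision.UNKNOWN_IP
    if acct.consecutive_failures >= CAPTCHA_AFTER and not captcha_solved:
        return Decision.CAPTCHA_REQUIRED
    if now < acct.not_before:
        return Decision.WAIT
    if hmac.compare_digest(presented.encode(), acct.secret.encode()):
        acct.consecutive_failures = 0
        acct.not_before = 0.0
        acct.known_good_ips.add(ip)          # this address is now trusted for the allowlist
        return Decision.ALLOWED
    acct.consecutive_failures += 1
    acct.not_before = now + escalating_delay(acct.consecutive_failures)
    return Decision.REJECTED


if __name__ == "__main__":
    acct = AccountState(secret="correct horse")  # constructed sample secret
    ip = "203.0.113.5"                           # documentation-range address, constructed
    for i in range(7):
        print(i, attempt(acct, "guess", ip, now=float(i), captcha_solved=(i >= 5)),
              "wait", acct.not_before)
```

Failure counters are keyed per account rather than per source address, because a guessing attack on one account may arrive from many addresses; the allowlist check is what lets the genuine subscriber through while that attack is under way.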

Exercise 9:

Briefly explain why NIST guidelines only support limited use of biometrics, and list three conditions under which biometrics may be used in the authentication process.

Answer: Due to the following reasons, only a limited use is supported for biometrics.

• Biometric comparison is probabilistic, unlike other authentication factors that are deterministic
• Biometric characteristics do not constitute secrets
• Biometric false match rate doesn't account for spoofing attacks, and does not provide confidence in the authentication of the subscriber by itself

Therefore, biometrics for authentication are supported under the following guidelines and requirements:

• Shall be used as a part of multi-factor authentication with a physical authenticator
• Shall operate with an FMR of 1 in 1000 or better
• An authenticated protected channel between sensor and verifier shall be established, and the sensor endpoint shall be authenticated prior to capturing the biometric sample from the claimant

Information Security Management Page 5 of 9