My team and I are working through the FIDO certification questionnaire and we are having a difficult time agreeing on what the requirement "Authenticator's Test for User Presence and User Verification", section 3.9, is supposed to mean.
The calibration section says: "For a biometric, the FAR times the number of allowed attempts must be smaller than 0.017 for the first 12.8 days. After those 12.8 days, the allowed chance will increase."
To us this means that every attempt to use the fingerprint sensor, good or bad scan, has a chance to trigger a false positive. So we're interpreting this as: you only get X attempts to use the device in the 12.8-day period; for our FAR that means we get to use the device 170 times before we have to lock it (or switch to a backup). This seems wrong given that if we hit 170 earlier than day 12.8, we have to wait for day 13.8 to get 13.3 more attempts.
The recommendation says: "Allowing up to 3 failed user verification attempts without any penalty and then imposing a delay of at least 30 seconds before the 4th one, increasing exponentially with each successive attempt (e.g., 1 minute before the 5th one, 2 minutes before the 6th one)." This specifically calls out failed attempts, not all attempts, and the sample questionnaire says that after 10 attempts it resets the device to the default state.
Does this requirement mean that 170 failed attempts in a 12.8-day period would lock the device until day 13.8 and give you 13.3 more failed attempts to try, or is it based on any attempt, since the FAR applies to all attempts, not just pass/fail?
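The two rules quoted in the post, written out as an added example (not text or code from the FIDO documents or from the poster): the attempt budget implied by "FAR times allowed attempts smaller than 0.017", and the failed-attempt throttle with 3 free failures, 30 s before the 4th attempt and doubling thereafter. The wipe-after-10 threshold is taken from the sample questionnaire as the post describes it; the clock injection and status strings are assumptions of this example.

```python
"""Added example: budget and throttle as quoted in the post, not FIDO's own code."""
import math
from dataclasses import dataclass
from fractions import Fraction

FREE_FAILURES = 3      # failed attempts tolerated before any delay is imposed
BASE_DELAY_S = 30      # delay before the 4th attempt, doubling on each further failure
FAR_BUDGET = "0.017"   # quoted bound: FAR * allowed attempts must be smaller than this


def max_attempts_for_far(far, budget=FAR_BUDGET) -> int:
    """Largest whole number n such that far * n is strictly smaller than budget.

    Exact rational arithmetic avoids float rounding at the boundary.
    """
    f, b = Fraction(str(far)), Fraction(str(budget))
    if f <= 0:
        raise ValueError("FAR must be positive")
    return math.ceil(b / f) - 1


def required_delay_s(consecutive_failures: int) -> int:
    """Delay before the next attempt given the consecutive failures so far."""
    if consecutive_failures < FREE_FAILURES:
        return 0
    return BASE_DELAY_S * 2 ** (consecutive_failures - FREE_FAILURES)


@dataclass
class VerificationThrottle:
    """Failed-attempt throttle; `now` is injected (seconds) so it is testable offline."""
    wipe_after: int = 10       # assumed from the sample questionnaire described in the post
    failures: int = 0
    not_before: float = 0.0    # earliest time at which the next attempt is accepted
    wiped: bool = False

    def attempt(self, now: float, matched: bool) -> str:
        if self.wiped:
            return "wiped"
        if now < self.not_before:
            return "throttled"          # attempt during a penalty window does not count
        if matched:
            self.failures = 0           # a successful verification clears the counter
            return "ok"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wiped = True           # reset to default state after too many failures
            return "wiped"
        self.not_before = now + required_delay_s(self.failures)
        return "rejected"
```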