About FIDO Authenticator Security Requirements_V1.4


Steven li

Apr 13, 2023, 2:35:10 AM
to FIDO Dev (fido-dev)
Hi guys,

I saw a document, FIDO Authenticator Security Requirements_V1.4, section 2.3 Authenticator’s Test for User Presence and User Verification,
Table content No. 3.9
Authenticators implementing user verification methods other than user presence check [FIDOGlossary], shall rate-limit user verification attempts in order to prevent brute-force attacks.

FIDO recommends:
Allowing up to 3 failed user verification attempts without any penalty and then imposing a delay of at least 30 seconds before the 4th one, increasing exponentially with each successive attempt (e.g., 1 minute before the 5th one, 2 minutes before the 6th one), or
Disable the biometric user authentication and offer another factor (e.g., a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already available after the 16th failed user verification attempt.
Disabling the first user verification method and falling back to an alternative user verification method may take place at any time without imposing additional delays.

May I ask what environment the authenticator is used in, and whether it is designed according to the FIDO suggestion?

Thanks,
Steven
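The rate-limiting recommendation quoted above, as an added example that is not part of the original post and not FIDO's own code: a Python model of the delay schedule (3 failures with no penalty, 30 s before the 4th attempt, doubling after that, fallback to another factor after the 16th failure). The class and function names and the simulated clock are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FREE_ATTEMPTS = 3     # failed attempts tolerated with no delay
BASE_DELAY_S = 30     # delay imposed before the 4th attempt
FALLBACK_AFTER = 16   # disable this modality after the 16th failure


def required_delay(failures: int) -> Optional[int]:
    """Seconds to wait before the next attempt after `failures`
    consecutive failed verifications. None means the modality is
    disabled and an alternative factor (other biometric, PIN) must be
    offered instead; that fallback itself carries no extra delay."""
    if failures >= FALLBACK_AFTER:
        return None
    if failures < FREE_ATTEMPTS:
        return 0
    # 30 s before the 4th, 60 s before the 5th, 120 s before the 6th, ...
    return BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS)


@dataclass
class UvRateLimiter:
    """Per-modality state an authenticator would keep (constructed model)."""
    failures: int = 0
    last_failure_at: float = 0.0   # simulated monotonic clock, seconds
    disabled: bool = False

    def may_attempt(self, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds_remaining_before_next_attempt)."""
        if self.disabled:
            return False, 0.0
        wait = required_delay(self.failures) or 0
        remaining = self.last_failure_at + wait - now
        return remaining <= 0, max(0.0, remaining)

    def record(self, success: bool, now: float) -> None:
        """Update state after a verification attempt completes."""
        if success:
            self.failures = 0          # a success resets the schedule
            return
        self.failures += 1
        self.last_failure_at = now
        if required_delay(self.failures) is None:
            self.disabled = True       # fall back to another factor
```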

