IBIA advises NIST to give biometrics a bigger role
27 May 2015 15:24 GMT

The International Biometrics and Identification Association (IBIA) has asked the National Institute of Standards and Technology (NIST) to consider handing biometrics an expanded role in updates to NIST’s electronic authentication guidance publication.

On April 19, NIST issued a call for comments on NIST Special Publication 800-63-2, Electronic Authentication Guideline, which was last updated in August 2013.

IBIA has directed comments towards the following question raised by NIST in the Call for Comments: “What requirements, processes, standards, or technologies are currently excluded from 800-63-2 that should be considered for future inclusion?”

IBIA believes that 800-63-2, and its predecessor versions, defined a very narrow role for biometrics in e-authentication, and that biometrics should have a greater role – including server-based matching – in light of changes that have occurred since SP 800-63 was first published.

IBIA’s rationale included the following:

Advances in biometric technology make it possible to design effective systems that include biometrics as a recognized authentication token.

PINs and passwords are more likely to be compromised than biometrics.

Server-based biometric verification has been included by NIST in a successful pilot demonstration under the National Strategy for Trusted Identities in Cyberspace (NSTIC) program.

Biometrics are being included today in multi-factor authentication applications that demonstrate similar (if not better) risk profiles than other NIST-approved methods.

Biometric verification has been found to provide a very quick and easy user experience, which serves to encourage its use.

According to Walter Hamilton, IBIA’s Vice Chairman, “There has been a surge in the use of biometric technologies for mobile banking and other e-authentication applications. We believe that NIST should support this trend by providing guidance on how to ensure the effective implementation of biometrics as an authentication token rather than narrowly limiting its use.”