Implement a biometric verification component
Summary
Systems with critical information must implement a component for biometric verification during the authentication process.
Description
Biometric authentication relies on the unique biological characteristics of an individual and serves as an additional security measure for identity assertion. Critical systems must have specially restrictive access controls. Therefore, they should include a biometric verification component to increase the security of the authentication process. This component, however, should not be the only identity assertion mechanism in place, but rather only be a secondary factor.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CWEâ„¢-308. Use of single-factor authentication
- GDPR-R64. Identity verification
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- HIPAA-164_312_d. Standard: person or entity authentication
- NIST 800-63B-5_2_3. Use of biometrics
- SOC2®-CC6_1. Logical and physical access controls
- SOC2®-CC6_4. Logical and physical access controls
- FACTA-157-A. Study on the use of technology to combat identity theft
- NY SHIELD Act-5575_B_2. Personal and private information
- NYDFS-500_12. Multi-factor authentication
- MITRE ATT&CK®-M1025. Privileged process integrity
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- HITRUST CSF-08_b. Physical entry controls
- FedRAMP-PE-3. Physical access control
- WASC-W_01. Insufficient authentication
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- OWASP ASVS-2_8_7. One time verifier
- PCI DSS-9_4_1. Media with cardholder data is securely stored and accessed
- SIG Core-F_1_4_2. Physical and environmental security
- OWASP ASVS-2_2_2. General authenticator security
- OWASP ASVS-2_2_7. General authenticator security
- OWASP ASVS-2_3_2. Authenticator lifecycle
- OWASP ASVS-4_3_1. Other access control considerations
- CASA-4_3_1. Other Access Control Considerations
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
- OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- OWASP MASVS-AUTH-2. The app performs local authentication securely according to the platform best practices
- OWASP MASVS-AUTH-3. The app secures sensitive operations with additional authentication
Vulnerabilities
- 006.Authentication mechanism absence or evasion
- 081.Lack of multi-factor authentication
- 240.Authentication mechanism absence or evasion - OTP
- 241.Authentication mechanism absence or evasion - AWS
- 242.Authentication mechanism absence or evasion - WiFi
- 243.Authentication mechanism absence or evasion - Admin Console
- 244.Authentication mechanism absence or evasion - BIOS
- 298.Authentication mechanism absence or evasion - Redirect
- 299.Authentication mechanism absence or evasion - JFROG
- 300.Authentication mechanism absence or evasion - Azure
- 365.Authentication mechanism absence or evasion - Response tampering
- 370.Authentication mechanism absence or evasion - Security Image
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.