NIST Guidelines Require Second Auth Factor When Using Biometrics

by Thomas Betts on Feb 13, 2017. Estimated reading time: 1 minute


On January 30, the National Institute of Standards and Technology (NIST) released a public draft of new Digital Identity Guidelines. Described as "a significant update from past revisions," the new guidelines reflect evolving industry innovation and more advanced threats since the publication of the Electronic Authentication Guideline in August 2013.

One of the motivations for revising the guidelines was an Executive Order issued by President Obama in October 2014, requiring "…that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."

The guidelines describe acceptable use of multi-factor authentication (MFA), comprising a combination of something you know (e.g. a password), something you have (e.g. a cryptographic key) and/or something you are (biometric data). Furthermore, when biometric data is used as one authentication factor, it must be combined with something you have.

During a call for feedback on the previous NIST guideline, Hitoshi Kokumai, President of Mnemonic Security, Inc., provided recommendations regarding safe use of biometrics. He appreciates the new requirement that does not permit falling back to a password.

Hitoshi Kokumai - "Users of biometric products, if they are security-conscious, are advised to turn off the biometrics when a password login is offered as a fallback means. The password-only authentication is securer. They could keep the biometrics with a fallback password activated only where they are happy with 'below-password-only' security in return for better convenience."
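An added example, not part of the article or of the NIST guidelines: a small Python policy check that applies the two rules above (two distinct factor types, and a biometric only alongside something you have) to every login path a system offers, so a password fallback is judged as a path of its own rather than ignored. The factor names and sample configurations are constructed for illustration.

```python
"""Added example (not from the article or from NIST): does an authentication
configuration meet the factor rules the article describes?"""
from enum import Enum
from typing import FrozenSet, List, Tuple

class Factor(Enum):
    KNOWLEDGE = "something you know"    # e.g. a password
    POSSESSION = "something you have"   # e.g. a cryptographic key
    INHERENCE = "something you are"     # biometric data

# A path is the set of factors one login attempt must present. A system that
# offers a fallback exposes several paths; whoever attacks it picks the weakest,
# so the configuration is only as strong as its weakest enabled path.
Path = FrozenSet[Factor]

def check_path(path: Path) -> List[str]:
    """Reasons a single path fails the described MFA rules (empty if it passes)."""
    problems = []
    if len(path) < 2:
        problems.append("single factor: MFA needs two distinct factor types")
    if Factor.INHERENCE in path and Factor.POSSESSION not in path:
        problems.append("biometric must be combined with something you have")
    return problems

def check_config(paths: List[Path]) -> Tuple[bool, List[str]]:
    """Accept a configuration only if every enabled login path passes."""
    findings = []
    for path in paths:
        label = "+".join(sorted(f.name.lower() for f in path))
        for problem in check_path(path):
            findings.append(f"{label}: {problem}")
    return (not findings, findings)

# Constructed configurations, not taken from any real product.
BIOMETRIC_WITH_PASSWORD_FALLBACK = [   # fingerprint, or password if that fails
    frozenset({Factor.INHERENCE}),
    frozenset({Factor.KNOWLEDGE}),
]
BIOMETRIC_WITH_KEY = [frozenset({Factor.INHERENCE, Factor.POSSESSION})]
BIOMETRIC_PLUS_PASSWORD = [frozenset({Factor.INHERENCE, Factor.KNOWLEDGE})]

if __name__ == "__main__":
    for name, cfg in [("fingerprint or password fallback", BIOMETRIC_WITH_PASSWORD_FALLBACK),
                      ("fingerprint + hardware key", BIOMETRIC_WITH_KEY),
                      ("fingerprint + password", BIOMETRIC_PLUS_PASSWORD)]:
        ok, findings = check_config(cfg)
        print(name, "->", "acceptable" if ok else "; ".join(findings))
```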

The guidelines are available for a public comment period until . NIST is using a GitHub repo for editor collaboration and public comment. The full text of the guidelines and instructions for commenting are available at
