231 – Implement a biometric verification component

Summary

Systems with critical information must implement a component for biometric verification during the authentication process.

Description

Biometric authentication relies on the unique biological characteristics of an individual and serves as an additional security measure for identity assertion. Critical systems must have specially restrictive access controls. Therefore, they should include a biometric verification component to increase the security of the authentication process. This component, however, should not be the only identity assertion mechanism in place, but rather only be a secondary factor.

Supported In

Essential: True

Advanced: True

References

• CWE-308. Use of single-factor authentication
• GDPR-R64. Identity verification
• HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
• HIPAA-164_312_d. Standard: person or entity authentication
• NIST80063-5_2_3. Use of biometrics
• SOC2-CC6_1. Logical and physical access controls
• SOC2-CC6_4. Logical and physical access controls
• FACTA-157-A. Study on the use of technology to combat identity theft
• NYSHIELD-5575_B_2. Personal and private information
• NYDFS-500_12. Multi-factor authentication
• MITRE-M1025. Privileged process integrity
• PADSS-3_1_4. Application employs methods to authenticate all users
• HITRUST-08_b. Physical entry controls
• FEDRAMP-PE-3. Physical access control
• WASC-W_01. Insufficient authentication
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• ASVS-2_8_7. One time verifier
• PCI-9_4_1. Media with cardholder data is securely stored and accessed
• SIG-F_1_4_2. Physical and environmental security
• ASVS-2_2_2. General authenticator security
• ASVS-2_2_7. General authenticator security
• ASVS-2_3_2. Authenticator lifecycle
• ASVS-4_3_1. Other access control considerations
• CASA-4_3_1. Other Access Control Considerations
• RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
• RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• OWASPMASVS-AUTH-2. The app performs local authentication securely according to the platform best practices
• OWASPMASVS-AUTH-3. The app secures sensitive operations with additional authentication

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image
• 006 – Authentication mechanism absence or evasion
• 081 – Lack of multi-factor authentication

Last updated

2024/01/18