Implement a biometric verification component
Summary
Systems with critical information must implement a component for biometric verification during the authentication process.
Description
Biometric authentication relies on the unique biological characteristics of an individual and serves as an additional security measure for identity assertion. Critical systems must have especially restrictive access controls. Therefore, they should include a biometric verification component to increase the security of the authentication process. This component, however, should not be the only identity assertion mechanism in place; it should only be a secondary factor.
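As an added illustration of the "secondary factor only" rule (example code, not part of this requirement or of any product it describes), the flow below accepts a biometric probe only after a knowledge factor has already passed, and locks the biometric factor after a run of failed probes. The match threshold, the failure budget, the cosine-similarity matcher and the sample feature vectors are all assumptions constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

MATCH_THRESHOLD = 0.95       # assumed policy: minimum matcher similarity to accept a probe
MAX_BIOMETRIC_FAILURES = 5   # assumed policy: consecutive failed probes before lockout

@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    template: list           # enrolled biometric feature vector (constructed sample data)
    failed_probes: int = 0
    biometric_locked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, template: list) -> Account:
    salt = b"constructed-salt"   # a real system draws this from os.urandom()
    return Account(hash_password(password, salt), salt, template)

def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))

def similarity(a: list, b: list) -> float:
    # Cosine similarity stands in for a real biometric matcher (assumption).
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sum(x * x for x in a) ** 0.5, sum(x * x for x in b) ** 0.5
    return dot / (na * nb) if na and nb else 0.0

def verify_biometric(acct: Account, probe: list) -> bool:
    if acct.biometric_locked:
        return False
    if similarity(acct.template, probe) >= MATCH_THRESHOLD:
        acct.failed_probes = 0
        return True
    acct.failed_probes += 1
    if acct.failed_probes >= MAX_BIOMETRIC_FAILURES:
        acct.biometric_locked = True   # refuse further probes until an out-of-band reset
    return False

def authenticate(acct: Account, password: str, probe) -> str:
    # Knowledge factor first and on its own; the biometric probe is evaluated only after
    # it passes, so a match never grants access alone and cannot be used to burn the budget.
    if not verify_password(acct, password):
        return "denied"
    if probe is None or not verify_biometric(acct, probe):
        return "denied"
    return "granted"
```

Checking the password before touching the biometric matcher also means an unauthenticated caller cannot lock a victim's biometric factor by submitting junk probes.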
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-308. Use of single-factor authentication
- GDPR-R64. Identity verification
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- HIPAA-164_312_d. Standard: person or entity authentication
- NIST 800-63B-5_2_3. Use of biometrics
- SOC2®-CC6_1. Logical and physical access controls
- SOC2®-CC6_4. Logical and physical access controls
- FACTA-157-A. Study on the use of technology to combat identity theft
- NY SHIELD Act-5575_B_2. Personal and private information
- NYDFS-500_12. Multi-factor authentication
- MITRE ATT&CK®-M1025. Privileged process integrity
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- HITRUST CSF-08_b. Physical entry controls
- FedRAMP-PE-3. Physical access control
- WASC-W_01. Insufficient authentication
- OWASP MASVS-V4_8. Authentication and session management requirements
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- OWASP ASVS-2_8_7. One time verifier
- PCI DSS-9_4_1. Media with cardholder data is securely stored and accessed
- SIG Core-F_1_4_2. Physical and environmental security
- OWASP ASVS-2_2_2. General authenticator security
- OWASP ASVS-2_2_7. General authenticator security
- OWASP ASVS-2_3_2. Authenticator lifecycle
- OWASP ASVS-4_3_1. Other access control considerations
- CASA-4_3_1. Other Access Control Considerations
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 081. Lack of multi-factor authentication
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image