
We are using a PIV smartcard that has the user's biometric information (fingerprints) encoded on the card to log in to our application. We have the capability to read the fingerprint from a reader and extract and build the minutiae data from it for the on-card comparison.

During the encoding of the card, the minutiae of all 10 fingerprints are encoded, and the user also chooses any 2 fingers that he/she wishes to use for authentication in our application. So our application has captured this information.

Since all 10 fingerprints are available, any finger can be used for authentication, and since the card only allows a certain number of tries before it locks out, we want to make sure the user is using the right finger to log in.

To support this, we have 2 ways to do it:

  1. Have a dropdown of all the fingers (RightIndex, LeftIndex, ...) on our login page to choose from, so that the user can tell the authentication mechanism which finger he/she is presenting (which he/she chose earlier), and our application would know which finger to compare against the card.
  2. Only show the 2 fingers the user chose in the dropdown (by identifying the user from the card identification number).

Prompting the users for which finger to present is stated in the NIST document here, Section 5.5.1 (below Table 8).

It states:

PIV readers involved in on-card and off-card authentication attempts shall heed Table 8 to correctly prompt users for which finger to present.

My question is, what does the above statement mean? Is it stating the approach 1 or 2 from above?

I think approach 2 may be a security risk, as we are giving out what fingers the user has chosen for authentication.

  • Or ask for all 5 in a sequence and only check the relevant fingers... – schroeder Sep 07 '21 at 13:40
  • Are you asking about what NIST means or which UI logic to use? The former is easy to answer. The latter is more of a UX question. – schroeder Sep 07 '21 at 13:48
  • @schroeder We are trying to figure out which UI logic to use that wouldn't violate any security standards. From reading the NIST doc, I understand that there has to be a prompt to the user to choose the finger, but we are stuck on deciding what values to show in the drop-down. Show all the finger types or just the 2 user-selected fingerprints chosen during the user enrollment (different values for different users)? From our basic security understanding, we are under the assumption that showing the 2 fingers the user chose is a security gap, so we are trying to see if NIST has an answer to this. – always_a_rookie Sep 07 '21 at 14:13
  • I've answered below about how what you've quoted applies (it doesn't). Asking for specific fingers is not a "security gap" as you call it. It might be a weakness, depending on your threat profile. But if I can duplicate one finger, then I can duplicate them all, except in very corner cases. – schroeder Sep 07 '21 at 14:34

2 Answers


Given the rest of the context of the NIST document, I'm not sure it means anything you've suggested.

I think your quoted text is simply saying that the prompt should be consistent with the wording used in table 8.

It doesn't make sense that NIST would dictate the logic for you to implement certain prompts, but rather, it would dictate the wording used on those prompts so that there is system interoperability (i.e. wording) and users don't get confused when you come up with your own wording (e.g. "pinky finger").

That whole section is about normative values for interoperability between systems.

schroeder

PIV readers involved in on-card and off-card authentication attempts shall heed Table 8 to correctly prompt users for which finger to present.

Table 8 lists the encodings for finger selection in a fingerprint database. For example, if a PIV reader is going to do on-card comparison, the database encodes the finger selection in ISO/IEC 19785-3:2007, so if the database entry lists fingers 0x05 and 0x06, this means the left and right thumb respectively.

“correctly prompt users for which finger to present” indicates that the PIV reader is supposed to let the user know which finger to present. You're supposed to only use two specific fingers chosen at enrollment time, not to let the user choose any of the ten fingers at authentication time.

Furthermore, you're only expected to ask for one of those two fingers each time. I can't find this stated explicitly, but the text from §5.5.1 quoted above does state “which finger” (singular), and §10.3 table 16 discusses false match rates for a single finger. §10.5 explicitly allows requiring two fingers to match (instead of the default, which would implicitly be a single finger) for higher security, but also allows expecting only one of two fingers to match in combination with a more stringent comparison threshold.

Gilles 'SO- stop being evil'
  • Makes sense, and the quoted statement doesn't give out the specific way like you said. As a matter of fact, my colleague and I interpreted the exact statement in two different ways. I guess for us, it could depend on what our customer is comfortable with. Do you think prompting the users with their chosen fingers will not be considered a security gap? – always_a_rookie Sep 08 '21 at 14:48
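The prompting flow described in the answer above, as an added Python model that is not code from the thread, from NIST, or from any PIV middleware. It contrasts the question's approach 1 (a 10-finger dropdown where a mis-pick costs a card retry) with the answer's reading (the host names exactly one enrolled finger per attempt, so only one finger name is ever shown). Everything in it is constructed: the finger names follow the question's RightIndex/LeftIndex style, the card's retry counter and its reset-on-success behaviour are assumptions, the hypothetical `SimulatedCard`, `LoginPolicy` and `scenario_*` names are mine, and the numeric finger codes from Table 8 are deliberately not reproduced.

```python
# Added example, not from the thread or from NIST. Models the host-side
# prompting logic and a simulated card retry counter; all data is constructed.
from dataclasses import dataclass

FINGERS = [
    "RightThumb", "RightIndex", "RightMiddle", "RightRing", "RightLittle",
    "LeftThumb", "LeftIndex", "LeftMiddle", "LeftRing", "LeftLittle",
]

MAX_RETRIES = 3  # constructed value; a real card exposes its own counter


class CardLocked(Exception):
    """Raised when the card's biometric retry counter reaches zero."""


@dataclass
class SimulatedCard:
    """Stand-in for the PIV card (hypothetical). templates maps finger name ->
    constructed 'minutiae' bytes, one slot per finger, as all 10 are enrolled."""
    card_id: str
    templates: dict
    retries_left: int = MAX_RETRIES

    def compare(self, finger: str, probe: bytes) -> bool:
        """Simulated on-card comparison against the slot the host names.
        Every mismatch consumes one try, whatever finger was actually presented."""
        if self.retries_left == 0:
            raise CardLocked(self.card_id)
        if self.templates.get(finger) == probe:
            self.retries_left = MAX_RETRIES  # assumption: success resets the counter
            return True
        self.retries_left -= 1
        if self.retries_left == 0:
            raise CardLocked(self.card_id)
        return False


class LoginPolicy:
    """Host-side prompting (hypothetical). enrollment maps card_id -> the two
    fingers the user chose at enrollment."""

    def __init__(self, enrollment: dict):
        self.enrollment = enrollment

    def prompt_for(self, card_id: str, attempt: int) -> str:
        """Name exactly one enrolled finger per attempt, alternating between the
        two, so the prompt never lists more than a single finger."""
        first, second = self.enrollment[card_id]
        return first if attempt % 2 == 0 else second


def make_card(card_id: str = "card-0001") -> SimulatedCard:
    # Constructed templates: every finger is enrolled on the card, as in the question.
    return SimulatedCard(card_id, {f: f"{f}-minutiae".encode() for f in FINGERS})


# Constructed live captures: the reader's probe for each of the user's real fingers.
USER_FINGERS = {f: f"{f}-minutiae".encode() for f in FINGERS}
# Constructed enrollment choice of two fingers for this card.
ENROLLMENT = {"card-0001": ("RightIndex", "LeftThumb")}


def free_choice_login(card: SimulatedCard, claimed_finger: str, probe: bytes) -> bool:
    """Approach 1 from the question: the user picks any of the ten fingers in a
    dropdown and the card compares the probe against that slot."""
    return card.compare(claimed_finger, probe)


def prompted_login(policy: LoginPolicy, card: SimulatedCard, live: dict, attempts: int = 2) -> bool:
    """Reading from the answer: the host names one enrolled finger, the user
    presents it, and the card compares only against that slot."""
    for attempt in range(attempts):
        finger = policy.prompt_for(card.card_id, attempt)
        if card.compare(finger, live[finger]):
            return True
    return False


def scenario_wrong_dropdown_pick():
    """User presents RightIndex but selects LeftIndex in the 10-finger dropdown:
    the comparison fails and a card retry is consumed."""
    card = make_card()
    ok = free_choice_login(card, "LeftIndex", USER_FINGERS["RightIndex"])
    return ok, card.retries_left


def scenario_lockout() -> bool:
    """Repeating the mis-pick MAX_RETRIES times locks the card."""
    card = make_card()
    try:
        for _ in range(MAX_RETRIES):
            free_choice_login(card, "LeftIndex", USER_FINGERS["RightIndex"])
    except CardLocked:
        return True
    return False


def scenario_prompted():
    """Host prompts for one enrolled finger; the user presents it; no retry is spent."""
    card = make_card()
    ok = prompted_login(LoginPolicy(ENROLLMENT), card, USER_FINGERS)
    return ok, card.retries_left


if __name__ == "__main__":
    print("wrong dropdown pick:", scenario_wrong_dropdown_pick())
    print("card locked after repeated mis-picks:", scenario_lockout())
    print("prompted login:", scenario_prompted())
```

The point the model makes is that the card cannot tell which finger was physically placed on the sensor; it only compares against the slot the host names. A free-choice dropdown therefore turns every UI mis-selection into a consumed card retry, while prompting for a single enrolled finger exposes only one finger name per attempt and keeps mismatches down to genuine capture failures.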