NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(17) — Presentation Attack Detection for Biometric Authenticators
Employ presentation attack detection mechanisms for biometric-based authentication.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web accesses, taking a picture of someone with a camera phone to obtain facial images with or without their knowledge, lifting from objects that someone has touched (e.g., a latent fingerprint), or capturing a high-resolution image (e.g., an iris pattern). Presentation attack detection technologies, including liveness detection, can mitigate the risk of these types of attacks by making it difficult to produce artifacts intended to defeat the biometric sensor.
Practitioner Notes
This enhancement requires presentation attack detection for biometric authenticators: the system must be able to detect spoofing attempts such as the use of a photo or a fake fingerprint.
Example 1: Use Windows Hello Enhanced Sign-in Security cameras with IR sensors that detect whether a live face is present rather than a photograph or mask.
Example 2: Select fingerprint readers with liveness detection that can distinguish between a real finger and a silicone replica or printed fingerprint.