2025-06-12 IAWG Meeting Notes DRAFT

Meeting Status Metadata

Quorum: quorate
Notes-Status: Ready for review
Approved-Link: (none)


Agenda

  1. Administration:
     • Roll call, determination of quorum.
     • Minutes approval - deferred
     • Kantara Updates
  2. IAWG Actions/Reminders/Updates:
  3. Items for discussion
     1. Status of ‘comparable alternatives’ discussion
     2. Biometrics as a second factor
  4. AOB

Attendees

Voting:
  Participant              Organization     Presence
  Hughes, Andrew           FaceTec          Present
  Jung, Jimmy              Slandala         Present
  Silberstein, Yehoshua    Proof            Present
  Wilsher, Richard         Zygma Inc.       Present
  Magrath, Michael         Easy Dynamics    Present
  Stojkovski, Vladimir     CLEAR
  Donald, India            GSA              Present

Nonvoting:
  Participant              Organization     Presence
  Brown, Wendy             FPKIMA           Present
  Bachenheimer, Dan
  Brown, Cynetheia         FPKIMA           Present
  Jones, Scott                              Present

Staff:
  Participant              Organization     Presence
  Kay Chopard              Kantara          Present

Guests:
  (none listed)

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are <<nn>> voters as of <<YYYY-MM-DD>>

Approval of Prior Minutes

Deferred

Discussion topics

Item: Status of ‘comparable alternatives’
Presenter: (none listed)
Notes: Waiting to gather a group of CSPs into the discussion.

Item: Biometrics as a second factor
Presenter: Jimmy
Notes:

Biometrics as a second factor: In AAL2 you can use a multifactor authenticator or a combination of two single-factor authenticators. CSPs using a combination of two single-factor authenticators typically use a memorized secret and a second factor as described in 63B 4.2.1 and our criteria. But 4.2.1 also allows a biometric to be used, describing this in a complicated note. Because our process for generating criteria generally extracted the “shall” statements, this did not make it into our criteria and may call for an update.

  • What change to the IAWG criteria could be envisioned?
  • Today, Kantara does not permit “biometrics” to be the second factor.
  • 63B#070 (4.2.1 Note)
  • The note seems to say that use of a biometric is not a full factor - it’s intended for device unlock.
  • Note that 5.2.3 conformance is required regardless.
  • Discussion about server-side vs device-side biometrics and the relationship to single-factor vs multi-factor authenticators.

From 63-4 draft:

The presentation of a biometric factor for authenticator activation SHALL be a separate operation from unlocking the host device (e.g., smartphone). However, the same activation factor used to unlock the host device MAY be used in the authentication operation. Agencies MAY lower this requirement for authenticators that are managed by or on behalf of the CSP (e.g., via mobile device management) and constrained to have short agency-determined inactivity timeouts and biometric systems that meet the above requirements

  • ACTION: Jimmy to propose changes to criteria to accommodate the concern so that the IAWG can discuss.

 

Item: Evidence analysis
Presenter: Jimmy
Notes:

Evidence analysis: In 2023, in an effort to simplify the process of dealing with table T5-1, the IAWG decided to accept the NIST Notional Strength of Identity Evidence in the 800-63-3 Implementation Resources (Notice #23-01). Sometime after that I threw a casual note into the IAWG email threads noting that a closer look at the Notional Strength of Identity Evidence was not as helpful as we thought. The Validation requirements (and in particular the lack of an AAMVA equivalent for any evidence besides DLs) make confirming details by comparison with information held or published by the issuing source or authoritative source impossible in most cases. One could argue that AAMVA-validated evidence is the ONLY STRONG or STRONG+ evidence there is for unsupervised proofing, making TWO STRONG impossible. I’m not sure what the right move is here; perhaps start with a review of typical evidence against the T5 criteria? An articulation of what qualifies as authoritative? Suggestions for compensating controls that might help fill in the gaps? This is front of mind for me, as I have had two clients reminding me that only 90% of Americans have driver’s licenses and not everyone plays in AAMVA.

Open Action items

Decisions