
Zeroizing vs. reuse of activation factors

Open jimfenton opened this issue 4 years ago • 0 comments

-63B Section 5.1.9.1 says:

Each authentication operation using the authenticator SHOULD require the input of the additional factor.

This seems somewhat at odds with a later statement in the section:

The unencrypted key and activation secret or biometric sample — and any biometric data derived from the biometric sample such as a probe produced through signal processing — SHALL be zeroized immediately after an authentication transaction has taken place.

If the latter statement is a SHALL, it seems like the earlier one would need to be a SHALL as well. It's possible that the activation factor is resent from the host endpoint being authenticated, and that the zeroization requirement doesn't apply there. But this should be clarified.

jimfenton, Feb 27 '20 01:02