SB.9.009 PIN and biometrics
PIN codes are a subset of passwords that usually have limitations to the complexity. Usage of PIN codes in place of passwords is only permitted in a one-to-one relation to physical access (to either hardware or locations). A PIN code is hardware specific, and where possible also user specific.
Biometrics can be used in place of a PIN code if processed on-device and offered as an optional usability feature, meaning a PIN code must be set. Biometric authentication is also subject to rate limiting, and needs to adhere to the guidelines set in NIST Special Publication 800-63 section 5.2.3: https://pages.nist.gov/800-63-3/sp800-63-3.html#sec5. There is no central processing of biometric information and the use is always optional.
Any other use of (centralized) biometric information being processed for authentication needs to be thoroughly and demonstrably assessed for proportionality and privacy risks.
The organisational policy applicable to PIN should contain:
- A PIN code must consist of at least 5 characters
- A PIN code is allowed to consist of only numerical characters
- The limitation that passwords cannot appear on leaked-password lists does not apply to PIN codes
- PIN codes do not need to be rotated periodically
- Rate limiting for PIN codes must be set at 20 consecutive attempts before lockout, or incremental lockout of the hardware device where the time between allowed attempts must be at least 1 minute and increase exponentially after every 5 unsuccessful attempts