We are using a PIV smartcard that has the user's biometric information (fingerprints) encoded on the card to log in to our application. We have the capability to read the fingerprint from a reader and to extract and build the minutiae data from it for the on-card comparison.
During the encoding of the card, the minutiae of all 10 fingerprints are encoded, and the user also chooses any 2 fingers that he/she wishes to use for authentication in our application. So our application has captured this information.
Since all 10 fingerprints are available, any finger can be used for authentication, and since the card only allows a certain number of tries for authentication before it gets locked out, we wanted to make sure the user is using the right finger to log in.
To support this, we have 2 ways to do it:
- Have a dropdown of all the fingers (RightIndex, LeftIndex, …) on our login page so that the user can tell the authentication mechanism which finger he/she is presenting (the one he/she chose earlier), and our application would know which finger to compare against the card.
- Only show the 2 fingers the user chose in the dropdown (by identifying the user from the card identification number).
Prompting the users for which finger to present is stated in the NIST document here, Section 5.5.1 (below table 8).
> PIV readers involved in on-card and off-card authentication attempts shall heed Table 8 to correctly prompt users for which finger to present.
My question is, what does the above statement mean? Is it describing approach 1 or approach 2 from above?
I think approach 2 may be a security risk, as we are giving away which fingers the user has chosen for authentication.
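As an added example (not part of the question above and not from any PIV product), the following Python model shows the difference between the two prompting options and how a wrong-finger pre-check keeps a legitimate user from burning the card's retry counter. The finger position numbering (1 = right thumb … 10 = left little) is the ANSI/NIST finger-position convention that NIST SP 800-76 Table 8 uses, as I understand it; check your own copy of the document. The card class, its retry limit of 5, the CHUID value and the byte-string "matching" are all constructed stand-ins for illustration.

```python
# Added example: a constructed model of the finger-prompt and on-card
# comparison (OCC) flow described in the question.  Nothing here talks
# to a real card; MockPivCard, its retry limit and the template bytes
# are invented stand-ins.
from __future__ import annotations
from dataclasses import dataclass

# Finger position codes (ANSI/NIST convention, assumed to match Table 8).
FINGER_POSITIONS = {
    1: "Right thumb", 2: "Right index", 3: "Right middle", 4: "Right ring",
    5: "Right little", 6: "Left thumb", 7: "Left index", 8: "Left middle",
    9: "Left ring", 10: "Left little",
}

RETRY_LIMIT = 5  # assumed value; real cards have their own counter


@dataclass
class MockPivCard:
    """Constructed stand-in for a PIV card with on-card comparison."""
    chuid: str
    templates: dict[int, bytes]   # finger position -> enrolled template
    retries_left: int = RETRY_LIMIT

    def is_locked(self) -> bool:
        return self.retries_left <= 0

    def compare(self, position: int, sample: bytes) -> bool:
        """Simulated OCC: every failed comparison consumes one retry,
        a successful one resets the counter (behaviour assumed)."""
        if self.is_locked():
            raise RuntimeError("card is locked")
        if self.templates.get(position) == sample:
            self.retries_left = RETRY_LIMIT
            return True
        self.retries_left -= 1
        return False


def prompt_all_fingers() -> list[str]:
    """Approach 1: list all ten fingers; reveals nothing about the user."""
    return [FINGER_POSITIONS[p] for p in sorted(FINGER_POSITIONS)]


def prompt_enrolled_fingers(enrollment: dict[str, set[int]], chuid: str) -> list[str]:
    """Approach 2: look up the user's chosen fingers by card identifier.
    The returned list discloses which fingers were chosen."""
    return [FINGER_POSITIONS[p] for p in sorted(enrollment.get(chuid, set()))]


def attempt_login(card: MockPivCard, enrollment: dict[str, set[int]],
                  position: int, sample: bytes) -> tuple[str, int]:
    """Return (outcome, retries_left).  A finger the user did not enrol
    for OCC is rejected before the card is asked, so it costs no retry."""
    if card.is_locked():
        return ("locked", card.retries_left)
    if position not in enrollment.get(card.chuid, set()):
        return ("wrong_finger", card.retries_left)
    if card.compare(position, sample):
        return ("match", card.retries_left)
    return ("locked" if card.is_locked() else "no_match", card.retries_left)


if __name__ == "__main__":
    # Constructed user: chose right index (2) and left index (7) at enrolment.
    card = MockPivCard("CHUID-0001", {2: b"tpl-right-index", 7: b"tpl-left-index"})
    enrollment = {card.chuid: {2, 7}}
    print("approach 1 prompt:", prompt_all_fingers())
    print("approach 2 prompt:", prompt_enrolled_fingers(enrollment, card.chuid))
    print(attempt_login(card, enrollment, 3, b"anything"))          # wrong finger, no retry spent
    print(attempt_login(card, enrollment, 2, b"bad-sample"))        # retry spent
    print(attempt_login(card, enrollment, 2, b"tpl-right-index"))   # match, counter reset
```

One caveat worth noting from a defender's point of view: the `wrong_finger` response in `attempt_login` leaks the same information as the approach 2 dropdown (an attacker with the card can probe which positions are accepted), so if you keep such a pre-check, log and rate-limit those responses rather than treating them as harmless.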