v5.0.0: 6.5.7 conflict with NIST SP 800-63B-4

Open narfbg opened this issue 2 months ago • 11 comments

V6.5 General Multi-factor authentication requirements (as of time of this issue):

| # | Description | Level |
|---|---|---|
| 6.5.7 | Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know. | 3 |

NIST SP 800-63B-4; 3.2.3. Use of Biometrics: (last paragraph, no changes between 2nd public draft and final)

> Biometrics SHALL only be used as part of multi-factor authentication with a physical authenticator (i.e., “something you have”). The biometric characteristic SHALL be presented and compared for each authentication operation. An alternative non-biometric authentication option SHALL always be provided to the subscriber. Biometric data SHALL be treated and secured as sensitive personal information.

I have bolded only the direct contradiction above, but the full paragraph adds more context to NIST's rationale, which I'm happy to extrapolate if necessary, but it seems obvious enough.

narfbg, Nov 20 '25 21:11