NIST 800-53 REV 5 • ACCESS CONTROL

AC-7(3) Biometric Attempt Limiting

Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors.

Practitioner Notes

Biometric authentication (fingerprint, face recognition) also needs a failure limit. After too many failed biometric attempts, the system should fall back to a knowledge-based factor and potentially lock the account.

Example 1: In Windows Hello for Business, configure the GPO at Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business → "Use biometrics". Windows automatically falls back to PIN entry after 5 failed biometric attempts, and the PIN is subject to the account lockout policy.

Example 2: In Intune, create a device restriction profile that limits biometric unlock attempts. For Android Enterprise, configure Device password → Number of sign-in failures before wiping device to cover both biometric and PIN failures.
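The logon flow described in the practitioner notes, written out as an added example (constructed for this page, not taken from Windows, Intune or NIST): biometric failures are capped at the AC-7(3) organization-defined value, after which the biometric factor is refused and the user must use a PIN, whose failures then count toward the ordinary AC-7 account lockout. Both limits and the "pin"/"biometric" labels are assumptions.

```python
"""Illustrative biometric attempt limiter for AC-7(3) (constructed example)."""
from dataclasses import dataclass

BIOMETRIC_LIMIT = 5    # stands in for the ac-07.03_odp value (assumed)
PIN_LOCKOUT_LIMIT = 10  # ordinary AC-7 lockout threshold for the fallback factor (assumed)


@dataclass
class LogonSession:
    """Tracks failures per factor for one logon session/account."""
    biometric_failures: int = 0
    pin_failures: int = 0
    locked: bool = False

    def allowed_factor(self) -> str:
        """Which factor the logon UI should offer right now."""
        if self.locked:
            return "locked"
        if self.biometric_failures >= BIOMETRIC_LIMIT:
            return "pin"  # biometric budget exhausted: knowledge-based fallback only
        return "biometric"

    def attempt(self, factor: str, matched: bool) -> str:
        """Record one authentication attempt and return the decision.

        `factor` is "biometric" or "pin"; `matched` is the verifier's result.
        A PIN may be used at any time; biometric attempts past the limit are
        refused outright rather than merely counted.
        """
        if self.locked:
            return "locked"
        if factor == "biometric" and self.allowed_factor() != "biometric":
            return "biometric_disabled"
        if matched:
            # Successful logon clears both counters.
            self.biometric_failures = 0
            self.pin_failures = 0
            return "success"
        if factor == "biometric":
            self.biometric_failures += 1
            if self.biometric_failures >= BIOMETRIC_LIMIT:
                return "pin_required"
            return "retry"
        # Knowledge-based factor failed: this counts toward account lockout.
        self.pin_failures += 1
        if self.pin_failures >= PIN_LOCKOUT_LIMIT:
            self.locked = True
            return "locked"
        return "retry"
```
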