This TD addresses 2 issues:  

 1.    The MDFPPv3 includes FIA_UAU.5.1 which allows a selection of alternate authentication mechanisms such as biometrics.  FIA_UAU.5 is not identified as extended (e.g., FIA_UAU_EXT.5) and as such it appeared FIA_UAU.5.2 from the CC is missing.

2.      The application note for FIA_UAU.5.1, implied that if the TSF supported hybrid authentication, it must also support a biometric fingerprint separately. If a PIN must be used to protect the authentication template (FDP_PBA_EXT.1), thus hybrid authentication, a biometric fingerprint cannot be used separately.

FIA_UAU.5.1 The TSF shall provide password and [selection: biometric fingerprint, hybrid, no other mechanism] to support user authentication.

Application Note: The TSF must support a Password Authentication Factor and may optionally implement a Biometric Authentication Factor, in the form of a fingerprint. A hybrid authentication factor is where a user has to submit a combination of PIN and biometric sample where both have to pass and if either fail the user is not made aware of which factor failed.

If “hybrid” is selected, “biometric fingerprint” does not need to be selected, but should be selected if the biometric fingerprint can be used separate of hybrid authentication, i.e., without having to enter a PIN.

If “biometric fingerprint” or “hybrid” is selected, then FIA_BMG_EXT.1 and FDP_PBA_EXT.1 must be included in the ST.

If “using a PIN as an additional factor” is selected in FDP_PBA_EXT.1.1, then “hybrid” shall be selected.

In the future, additional biometric modalities may be included as approved authentication mechanisms. These other modalities may be present on the TOE, but will not be evaluated in this version.

The Password Authentication Factor is configured according to FIA_PMG_EXT.1.

FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the [assignment: rules describing how each authentication mechanism provides authentication].

Application Note: For all authentication mechanisms specified in FIA_UAU.5.1, the TSS shall describe the rules as to how each authentication mechanism is used. Example rules are how the authentication mechanism authenticates the user (i.e. how does the TSF verify that the correct password or biometric fingerprint was entered), the result of a successful authentication (i.e. is the user input used to derive or unlock a key) and when each authentication mechanism can be used (i.e. if there are times, for example, after a reboot, that only specific authentication mechanisms can be used).

Assurance Activity:

The evaluator shall ensure that the TSS describes each mechanism provided to support user authentication and the rules describing how the authentication mechanism(s) provide authentication.

The evaluator shall verify that configuration guidance for each authentication mechanism is addressed in the AGD guidance.

Test 1: For each authentication mechanism selected, the evaluator shall enable that mechanism and verify that at lock screen the user can authenticate using that mechanism.

Test 2: For each authentication mechanism rule the evaluator shall ensure that the authentication mechanisms behave accordingly.

1.      FIA_UAU.5.2 from the CC was missing.

2.      Modified application note for FIA_UAU.5.1 to allow biometric fingerprint and/or hybrid to be selected.