Standards for secure biometrics systems

Biometrics includes physical or behavioural human characteristics such as fingerprints, facial patterns, voice or signature, which are unique to individuals. They can be used digitally to identify and allow people access to countries, buildings, systems and devices.

Fingerprint scanner at US airport
US-VISIT mechanism records all 10 fingerprint images (Photo: wikimedia, U.S. Customs and Border Protection)

For people who struggle to remember passwords or have certain physical disabilities, biometrics can simplify life. They are being used in a growing number of applications and offer contactless solutions, which are helping to stop the spread of COVID-19.

There are many examples. Used in airports and border control systems, facial recognition scans identify nationals and allow them to leave one country and enter another. In other situations, this technology can open doors and give approved users access to high-level security areas. In homes, voice recognition is used to control heating, lighting and entertainment systems, and many of us use it to do rapid information searches. Fingerprints offer a quick way to open smartphones and iPads.

Though biometric characteristics are harder to replicate, there are some security concerns surrounding systems that use them. One of the challenges with biometric system capture devices is that someone who wants to breach them needs no knowledge of the internal operating system.

For example, someone could use a fake fingerprint or facial covering to gain access to a system, either to impersonate someone else or conceal his or her own identity. This is known as a presentation attack.

e-tech spoke with Mike Thieme, editor of two international standards developed by the IEC and ISO joint technical committee for biometrics. The standards include ISO/IEC 30107-3, which covers testing and reporting for biometric presentation attack detection (PAD), and ISO/IEC 30107-4, which looks at the approach taken for new requirements related to PAD testing in mobile devices.

What is biometric presentation attack detection?

Many people are familiar with the idea that a fake fingerprint, a mask, or even a voice recording can be used to gain unauthorized access to a biometric system. For most of the history of commercial biometric technologies, biometric devices, such as fingerprint sensors, have claimed to be able to detect when these "attacks" occur. However, some devices are much better than others. We refer to the ability to detect attacks as biometric presentation attack detection (PAD). We call the item used to conduct an attack a presentation attack instrument (PAI).

Also, this concept is not limited just to fake or artificial attacks like a mask. It also includes cases where individuals damage their biometric characteristics. The classic example of this is people who damage their fingerprints to avoid detection in a search against a fingerprint database, such as in criminal applications.

What are some of the challenges?

Attackers with access to biometric hardware and software, and with time and money, can build highly realistic fake biometrics that are difficult to detect. For example, a fingerprint device might look for certain ways that the finger absorbs and reflects light. With enough time, attackers can reverse-engineer the aspects that are relevant to biometric presentation attack detection.

However, this is only part of the challenge. Maybe a bigger issue is that biometric attacks are rare. Most biometric transactions are normal in the sense that it's just the authorized person using the device (for example, trying to unlock an iPhone).

This means that biometric system developers cannot make presentation attack detection too aggressive or sensitive. If they did, legitimate users would be rejected too often, which would be unacceptable. Finding the right trade-off here is difficult.

What does Part 4 of the standard do?

ISO/IEC 30107-3 sets presentation attack detection (PAD) performance assessment methodologies for the entire realm of biometric systems, which ranges from national ID to desktop security. Part 3 also considers cases where the presentation attack detection is a separate, standalone subsystem.

Mobile devices are a small but important subset of the overall PAD problem space. We needed a profile that pulls out the sections and requirements of Part 3 which are applicable to mobile devices and makes it easier for testers who want to focus on mobile devices.

For example, mobile devices are complete systems - you can't reasonably take them apart and figure out which part of the device is working well. The test needs to evaluate the full system, with real-time interaction. This is a special case.

ISO/IEC 30107-4 does this and establishes additional requirements, not included in Part 3. For each requirement, it defines an approach for PAD testing for mobile devices.

What are some of the additional requirements for testing mobile devices?

For mobile devices, the evaluation is almost always limited to a small number of subjects, perhaps a couple hundred, due to the real-time requirement. This small sample size means that it would be difficult to validate performance down to very low error rates, such as 0.01%.

Further, if a presentation attack instrument (PAI) “fails” – meaning that it does not match against its intended target – it is difficult to determine whether the failure was due to a biometric mismatch or due to detection of a PAI. So specific metrics are needed that combine these two failure cases into one. 

Can you talk about the different roles in PAD testing?

One of the most interesting aspects of PAD testing is the different roles that individuals might occupy. These roles can be ambiguous and complex. The individual presenting the PAI to a mobile device – the PAI presenter – might affect PAD performance if their real biometric characteristic can be detected underneath the PAI, or if they are not skilled at using the mobile device. An additional role is the PAI source, or the individual whose biometric characteristics are used to create the PAI. This is the “donor” of the fake fingerprint, for example. And perhaps the most important role is that of the PAI creator, who builds or formulates PAIs using both creativity and engineering skills. Each role contributes to the overall assessment methodology and needs to be taken into careful consideration.
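
The sample-size limit and the combined failure metric mentioned in the answer on additional mobile-device requirements can be worked through numerically. The following is an added example, not part of the interview or of the ISO/IEC 30107 text; the function names, the 95% confidence level, the assumption of independent trials and the constructed outcome list are all assumptions made for illustration.

```python
from math import ceil, comb, log

def binom_cdf(k, n, p):
    """P[X <= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_bound(errors, trials, confidence=0.95):
    """Exact one-sided (Clopper-Pearson) upper bound on the true error rate."""
    if errors >= trials:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(errors, trials, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi

def trials_needed(target_rate, confidence=0.95):
    """Error-free independent trials needed to support a rate <= target_rate."""
    return ceil(log(1 - confidence) / log(1 - target_rate))

def attack_accept_rate(outcomes):
    """Share of PAI presentations the full system accepted. Any rejection counts
    once, whether PAD or the biometric comparison caused it."""
    return sum(o == "accept" for o in outcomes) / len(outcomes)

# Constructed sample (hypothetical): 200 PAI presentations, 3 accepted.
SAMPLE = ["accept"] * 3 + ["reject"] * 197

if __name__ == "__main__":
    print(f"0 errors in 200 trials: rate <= {upper_bound(0, 200):.4%}")
    print(f"trials needed for 0.01%: {trials_needed(0.0001)}")
    rate = attack_accept_rate(SAMPLE)
    print(f"observed accept rate {rate:.2%}, upper bound {upper_bound(3, 200):.2%}")
```

With a couple hundred error-free trials the result only supports an error rate of about 1.5%, while supporting 0.01% would take roughly 30,000 trials, which is the gap the answer describes.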