Biometric PAD testing benefits from government certification and level playing field: iBeta’s Gail Audette
As in many competitive industries where livelihoods and businesses depend on technology to perform as expected, independent testing can play a critical role in helping customers navigate the biometrics market. Testing for presentation attack detection, as a new and powerful technology, is particularly in demand.
Gail Audette, biometrics project manager for iBeta Quality Assurance, tells Biometric Update in an interview that testing and standards for biometric presentation attack detection (PAD) and liveness detection are still in the process of maturing, and the market around them can be challenging for customers to navigate.
One area of confusion around PAD testing seems to be the levels, which indicate how much effort, expertise and equipment each kind of presentation attack requires.
Originally, the company set up its testing levels based on the lettered levels (A, B and C) proposed by Stephanie Schuckers, which iBeta refers to as levels 1, 2 and 3. The accreditation audit of iBeta’s lab to the ISO/IEC 30107-3 standard was even carried out with level 3 testing in mind.
“However, after going through the audit and talking with our NIST auditor – everything we do is approved by NIST, all of our procedures, processes, everything is provided to them, reviewed and approved – and when we discussed level, our NIST auditor said it’s definitely our business decision whether or not to sponsor level 3,” Audette recalls.
Level 3 will be reviewed and discussed with the auditor during the next review, Audette says, but so far it does not make sense for the lab to become as expert in a single vendor’s application as its developer or patent holder is, which is what effective testing against that class of presentation attack would require. The cost to the client would be prohibitive, Audette points out.
A related part of the reason iBeta has not launched level 3 testing is a concern that uniformity between vendors would be difficult to maintain.
Audette says iBeta’s NIST auditor put the difference between levels in perspective: “It’s a good level of testing for a NIST, or a MITRE, or a lab that truly has, as he put it ‘national technical means.’”
While Audette says that iBeta is always looking to the future, she does not see it offering level 3 testing in 2021.
“The last thing I want to do is charge a vendor too much, take too much time, and not be confident that we can repeat the process for the next vendor,” Audette states. “Part of what we strive so hard to do is treat all of our vendors equally, and test them all on the same level playing field.”
NIST and NVLAP
iBeta is accredited for independent testing by NIST under the National Voluntary Laboratory Accreditation Program (NVLAP), as an unbiased third-party testing and evaluation laboratory in compliance with ISO/IEC 17025 for standards testing.
For labs accredited by NIST, interaction with the agency is infrequent, moving to a two-year audit schedule once approval is granted. iBeta also talks to NIST when new standards are released, Audette notes, and interim audits are carried out as the NVLAP program evolves.
NIST even reviews and approves the wording on iBeta’s website where the company talks about presentation attack detection.
The NVLAP program operators are also concerned about misinformation, and have worked with iBeta to counter it in the past.
“They’ve worked with us when a vendor said something that they were not supposed to,” Audette recounts. “And the NIST PR department actually reached out to the vendor to correct what was being stated on the vendor’s website.”
Still, incorrect claims are seen in the market, coming from customers who may be struggling with the terminology, and sometimes from vendors whose business it is to know better. Audette hopes the advance of sector-specific certifications and the adoption of the ISO standard and FIDO certification help bring some clarity to customers.
iBeta has played a central role in the adoption of PAD testing over the past several years. When the 30107-3 standard was released and iBeta became accredited to test to it by NVLAP, FIDO Alliance Biometric Component Certification had not yet launched. There was no Google Android certification program, and even the original Mastercard certification program had not yet launched.
The near-future of PAD
The future of biometric liveness detection, and presentation attack detection in particular, is far from clear. The technology appears likely to continue increasing in demand, and Audette sees an important role for independent testing to ensure it is met with PAD solutions that are not just robust, but also appropriate to the particular use they are being put to.
“I think the Google Android PAD process is going to potentially drive industry strongly towards their defined PAD testing,” Audette observes. “So I don’t know if our 30107-3 PAD testing to levels 1 and 2 will be in as much demand, as Android requires their certification program. And that would actually be my hope, is that there’s more uniformity.”
Uniformity only extends so far, however. Different tests are still needed to address the different kinds of technologies that are suited to particular subsets of applications. In present market conditions, labs and their certification or compliance programs need to be consumer advocates, and help organizations purchase good products that are appropriate to their needs, according to Audette. Helping customers navigate the market will guide iBeta’s future decisions around PAD testing.
“It’s the wild west, and I think that’s confusing for buyers. So, however the industry turns, we will follow.”
A cell phone biometric application for unlocking a game does not require a 1 in 100,000 false-match rate (FMR), Audette points out.
“I think ultimately it’s the consumers, the purchasers, who need help defining what they need,” she says. “Right now if it’s going to be on an Android device, Android is doing that for them, which is lovely.”
Mastercard may be able to do something similar in the financial services realm with its PAD testing. Because presentation attacks continually evolve along with the technology, however, a standard must allow for change if it is to remain a realistic indication of effectiveness.
One example of this kind of adaptation is the “readiness review” iBeta performs before testing starts, which defines the attack species to be used based on the attack level being tested to and the specific application. The new FIDO PAD standard, by contrast, prescribes 10 of the 12 artifacts that must be used for level A and B testing, which Audette believes means the standard will have to be updated as time passes and the kinds of attacks encountered in the real world change, or it will lose its effectiveness. Looking ahead to 2021, she cautions that when certifying agencies say systems must work against very specific attacks, vendors design their systems to defeat those same attacks, and attackers then simply learn not to use them.
Some companies, particularly startups, come to iBeta with no idea what they need, other than the validation of independent testing. Audette says the company guides them through their options, including other certifications such as the DEA’s Electronic Prescriptions for Controlled Substances (EPCS) certification. Other iBeta customers request head-to-head ‘bake-offs’ between vendors, to test their technologies’ effectiveness for the particular solution or application they are delivering.
“Those are good customers,” Audette declares. “Those are the ones who have done their research, and they’re willing to take the time and make the investment to select the best product that works for their solution. And I think the buyers need to be more informed to make those decisions.”
If independent PAD testing can help biometrics customers make good decisions, it will reflect well on the vendors that deliver the right product to the customer, as well as the industry as a whole.