Testing for biometric identity verification still maturing
Biometrics testing is a rapidly maturing field, but there is more to effective identity verification than an accurate matching algorithm, Dr. Chris Allgrove, director and co-founder of Ingenium Biometric Laboratories, explained during a presentation for the EAB. The Lunch Talk “Exploring the Spectrum of Identity Verification Technology Testing” delved into the standards used in IDV testing and the gaps between them.
Allgrove began by defining identity verification and its primary function of binding an individual and their identity evidence. He reviewed the standards and processes around identity document authentication, and the types of documents that can be used. The differences in the quality of biometric reference images and other data collected can be quite significant, particularly between those documents with embedded machine-readable chips and those which must be captured optically.
He then ran through the remote identity verification process, including checks for biometric data quality and presentation attack detection, the genuineness and integrity of the document, and the biometric match.
Reference images gathered from electronic chips are more consistent in their quality than a photo of the document, due to specified minimums for image size and the preservation of image quality from digital transmission. But Allgrove notes that it is still a single, two-dimensional image, which can still pose a challenge for selfie biometric matching.
The ultimate goal of biometrics testing, Allgrove says, is the assessment of risk. The risk could be an inability to accurately and reliably process the document, or to perform the biometric match, each of which raises the risk that the system will not bind the individual to their document, undermining the system’s function.
Allgrove breaks the tests for identity verification systems into functional and security elements of the biometric and document authentication components. Security tests cover protection against presentation and injection attacks, for both the document and the biometric, while functional testing evaluates characteristics like the accuracy of matching and capture reliability.
Established standards and new guidelines
He describes the ISO/IEC 19795 (biometric performance) and ISO/IEC 30107 (PAD) standards as “mature” and “well established,” and says “they work broadly pretty well, they provide a good framework to tell us how we should go about testing. They don’t tell us what to test to, or what the evaluation needs to measure, it tells us how to go about measuring those.”
Following them, he says, establishes a strong foundation of trust.
Allgrove discussed test schemes like those from the FIDO Alliance, the Android compatibility definition document and common criteria biometrics evaluations, and how they support a level playing field for vendors.
The presentation moved on to the measurements used.
Vendors tell Allgrove they are confident in their PAD capabilities, but new holes are appearing in the security landscape even as that one closes.
ISO 19795 defines technology, scenario and operational biometrics testing types, and Allgrove explained how they apply to different areas of identity verification, as well as the three levels of presentation attack species.
There is no standards framework for testing document authentication, however, and national guidelines for conformity assessment are the closest thing available. Performance testing standards for document authentication are on the way, Allgrove says, and the FIDO Alliance published a standard for document authentication requirements.
He reviewed the FIDO Alliance’s work on testing, including the new biometrics certification program. FIDO’s document authentication testing requirements define assessment criteria, including document security features, attack vectors and performance measurements. So far, FIDO addresses only optical document capture, but NFC scanning is due to be added in the next update, which could be just weeks away, according to Allgrove. FIDO defines levels of document security and attack instruments.
A practical challenge for document authentication testing, he points out, is that possession of forged ID documents is illegal in many places.
Injection attacks and the deepfakes they deliver are the emerging threat vendors are focused on, Allgrove notes. While deepfakes for documents are still relatively weak, with Allgrove giving the example of an ID document that states someone’s birthday is the 43rd of July, that will change, he says.
As it does, testing will have to change too.
Allgrove recently joined iBeta’s David Yambay and BixeLab’s Ted Dunstone for a Biometric Update webinar on how biometrics testing can help technology developers and their customers. The webinar is available to stream for free on-demand with registration.