PART THREE: Putting Trust to the Test
What Keeps Biometric Security Claims Honest?
Beyond in-house testing, third-party biometrics testing programs now exist that vendors can utilize to publicly validate their solutions.
Government and Industry-specific Regulations
Certain high-risk sectors already have broad IT provisions concerning the protection of data and accountability. Historically, such provisions have shed light on the inflated marketing hype in the biometrics industry. HIPAA, the Health Insurance Portability and Accountability Act, for instance, is a generalized security standard in the healthcare market, which has long been thought of as a space ripe for biometric adoption. The presence of this and other healthcare security standards, however, is often cited as a reason why biometric adoption has been slow in clinics and hospitals.
Similarly, government regulations like Europe’s Revised Payment Services Directive (PSD2) and the aforementioned GDPR mandate stronger-than-password authentication solutions with specific capabilities that enable control over user data and have strict penalties for non-compliance. Directives such as these are tangential to biometrics testing, but do attempt to set a high-water mark for security performance. However, the directives are too often written by non-biometrics experts and use language not specific enough to ensure the end goals are met.
Let’s take PSD2, for example. The directive reads:
“Strong customer authentication means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent.”
But the directive means:
Strong Customer Authentication dictates that certain industries require their customers to provide at least two of the three following factors:
- A mutually shared secret, like a password or security question answer
- A personal device unique to them, like a hardware token or mobile phone
- A face scan, voice recording or fingerprint photo matched to a server-side counterpart
While the original language leaves much detail to be desired, the spirit is clear and correct. It is time for industry best practices to be pushed far beyond the abilities of even highly sophisticated cyber criminals and these rules will drive rapid technology advancements, particularly in AI.
Collaboration is ingrained in the IT community, and bounties have long been a method of battle-testing the integrity of security systems with the goal of making them more robust. Open bounties for finding security vulnerabilities encourage researchers and hackers to report flaws in security systems to the vendor rather than exploit them.
Bounties have proven indispensable to large firms like Google and Microsoft that deal with vast amounts of valuable user data, but must be properly incentivised to work. As security becomes more sophisticated thanks to the introduction of biometrics and multiple factors, or modalities, vendors must ensure they are not essentially outbid by interested parties looking to buy zero-day vulnerabilities on the black market.
Unfortunately, since most biometrics security providers know their systems cannot even stand up to rigorous in-house testing, they have rarely offered external bounties, preferring plausible deniability while hoping their vulnerabilities aren’t highlighted on YouTube or exposed on nefarious dark-web sites.
The most visible standardized biometric testing has been conducted by NIST (the National Institute of Standards and Technology). Their algorithm evaluations include fingerprint, face recognition, iris and tattoo biometrics, in addition to multi-biometric solutions carried out in 2007 and 2009 during the technology’s nascency.
The NIST evaluations are conducted in accordance with set challenges and the organization’s schedule. Ongoing evaluations for fingerprint (MINEX) and iris (IREX) have long been touted by top performers as badges of excellence, particularly in the realms of law enforcement and border security. They test homogenized biometric modalities used by the law enforcement and surveillance industries using narrow testing criteria that do not include Presentation Attack Detection.
Unfortunately, since matching performance has been the sole focus of the NIST testing, it has created millions of armchair biometrics experts who love to ask “What’s the FAR?” (False Accept Rate) of every new algorithm they see, while having little understanding of several important factors, including FRR (False Recognition Rate) and training vs. test sets. Most importantly, they have essentially zero understanding of the liveness detection required for real-world authentication. This lack of liveness detection testing by NIST left the biometrics industry focused on FAR and resulted in little attention paid to anti-spoofing until just a few years ago. It is encouraging to see the industry, and NIST-certified labs, finally beginning to understand the critical importance of anti-spoofing, and new testing standards being created to provide insight into biometric authenticator security levels.
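To make the point concrete, here is an added example (not from the white paper or any vendor's code) that tunes a matcher's accept threshold on one set of scores and then reports FAR and FRR on a held-out set; the score lists are constructed and the function names are assumptions for illustration.

```python
# Added example, not from the white paper: a quoted FAR means little without the
# FRR at the same threshold and without a held-out test set. Scores are similarity
# values in [0, 1]; a comparison is accepted when score >= threshold.

# Constructed scores: "train" is what the vendor tuned on, "test" is held out.
TRAIN_GENUINE  = [0.92, 0.88, 0.95, 0.81, 0.90, 0.85, 0.93, 0.78, 0.89, 0.91]
TRAIN_IMPOSTOR = [0.10, 0.25, 0.40, 0.33, 0.55, 0.18, 0.47, 0.62, 0.29, 0.71]
TEST_GENUINE   = [0.87, 0.60, 0.94, 0.72, 0.83, 0.91, 0.65, 0.88, 0.79, 0.90]
TEST_IMPOSTOR  = [0.20, 0.76, 0.35, 0.58, 0.42, 0.81, 0.15, 0.66, 0.30, 0.49]


def far_frr(genuine: list, impostor: list, threshold: float) -> tuple:
    """False Accept Rate (impostors accepted) and False Reject Rate (genuine
    users rejected) at one threshold. With no failures to acquire in the data,
    these equal the per-comparison FMR/FNMR of ISO/IEC 19795."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_for_target_far(genuine: list, impostor: list, target_far: float) -> float:
    """Lowest observed score at which FAR on *these* scores is <= target_far.
    Tuning on the same data you report on is how "FAR 0%" claims are born."""
    for t in sorted(set(genuine + impostor)):
        if far_frr(genuine, impostor, t)[0] <= target_far:
            return t
    raise ValueError("no threshold reaches the target FAR")


def tuned_vs_heldout(target_far: float = 0.0) -> dict:
    """Tune the threshold on the training scores, then report the same metrics
    on the held-out scores. Returns {'threshold', 'train', 'test'}."""
    t = threshold_for_target_far(TRAIN_GENUINE, TRAIN_IMPOSTOR, target_far)
    return {
        "threshold": t,
        "train": far_frr(TRAIN_GENUINE, TRAIN_IMPOSTOR, t),
        "test": far_frr(TEST_GENUINE, TEST_IMPOSTOR, t),
    }


if __name__ == "__main__":
    r = tuned_vs_heldout()
    print(f"threshold tuned for FAR<=0 on train: {r['threshold']:.2f}")
    print("train FAR/FRR:", r["train"])  # (0.0, 0.0): looks perfect
    print("test  FAR/FRR:", r["test"])   # (0.1, 0.3): the honest numbers
    # Move the threshold and the two rates trade off against each other;
    # quoting one without the other says nothing about the system.
    print("test at 0.60:", far_frr(TEST_GENUINE, TEST_IMPOSTOR, 0.60))  # (0.3, 0.0)
```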
Based in Denver, Colorado, iBeta performs independent third-party testing and certification for all biometric modalities, and has created the world’s first certified Presentation Attack Detection (PAD) test based on the recently released ISO 30107-3 standard. Accredited by NVLAP (National Voluntary Laboratory Accreditation Program), iBeta is the only NIST-certified biometrics testing lab. iBeta’s equipment, experience and methodology are invaluable when determining the PAD security level of a biometric, and their test results carry significantly more weight than any in-house or private testing.
iBeta’s biometric testing programs are wide-ranging. The lab is equipped to test for:
- CBEFF, BioAPI, and data interchange
- Performance testing (FAR, FRR, FMR, FNMR)
- Spoofing and liveness testing
- Presentation attack detection
- Scenario testing
- Coordination Mil-Std 810 G
- DEA EPCS biometric subsystem certification
Important note: The ISO 30107-3 standard requires test subjects be “Fully Cooperative Users” and provide “any and all” biometric data requested by the testers. This makes the iBeta PAD test significantly harder than tests using only publicly available biometric data or non-cooperative subjects. The goal is to ensure the authenticator’s liveness detection is strong enough to combat complicit user fraud, synthetic ID fraud and phishing attacks.
In 2018, the FIDO Alliance introduced its own Biometric Component Certification Program. The intention is to address the historical lack of standards with unbiased accredited laboratory testing. A global benchmark indicating a biometric solution is fit for commercial use, FIDO’s Biometric Component Certification Program – based on the NIST-certified iBeta testing procedure – adheres to ISO standards (ISO/IEC 19795; ISO/IEC 30107), and tests for Presentation Attack Detection.
Important note: Though the testing criteria are not yet finalized, currently it does not appear that the FIDO PAD test will require the testers to be “Fully Cooperative Users” as the ISO standard requires. This means it is possible the test results may not be as definitive in their determination as to whether or not the authenticator is robust enough to prevent complicit user fraud and phishing attacks.
“Standardized Testing for Biometrics: Cutting Through the Hype and Finding Integrity in Digital Identity” is a FaceTec white paper. This version has been optimized for the web for educational purposes and published here with permission from the author.