PART FOUR: The iBeta Test
Testing Biometrics Across the Board, Without Bias
“Our NVLAP-accredited lab and ISO-guided program provides the level of verifiability and consistency needed to help providers create products that can be more easily assessed and targeted for specific use cases,” said Dr. Kevin Wilson, Director of Biometrics at iBeta.
iBeta testing can be conducted on a production version of an authenticator, but a modified version is recommended. The modifications should include the ability to perform liveness on enrollment (the very foundation of the “trust chain”) and should allow thousands of attempts, with the “lockout” and “anti-reverse-engineering” mechanisms removed. However, when a production-version lockout would have been triggered, the app should inform testers of the consequences of the lockout (e.g., to retry in five minutes or one hour). This helps testers better understand how many attempts they would have in the real world, and how long they would have to wait for additional attempts or whether they would have to re-download the app.
“The iBeta test makes it much easier to differentiate between marketing hype and objectively-verified security. To us, there is no doubt that formalized, standards-backed PAD tests like iBeta’s should be a prerequisite for every biometric vendor.” – Kevin Alan Tussy, CEO, FaceTec
Testing is typically conducted over two to three weeks on two contemporary smart devices, and in accordance with the level of spoofing and techniques needed to create artifacts of the genuine biometric for use in the presentation attack. The test subjects used in the test effort are “fully cooperative,” meaning they willingly provide any and all biometric samples, including high-quality photos and videos of their likenesses. If the test includes liveness on enrollment, then only non-living artifacts are used to try to fool the system into enrolling an inanimate object in place of a living person. The test time for each subject is approximately eight hours. At least 5-6 species of presentation attacks (PAs) are expected, and each will be attempted five times for each subject, for a total of approximately 1500 presentation attack attempts.
At the conclusion of the PAD testing, the real, living test subject returns and authenticates three times successfully to verify that the authenticator application is still able to recognize the genuine subject, and hasn’t just been altered to rebuff all attempts.
“Standardized Testing for Biometrics: Cutting Through the Hype and Finding Integrity in Digital Identity” is a FaceTec white paper. This version has been optimized for the web for educational purposes and published here with permission from the author.