Year in Review: The Importance of Standards-based Third Party Testing

Innovatrics: Building a World Where People Can Trust People

With biometric technology becoming increasingly mainstream and the state of the art has continued to evolve, standardization has become a more and more prominent issue. With so many biometric solutions now being offered by a range of vendors, many now feel it’s important to look to standards-based metrics in evaluating and comparing the offerings.

This is clear from the results of Question 27 of FindBiometrics’ latest Year in Review survey, which asked whether respondents agreed with the statement, “I only trust biometric technology that has been tested by a third party to comply with international standards.” An overwhelming majority of 79.2 percent agreed, with almost half of all respondents – 47 percent – indicating that they strongly agree.

Some of these standards have been around for a while. The International Organization for Standardization, or ISO, for example, has standards pertaining to biometric security. And the FBI has had its own certification program for fingerprint sensors for quite some time – a program that has become the gold standard for fingerprint biometrics internationally.

The National Institute for Standards and Technology (NIST), meanwhile, doesn’t offer certification programs for biometric technologies, but does run prominent and ongoing evaluation programs that can illustrate the effectiveness (or deficiencies) of biometric solutions across a number of metrics, such as accuracy, speed, and so on. Innovatrics, which sponsored Question 27 of the FindBiometrics Year in Review survey, offers a recent example from this area, having attained the top ranking for 1:1 biometric matching in the “visa” photo category of NIST’s Face Recognition Vendor Test last autumn.

Other compliance testing programs have emerged more recently, at least partly as a result of the growing prominence and complexity of the biometrics landscape. The FIDO Alliance launched in 2013 with a mission to establish strong standards for authentication, with a particular focus on consumer-facing devices and solutions. For the first few years, its work tended to revolve around 2FA mechanisms like USB security keys and One-Time Passwords; but in 2018 it launched a Biometric Component Certification Program aimed primarily at testing the subcomponents of biometric systems against the ISO/IEC 19795 and ISO/IEC 30107 standards.

One of the testing labs accredited under FIDO’s Biometric Component Certification Program, Denver-based iBeta, is also responsible for what has become one of the most prominent standards-based evaluation programs in the world of facial recognition technology. The lab’s Presentation Attack Detection program is designed to test the ability of a given facial recognition system to detect spoofing attacks that attempt to trick the authentication system into validating false biometric credentials. Biometric ‘liveness detection’ systems are tested against two levels of compliance: Level 1 – which Innovatrics passed in October – involves resisting presentation attacks based on photos and videos of a legitimate end user; while Level 2 entails the use of sophisticated artefacts like latex and silicone masks.

The threat of spoofing in facial recognition illustrates the need for these kinds of third party testing programs in today’s biometrics landscape. Selfie-based authentication systems are now commonplace on smartphones, but are far from equal in their effectiveness: some, like Apple’s Face ID system, attain high accuracy through the use of laser-based 3D imaging; while others can be tricked by a black and white photo of the authorized user.

It’s no wonder that a similar majority of Year in Review respondents – 83.7 percent – agreed with Question 26’s statement, “Improved liveness detection should be a priority for the consumer facing biometrics industry.” And it’s no wonder that industry leaders are increasingly turning their attention to the third party testing organizations that can rigorously evaluate which biometric solutions are up to the job.

This dynamic doesn’t just apply to facial recognition, but to the entire biometrics industry. Solutions across a range of modalities have become more sophisticated in general, but the threat of spoofing, together with the need to meet increasingly complex regulatory frameworks covering things like consumer data privacy, means that standards-based third party testing is more important than ever.