Biometrics are an effective means of verifying identity, their use is increasingly widespread, and ensuring their security is therefore essential.
Threats to biometric systems can take the form of presentation attacks, in which an attempt is made to subvert the system's security policy by presenting natural biometric characteristics, or artefacts bearing copied or faked characteristics, to the biometric system.
The series of standards ISO/IEC 19989, Information security – Criteria and methodology for security evaluation of biometric systems, has just been published to help ensure they are protected from such attacks. This series provides a bridge between ISO/IEC 19792, which defines the evaluation principles for biometric products and systems, and the ISO/IEC 15408 series and ISO/IEC 18045, which define the criteria and methodology requirements for security evaluation.
ISO/IEC 19989-1, Information security – Criteria and methodology for security evaluation of biometric systems – Part 1: Framework, sets out the general framework for the security evaluation of biometric systems, including extended security functional components and supplementary activities to the evaluation methodology.
ISO/IEC 19989-2, Information security – Criteria and methodology for security evaluation of biometric systems – Part 2: Biometric recognition performance, provides requirements and recommendations to the developer and the evaluator of biometric systems for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1.
ISO/IEC 19989-3, Information security – Criteria and methodology for security evaluation of biometric systems – Part 3: Presentation attack detection, is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1.
The ISO/IEC 19989 series was developed by subcommittee SC 27, Information security, cybersecurity and privacy protection, of joint technical committee ISO/IEC JTC 1, the information technology arm of ISO and the International Electrotechnical Commission (IEC). The secretariat of SC 27 is held by DIN, ISO’s member for Germany.
All of these standards can be purchased from your national ISO member or the ISO Store.