Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives.

The following are within the scope of this document:
— use of biometrics for the purpose of:
— verification of a claimed identity;
— identification of an individual;
— biometric authentication threats, vulnerabilities and controls;
— validation of credentials presented at enrolment to support authentication;
— management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes;
— security requirements for hardware used in conjunction with biometric capture and biometric data processing;
— biometric authentication architectures and associated security requirements.

The following are not within the scope of this document:
— detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process;
— use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

Services financiers — Biométrie — Cadre de sécurité

General Information
Status: Published
Publication Date: 01-Mar-2023
Current Stage: 6060 - International Standard published
Start Date: 02-Mar-2023
Due Date: 13-May-2023
Completion Date: 02-Mar-2023
Buy Standard

Standard: ISO 19092:2023 - Financial services — Biometrics — Security framework, Released: 2. 03. 2023, English language, 65 pages
Draft: ISO 19092 - Financial services — Biometrics — Security framework, Released: 3/4/2022, English language, 67 pages

Standards Content (Sample)

INTERNATIONAL STANDARD
ISO 19092
Second edition
2023-03
Financial services — Biometrics — Security framework
Services financiers — Biométrie — Cadre de sécurité
Reference number
ISO 19092:2023(E)
© ISO 2023

ISO 19092:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO 2023 – All rights reserved

Contents Page
Foreword . vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Abbreviated terms . 8
5 Biometrics in financial service context . 8
5.1 General . 8
5.2 Generic security considerations . 10
5.3 Personal device vulnerabilities and controls strategy . 10
5.4 Biometric verification versus biometric identification . 10
6 Biometric modalities and core systems .11
6.1 General . 11
6.2 Modalities of biometrics. 11
6.2.1 General . 11
6.2.2 Fingerprint . 11
6.2.3 Voice biometrics .12
6.2.4 Iris biometrics.12
6.2.5 Face biometrics .12
6.2.6 Signature biometrics . 13
6.2.7 Vein biometrics . 13
6.2.8 Palm print biometrics . 14
6.2.9 Keystroke biometrics . 14
6.3 Biometric system and its supporting systems . 14
6.3.1 Overview . 14
6.3.2 Core systems .15
6.3.3 Core biometric authentication usage scenarios . 16
7 Financial biometric authentication systems — usability considerations .20
7.1 General . 20
7.2 Properties of biometric modalities . 20
7.3 Properties and evaluation of biometric system . 21
7.3.1 Recognition performance . 21
7.3.2 Recognition performance evaluation . 22
7.3.3 Presentation attack detection . 23
7.3.4 Interoperability . 23
8 Financial biometric authentication systems – architectures .24
8.1 Overview . 24
8.2 Conceptual business architecture . 24
8.3 Technical architecture . 25
8.4 Registration architecture .25
8.5 PBP devices and associated biometric authentication architectures . 26
8.5.1 PBP device operators .26
8.5.2 PBP device types .28
8.5.3 Point of biometric presentation (PBP) .28
8.5.4 Biometric authentication architecture .30
9 Financial biometric authentication systems – threats and vulnerabilities .34
9.1 Generic threat considerations.34
9.2 Biometric presentation vulnerabilities . 35
9.2.1 Overview . 35
9.2.2 Synthetic biometric presentation attack vulnerabilities . 35
9.2.3 Improper PBP device calibration vulnerabilities .36

9.2.4 Fault injection .36
9.3 Comparison, decision and storage subsystem vulnerabilities .36
9.3.1 Overview . 36
9.3.2 Improper threshold settings vulnerability . 37
9.3.3 Score and threshold vulnerabilities . 37
9.3.4 Reference refinement vulnerabilities . 37
9.3.5 Self-targeted match search vulnerabilities .38
9.3.6 Other-party targeted match search vulnerabilities .38
9.3.7 Match collision vulnerabilities .38
9.3.8 Authentication result transmission vulnerabilities .38
9.3.9 Biometric storage vulnerabilities .38
10 Financial biometric authentication systems — security requirements .38
10.1 General .38
10.2 Generic security requirements .38
10.2.1 Physical security requirements .38
10.2.2 Logical security requirements .39
10.3 Identity registration .40
10.3.1 Overview .40
10.3.2 Security requirements .40
10.4 Presentation .40
10.4.1 Overview .40
10.4.2 Security requirements .40
10.5 Data storage and handling .40
10.5.1 Overview .40
10.5.2 Reference splitting procedure .40
10.6 Comparison and decision . 42
10.6.1 Overview . 42
10.6.2 Security requirements . 42
10.7 Enrolment . 42
10.7.1 Overview . 42
10.7.2 Security requirements . 42
10.8 Re-enrolment . 43
10.8.1 Overview . 43
10.8.2 Security requirements . 43
10.9 Refinement . 43
10.9.1 Overview . 43
10.9.2 Security requirements . 43
10.10 Verification . 43
10.10.1 Overview . 43
10.10.2 Security requirements .44
10.11 Identification .44
10.11.1 Overview .44
10.11.2 Security requirements .44
10.12 Termination . 45
10.12.1 Overview . 45
10.12.2 Security requirements . 45
10.13 Suspension and reactivation . 45
10.13.1 Overview . 45
10.13.2 Security requirements . 45
10.14 Archiving .46
10.14.1 Overview .46
10.14.2 Security requirements .46
10.15 Security compliance verification .46
Annex A (informative) Threats and vulnerabilities for biometric environments .47
Annex B (informative) Biometric implementation scenarios .50
Annex C (normative) Biometric security controls checklist .59

Bibliography .64

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial Services, security.
This second edition cancels and replaces the first edition (ISO 19092:2008), which has been technically
revised.
The main changes are as follows:
— technical developments since the first edition reflected;
— newer use cases fitting current use of biometrics in the financial industry and related security
considerations included;
— built on a newer set of ISO standards for biometrics, created by ISO/IEC JTC 1/SC 37.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Retail transaction authentication using card- and PIN-based technologies has historically been
central to the protection of retail electronic transactions. However, the advent of new technologies
and the evolution of old technologies has introduced the possibility of using personal biometrics as an
alternative or supplementary method of transaction authentication.
Biometrics as a mechanism for recognizing individuals includes the use of fingerprints and iris and
facial images.
The wide use of a biometric system with the public depends on a number of factors:
— convenience and ease of use;
— level of appropriate security;
— performance;
— non-invasiveness.
This document provides security guidelines for the integration of biometrics into the retail payment
sector using card or other technologies in the financial industry from component to system level and
includes recommendations regarding compliance verification. Nonetheless, the guidelines set out in
this document do not guarantee that a particular implementation will be secure against all threats.
It is the responsibility of the financial institutions deploying such technology, via their security risk
management processes, to ensure adequate controls are in place to mitigate threats in accordance with
institutional policy.

INTERNATIONAL STANDARD ISO 19092:2023(E)
Financial services — Biometrics — Security framework
1 Scope
This document specifies the security framework for using biometrics for authentication of customers
in financial services, focusing exclusively on retail payments. It introduces the most common types of
biometric technologies and addresses issues concerning their application. This document also describes
representative architectures for the implementation of biometric authentication and associated
minimum control objectives.
The following are within the scope of this document:
— use of biometrics for the purpose of:
— verification of a claimed identity;
— identification of an individual;
— biometric authentication threats, vulnerabilities and controls;
— validation of credentials presented at enrolment to support authentication;
— management of biometric information across its life cycle, comprising enrolment, transmission and
storage, verification, identification and termination processes;
— security requirements for hardware used in conjunction with biometric capture and biometric data
processing;
— biometric authentication architectures and associated security requirements.
The following are not within the scope of this document:
— detailed specifications for data collection, feature extraction and comparison of biometric data and
the biometric decision-making process;
— use of biometric technology for non-financial transaction applications, such as physical or logical
system access control.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9796 (all parts), Information technology — Security techniques — Digital signature schemes
giving message recovery
ISO/IEC 9797 (all parts), Information technology — Security techniques — Message Authentication Codes
(MACs)
ISO 11568, Financial services — Key management (retail)
ISO 13491-1, Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements
and evaluation methods
ISO 13491-2, Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance
checklists for devices used in financial transactions

ISO/IEC 15408-3, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 14888 (all parts), IT Security techniques — Digital signatures with appendix
ISO/IEC 18033 (all parts), Information security — Encryption algorithms
ISO/IEC 19772, Information security — Authenticated encryption
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
biometric authentication
authentication where biometric verification or biometric identification is applied and the identity is
linked to the biometric reference
[SOURCE: ISO/IEC 24745:2022, 3.3]
3.2
biometric capture
obtaining and recording of, in a retrievable form, signal(s) of biometric characteristic(s) directly from
individual(s), or from representation(s) of biometric characteristic(s)
[SOURCE: ISO/IEC 2382-37:2022, 37.06.03, modified — Notes to entry removed.]
3.3
biometric capture device
device that collects a signal from a biometric characteristic and converts it to a captured biometric
sample
[SOURCE: ISO/IEC 2382-37:2022, 37.04.01, modified — Notes to entry removed.]
3.4
biometric data
biometric sample or aggregation of biometric samples at any stage of processing
[SOURCE: ISO/IEC 2382-37:2022, 37.03.06, modified — Notes to entry and example removed.]
3.5
biometric enrolment
act of creating and storing a biometric enrolment data record in accordance with an enrolment policy
[SOURCE: ISO/IEC 2382-37:2022, 37.05.03, modified — Notes to entry removed.]
3.6
biometric enrolment database
database of biometric enrolment data record(s)
[SOURCE: ISO/IEC 2382-37:2022, 37.03.09, modified — Notes to entry removed.]

3.7
biometric feature extraction
process applied to a biometric sample with the intent of isolating and outputting repeatable and
distinctive numbers or labels which can be compared to those extracted from other biometric samples
[SOURCE: ISO/IEC 2382-37:2022, 37.05.04, modified — Notes to entry removed.]
3.8
biometric identification
process of searching against a biometric enrolment database to find and return the biometric reference
identifier(s) attributable to
...

DRAFT INTERNATIONAL STANDARD
ISO/DIS 19092
ISO/TC 68/SC 2 Secretariat: BSI
Voting begins on: 2022-04-29
Voting terminates on: 2022-07-22
Financial services — Biometrics — Security framework
Services financiers — Biométrie — Cadre de sécurité
ICS: 35.240.40; 03.060
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number
ISO/DIS 19092:2022(E)
© ISO 2022

ISO/DIS 19092:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO 2022 – All rights reserved

Contents Page
Foreword . vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Symbols and abbreviated terms.8
5 Biometrics in financial service context . 9
5.1 General . 9
5.2 Generic security considerations . 10
5.3 Personal device vulnerabilities and controls strategy . 11
5.4 Biometric verification versus biometric identification . 11
6 Biometric modalities and core systems .11
6.1 General . 11
6.2 Modalities of biometrics. 12
6.2.1 General .12
6.2.2 Fingerprint . 12
6.2.3 Voice biometrics .13
6.2.4 Iris biometrics.13
6.2.5 Face biometrics .13
6.2.6 Signature biometrics . 14
6.2.7 Vein biometrics . 14
6.2.8 Palm print biometrics . 14
6.2.9 Keystroke biometrics . 15
6.3 Biometric system and its supporting systems . 15
6.3.1 Overview . 15
6.3.2 Core systems . 16
6.3.3 Core biometric authentication usage scenarios . 17
7 Financial biometric authentication systems - usability considerations .22
7.1 General .22
7.2 Properties of biometric modalities . 22
7.3 Properties and evaluation of biometric system . 23
7.3.1 Recognition performance . 23
7.3.2 Recognition performance evaluation . 24
7.3.3 Presentation attack detection . 25
7.3.4 Interoperability . 25
8 Financial biometric authentication systems – architectures .26
8.1 Overview . 26
8.2 Conceptual business architecture . 26
8.3 Technical architecture . 27
8.4 Registration architecture . 27
8.5 PBP devices and associated biometric authentication architectures .28
8.5.1 PBP device operators .28
8.5.2 PBP device types .30
8.5.3 Point of biometric presentation (PBP) .30
8.5.4 Biometric authentication architecture . 32
9 Financial biometric authentication systems – threats and vulnerabilities .36
9.1 Generic threat considerations. 36
9.2 Biometric presentation vulnerabilities . 37
9.2.1 Overview . 37
9.2.2 Synthetic biometric presentation attack vulnerabilities . 37
9.2.3 Improper PBP device calibration vulnerabilities .38

9.2.4 Fault injection .38
9.3 Comparison, decision and storage subsystem vulnerabilities .38
9.3.1 Overview .38
9.3.2 Improper threshold settings vulnerability .39
9.3.3 Score and threshold vulnerabilities .39
9.3.4 Reference refinement vulnerabilities .39
9.3.5 Self-targeted match search vulnerabilities .40
9.3.6 Other-party targeted match search vulnerabilities .40
9.3.7 Match collision vulnerabilities .40
9.3.8 Authentication result transmission vulnerabilities .40
9.3.9 Biometric storage vulnerabilities .40
10 Financial biometric authentication systems - security requirements .40
10.1 General .40
10.2 Generic security requirements .40
10.2.1 Physical security requirements .40
10.2.2 Logical security requirements . 41
10.3 Identity registration . 42
10.3.1 Overview . 42
10.3.2 Security requirements . 42
10.4 Presentation . 42
10.4.1 Overview . 42
10.4.2 Security requirements . 42
10.5 Data storage and handling . 42
10.5.1 Overview . 42
10.5.2 Reference splitting procedure . 42
10.6 Comparison and decision .44
10.6.1 Overview .44
10.6.2 Security requirements .44
10.7 Enrolment .44
10.7.1 Overview .44
10.7.2 Security requirements .44
10.8 Re-enrolment . 45
10.8.1 Overview . 45
10.8.2 Security requirements . 45
10.9 Refinement . 45
10.9.1 Overview . 45
10.9.2 Security requirements . 45
10.10 Verification . 45
10.10.1 Overview . 45
10.10.2 Security requirements .46
10.11 Identification .46
10.11.1 Overview .46
10.11.2 Security requirements .46
10.12 Termination . 47
10.12.1 Overview . 47
10.12.2 Security requirements . 47
10.13 Suspension and reactivation . 47
10.13.1 Overview . 47
10.13.2 Security requirements .48
10.14 Archiving .48
10.14.1 Overview .48
10.14.2 Security requirements .48
10.15 Security compliance verification .48
Annex A (Informative) Threats and vulnerabilities for biometric environments .50
Annex B (Informative) Biometric implementation scenarios .53
Annex C (Normative) Biometric security controls checklist .62

Bibliography .66

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 19092 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
The second edition of ISO 19092 replaces ISO 19092:2008. Biometrics, and biometrics as used in
payments in particular, has undergone tremendous development since 2008 when the previous
revision of this document was published. The current revision takes this development into account,
describing newer use cases fitting today's use of biometrics and the security considerations associated.
It also builds on a newer set of ISO standards for biometrics, created by ISO/IEC SC 37. Thus, the current
revision substantially revises and/or replaces most parts of the previous revision.

Introduction
Retail transaction authentication using card and PIN-based technologies has historically been central to
the protection of retail electronic transactions. However, the advent of new technologies and evolution
of old technologies has introduced the possibility of using personal biometrics as an alternative or
supplementary method of transaction authentication.
Biometrics as a mechanism for recognizing individuals includes the use of fingerprints, iris and facial
images.
The wide use of a biometric system with the public depends on a number of factors:
— convenience and ease of use;
— level of appropriate security;
— performance;
— non-invasiveness.
This document seeks to provide security guidelines for the integration of biometrics into the retail
payments sector using card or other technologies in the financial industry, from component to system
level, including recommendations regarding compliance evaluation. Nonetheless, the guidelines set out
in this document do not guarantee that a particular implementation will be secure against all threats.
It is the responsibility of the financial institutions deploying such technology, via their security risk
management processes, to ensure adequate controls are in place to mitigate threats in accordance with
institutional policy.
This document replaces ISO 19092-1:2006. When ISO 19092-1:2006 was published, it was expected
that a second part of ISO 19092 (ISO 19092-2, Financial services — Biometrics — Part 2: Message
syntax and cryptographic requirements) would subsequently be published. However, ISO 19092-2 was
not completed due to a lack of consensus. As a result, ISO 19092-1:2006 has been updated into this
document, removing all references to ISO 19092-2 and incorporating some significant new text.

DRAFT INTERNATIONAL STANDARD ISO/DIS 19092:2022(E)
Financial services — Biometrics — Security framework
1 Scope
This document specifies the security framework for using biometrics for authentication of customers
in financial services, focusing exclusively on retail payments. It introduces the most common types of
biometric technologies and addresses issues concerning their application. This document also describes
representative architectures for the implementation of biometric authentication, and associated
minimum control objectives.
The following are within the scope of this document:
— usage of biometrics for the purpose of:
— verification of a claimed identity;
— identification of an individual;
— biometric authentication threats, vulnerabilities and controls;
— validation of credentials presented at enrolment to support authentication;
— management of biometric information across its life cycle, comprising enrolment, transmission and
storage, verification, identification and termination processes;
— security requirements for physical hardware used in conjunction with biometric capture and
biometric data processing;
— biometric authentication architectures and associated security requirements.
The following are not within the scope of this document:
— privacy and legal requirements; however, if any of the requirements contained in this document
conflict with country, state, or local laws, the country, state, or local law will apply;
— detailed specifications for data collection, feature extraction and comparison of biometric data, and
the biometric decision-making process;
— usage of biometric technology for non-financial transaction applications such as physical or logical
system access control.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 9796, Information technology — Security techniques — Digital signature schemes giving message
recovery
ISO/IEC 9797, Information technology — Security techniques — Message Authentication Codes (MACs)
ISO 11568, Banking — Key management (retail)
ISO 13491, Financial services — Secure cryptographic devices (retail)
ISO/IEC 14888, IT Security techniques — Digital signatures with appendix

ISO/IEC 18033, Information security — Encryption algorithms
ISO/IEC 19772, Information security — Authenticated encryption
ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic
modules
ISO/IEC 24745, Information security, cybersecurity and privacy protection — Biometric information
protection
ISO/IEC 30107, Information technology — Biometric presentation attack detection
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
biometric authentication
authentication where biometric verification or biometric identification is applied and the identity is
linked to the biometric reference
[SOURCE: ISO/IEC 24745, 3.3]
3.2
biometric capture
obtain and record, in a retrievable form, signal(s) of biometric characteristic(s) directly from
individual(s), or from representation(s) of biometric characteristic(s)
[SOURCE: ISO/IEC 2382-37:2017, 3.6.3]
3.3
biometric capture device
device that collects a signal from a biometric characteristic and converts it to a captured biometric
sample
Note 1 to entry: A signal can be generated by the biometric characteristic or generated elsewhere and affected by
the biometric characteristic, for example, face illuminated by incident light.
Note 2 to entry: A biometric capture device can be any piece of hardware (and supporting software and firmware).
Note 3 to entry: A biometric capture device may comprise components such as an illumination source, one or
more biometric sensors, etc.
[SOURCE: ISO/IEC 2382-37:2017, 3.4.1]
3.4
biometric data
biometric sample or aggregation of biometric samples at any stage of processing, e.g. biometric
reference, biometric probe, biometric feature or biometric property
[SOURCE: ISO/IEC 2382-37:2017, 3.3.6]
3.5
biometric enrolment
act of creating
...
