Information technology — Biometric presentation attack detection — Part 1: Framework

Abstract: In recent years, there has been an increase in the availability of, and interest in using, biometric sensors for authenticating users, but the potential for attacks on a system through the biometric sensor has limited the use of biometrics in applications which are unsupervised by an agent of the system owner, such as remote authentication over untrusted networks. Biometric data can be easily obtained directly from a person, online, or through existing databases and then used to create spoofs (or fakes) to mount an attack. The presentation of a biometric spoof (e.g. a facial image or video of a person on a tablet, or a fake silicone or gelatin fingerprint) to a biometric sensor can be detected by methods broadly referred to as presentation attack detection (PAD). The purpose of ISO/IEC 30107-1 is to provide a foundation for PAD by defining terms and establishing a framework through which presentation attack events can be specified and detected so that they can be categorized, detailed and communicated for subsequent decision making and performance assessment activities. This foundation is intended not only to introduce and frame the topics of presentation attacks and PAD but also to benefit other standards projects. This standard does not advocate a specific standard PAD method. The scope is limited to describing attacks that take place at the sensor during the presentation and collection of biometric characteristics. There are two other parts of ISO/IEC 30107, under the general title Information technology - Biometric presentation attack detection: Part 2: Data formats; Part 3: Testing and reporting.

Keywords: liveness, liveness detection, biometric liveness detection, spoof detection, biometric spoof, biometric spoof detection, fake, fake biometric, fake biometrics, artefact, artefact detection.

Technologies de l'information — Détection d'attaque de présentation en biométrie — Partie 1: Structure

General Information

Status: Withdrawn
Publication Date: 13-Jan-2016
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 10-Aug-2023

Buy Standard

Standard: ISO/IEC 30107-1:2016 - Information technology -- Biometric presentation attack detection
English language, 11 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 30107-1
First edition
2016-01-15
Information technology — Biometric presentation attack detection — Part 1: Framework
Technologies de l’information — Détection d’attaque de présentation en biométrie — Partie 1: Structure
Reference number ISO/IEC 30107-1:2016(E)
© ISO/IEC 2016

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Symbols and abbreviated terms ... 2
5 Characterisation of presentation attacks ... 3
5.1 General ... 3
5.2 Presentation attack instruments ... 4
6 Framework for presentation attack detection methods ... 5
6.1 Types of presentation attack detection ... 5
6.2 The role of challenge-response ... 5
6.2.1 Challenge-response related to liveness ... 6
6.2.2 Liveness not related to challenge-response ... 6
6.2.3 Challenge-response not related to biometrics ... 6
6.3 Presentation attack detection process ... 6
6.4 Presentation attack detection within biometric system architecture ... 7
6.4.1 Overview in terms of the generalized biometric framework ... 7
6.4.2 PAD processing considerations relative to the other biometric subsystems ... 8
6.4.3 PAD location implications regarding data interchange ... 9
7 Obstacles to biometric imposter presentation attacks in a biometric system ... 9
Bibliography ... 11

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
ISO/IEC 30107-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 37, Biometrics.
ISO/IEC 30107 consists of the following parts, under the general title Information technology —
Biometric presentation attack detection:
— Part 1: Framework
— Part 2: Data formats
— Part 3: Testing and reporting

Introduction
Biometric technologies are used to recognize individuals based on biological and behavioural
characteristics and, consequently, are often used as a component in security systems. A biometric
technology assisted security system may attempt to recognize persons who are known as either friends
or foes, or may attempt to recognize persons who are unknown to the system as either.
Since the beginning of these technologies, the possibility of subversion of recognition by determined
adversaries has been widely acknowledged, as has the need for countermeasures to detect and defeat
subversive recognition attempts, or presentation attacks. Subversion of the intended function of a
biometric technology can take place at any point within a security system and by any actor, whether
a system insider or an external adversary. This International Standard (ISO/IEC 30107) will be
limited in scope, however, focusing on techniques for the automated detection of presentation attacks
undertaken by biometric capture subjects at the point of presentation and collection of the relevant
biometric characteristics. We will call these automated techniques “Presentation Attack Detection”
(PAD) methods.
The potential for subversion of biometric systems at the point of data collection by determined
individuals acting as biometric capture subjects has limited the use of biometrics in applications
which are unsupervised by an agent of the system owner, such as remote collections over untrusted
networks. Guidelines on e-authentication, for example, do not recommend the use of biometrics as an
authentication factor for this reason. In unattended applications, such as remote authentication over
open networks, automated presentation attack detection methods could be applied to mitigate the
risks of attack. Standards, best practices and independently evaluated techniques could improve the
security of all systems employing biometrics, whether using supervised or unsupervised data capture,
including those using biometric recognition to secure online transactions.
As is the case for biometric recognition, PAD techniques are subject to errors, both false positive and
false negative: false positive indications wrongly categorize routine presentations as attacks, thus
impairing the efficiency of the system, and false negative indications wrongly categorize presentation
attacks as routine, not preventing a security breach. Therefore, the decision to use a specific
implementation of PAD will depend upon the requirements of the application and consideration of the
trade-offs with respect to security and efficiency.
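As an added illustration of the trade-off described above (example code written for this page; it is not part of ISO/IEC 30107-1 and not any vendor's PAD implementation), the following Python script sweeps a decision threshold over constructed PAD scores, computes the two error rates in the terms this introduction uses (false positive: a normal presentation flagged as an attack; false negative: a presentation attack accepted as normal), and picks the threshold that meets an application's tolerance for false negatives. The score values, their labels and the convention that a higher score means "more attack-like" are assumptions made for the example.

```python
"""Added example, not from ISO/IEC 30107-1: PAD decision-threshold trade-off.

A hypothetical PAD subsystem emits a score in [0, 1] per presentation; by
assumption, a higher score means "more attack-like". A presentation is
classified as an attack when score >= threshold.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample data (invented for this example): (score, is_attack).
# is_attack=False is a normal presentation, is_attack=True a presentation attack.
SAMPLE_SCORES: List[Tuple[float, bool]] = [
    (0.05, False), (0.12, False), (0.20, False), (0.31, False),
    (0.45, False), (0.52, False), (0.64, False), (0.78, False),
    (0.40, True), (0.58, True), (0.71, True), (0.83, True),
    (0.90, True), (0.97, True),
]


@dataclass(frozen=True)
class PadErrorRates:
    threshold: float
    false_positive_rate: float  # normal presentations wrongly flagged as attacks
    false_negative_rate: float  # presentation attacks wrongly accepted as normal


def pad_error_rates(scores: Sequence[Tuple[float, bool]],
                    threshold: float) -> PadErrorRates:
    """Error rates of the decision rule 'attack iff score >= threshold'."""
    normal = [s for s, is_attack in scores if not is_attack]
    attacks = [s for s, is_attack in scores if is_attack]
    if not normal or not attacks:
        raise ValueError("need at least one normal and one attack presentation")
    false_positives = sum(1 for s in normal if s >= threshold)
    false_negatives = sum(1 for s in attacks if s < threshold)
    return PadErrorRates(
        threshold,
        false_positives / len(normal),
        false_negatives / len(attacks),
    )


def trade_off_curve(scores: Sequence[Tuple[float, bool]],
                    thresholds: Sequence[float]) -> List[PadErrorRates]:
    """Error rates at each threshold: raising the threshold trades false
    positives (efficiency) for false negatives (security)."""
    return [pad_error_rates(scores, t) for t in thresholds]


def choose_threshold(scores: Sequence[Tuple[float, bool]],
                     max_false_negative_rate: float) -> Optional[PadErrorRates]:
    """Highest threshold (hence fewest false positives) whose false-negative
    rate stays within the application's tolerance, or None if none does.

    Candidate thresholds are the observed scores themselves, because the
    error rates only change at those points.
    """
    best: Optional[PadErrorRates] = None
    for t in sorted({s for s, _ in scores}):  # ascending, so the last hit wins
        rates = pad_error_rates(scores, t)
        if rates.false_negative_rate <= max_false_negative_rate:
            best = rates
    return best


if __name__ == "__main__":
    for r in trade_off_curve(SAMPLE_SCORES, [0.35, 0.5, 0.8]):
        print(f"threshold={r.threshold:.2f} "
              f"false_positive_rate={r.false_positive_rate:.3f} "
              f"false_negative_rate={r.false_negative_rate:.3f}")
    # A high-security application tolerating no missed attack on this sample:
    strict = choose_threshold(SAMPLE_SCORES, 0.0)
    print(f"strict: threshold={strict.threshold:.2f} "
          f"false_positive_rate={strict.false_positive_rate:.3f}")
```

On the constructed sample, tolerating no false negatives forces the threshold down to 0.40 and flags half of the normal presentations, whereas tolerating one missed attack in six allows a threshold of 0.58 and flags only a quarter of them; that is the security-versus-efficiency decision the paragraph above says each application has to make. Part 3 of ISO/IEC 30107 is where the reporting of such error rates is standardized.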
The purpose of this part of ISO/IEC 30107 is to provide a foundation for PAD through defining terms
and establishing a framework through which presentation attack events can be specified and detected
so that they can be categorized, detailed and communicated for subsequent biometric system decision
making and performance assessment activities. This foundation will also benefit other standards
projects in ISO/IEC committees and sub-committees. This International Standard does not advocate a
specific technique as a standard PAD tool.
There are two other parts of ISO/IEC 30107. Part 2 defines data formats for conveying the type of
approach used in biometric presentation attack detection and for conveying the results of presentation
attack detection methods. Part 3 establishes principles and methods for performance assessment of
presentation attack detection algorithms or mechanisms.

INTERNATIONAL STANDARD ISO/IEC 30107-1:2016(E)
Information technology — Biometric presentation attack detection — Part 1: Framework
1 Scope
This part of ISO/IEC 30107 establishes terms and definitions that are useful in the specification,
characterization and evaluation of presentation attack detection methods.
Outside the scope are
— standardization of specific PAD methods;
— detailed information about countermeasures (i.e. anti-spoofing techniques), algorithms, or sensors;
and
— overall system-level security or vulnerability assessment.
The attacks to be considered in ISO/IEC 30107 are those that take place at the sensor during the
presentation and collection of the biometric characteristics.
Any other attacks are considered outside the scope of ISO/IEC 30107.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37:2012, Information technology — Vocabulary — Part 37: Biometrics
NOTE The electronic version of ISO/IEC 2382-37:2012 can be downloaded for free from the ISO/IEC Information Technology Task Force (ITTF) web site: http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37:2012 and the
following apply.
3.1
artefact
artificial object or representation presenting a copy of biometric characteristics or synthetic
biometric patterns
3.2
liveness
quality or state of being alive, made evident by anatomical characteristics, involuntary reactions or
physiological functions, or voluntary reactions or subject behaviours
EXAMPLE 1 Absorption of illumination by the skin and blood are anatomical characteristics.

EXAMPLE 2 The reaction of the iris to light and heart activity (pulse) are involuntary reactions (also called
physiological functions).
EXAMPLE 3 Squeezing together one’s fingers in hand geometry and a biometric presentation in response to a
directive cue are both voluntary reactions (also called subject behaviours).
3.3
liveness detection
measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order
to determine if a biometric sample is being captured from a living subject present at the point of capture
Note 1 to entry: Liveness detection methods are a subset of presentation attack detection methods.
3.4
normal presentation
interaction of the biometric capture subject and the biometric data capture subsystem in the fashion
intended by the policy of the biometric system
Note 1 to entry: The term “normal” is analogous to “routine” when referring to a “normal presentation.” Any type
of presentation that is not an attack is considered a “normal presentation.”
3.5
presentation attack
presentation to the biometric data capture subsystem with the goal of interfering with the operation of
the biometric system
Note 1 to entry: A presentation attack can be implemented through a number of methods, e.g. an artefact,
mutilation, replay, etc.
Note 2 to entry: Presentation attacks may have a number of goals, e.g. impersonation or not being recognized.
Note 3 to entry: Biometric systems may not be able to differentiate between biometric presentation attacks with
the goal of interfering with the system’s operation and non-conformant presentations.
3.6
presentation attack detection
PAD
automated determination of a presentation attack
Note 1 to entry: PAD cannot infer the subject’s intent. In fact it may be impossible to distinguish an attack from
a non-conformant presentation on the basis of the data capture process or the acquired sample.
3.7
presentation attack instrument
PAI
biometric characteristic or object used in a presentation attack
Note 1 to entry: The set of PAI includes artefacts but would also include lifeless biometric characteristics
(i.e. stemming from dead bodies) or altered biometric characteristics (e.g. altered fingerprints) that are used
in an attack.
4 Symbols and abbreviated terms
PAD Presentation Attack Detection
PAI Presentation Attack Instrument

5 Characterisation of presentation attacks
5.1 General
Although attacks on a biometric system can occur anywhere and be instantiated by any actor,
ISO/IEC 30107 focuses on biometric-based attacks on the data capture subsystem by biometric capture
subjects attempting to subvert the intended operation of the system. Attacks by other actors and at
other points of the system have previously been considered in documents such as [2]. ISO/IEC 30107
does not address protecting the data capture subsystem, including the sensor itself, from modification,
replacement, or removal or protecting the communication between the data capture subsystem and
other subsystems.
Figure 1 illustrates several generic attacks against a biometric system. ISO/IEC 30107 only focuses on
attacks pointed out by arrow “1,” in which a biometric characteristic or PAI is presented to a sensor
which is operating properly within a biometric system.
Figure 1 — Examples of points of attack in a biometric system (inspired by [1])
Presentation attacks can be carried out by two types of subversive biometric capture subjects: a
biometric imposter, where the subversive biometric capture subject intends to be recognized as an
individual other than him/herself, or a biometric concealer, where the subversive biometric capture
subject intends to evade being recognized as any individual known to the system.
Biometric imposters may perform attacks in two different ways. In the first sub-type, the subversive
data subject intends to be recognized as a specific individual known to the system. In the second sub-
type, the subversive data subject intends to be recognized as any individual known to the system,
without specification as to which one.
In contrast, a biometric concealer seeks to conceal their own biometric characteristics rather than to model
the characteristics of known individuals, e.g. by using an artefact or through disguise or alteration of natural
biometric characteristics.
...
