ISO/IEC 19989-3:2020

INTERNATIONAL ISO/IEC
STANDARD 19989-3
First edition
2020-09
Information security — Criteria and
methodology for security evaluation
of biometric systems —
Part 3:
Presentation attack detection
Sécurité de l'information — Critères et méthodologie pour
l'évaluation de la sécurité des systèmes biométriques —
Partie 3: Détection d'attaque de présentation
Reference number
ISO/IEC 19989-3:2020(E)
©
ISO/IEC 2020

---------------------- Page: 1 ----------------------
ISO/IEC 19989-3:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 19989-3:2020(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 4
5 General remark . 5
6 Overview of PAD testing in Class ATE and Class AVA . 5
6.1 Objectives and principles . 5
6.1.1 Class ATE. 5
6.1.2 Class AVA . 6
6.2 PAIs used in testing activities . 6
6.2.1 Class ATE. 6
6.2.2 Class AVA . 6
6.3 Testing activities . 6
6.3.1 Class ATE. 6
6.3.2 Class AVA . 7
6.4 Criteria of pass/failure . 7
7 Supplementary activities to ISO/IEC 18045 on tests (ATE) . 7
7.1 Testing approach toward PAD . 7
7.2 Metrics for PAD testing . 8
7.2.1 General. 8
7.2.2 Metrics used for PAD subsystem TOEs . 9
7.2.3 Metrics used for data capture subsystem TOEs . 9
7.2.4 Metrics used for other TOEs .10
7.3 Minimum test sizes and maximum error rates .10
8 Supplementary activities to ISO/IEC 18045 on vulnerability assessment (AVA) .11
8.1 Penetration testing using PAI variations .11
8.2 Potential vulnerabilities .12
8.3 Rating of vulnerabilities and TOE resistance .12
Annex A (informative) Examples of calculations of attack potential .13
Bibliography .18
© ISO/IEC 2020 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 19989-3:2020(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 19989 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 19989-3:2020(E)

Introduction
Biometric systems can be vulnerable to presentation attacks where attackers attempt to subvert the
system security policy by presenting their natural biometric characteristics or artefacts holding copied
or faked characteristics. Presentation attacks can occur during enrolment or identification/verification
events. Techniques designed to detect presentation artefacts are generally different from those to detect
attacks where natural characteristics are used. Defence against presentation attacks with natural
characteristics typically relies on the ability of a biometric system to discriminate between genuine
enrolees and attackers based on the differences between their natural biometric characteristics. This
ability is characterized by the biometric recognition performance of the system. Biometric recognition
performance and presentation attack detection have a bearing on the security of biometric systems.
Hence, the evaluation of these aspects of performance from a security viewpoint will become important
considerations for the procurement of biometric products and systems.
Biometric products and systems share many of the properties of other IT products and systems which
are amenable to security evaluation using the ISO/IEC 15408 series and ISO/IEC 18045 in the regular
way. However, biometric systems embody certain functionality that needs specialized evaluation
criteria and methodology which is not addressed by the ISO/IEC 15408 series and ISO/IEC 18045.
Mainly, these relate to the evaluation of biometric recognition and presentation attack detection. These
are the functions addressed in this document.
ISO/IEC 19792 describes these biometric-specific aspects and specifies principles to be considered
during the security evaluation of biometric systems. However, it does not specify the concrete criteria
and methodology that are needed for security evaluation based on the ISO/IEC 15408 series.
The ISO/IEC 19989 series provides a bridge between the evaluation principles for biometric products
and systems defined in ISO/IEC 19792 and the criteria and methodology requirements for security
evaluation based on the ISO/IEC 15408 series. The ISO/IEC 19989 series supplements the ISO/IEC 15408
series and ISO/IEC 18045 by providing extended security functional requirements together with
assurance activities related to these requirements. The extensions to the requirements and assurance
activities found in the ISO/IEC 15408 series and ISO/IEC 18045 relate to the evaluation of biometric
recognition and presentation attack detection which are particular to biometric systems.
This document provides guidance and requirements to the developer and the evaluator for the
supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. It builds on
the general considerations described in ISO/IEC 19792 and the presentation attack detection testing
methodology described in ISO/IEC 30107-3 by providing additional guidance to the evaluator.
In this document, the term "user" is used to mean the term "capture subject" used in biometrics.
© ISO/IEC 2020 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19989-3:2020(E)
Information security — Criteria and methodology for
security evaluation of biometric systems —
Part 3:
Presentation attack detection
1 Scope
For security evaluation of biometric verification systems and biometric identification systems,
this document is dedicated to security evaluation of presentation attack detection applying the
ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator
for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1.
This document is applicable only to TOEs for single biometric characteristic type but for the selection of
a characteristic from multiple characteristics.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-3:2008, Information technology — Security techniques — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 18045:2008, Information technology — Security techniques — Methodology for IT security
evaluation
,
ISO/IEC 19989-1:2020Information Technology — Security techniques — Criteria and methodology for
security evaluation of biometric systems – Part 1: framework
ISO/IEC 30107-3:2017, Information technology — Biometric presentation attack detection — Part 3:
Testing and reporting
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
attack presentation acquisition rate
APAR
proportion of attack presentations using the same PAI species (3.15) from which the data capture
subsystem acquires a biometric sample of sufficient quality
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.5]
© ISO/IEC 2020 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 19989-3:2020(E)

3.2
attack presentation classification error rate
APCER
proportion of attack presentations using the same PAI species (3.15) incorrectly classified as bona fide
presentations (3.5) in a specific scenario
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.1]
3.3
attack presentation non-response rate
APNRR
proportion of attack presentations using the same PAI species (3.15) that cause no response at the PAD
subsystem or data capture subsystem
EXAMPLE A fingerprint system may not register or react to the presentation of a PAI due to the PAI’s lack of
realism.
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.3]
3.4
attack type
element and characteristic of a presentation attack, including PAI species (3.15), concealer or impostor
attack, degree of supervision, and method of interaction with the capture device
[SOURCE: ISO/IEC 30107-3: 2017, 3.1.3]
3.5
bona fide presentation
interaction of the biometric capture subject and the biometric data capture subsystem in the fashion
intended by the policy of the biometric system
Note 1 to entry: Bona fide is analogous to normal or routine, when referring to a bona fide presentation.
Note 2 to entry: Bona fide presentations can include those in which the user has a low level of training or
skill. Bona fide presentations encompass the totality of good-faith presentations to a biometric data capture
subsystem.
[SOURCE: ISO/IEC 30107-3: 2017, 3.1.2]
3.6
bona fide presentation classification error rate
BPCER
proportion of bona fide presentations (3.5) incorrectly classified as presentation attacks in a specific
scenario
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.2]
3.7
bona fide presentation non-response rate
BPNRR
proportion of bona fide presentations (3.5) that cause no response at the PAD subsystem or data capture
subsystem
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.4]
2 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 19989-3:2020(E)

3.8
concealer attack presentation non-identification rate
CAPNIR
proportion of concealer presentation attacks using
the same PAI species (3.15) in which the reference identifier of the concealer is not among the identifiers
returned or, depending on intended use case, in which no identifiers are returned
Note 1 to entry: In a negative identification system, such as a black-list, the concealer can intend that no identifiers
are returned to avoid scrutiny by a human operator.
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.9]
3.9
concealer attack presentation non-match rate
CAPNMR
proportion of concealer attack presentations using
the same PAI species (3.15) in which the reference of the concealer is not matched
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.7]
3.10
false-negative identification-error rate
FNIR
proportion of identification transactions by users enrolled in the system in which the user’s correct
identifier is not among those returned
[SOURCE: ISO/IEC 19795-1:2006, 4.6.8]
3.11
false-positive identification-error rate
FPIR
proportion of identification transactions by users not enrolled in the system, where an identifier is
returned
[SOURCE: ISO/IEC 19795-1:2006, 4.6.9]
3.12
impostor attack presentation identification rate
IAPIR
proportion of impostor attack presentations using
the same PAI species (3.15) in which the targeted reference identifier is among the identifiers returned
or, depending on intended use case, at least one identifier is returned by the system
Note 1 to entry: An attacker can be both an impostor (trying to match an existing non-self enrolee) and a
concealer (obscuring his real biometric sample with a PAI).
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.8]
3.13
impostor attack presentation match rate
IAPMR
proportion of impostor attack presentations using the
same PAI species (3.15) in which the target reference is matched
[SOURCE: ISO/IEC 30107-3: 2017, 3.2.6]
3.14
non-standard PAI
presentation attack instrument (PAI) not corresponding to a standard PAI species (3.18).
© ISO/IEC 2020 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 19989-3:2020(E)

3.15
PAI species
class of presentation attack instruments created using a common production method and based on
different biometric characteristics
EXAMPLE 1 A set of fake fingerprints all made in the same way with the same materials but with different
friction ridge patterns would constitute a PAI species.
EXAMPLE 2 A specific type of alteration made to the fingerprints of several data capture subjects would
constitute a PAI species.
Note 1 to entry: The term “recipe” is often used to refer to how to make a PAI species.
Note 2 to entry: Presentation attack instruments of the same species may have different success rates due to
variability in the production process.
[SOURCE: ISO/IEC 30107-3: 2017, 3.1.6]
3.16
penetration testing
testing used in vulnerability analysis for vulnerability assessment, trying to reveal vulnerabilities of
the TOE based on the information about the TOE gathered during the relevant evaluation activities
Note 1 to entry: In the ISO/IEC 15408 series, this term is used without definition.
3.17
standard PAI
PAI in standard PAI species (3.18)
3.18
standard PAI species
PAI species (3.15) determined and specified as standard by a certification body or a technical community
for the purpose of conducting evaluations
Note 1 to entry: If standard PAI species are not specified, the developer as well as the evaluator prepare non-
standard PAIs (3.14) to use in evaluation activities.
4 Abbreviated terms
ADV security assurance requirement (SAR) class of development
NOTE The class name is defined in ISO/IEC 15408-3. Here, A stands for assurance
requirement, DV for development. The class name is defined in this way in ISO/IEC 15408.
ATE security assurance requirement (SAR) class of tests
AVA security assurance requirement (SAR) class of vulnerability assessment
AVA_VAN security assurance requirement (SAR) family for vulnerability analysis in class AVA
FMR false match rate
FNIR false-negative identification-error rate
FNMR false non-match rate
FPIR false-positive identification-error rate
FTAR failure to acquire rate
FTER failure to enrol rate
4 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 19989-3:2020(E)

PAD presentation attack detectioin
PAI presentation attack instrument
PP protection profile
SFR security functional requirement
ST security target
TOE target of evaluation
5 General remark
In addition to the requirements and recommendations provided in this document, those in
ISO/IEC 15408-3 and ISO/IEC 18045 shall be applied.
The definition of authentication is available in ISO/IEC 2382.
The definitions of biometric (adjective), biometric capture, biometric capture device, biometric
characteristic, biometric concealer, biometric enrolment, biometric identification, biometric impostor,
biometric recognition, biometric system, biometric verification, comparison, enrol, failure-to-acquire
rate, failure-to-enrol rate, false match rate, false non-match rate, identify and threshold (noun) are
available in ISO/IEC 2382-37.
NOTE 1 In this document, the expression "capture device" is sometimes used instead of "biometric capture
device".
NOTE 2 In this document, the expression "concealer" is sometimes used instead of "biometric concealer".
NOTE 3 In this document, the expression "enrolment" is sometimes used instead of "biometric enrolment".
NOTE 4 In this document, the expression "impostor" is sometimes used instead of "biometric impostor".
The definition of assurance, attack potential, class, component, confirm, delivery, describe, determine,
developer, development, ensure, evaluation, family, Protection Profile, Security Target, target of
evaluation and vulnerability are available in ISO/IEC 15408-1.
The definitions of activity, methodology and report are available in ISO/IEC 18045:2008.
The definitions of presentation attack, presentation attack detection and presentation attack
instrument are available in ISO/IEC 30107-1.
6 Overview of PAD testing in Class ATE and Class AVA
6.1 Objectives and principles
6.1.1 Class ATE
The activities in Class ATE focus on the question whether the provided PAD mechanisms work as
specified. Functional testing can demonstrate the existence of PAD vulnerabilities in the TOE (i.e. non-
zero error rates) but it cannot prove that no vulnerabilities exist.
Functional testing of the effectiveness of the PAD capability of the TOE is done by measuring the
successes and failures of detection by the TOE of PAIs using a statistically based test methodology (i.e.
the measurement of PAD success and error rates), in order to demonstrate that PAD capability exists
and that the PAD error rates meet the specification in the ATE_FUN documentation. ATE_IND may or
may not include statistical testing depending on the evaluation context.
© ISO/IEC 2020 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 19989-3:2020(E)

Note that the functional testing described in this document is distinct from the functional testing
of biometric recognition performance using the natural biometric characteristics of test subjects
described in ISO/IEC 19989-2 following intended use of the TOE.
6.1.2 Class AVA
Class AVA evaluation includes penetration testing activities. Penetration testing involves investigating
the potential vulnerabilities of a TOE to presentation attacks which may not have been uncovered
by previous functional testing (class ATE). This can include standard PAIs and variants of standard
PAIs used in functional testing, and new PAIs which are created to expose possible PAD weaknesses
in the capture hardware or software algorithms used, for example, in signal processing and biometric
comparison. Penetration testing does not involve the statistical testing approach used for functional
testing (class ATE).
Note that testing with PAIs is subject to presentation variability and PAI preparation variability.
Testing should be continued until an appropriate level of confidence in the results of the test is achieved
corresponding to the level of the assurance family AVA_VAN specified in the ST of the TOE.
6.2 PAIs used in testing activities
6.2.1 Class ATE
Standard PAIs shall be prepared and used in accordance with specifications and instructions, if
provided. Standard PAIs may be supplied to the developer and the evaluator by the certification
body or a technical community, or prepared by the developer and the evaluator in accordance with
specifications and instructions of the standard PAI species. If standard PAIs are not provided, then non-
standards PAIs shall be constructed and used by the developer and the evaluator.
NOTE The use of natural biometrics as PAI is included in testing activities if SFR(s) such as FPT_BCP.1, FIA_
EBR.1, FIA_BVR.4 and FIA_BID.4 specified in ISO/IEC 19989-1 are selected in the ST. Even if those SFRs are not
selected, natural biometric PAIs can be part of the standard PAIs. As described in ISO/IEC 19989-1:2020, 6.4.2.1,
7.5.1.1, 7.5.6.1, and 7.5.10.1, natural biometric PAIs include natural biometric characteristics presented with
movements, rotations, or distances against the specification of the capture device. This also applies to Class AVA.
If standard PAIs are not provided, non-standard PAIs shall be prepared by the developer and supplied
to the evaluator by the developer.
The PAIs used by the evaluator for ATE vary with the information available to the evaluator because it
is one of the key factors of the determination of the PAIs used by the evaluator. By default, the evaluator
should rely on the standard PAI species. Additionally, the evaluator should rely on state-of-the-art
attack information to determine whether the PAIs used for the functional testing are representative of
the PAIs that can be used on the TOE by attackers.
6.2.2 Class AVA
Non-standard PAIs shall be created and used by the evaluator in penetration testing.
6.3 Testing activities
6.3.1 Class ATE
It is the objective of any functional testing activity conducted in Class ATE to determine whether the
PAD mechanism is able to detect PAIs with sufficient reliability. In ATE_FUN.1 and ATE_FUN.2, the
developer shall conduct functional testing using standard PAIs at least or non-standard PAIs depending
on whether standard PAI species are provided or not. The developer may prepare non-standard PAIs to
conduct additional functional testing which gives information on the nature of the PAIs the evaluator
should focus on in order to reduce the evaluator’s evaluation activities.
6 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 19989-3:2020(E)

The evaluator shall conduct independent testing using PAIs selected from standard PAIs, if standard
PAI species are provided, or non-standard PAIs.
The values for maximum error rates to be validated in the evaluation are specified in the TOE ATE_FUN
documentation and the implications of the values to the test sizes are further discussed in 6.3.
The error rates shall be reported independently for each PAI species tested. The maximum error rate of
all PAI species tested is the main indicator on how well the TOE performs in detecting given PAI species.
NOTE ADV documents are disclosed only to the evaluator and the certification body while the ST is
publicized when the TOE is certified.
6.3.2 Class AVA
Functional testing clearly does not provide any information on the PAD effectiveness against untested
PAI species. It falls to the vulnerability assessment to evaluate whether the use of additional PAIs that
have not been part of the standard PAI species or variations of PAIs from the standard PAI species can
lead to exploitable vulnerabilities.
During the vulnerability analysis, the evaluator should use information and knowledge gained during
the evaluation of the other assurance classes for penetration testing. Any information found in the
previous evaluation activities shall be made available as input to the activities for the AVA evaluation
activities described in this document.
Penetration testing depends on the evaluator’s expertise, skill, and knowledge on potential PAD
vulnerabilities, such as identification of possible areas of weakness, iteratively p
...