ISO/IEC 19989-3:2020

INTERNATIONAL ISO/IEC
STANDARD 19989-3
First edition
2020-09
Information security — Criteria and
methodology for security evaluation
of biometric systems —
Part 3:
Presentation attack detection
Sécurité de l'information — Critères et méthodologie pour
l'évaluation de la sécurité des systèmes biométriques —
Partie 3: Détection d'attaque de présentation
Reference number
ISO/IEC 19989-3:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC 19989-3:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Abbreviated terms .............................................................................................................................................................................................. 4

5 General remark ...................................................................................................................................................................................................... 5

6 Overview of PAD testing in Class ATE and Class AVA ....................................................................................................... 5

6.1 Objectives and principles ............................................................................................................................................................... 5

6.1.1 Class ATE................................................................................................................................................................................. 5

6.1.2 Class AVA ................................................................................................................................................................................. 6

6.2 PAIs used in testing activities ..................................................................................................................................................... 6

6.2.1 Class ATE................................................................................................................................................................................. 6

6.2.2 Class AVA ................................................................................................................................................................................. 6

6.3 Testing activities .................................................................................................................................................................................... 6

6.3.1 Class ATE................................................................................................................................................................................. 6

6.3.2 Class AVA ................................................................................................................................................................................. 7

6.4 Criteria of pass/failure ..................................................................................................................................................................... 7

7 Supplementary activities to ISO/IEC 18045 on tests (ATE) ..................................................................................... 7

7.1 Testing approach toward PAD .................................................................................................................................................... 7

7.2 Metrics for PAD testing .................................................................................................................................................................... 8

7.2.1 General...................................................................................................................................................................................... 8

7.2.2 Metrics used for PAD subsystem TOEs ......................................................................................................... 9

7.2.3 Metrics used for data capture subsystem TOEs .................................................................................... 9

7.2.4 Metrics used for other TOEs ...............................................................................................................................10

7.3 Minimum test sizes and maximum error rates ........................................................................................................10

8 Supplementary activities to ISO/IEC 18045 on vulnerability assessment (AVA) ...........................11

8.1 Penetration testing using PAI variations .......................................................................................................................11

8.2 Potential vulnerabilities ...............................................................................................................................................................12

8.3 Rating of vulnerabilities and TOE resistance .............................................................................................................12

Annex A (informative) Examples of calculations of attack potential ...............................................................................13

Bibliography .............................................................................................................................................................................................................................18

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

Any trade name used in this document is information given for the convenience of users and does not

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Any feedback or questions on this document should be directed to the user’s national standards body. A

Biometric systems can be vulnerable to presentation attacks where attackers attempt to subvert the

system security policy by presenting their natural biometric characteristics or artefacts holding copied

or faked characteristics. Presentation attacks can occur during enrolment or identification/verification

events. Techniques designed to detect presentation artefacts are generally different from those to detect

attacks where natural characteristics are used. Defence against presentation attacks with natural

characteristics typically relies on the ability of a biometric system to discriminate between genuine

enrolees and attackers based on the differences between their natural biometric characteristics. This

ability is characterized by the biometric recognition performance of the system. Biometric recognition

performance and presentation attack detection have a bearing on the security of biometric systems.

Hence, the evaluation of these aspects of performance from a security viewpoint will become important

Biometric products and systems share many of the properties of other IT products and systems which

are amenable to security evaluation using the ISO/IEC 15408 series and ISO/IEC 18045 in the regular

way. However, biometric systems embody certain functionality that needs specialized evaluation

criteria and methodology which is not addressed by the ISO/IEC 15408 series and ISO/IEC 18045.

Mainly, these relate to the evaluation of biometric recognition and presentation attack detection. These

ISO/IEC 19792 describes these biometric-specific aspects and specifies principles to be considered

during the security evaluation of biometric systems. However, it does not specify the concrete criteria

and methodology that are needed for security evaluation based on the ISO/IEC 15408 series.

The ISO/IEC 19989 series provides a bridge between the evaluation principles for biometric products

and systems defined in ISO/IEC 19792 and the criteria and methodology requirements for security

evaluation based on the ISO/IEC 15408 series. The ISO/IEC 19989 series supplements the ISO/IEC 15408

series and ISO/IEC 18045 by providing extended security functional requirements together with

assurance activities related to these requirements. The extensions to the requirements and assurance

activities found in the ISO/IEC 15408 series and ISO/IEC 18045 relate to the evaluation of biometric

recognition and presentation attack detection which are particular to biometric systems.

This document provides guidance and requirements to the developer and the evaluator for the

supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. It builds on

the general considerations described in ISO/IEC 19792 and the presentation attack detection testing

methodology described in ISO/IEC 30107-3 by providing additional guidance to the evaluator.

In this document, the term "user" is used to mean the term "capture subject" used in biometrics.

For security evaluation of biometric verification systems and biometric identification systems,

this document is dedicated to security evaluation of presentation attack detection applying the

ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator

for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1.

This document is applicable only to TOEs for single biometric characteristic type but for the selection of

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408-3:2008, Information technology — Security techniques — Evaluation criteria for IT

ISO/IEC 18045:2008, Information technology — Security techniques — Methodology for IT security

ISO/IEC 19989-1:2020Information Technology — Security techniques — Criteria and methodology for

ISO/IEC 30107-3:2017, Information technology — Biometric presentation attack detection — Part 3:

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

proportion of attack presentations using the same PAI species (3.15) from which the data capture

proportion of attack presentations using the same PAI species (3.15) incorrectly classified as bona fide

proportion of attack presentations using the same PAI species (3.15) that cause no response at the PAD

EXAMPLE A fingerprint system may not register or react to the presentation of a PAI due to the PAI’s lack of

element and characteristic of a presentation attack, including PAI species (3.15), concealer or impostor

interaction of the biometric capture subject and the biometric data capture subsystem in the fashion

Note 1 to entry: Bona fide is analogous to normal or routine, when referring to a bona fide presentation.

Note 2 to entry: Bona fide presentations can include those in which the user has a low level of training or

skill. Bona fide presentations encompass the totality of good-faith presentations to a biometric data capture

proportion of bona fide presentations (3.5) incorrectly classified as presentation attacks in a specific

proportion of bona fide presentations (3.5) that cause no response at the PAD subsystem or data capture

proportion of concealer presentation attacks using

the same PAI species (3.15) in which the reference identifier of the concealer is not among the identifiers

returned or, depending on intended use case, in which no identifiers are returned

Note 1 to entry: In a negative identification system, such as a black-list, the concealer can intend that no identifiers

proportion of concealer attack presentations using

the same PAI species (3.15) in which the reference of the concealer is not matched

proportion of identification transactions by users enrolled in the system in which the user’s correct

proportion of identification transactions by users not enrolled in the system, where an identifier is

proportion of impostor attack presentations using

the same PAI species (3.15) in which the targeted reference identifier is among the identifiers returned

or, depending on intended use case, at least one identifier is returned by the system

Note 1 to entry: An attacker can be both an impostor (trying to match an existing non-self enrolee) and a

proportion of impostor attack presentations using the

presentation attack instrument (PAI) not corresponding to a standard PAI species (3.18).

class of presentation attack instruments created using a common production method and based on

EXAMPLE 1 A set of fake fingerprints all made in the same way with the same materials but with different

EXAMPLE 2 A specific type of alteration made to the fingerprints of several data capture subjects would

Note 1 to entry: The term “recipe” is often used to refer to how to make a PAI species.

Note 2 to entry: Presentation attack instruments of the same species may have different success rates due to

testing used in vulnerability analysis for vulnerability assessment, trying to reveal vulnerabilities of

the TOE based on the information about the TOE gathered during the relevant evaluation activities

Note 1 to entry: In the ISO/IEC 15408 series, this term is used without definition.

PAI species (3.15) determined and specified as standard by a certification body or a technical community

Note 1 to entry: If standard PAI species are not specified, the developer as well as the evaluator prepare non-

requirement, DV for development. The class name is defined in this way in ISO/IEC 15408.

AVA_VAN security assurance requirement (SAR) family for vulnerability analysis in class AVA

In addition to the requirements and recommendations provided in this document, those in

The definitions of biometric (adjective), biometric capture, biometric capture device, biometric

characteristic, biometric concealer, biometric enrolment, biometric identification, biometric impostor,

biometric recognition, biometric system, biometric verification, comparison, enrol, failure-to-acquire

rate, failure-to-enrol rate, false match rate, false non-match rate, identify and threshold (noun) are

NOTE 1 In this document, the expression "capture device" is sometimes used instead of "biometric capture

NOTE 2 In this document, the expression "concealer" is sometimes used instead of "biometric concealer".

NOTE 3 In this document, the expression "enrolment" is sometimes used instead of "biometric enrolment".

NOTE 4 In this document, the expression "impostor" is sometimes used instead of "biometric impostor".

The definition of assurance, attack potential, class, component, confirm, delivery, describe, determine,

developer, development, ensure, evaluation, family, Protection Profile, Security Target, target of

The definitions of activity, methodology and report are available in ISO/IEC 18045:2008.

The definitions of presentation attack, presentation attack detection and presentation attack

The activities in Class ATE focus on the question whether the provided PAD mechanisms work as

specified. Functional testing can demonstrate the existence of PAD vulnerabilities in the TOE (i.e. non-

Functional testing of the effectiveness of the PAD capability of the TOE is done by measuring the

successes and failures of detection by the TOE of PAIs using a statistically based test methodology (i.e.

the measurement of PAD success and error rates), in order to demonstrate that PAD capability exists

and that the PAD error rates meet the specification in the ATE_FUN documentation. ATE_IND may or

Note that the functional testing described in this document is distinct from the functional testing

of biometric recognition performance using the natural biometric characteristics of test subjects

Class AVA evaluation includes penetration testing activities. Penetration testing involves investigating

the potential vulnerabilities of a TOE to presentation attacks which may not have been uncovered

by previous functional testing (class ATE). This can include standard PAIs and variants of standard

PAIs used in functional testing, and new PAIs which are created to expose possible PAD weaknesses

in the capture hardware or software algorithms used, for example, in signal processing and biometric

comparison. Penetration testing does not involve the statistical testing approach used for functional

Note that testing with PAIs is subject to presentation variability and PAI preparation variability.

Testing should be continued until an appropriate level of confidence in the results of the test is achieved

corresponding to the level of the assurance family AVA_VAN specified in the ST of the TOE.

Standard PAIs shall be prepared and used in accordance with specifications and instructions, if

provided. Standard PAIs may be supplied to the developer and the evaluator by the certification

body or a technical community, or prepared by the developer and the evaluator in accordance with

specifications and instructions of the standard PAI species. If standard PAIs are not provided, then non-

NOTE The use of natural biometrics as PAI is included in testing activities if SFR(s) such as FPT_BCP.1, FIA_

EBR.1, FIA_BVR.4 and FIA_BID.4 specified in ISO/IEC 19989-1 are selected in the ST. Even if those SFRs are not

selected, natural biometric PAIs can be part of the standard PAIs. As described in ISO/IEC 19989-1:2020, 6.4.2.1,

7.5.1.1, 7.5.6.1, and 7.5.10.1, natural biometric PAIs include natural biometric characteristics presented with

movements, rotations, or distances against the specification of the capture device. This also applies to Class AVA.

If standard PAIs are not provided, non-standard PAIs shall be prepared by the developer and supplied

The PAIs used by the evaluator for ATE vary with the information available to the evaluator because it

is one of the key factors of the determination of the PAIs used by the evaluator. By default, the evaluator

should rely on the standard PAI species. Additionally, the evaluator should rely on state-of-the-art

attack information to determine whether the PAIs used for the functional testing are representative of

Non-standard PAIs shall be created and used by the evaluator in penetration testing.

It is the objective of any functional testing activity conducted in Class ATE to determine whether the

PAD mechanism is able to detect PAIs with sufficient reliability. In ATE_FUN.1 and ATE_FUN.2, the

developer shall conduct functional testing using standard PAIs at least or non-standard PAIs depending

on whether standard PAI species are provided or not. The developer may prepare non-standard PAIs to

conduct additional functional testing which gives information on the nature of the PAIs the evaluator

The evaluator shall conduct independent testing using PAIs selected from standard PAIs, if standard

The values for maximum error rates to be validated in the evaluation are specified in the TOE ATE_FUN

documentation and the implications of the values to the test sizes are further discussed in 6.3.

The error rates shall be reported independently for each PAI species tested. The maximum error rate of

all PAI species tested is the main indicator on how well the TOE performs in detecting given PAI species.

NOTE ADV documents are disclosed only to the evaluator and the certification body while the ST is

Functional testing clearly does not provide any information on the PAD effectiveness against untested

PAI species. It falls to the vulnerability assessment to evaluate whether the use of additional PAIs that

have not been part of the standard PAI species or variations of PAIs from the standard PAI species can

During the vulnerability analysis, the evaluator should use information and knowledge gained during

the evaluation of the other assurance classes for penetration testing. Any information found in the

previous evaluation activities shall be made available as input to the activities for the AVA evaluation

Penetration testing depends on the evaluator’s expertise, skill, and knowledge on potential PAD

vulnerabilities, such as identification of possible areas of weakness, iteratively p