Biometrics

Biometric IT security standards are published by ISO and IEC. They cover Security evaluation of biometrics, Authentication context for biometrics, and Biometric information protection.

ISO/IEC 19792:2025

Information security, cybersecurity and privacy protection - General principles, requirements and guidance for security evaluation of biometric systems

This document specifies general principles, requirements and guidance for the security evaluation of a biometric system. It gives an overview of the main biometric-specific aspects, i.e. recognition performance, presentation attack detection and privacy, and specifies the principles to consider when evaluating the security of a biometric system. It does not address the non-biometric aspects that can form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).

ISO/IEC 24761:2019

Information technology - Security techniques - Authentication context for biometrics

This document defines the structure and data elements of Authentication Context for Biometrics (ACBio), which is used to check the validity of the result of a biometric enrolment or verification process executed at a remote site. It allows an ACBio instance to accompany any biometric process related to enrolment and verification. The specification of ACBio applies not only to single-modal biometric enrolment and verification but also to multimodal fusion. Real-time presentation attack detection (PAD) information is not provided in this document; only assurance information about the PAD mechanism can be contained in the biometric processing unit (BPU) report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance, which is defined using a data structure specified in the Cryptographic Message Syntax (CMS) schema, whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant and validator; its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

ISO/IEC 24745:2022

Information security, cybersecurity and privacy protection - Biometric information protection

This document covers the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. It also provides requirements and recommendations for the secure and privacy-compliant management and processing of biometric information. This document specifies the following:

- analysis of the threats to and countermeasures inherent to biometrics and biometric system application models;
- security requirements for securely binding between a biometric reference (BR) and an identity reference (IR);
- biometric system application models with different scenarios for the storage and comparison of BRs;
- guidance on the protection of an individual's privacy during the processing of biometric information.

This document does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.