ONR CEN/TS 18099:2025

Biometric data injection attack detection

This document provides an overview of: - Definitions of biometric data injection attacks; - Use cases for injection attacks with biometric data on essential hardware components of biometric systems used for enrollment and verification; - Tools for injection attacks on systems using one or more biometric modalities. This document provides guidance for: - Injection Attack Instrument Detection System (defined in 3.12); - adequate risk mitigation for injection attack tools; - Creation of a test plan for the evaluation of an injection attack detection system (defined in 3.9). Although presentation attack testing is generally outside the scope of this document, the following two characteristics are within the scope of this document: - Presentation attack detection systems that can be used as a mechanism to defend against injection attack instruments and/or as a mechanism to defend against injection attack methods. However, no presentation attack testing will be performed by the laboratory to establish compliance with this document (out of scope); - Reviews of bona fide presentations to verify the evaluation subject's ability to correctly classify legitimate users. The following aspects are outside the scope: - Presentation attack tests (as covered in the ISO/IEC 30107 series standards); - Biometric attacks not classified as Type 2 attacks (see Figure 1); - Evaluate the implementation of cryptographic mechanisms such as security elements; - Injection attack instruments rejected due to quality issues.