International biometrics standards development focus turns to PAD
Several new publications and events in 2022 advanced the gradually building body of international standards for biometrics.
As that standardization work continues, so do efforts to communicate those standards to the community, Dr. Christoph Busch of Hochschule Darmstadt and ATHENE (National Research Center for Applied Cybersecurity) tells Biometric Update in an interview.
The forthcoming update to the ‘Handbook of Biometric Anti-Spoofing’ will feature a chapter on ‘Standards for Biometric Presentation Attack Detection,’ written by Busch. He also contributes to the formation and dissemination of standards in several ways.
There are ISO/IEC biometrics standards for harmonized definitions, data interchange format, interoperability, testing and reporting, and now presentation attack detection.
The standards are then instantiated in specifications like ICAO’s biometric passport standard (9303).
Busch is convener of the working group on Biometric Data Interchange Formats within ISO/IEC Sub-Committee 37 of the Joint Technical Committee (JTC 1) and various other groups. Particularly active of late among those efforts are work on PAD standardization. Busch says the ISO/IEC 30107 framework revision is close to publication, which may come as soon as January. He describes this as the “top current activity” in the field, and highly relevant for uncontrolled biometrics capture scenarios.
While metrics like false match rate and false non-match rate apply to accuracy of algorithms, the PAD metrics in 30107-3 “determine the robustness of a capture device against attacks.”
Biometric capture systems use a cameras RGB signal often, but if robust PAD is needed, other sensors and signals need to be considered, and algorithms applied, Busch says.
Algorithms are never specified in biometrics standards, however, except in the case of sample quality.
“We have the objective of the recognition accuracy of a biometric system,” Busch explains. “We define metrics, and then we have a framework to certify that a system has a certain accuracy.”
The 29794-4 standard, which could be considered an ISO equivalent to NFIQ, is also currently being revised, with an update likely next year, according to Busch.
Standardization bodies and process
Biometrics standards endorsed by ISO and IEC are largely developed by JTC1 SC37. Industry, academic and research, and government groups are represented within SC37, and join through their national standards bodies.
National standards bodies are typically independent, Busch explains. They cover everything from biometrics to electrical cables.
Government ministries are represented as members, along with businesses, academics and researchers like Busch, and operators, who may for instance by a police department.
“Pragmatically everyone who is interested in the standardization process is welcome” in biometrics, Busch says. “Everyone who has a contribution and wants to join can join.”
He is also on IT security mirror committee in German association, which meets twice yearly on topics like “post-quantum crypto.” The membership process there is different and more formal, he says.
Once a member of their national mirror committee, individuals can join SC37.
The 20th anniversary of the group is coming up, and will be observed at a meeting in Talinn, Estonia. The group is not as large as it was when founded, but could grow again in membership, Busch observes.
“We were in the spirit of ‘in the future we will all have passports with biometric data inside.’ Everyone was excited, and we had a very large number of participants.”
Membership interest and numbers could be boosted once again by rollouts of digital identity wallets and other large-scale developments.
“At the end this increase of participation is a consequence of the pull of the market by facing new applications,” Busch says. “So, the more trustworthy transactions you have, the more you need these biometric mechanisms.”
With remote biometrics on the rise for online exams, interactions with administration, record keeping and other use cases, interest is bound to increase.
There remains significant “wider potential for these unsupervised biometric technologies,” Busch points out. “The world of a capture device and an attendant that controls it you’re not fooling and there’s no need to further standardize anything. But for the unsupervised activities, low-cost, unsupervised operation of capture devices, I think this is still relevant.”
No standards police
The role of standardization bodies like ISO includes providing mature testing methodology, but does not extend to policing the application of that methodology, Busch points out.
When asked about suggestions from vendors and others in the biometrics community that the value of tests for conformance to the standards is misunderstood, Busch accepts the premise. Labs that test for the standards are not all equal, he warns.
“We cannot go around the world and check which entity claims to know the standard and claims to run a test conformant to the standard,” Busch says. “I’m aware that some entities do this. Some of these entities have never participated in any standards. They may have not even really understood what the standard is about.”
There is no ready mechanism to resolve this situation. Busch recommends relying on the government authorities that authorize labs for their endorsement.
The role of the EAB
This is also where the European Association for Biometrics (EAB) and other industry organizations come in.
Raising awareness of what the standards are and what they mean is one of the goals of EAB events like the 2020 edition of the EAB’s Research Projects Conference, which brought together biometrics standards editors just following the completion of the interchange format publication. These kinds of events facilitate communications from standardization bodies to the community.
The organization also helps collect information from researchers and operators in the community to go into standards in development, “so it’s both ways.”
The EAB disseminates those standards that are ready, and contributes to those in development.
Lately, focusses of the latter activities are the work on morphing attack detection and on face image quality, which is currently at the working draft stage.
“The question is which methodology should go into this standard to make the standard mature and a very good standard,” Busch explains. “And EAB is trying through its activities to collect this type of information.”
EAB is also a partner in the iMARS research project.
Busch urges people working in the field of biometrics to engage with groups like the EAB through their events, newsletters and projects. He also encourages them to reach out to their national standards bodies and participate in the ongoing process of drafting, providing feedback on, and updating technical standards.
The ecosystem is strong, though small, Busch says, noting; “quantity does not count.”
Visit Biometric Update regularly for news about technical biometrics standards development and implementation over the year ahead. It promises to be another busy one.