biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

Comments on Mobile Device Biometric System Use Case document #30

Closed BrJu closed 1 year ago

BrJu commented 7 years ago

Those comments relate to this doc from @woodbe and @n-kai.

Background:

Use cases

Use case 6: Where data are sent to another device/server. Mobile device here mainly as sensor + PAD (possibly) + communication engine. Generally for more sensitive applications where you do not trust the device for the decision, which would imply higher security requirements

n-kai commented 7 years ago

The following are my personal opinion.

• Am I correct when seeing use case 1 as the only one related to MDF PP? Bio cPP for use case 1 should be related or harmonized with MDF PP as much as possible so that both Bio and mobile evaluation can be conducted at once without any overlap. However, the content of mobile bio cPP for use case 1 and use case 2 should be the same as much as possible.

• Between use case 1 (no lab testing) and use case 2 (independent testing), how would we define the category of mobile biometric system for which the requirement is for the lab to only repeat vendor testing?

This should be discussed later, when we develop the SFR and assurance activity. However I have the following initial idea.

Use case 1: Evaluator does not need to conduct independent testing for estimating performance (FAR/FRR); however, she shall look at the developer’s performance test documents (e.g. test plan and test report) to make sure their documents meet pre-defined requirements such as the ones defined in ISO/IEC 19795-1, so that she can assume that the developer conducted reliable performance testing at the documentation level.

Use case 2: Evaluator shall conduct independent testing for estimating performance (FTE/FAR/FRR) in addition to examining the developer’s performance test documents. She needs to gather, for example, 100 test subjects and conduct performance testing with support from the developer. The developer should make sure that her performance testing is done in the same way as the developer did for their internal performance testing. She should also repeat the developer's performance test, mixing the data of developer and evaluator.

• I see, following my comment on background, at least one additional use case. In this use case 6, is the "larger biometrics system" out of scope of the TOE?
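The comment above distinguishes use case 1 (document review only) from use case 2 (independent performance testing, possibly with developer and evaluator data mixed). As an added illustration, not code from the cPP-biometrics project or from any commenter, the script below computes the three figures named there (FTE, FAR, FRR) from constructed trial records, using the definitions in ISO/IEC 19795-1: FTE is the share of subjects who could not be enrolled, FAR the share of impostor attempts accepted, FRR the share of genuine attempts rejected. The `Trial` record format, the scores, the 0.70 threshold and the treatment of "mixing the data" as simple concatenation of the two trial sets are all assumptions made for the example.

```python
"""Added example: FTE / FAR / FRR from constructed trial data.

Not part of the cPP-biometrics project. The record format, scores and
threshold are constructed; "mixing" developer and evaluator data is taken
to mean pooling the two trial sets before recomputing the rates.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Trial:
    """One verification attempt (constructed record format)."""
    subject: str   # identity of the person presenting the sample
    claimed: str   # identity claimed for the comparison
    score: float   # similarity score; higher means more alike

    @property
    def genuine(self) -> bool:
        # A genuine attempt is one where the presenter is who they claim to be.
        return self.subject == self.claimed


def failure_to_enrol(outcomes: Dict[str, bool]) -> float:
    """FTE: subjects who attempted enrolment but could not be enrolled."""
    if not outcomes:
        raise ValueError("no enrolment attempts recorded")
    failed = sum(1 for enrolled in outcomes.values() if not enrolled)
    return failed / len(outcomes)


def error_rates(trials: Sequence[Trial], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a given decision threshold.

    FAR = impostor attempts accepted / impostor attempts
    FRR = genuine attempts rejected  / genuine attempts
    """
    genuine = [t for t in trials if t.genuine]
    impostor = [t for t in trials if not t.genuine]
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor attempts")
    far = sum(1 for t in impostor if t.score >= threshold) / len(impostor)
    frr = sum(1 for t in genuine if t.score < threshold) / len(genuine)
    return far, frr


# Constructed sample data: four subjects, one of whom could not enrol.
ENROLMENT = {"s01": True, "s02": True, "s03": False, "s04": True}

# Constructed developer-run trials: three genuine, three impostor attempts.
DEVELOPER_TRIALS = [
    Trial("s01", "s01", 0.91), Trial("s02", "s02", 0.88), Trial("s04", "s04", 0.62),
    Trial("s01", "s02", 0.31), Trial("s02", "s04", 0.44), Trial("s04", "s01", 0.12),
]
# Constructed evaluator-run trials with the same subjects and protocol.
EVALUATOR_TRIALS = [
    Trial("s01", "s01", 0.95), Trial("s02", "s02", 0.55), Trial("s04", "s04", 0.80),
    Trial("s01", "s04", 0.20), Trial("s04", "s02", 0.75), Trial("s02", "s01", 0.71),
]
THRESHOLD = 0.70  # constructed operating point


def report(threshold: float = THRESHOLD) -> Dict[str, Dict[str, float]]:
    """FAR/FRR for developer data, evaluator data, and the pooled set."""
    out: Dict[str, Dict[str, float]] = {}
    for name, trials in (("developer", DEVELOPER_TRIALS),
                         ("evaluator", EVALUATOR_TRIALS),
                         ("mixed", DEVELOPER_TRIALS + EVALUATOR_TRIALS)):
        far, frr = error_rates(trials, threshold)
        out[name] = {"far": far, "frr": frr}
    return out


if __name__ == "__main__":
    print("FTE", round(failure_to_enrol(ENROLMENT), 3))
    for name, figures in report().items():
        print(name, {k: round(v, 3) for k, v in figures.items()})
```

With these constructed numbers the developer's own trials show no false accepts at the chosen threshold, the evaluator's trials show a higher FAR, and the pooled set lands in between, which is the kind of discrepancy the independent test in use case 2 is meant to surface.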

woodbe commented 7 years ago

@BrJu related to Use Case 6

For the mobile device systems I'm familiar with this use case isn't possible for modalities that are built into the device. I'll use Samsung as the example (since I'm familiar with it, but as far as I know Apple is the same and Android pushes this overall, so I wouldn't expect say LG to be different). For any built-in biometric (so for me that would be fingerprint and iris on the S8, I'm not going to talk about face as it currently works), the "image" taken for the sample is contained within the trusted environment (i.e. the TEE for Android, Secure Enclave for iOS) and cannot be exported from there. This is a specific design of the systems since they are commercial and geared to the use of end users (who in general probably don't want to send their biometrics to someone else).

So for a Samsung device, there is no API or programmatic way you could use the fingerprint sensor and have that information exported outside of the TEE (at least not without some sort of root-level hack that would break your security model for the device). The same would go for the iris.

Now if you did something like voice using an external app (since there is no built-in voice) or some sort of camera-based thing, again with an external app, then you could do whatever you want with the data, but using the direct, built-in sensors and exporting the data from them is not possible (and probably not desirable, either, since it would open up to the possibility of capturing the data directly for not-so-nice purposes).

BrJu commented 7 years ago

@n-kai -- to answer your question. Yes or no. Both options are possible. However, for the focus on mobile device use cases, we can assume that the remote part is outside the TOE.

@woodbe -- sure I agree this is not always possible or desirable, but still it exists and is required by some service providers.

BrJu commented 7 years ago

The suggested use case 6 will be added to the list (@Brju) and we will have to check whether SFRs cover the use case.

woodbe commented 7 years ago

@BrJu I can agree with this on the proposition of a different use case (i.e. 6, not 1 or 2). I have seen products doing this (quite cool, I thought, too).

woodbe commented 1 year ago

Closing based on agreement