IAPAR defined in SFR

[woodbe]

As we have been adding/adjusting the FAR/FRR claims to be more explicit, I am thinking we should probably do the same for the MBE/MBV_EXT.3 requirements.

FIDO uses the IAPAR (Impostor Attack Presentation Accept Rate) from ISO-30107-3 (we have part 1 listed in the PPM and part 3 in the SD) and they specify a limit of 7% (though in the upcoming version they will actually relax that some to 15% as the minimum to pass with an option to get to 7% and have it listed on the certificate).

Given that we have set a lower acceptable boundary for the FAR/FRR values, it would seem that we need to do so here as well. This would entail rewriting the SFRs though I do not think the SD will need much change.

So one question is what should the minimum be? I would vote for the 15% as the highest failure rate that is allowed. I don't know if we also need to specify confidence intervals here as well (given what this testing is, I'm not sure that is applicable).

[n-kai]

30107 doesn't require to specify confidence intervals but define the following. 30107-3 Biometric presentation attack detection — Part 3: Testing and reporting Require to report sample size and error rate for each PAI series without confidence interval 30107-4 Biometric presentation attack detection — Part 4: Profile for testing of mobile devices Define minimum number of PAI series etc for mobile biometrics PAD testing

Android guidance *1) specifies the max SAR (Spoof Accept Rate) that is equivalent to IAPAR for Class 2 (weak : 7-20%) and Class 3 (strong : 0-7%) devices. It doesn't specify the max SAR for Class 3 (Convenience) however, Class 3 device MUST disclose that this mode may be less secure than a strong PIN, pattern, or password and clearly enumerate the risks of enabling it, if the spoof and imposter acceptance rates are higher than 7% as measured by the Android Biometrics Test Protocols 2)

1) https://source.android.com/compatibility/11/android-11-cdd#7_3_sensors 2) https://source.android.com/security/biometric/measure

BIOSD was developed mainly based on Android guidance but I don't know which standard or guidance we should follow.

[woodbe]

Since PAD is optional here, I don't think we need to worry about the Class 1, since if the IAPAR/SAR is that poor, they probably wouldn't try to add those claims. So I think we are OK specifying something more more restrictive. So the markers for Android and FIDO sort of match (which is probably why FIDO has been updating to make those changes as well). If we specify something like 15% or lower, then we would match with FIDO and be slightly more strict than Google (which they are likely not going to complain about).

So it would seem then that we should update the SFRs to include a max-allowed rate. I think IAPAR is the term used by ISO, so I would think that is what we should use (so we are referencing ISO and not Google).