biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

NIST 800-63B PAD verification? #406

Closed woodbe closed 1 year ago

woodbe commented 1 year ago

https://github.com/biometricITC/cPP-biometrics/issues/401#issuecomment-1402154234

Section - 5.2.3

Page - 33

Line - 1283-1289

Comment

What are the expectations for proof on PAD (beyond the 90% success at detection)? Self-attest or validated?

Suggested Change

gfiumara commented 1 year ago

This may be related to Comment 2 on #408. Perhaps we suggest in part A a requirement to evaluate biometric systems against published standards, like ours, which may answer the expectations for proof of PAD performance.

woodbe commented 1 year ago

@n-kai will review the ISO document and update this with a possible suggestion (or a recommendation to drop the comment).

n-kai commented 1 year ago

@woodbe, I want to suggest the below based on the above comment from @gfiumara.

Could you also close #410 if this comment is acceptable? #410 is merged into the comment below.

Section - 5.2.3

Page - 33

Line 1287 - 1288

Comment

Clause 12 of [ISO/IEC30107-3:2017] mainly defines metrics (e.g., IAPAR) that should be reported for the performance testing of PAD but provides little information about how to perform “Testing of presentation attack resistance”.

Clause 9 of [ISO/IEC30107-3:2017] requires reporting how the PAIs (e.g., fake fingerprints) are created; however, this standard doesn’t say anything about how the PAIs should be created (e.g., material or tools used for the creation of PAIs).

Primitive PAIs can be created easily, but such PAIs are simply rejected by data capture or quality check before reaching the PAD subsystem. That is the reason why the Biometrics Security iTC developed the various recipes for the creation of useful PAIs to conduct meaningful PAD testing.

[ISO/IEC30107-3] doesn’t specify who should perform the PAD testing. The Biometrics Security iTC recommends that the testing should be done by the evaluation labs to confirm that the devices have adequate presentation attack resistance, because it may be difficult for non-biometric experts to make this judgement.

[ISO/IEC30107-3:2017] has been revised by [ISO/IEC 30107-3:2023], and Clause 12 of [ISO/IEC 30107-3:2017] has moved to Clause 13 of [ISO/IEC 30107-3:2023].

Suggested Change

Testing of presentation attack resistance SHALL be in accordance with industry standards. Note that industry standards can include ISO/IEC 30107, FIDO, Biometrics Security iTC or similar programs.

woodbe commented 1 year ago

I have updated the sheet, replacing the earlier comment with this one. Check #401 for the latest.