biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

Comments on NIST 800-63A #408

Closed n-kai closed 1 year ago

n-kai commented 1 year ago

Sorry but I am not sure if this topic was discussed at the last meeting.

NIST is requesting to review the draft NIST 800-63A (*1) on the following topics for Identity Proofing and Enrollment (See L199-203)

• Are current testing programs for liveness detection and presentation attack detection sufficient for evaluating the performance of implementations and technologies?
• What impacts would the proposed biometric performance requirements for identity proofing have on real-world implementations of biometric technologies?

So it seems that NIST wants to see comments on "5.1.8. Requirements for Use of Biometrics". We can make, for example, following comments to promote our activities.

[Comment 1] The CSP can rely on the mobile device biometric verification instead of doing it by itself. For example, L483-486 can be extended when the CSP uses biometrics (of course the CSP needs to develop an app to make sure that the applicant finishes the biometric verification before providing the code, but the cost of app development is much cheaper than developing the biometric verification system in the CSP).

c) The CSP sends an enrollment code to the validated phone number of the applicant, the applicant provides the enrollment code to the CSP after finishing the biometric verification by the mobile device, and the CSP confirms they match, verifying that the applicant is in possession and control of the validated phone number.

[Comment 2] We can make comments on those requirements in 5.1.8, for example...

_6. CSPs SHALL have all biometric algorithms tested by an independent entity (e.g., accredited laboratory or research institution) for performance, including performance across demographic groups._

  1. _Testing of all algorithms SHALL be consistent with published ISO/IEC standards for the given modality._

NIST should define minimum requirements to conduct performance testing. Results of testing may be useless if there are no such requirements (for example, a lab may test the biometrics using only 10 volunteers with many attempts from the same volunteer). I don't know the ISO/IEC standards that specify such a minimum number (maybe in 19795-9? but this is not an IS but a TS), but [BIOSD] may be a useful document to refer to for the testing.

*1) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63A-4.ipd.pdf

gfiumara commented 1 year ago

The "Notes to Reviewers" is the same for each of the 3 documents (a little confusing). But, making comments on Part A is still perfectly valid.

Comment 1: I think in the example they are showing, they're trying to confirm that the phone number provided by the user is controlled by the user, so doing a biometric check here seems above and beyond.

Comment 2: What if instead we say that algorithms and systems shall be tested against industry standards such as BIO-iTC cPP, FIDO, etc.? We technically don't provide specifications on algorithms, but rather, closed systems. Maybe this is a larger comment about the testing of systems vs. algorithms.

woodbe commented 1 year ago

Comment: The requirement that only ISO/IEC is acceptable as a standard is limiting as several industry groups are working on implementing biometric and PAD performance testing, many based on the ISO requirements. These should be accepted as valid systems for testing.

Note that industry standards can include ISO/IEC, FIDO, Biometrics Security iTC or similar programs. NIST should specify minimum requirements to conduct performance testing that would then set a minimum standard for expectations of this type of testing.

Suggestion:

  1. Testing of all algorithms and systems SHALL be consistent with published industry standards for the given modality.

woodbe commented 1 year ago

drop the first comment per @n-kai