The average person has at least 10 password-protected accounts, according to a NordPass survey carried out in the US and UK. Because passwords are difficult to remember, many people use simple ones that are easy to hack.
Two-factor authentication (2FA) is a popular solution, requiring the user to authenticate with both a password and a code sent to a mobile phone. Even more effective and easier to manage is biometric 2FA, which a growing number of organizations are implementing.
Biometric security makes use of our unique physical characteristics and features, such as fingerprints, iris scanning, face and voice recognition. It is widely believed that biometrics will eventually replace passwords altogether.
Biometric security offers a number of benefits. It is not only fast and convenient but also almost impossible to replicate.
But just as passwords can be stolen, fingerprints and other biometric markers are also vulnerable to theft and can be used in so-called ‘presentation attacks’. Unlike passwords, however, they cannot be changed, giving cybercriminals permanent access to any computer or electronic device requiring biometric authentication.
International standards offer guidance based on best practices in industry, including the recently published ISO/IEC 19989 series.
The standard should be used in close conjunction with ISO/IEC 19792, the ISO/IEC 15408 series, and ISO/IEC 18045. The first defines the evaluation principles for biometric products and systems, while the other publications define the criteria and methodology requirements for security evaluation.
ISO/IEC 19989 is in three parts:
- ISO/IEC 19989-1:2020
Information security - Criteria and methodology for security evaluation of biometric systems - Part 1: Framework
This document introduces the general framework for the security evaluation of biometric systems, including extended security functional components and supplementary activities to the methodology, which are additional evaluation activities and guidance/recommendations for an evaluator to handle those activities.
- ISO/IEC 19989-2:2020
Information security - Criteria and methodology for security evaluation of biometric systems - Part 2: Biometric recognition performance
This document is for the security evaluation of biometric verification systems and biometric identification systems. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance.
- ISO/IEC 19989-3:2020
Information security - Criteria and methodology for security evaluation of biometric systems - Part 3: Presentation attack detection
This document is for the security evaluation of biometric verification systems and biometric identification systems. It is dedicated to the security evaluation of presentation attack detection.