Testing and evaluation of biometric technology is essential

Testing and evaluation of biometric technology is not speed-dating, it is a long-term relationship.

Testing biometrics isn’t optional, it’s essential. With growing adoption of biometrics in critical applications, the Biometrics Institute recently emphasised the vital role of comprehensive testing across every stage of development and implementation.

The race is on, and it is a continuous catch-up. This urgent message stemmed from the Institute’s recent “On the Pulse Conversation,” an online event convening representatives from 27 countries, primarily government representatives, to discuss why not testing biometrics can lead to costly mistakes.

“Testing upholds the Third Law of Biometrics, which requires understanding your algorithm and system,” said Isabelle Moeller, CEO, Biometrics Institute. “Fortunately, cutting-edge laboratories are actively testing biometric applications, and this event offered unparalleled access to their expertise.”

In 2010, the Biometrics Vulnerability Assessment Expert Group (BVAEG) was formed to raise awareness of biometric vulnerabilities, develop a common assessment methodology, and align findings with international standards. Fourteen years later, in the trusted environment provided by the Institute, the BVAEG discussed what vulnerabilities exist in biometrics, how much of a risk morphs and deepfakes are, and where they occur.

In a deepfake attack, an attacker mimics a targeted individual in order to attack a biometric system. The attack can target the sensor of the device, or even bypass the biometric sensor in what is called an injection attack. Biometric solutions address this through layers of security that include deepfake detection, liveness detection, challenge-response and securing the pipeline for transmitting the data. More testing is needed to ensure these solutions perform effectively.

Biometric systems are complex, and continuous testing is essential to ensure resilience, user-friendliness and security. The absence of comprehensive testing can lead to vulnerabilities, decreased performance, and a failure to meet user expectations.

Biometric testing key takeaways:

  • End-to-end and life-cycle testing is essential: No stage can be overlooked, from design to deployment and ongoing monitoring
  • Live or supervised photo capture is crucial: This safeguards against spoofing and injection attacks, especially for secure credential use cases. Consider a multi-factor approach combining supervised capture with advanced detection technologies
  • Deepfakes pose a rising threat: Their sophistication demands ongoing advancements in detection capabilities
  • Injection attacks present unique challenges: While harder to initiate, injection attacks are more difficult to detect than presentation attacks once a deepfake has been injected
  • Cloud-based biometrics require novel testing methods: This evolving area needs further exploration and standardised approaches
  • Remote identity proofing is a complex and challenging process: Approaches for comprehensive evaluation to ensure reliability are emerging for remote identity proofing
  • Testing is a critical tool that transforms the unknown: Through consistent and continuous evaluation, organisations can adapt and evolve their biometric systems to respond to new challenges and advancements. This can improve system integrity, build trust and strengthen organisational reputation

The event featured walkthroughs of several testing laboratories and updates from standards and research organisations, including presentations by:

Moeller concluded: “Significant effort goes into developing and evaluating this technology, and we’ve seen notable improvements. However, new challenges like deepfakes and cloud-based applications require constant vigilance and innovation. This is a journey, not a destination, and we must work together to ensure responsible, ethical and effective biometric implementation.”

The BVAEG will meet again in a workshop on Vulnerability Testing on 21 October 2024 in London, alongside the Biometrics Institute Congress. FIDO is preparing to release a certification programme that will help tackle the remote identity proofing challenge by prioritising both user experience and security. The Institute is also working on an executive briefing document entitled Biometric vulnerabilities in digital identity – executive briefing, which will be released in the coming months. For more information on the Three Laws of Biometrics and other good practice resources, visit the Biometrics Institute website.