Testing for biometric identity verification still maturing

Biometrics testing is a rapidly maturing field, but there is more to effective identity verification than an accurate matching algorithm, Dr. Chris Allgrove, director and co-founder of Ingenium Biometric Laboratories explained during a presentation for the EAB. The Lunch Talk “Exploring the Spectrum of Identity Verification Technology Testing” delved into the standards used in IDV testing and the gaps between them.

Allgrove began by defining identity verification and its primary function of binding an individual and their identity evidence. He reviewed the standards and processes around identity document authentication, and the types of documents that can be used. The differences in the quality of biometric reference images and other data collected can be quite significant, particularly between those documents with embedded machine-readable chips and those which must be captured optically.

He then ran through the remote identity verification process, including checks for biometric data quality and presentation attack detection, the genuineness and integrity of the document, and the biometric match.

Reference images gathered from electronic chips are more consistent in their quality, due to specified minimums for image size and the preservation of image quality from digital transmission, compared to a photo of the document. But Allgrove notes that it is still a single, two-dimensional image, which can pose still pose a challenge for selfie biometric matching.

The ultimate goal of biometrics testing, Allgrove says, is the assessment of risk. The risk could be an inability to accurately and reliably process the document, or to perform the biometric match, each of which raises the risk that the system will not bind the individual to their document, undermining the system’s function.

Allgrove breaks the tests for identity verification systems into functional and security elements of the biometric and document authentication components. Security tests include presentation and injection attacks protection, for both the document and biometric, while functional testing evaluates characteristics like the accuracy of matching and capture reliability.

 

 

Established standards and new guidelines

 

He describes the ISO/IEC 19795 (biometric performance) and ISO/IEC 30107 (PAD) standards as “mature” and “well established,” and says “they work broadly pretty well, they provide a good framework to tell us how we should go about testing. They don’t tell us what to test to, or what the evaluation needs to measure, it tells us how to go about measuring those.”

Following them, he says, establishes a strong foundation of trust.

Allgrove discussed test schemes like those from the FIDO Alliance, the Android compatibility definition document and common criteria biometrics evaluations, and how they support a level playing field for vendors.

The presentation moved on to the measurements used.

Vendors tell Allgrove they are confident in their PAD capabilities, but new holes are appearing in the security landscape even as that one closes.

ISO 19795 defines technology, scenario and operational biometrics testing types, and Allgrove explained how they apply to different areas of identity verification, as well as the three levels of presentation attack species.

There is no standards framework for testing document authentication, however, and national guidelines for conformity assessment are the closest thing available. Performance testing standards for document authentication are on the way, however, Allgrove says, and the FIDO Alliance published a standard for document authentication requirements.

He reviewed the FIDO Alliance’s work on testing, including the new biometrics certification program. FIDO’s document authentication testing requirements define assessment criteria, including document security features, attack vectors and performance measurements. So far, FIDO addresses only optical document capture, but NFC scanning is due to be added in the next update, which could be just weeks away, according to Allgrove. FIDO defines levels of document security and attack instruments.

A practical challenge for document authentication testing, he points out, is that possession of forged ID documents is illegal in many places.

Injection attacks and the deepfakes they deliver are the emerging threat vendors are focused on, Allgrove notes. While deepfakes for documents are still relatively weak, with Allgrove giving the example of an ID document that states someone’s birthday is the 43rd of July, that will change, he says.

As it does, testing will have to change too.

Allgrove recently joined iBeta’s David Yambay and BixeLab’s Ted Dunstone for a Biometric Update webinar on how biometrics testing can help technology developers and their customers. The webinar is available to stream for free on-demand with registration.

National Protective Security Authority (NPSA) Facilitates Inclusion of Biometric Access Control Products in Critical Infrastructure Catalogue

National Protective Security Authority (NPSA) has announced an updated process for companies offering biometric products for physical access control to be featured in the Catalogue of Security Equipment. National Protective Security Authority, formerly the Centre for the Protection of National Infrastructure, is the national technical authority in the United Kingdom for physical and personnel protective security, maintaining expertise in counter terrorism as well as state threats.

The Catalogue of Security Equipment (CSE), maintained by NPSA, serves as a comprehensive repository essential for NPSA partners. NPSA works with partners to target and harden the UK’s economy, infrastructure, industries and crowded places. NPSA undertakes this through campaigns, training, guidance, and advice offering, which includes helping organisations of all sizes and sectors to recognise, identify and mitigate security risks by implementing proportionate and practical protective security measures.  One of the offerings is the assurance of products and the maintenance of the CSE.

NPSA aims to enhance the overall security infrastructure by ensuring that only rigorously tested and approved biometric access control products find their place in the CSE. This initiative not only strengthens the security posture of entities but also fosters innovation and reliability within the biometrics industry.

As part of this initiative, NPSA has outlined a transparent process for vendors seeking inclusion of their biometric access control products in the Catalogue of Security Equipment. Interested companies are required to submit their systems to the NPSA approved test lab for an evaluation against the NPSA test standard.

NPSA’s test standard, titled ‘Biometric Authentication in Automatic Access Control Systems,’ delineates operational requirements, strengths and weaknesses, threats associated with biometric systems, and performance measurements. This standard  encompasses system design and construction, guidance on selecting a biometric modality, and considerations for installation and maintenance. The standard has been specifically crafted for the biometric access control vendor community, addressing both access control and biometric capability aspects, with particular emphasis on security of biometric-enabled AACS systems.

For more information about NPSA and the inclusion process for biometric access control products, please visit:

About National Protective Security Authority (NPSA) 

The UK Government’s National Technical Authority for Physical and Personnel Protective Security. NPSA works with partners in government, police, industry and academia to reduce the vulnerability of the national infrastructure.

U.S. academic institutions get biometric upgrades with new partnerships

ROC to offer in-kind gift of SDK access for staff and students at WVU

A press release says ROC (formerly Rank One Computing), which provides U.S.-made biometrics and computer vision for military, law enforcement and fintech, is enhancing biometric systems engineering exploration at West Virginia University’s Benjamin M. Statler College of Engineering and Mineral Resources, as an in-kind gift to benefit future students.

The gift enables students and faculty in the Lane Department of Computer Science and Electrical Engineering to access ROC’s software development kit (SDK) for research and coursework in computer vision, biometrics, AI and machine learning, data science, cybersecurity and other areas. It has been made through the nonprofit WVU Foundation.

“This partnership will give students valuable, hands-on experience with innovative technologies that are increasingly critical for both government and commercial applications,” says Scott Swann, CEO of ROC. “It goes hand-in-hand with ROC’s mission of promoting homegrown innovation at its core.”

Jeremy Dawson, associate professor in the Lane Department, says ROC’s “cutting-edge recognition software will give students the opportunity to apply these tools in research projects funded by the Center for Identification Technology Research and other agencies. It also provides unique learning and training opportunities that students would not normally receive.”

Per its release, ROC, “the only American-made multimodal biometrics and computer vision provider,” is the NIST’s top ranking global facial recognition provider in combined accuracy and efficiency.

Ingenium Biometrics partnership trained on biometrics research

Ingenium Biometric Laboratories is forming a partnership with the University of Southampton’s School of Electronics and Computer Science (ECS), focused on biometric research projects. It aims to develop further research to support the global biometrics industry and drive innovation to address critical challenges in the field.

Areas of investigation will include demographic bias, deepfake technologies and AI.

“We are thrilled to partner with the University of Southampton’s School of Electronics and Computer Science in our shared pursuit of advancing biometric technologies,” says Chris Allgrove, co-founder at Ingenium Biometric Laboratories. “This collaboration represents a powerful synergy between industry and academia, enabling us to push the boundaries of innovation and develop groundbreaking research and testing capabilities for the biometrics industry.”

Ingenium Biometric Laboratories and University of Southampton announce strategic collaboration in biometric technology research

Ingenium Biometric Laboratories, a leading innovator in biometric technologies research and testing, and the University of Southampton’s School of Electronics and Computer Science (ECS) proudly announce their partnership in biometrics research projects.

This collaboration represents a significant opportunity to develop further research and development capabilities to support the global biometric technology industry. This strategic alliance will leverage the combined expertise and resources of both organisations to drive innovation and address critical challenges in the field of biometrics.

Together, they will focus on exploring the performance and security of biometric technology, including the development of research projects relating to the role of demographic bias, deep fake technologies and artificial intelligence.

“We are thrilled to partner with the University of Southampton’s School of Electronics and Computer Science in our shared pursuit of advancing biometric technologies,” said Chris Allgrove, co-founder at Ingenium Biometric Laboratories. “This collaboration represents a powerful synergy between industry and academia, enabling us to push the boundaries of innovation and develop groundbreaking research and testing capabilities for the biometrics industry.”

Professor of Biometric Technologies Richard Guest, from the School of Electronics and Computer Science, said: “Southampton is at the forefront of pioneering new research for the future of biometrics. Combining our expertise with Ingenium will bring about new opportunities and develop technologies in an industry of national importance for the UK.”

About Ingenium Biometric Laboratories:

Ingenium is a research and innovation laboratory, helping organisations test and trust identity, biometric and age estimation technology, to enable organisations to use them with confidence in their digital and business transformation initiatives. Ingenium is also the UK’s independent biometrics laboratory for the National Protective Security Authority (NPSA) including for critical national infrastructure. 

About University of Southampton’s School of Electronics and Computer Science: 

The University of Southampton’s School of Electronics and Computer Science is a world-renowned hub for research and education in biometrics, computer science, electronics, and related disciplines.  

Testing and evaluation of biometric technology is essential

Testing and evaluation of biometric technology is not speed-dating, it is a long-term relationship.

Testing biometrics isn’t optional, it’s essential. With growing adoption of biometrics in critical applications, the Biometrics Institute recently emphasised the vital role of comprehensive testing across every stage of development and implementation.

The race is on, and it is a continuous catch-up. This urgent message stemmed from the Institute’s recent “On the Pulse Conversation,” an online event convening representatives from 27 countries, primarily government representatives, to discuss why not testing biometrics can lead to costly mistakes.

Testing upholds the Third Law of Biometrics, which requires understanding your algorithm and system,” said Isabelle Moeller, CEO, Biometrics Institute. “Fortunately, cutting-edge laboratories are actively testing biometric applications, and this event offered unparalleled access to their expertise.

In 2010, the Biometrics Vulnerability Assessment Expert Group (BVAEG) was formed to raise awareness of biometric vulnerabilities, develop a common assessment methodology, and align findings with international standards. Fourteen years later, in the trusted environment provided by the Institute, the BVAEG discussed what vulnerabilities exist in biometrics, how much of a risk morphs and deepfakes are, and where they occur.

A deepfake is where an attacker mimics a targeted individual in order to attack a biometric system. This can be an attack on the sensor of the device or even bypass the biometric sensor in what is called an injection attack. Biometric solutions address this through layers of security that include deepfake detection, liveness detection, challenge response and securing the pipeline for transmitting the data. More testing is needed to ensure these solutions perform effectively.

Biometric systems are complex, and continuous testing is essential to ensure resilience, user-friendliness and security. The absence of comprehensive testing can lead to vulnerabilities, decreased performance, and a failure to meet user expectations.

Biometric testing key takeaways:

  • End-to-end and life-cycle testing is essential: No stage can be overlooked, from design to deployment and ongoing monitoring
  • Live or supervised photo capture is crucial: This safeguards against spoofing and injection attacks, especially for secure credential use cases. Consider a multi-factor approach combining supervised capture with advanced detection technologies
  • Deepfakes pose a rising threat: Their sophistication demands ongoing advancements in detection capabilities
  • Injection attacks present unique challenges: While harder to initiate, once a deepfake is injected, they are more difficult to detect than presentation attacks
  • Cloud-based biometrics require novel testing methods: This evolving area needs further exploration and standardised approaches
  • Remote identity proofing is a complex and challenging process: Approaches for comprehensive evaluation to ensure reliability are emerging for remote identity proofing
  • Testing is a critical tool that transforms the unknown: Through consistent and continuous evaluation, organisations can adapt and evolve their biometric systems to respond to new challenges and advancements. This can improve system integrity, build trust and strengthen organisational reputation

The event featured walkthroughs of several testing laboratories and updates from standards and research organisations, including presentations by:

Moeller concluded: “Significant effort goes into developing and evaluating this technology, and we’ve seen notable improvements. However, new challenges like deepfakes and cloud-based applications require constant vigilance and innovation. This is a journey, not a destination, and we must work together to ensure responsible, ethical and effective biometric implementation.

The BVAEG will meet again in a workshop on Vulnerability Testing on 21 October 2024 in London, alongside the Biometrics Institute Congress. FIDO is preparing to release a certification programme that will help tackle the remote identity proofing challenge by prioritising both user experience and security. The Institute is also working on an executive briefing document entitled Biometric vulnerabilities in digital identity – executive briefing. which will be released in the coming months. For more information on the Three Laws of Biometrics and other good practice resources, visit the Biometrics Institute website.

Ingenium Biometrics partners with Kent researchers to expand into the age estimation market

The University and Ingenium Biometrics have secured funding from Innovate UK to collaborate on a 2-year Knowledge Transfer Partnership which will support Ingenium Biometrics’ expansion into the age estimation market.

The KTP will be supported by academics in the Division of Computing, Engineering and Mathematical Sciences, with the aim of developing a system and robust methodology for testing the accuracy of facial age estimation software.

The collaboration will support Ingenium to expand into age estimation market where there is growing demand for technology which can accurately estimate the age of customers without the need for ID verification. With applications in a wide range of industries, including gaming and dating, age estimation software has the potential to reduce customer friction whilst improving outcomes for everyone.

The £232k project will be supported by two esteemed biometrics experts based at the University of Kent. Professor Richard Guest is a member of the UK Government’s Biometric and Forensic Ethics Committee and has had significant involvement with biometrics standards development. He will be supporting the project alongside Professor Gareth Howells who has been involved in research relating to security, biometrics and pattern classification techniques for over 25 years.

The academic team will work with a skilled graduate hired especially to deliver the project and embed their knowledge and expertise within the company. In particular, the project will benefit from the academics’ experience in the design and evaluation of biometrics systems, the definition and use of biometric standards and ethical considerations relating to the use of biometric data.

Commenting on the partnership, Professor Richard Guest said, ‘We’re delighted to be working with Ingenium on this KTP. The use of automated age estimation is expected to grow exponentially over the coming years so it’s absolutely vital that the performance of these systems are understood.’

Knowledge Transfer Partnerships, funded by Innovate UK, help businesses to improve their competitiveness and productivity through the better use of knowledge, technology and skills that reside within the UK knowledge base. With over 36 years of experience in delivering KTPs and a 100% application success rate, we are perfectly-positioned to help your business tap into this fantastic opportunity to innovate and grow. Visit our Knowledge Transfer Partnerships at Kent site to find out more.

Biometrics testing and market building presage broader technology adoption

Gains in biometric accuracy and new developments in digital wallets were major themes of the week among the most-read stories on Biometric Update. Performance improvements are seen in the latest edition of the world’s leading facial recognition benchmark from Idemia and other developers, while the OpenWallet Foundation introduced an engine for digital wallet-builders. On the market side, Fingerprint Cards’ CEO sees gains ahead in several different growth areas, and a tent-pole client of Yoti is expanding its implementation of facial age verification.

Top biometrics news of the week

The latest edition of the NIST FRVT 1:N evaluation shows further incremental gains in enrollment performance and biometric accuracy. The various categories representing different facial recognition applications were topped by Idemia, Cloudwalk, Sensetime and NEC, with Paravision also appearing near the top of several.

Biometric security for payments, door locks and PCs each represent massive opportunities that Fingerprint Cards CEO Ted Hansson tells Biometric Update in an interview he has been focussing on since taking the role late last year. Even mobile can be a growth market for the company, he says, between its new under-display technology and an extensive network of strong partners.

The OpenWallet Foundation says digital wallets could play a role for identity in online environments analogous to the one web browsers have traditionally played, in terms of importance and ubiquity, during the launch of its engine for wallet-builders. Representatives of Visa, Accenture, OIX and a Huawei subsidiary and other leading organizations presented the vision, and called for developers to participate in it.

In payments, an OWF report quotes a Worldpay estimate that digital wallets were used in nearly $16 trillion-worth of transactions in 2021. The white paper makes the pitch for open-source digital wallets, just as the Mobey Forum launched a working group for digital wallets to help banks find their role in the ecosystem.

Australia’s federal, state and territory governments have agreed on a deal to have digital credentials recognized across the country, with legislation on a new digital identity scheme expected later this year. A government watchdog warns that the country’s digital identity system is at significant risk of security breaches, meanwhile.

The digital identity market will generate $53 billion a year for vendors by 2026, according to a recent forecast, as the use of digital ID apps soars. Juniper Research also says digital wallets, by combining identity and payment functions, are the one threat to their dominance.

Responses to the Blair Institute’s call for a government-backed decentralized digital ID were varied in several ways. Emailed comments from iProov CEO and Co-founder Andrew Bud calling for open standards, and from OIX Chief Strategist Nick Mothershaw calling for cooperation with the private sector on digital ID, stand out.

The plan for Kenya’s new national ID system is becoming clearer, with information revealed about how government databases will interact, as the Ruto administration seeks to differentiate it from Huduma Namba. A central population register and digital access to all government services is in; cards are out.

Funding for the previous administration’s national ID program has been slashed by 84 percent, meanwhile.

Instagram is expanding its use of facial age estimation from Yoti to new countries on four continents as an alternative for users to sharing an ID document if they change their age. The partners say the arrangement protects user privacy while also protecting children from potentially harmful content.

Sweden’s plans for its term with the EU Presidency include reducing security risks through its digital policies and warns of potentially contentious negotiations around the AI Act. Criminal threats are evolving, and the scope of digital identity proposals has changed, the discussion paper says.

Easily accessible deepfake tools are making what would once have been considered sophisticated fraud attempts easy for people, it seems. Tools to detect these attempts exist, such as those from ID R&D and Nuance, but are only part of the answer, even where they are deployed. As Ingenium Biometric Laboratories commented on LinkedIn, the “step-change in the capability of voice deep fakes and makes the importance of being able to catch such presentation attacks ever-more apparent.” Systems need to have mitigated measures, and those need to be tested.

Ingenium Director and Co-founder Chris Allgrove will be part of a panel moderated by Biometric Update’s Chris Burt and discussing the threat deepfakes pose to biometric systems, as part of the online Biometric Summit 2023 on March 23.

Please let us know about any articles or other content we should share with the people in biometrics and the digital identity community in the comments below, or through social media.

Biometric recognition tests can’t be used for all use cases

Trust being essential to the algorithmic identification industry, it bears noting that having tests for, say, performance is not enough by itself to create durable confidence in code among regulators, competitors, insurers and buyers.

Judging by the reaction of people attending an Open Identity Exchange discussion this week, testing biometric recognition as a topic could be popular. The end of the session was swamped with (largely inaudible online) questions.

Outlining issues that may need more thought in the industry was Chris Allgrove, a director and co-founder of biometric ID services firm Ingenium Biometrics. Allgrove’s message was pretty simple. Successful manufacturers do not treat testing as a formality or a Band-Aid, and buyers should not take results at face value.

He made a lengthy presentation, but the meat of this matter begins at about 24 minutes in the webinar based on Allgrove’s remarks.

A test standard, or scheme, describes the way a biometric evaluation will be performed, explained Allgrove, whose company performs test services. Examples he called out were the FIDO Alliance biometric component certification scheme, Android compatibility definition document and Common Criteria biometrics evaluations.

But not all tests, even in a subsector of code, are equally valid for all purposes.

“You can’t re-apply test results willy-nilly,” he said. “That is quite a dangerous thing.”

A test designed to assess the performance of a piece of code evaluating a narrow use case like a fingerprint scan will not apply broadly.

“Fair and sensible comparisons are needed,” said Allgrove.

Not just the future of a product or company is at stake, he said. Few industries in history have depended on an unshakable trust the way AI-backed biometrics does. The same goes for the digital identities that rely on biometrics.

Fujitsu biometric self enrolment kiosks piloted for presentation attack detection

The Home Office in the United Kingdom will be running an unsupervised self-service kiosk trial in the UK relying on biometric technologies by Fujitsu, which won a tender first published last year.

The trial, which will last for a minimum of three-month, cost the government up to £500,000 (US$607,475). It will see the deployment of kiosks capable of securely enrolling face and fingerprint biometrics and biographics from customers without staff assistance.

“The Home Office’s ambition is that all visitors and migrants will provide their biometric facial images and fingerprints under a single global immigration system ahead of travel to the UK, utilizing remote self-enrolment for those who are not required to apply for a visa as part of an ecosystem of enrolment options,” reads the heavily redacted tender.

The UK government also confirmed it ran separate ‘Biometrics Self-Enrolment Feasibility Trials’ from 29 November to 22 December 2021.
“This trial will be the next stage of testing for self-service kiosks to understand how they perform in the operational setting when there is no staff supervision,” explains the tender.

“In the future, the Home Office envisages that self-service kiosks will be one of the enrolment options available as part of an ecosystem of options.”

In particular, Fujitsu will provide four biometric self-service kiosks as part of the trials. Three will be hosted in the Home Office biometrics enrolment location for the aforementioned purposes, while the fourth will be deployed at a presentation detection attack (PAD) testing facility operated by Ingenium Biometrics on the campus of the University of Kent.

The latter deployment aims at improving the resilience of Fujitsu’s biometric algorithms to prevent attempts to spoof the automatic kiosks.

Ingenium also provided PAD testing services for the 2021 trials, which the current deployment is a continuation of.

According to a report by the Mirror, the kiosks deployed as part of the new pilot use similar technology to that evaluated in a 2019 study by the University of Kent unrelated to the current Home Office trial. The paper, which is not linked in the Mirror article (but appears to be this one), describes gaze-based PAD.
“A gaze-based spoofing detection system has been extensively evaluated using data captured from volunteers performing genuine attempts (with and without wearing such tinted glasses) as well as spoofing attempts using various artefacts,” reads the paper.

“The results of the evaluations indicate that the presence of tinted glasses has a small impact on the accuracy of attack detection, thereby making the use of such gaze-based features possible for a wider range of applications.”

Fujitsu does not manufacture its own kiosks.

The biometric kiosks supplied by Fujitsu are expected to be delivered to the Home Office by 30 April 2023.

This post was updated at 10:14am Eastern on January 17, 2023 to include the role of Ingenium and clarify that the University of Kent paper is not related to the Home Office trial.

Ingenium rewrites CPNI Test Standard for biometric access control

A Test Standard for Biometrics in access control managed by the Center for the Protection of National Infrastructure (CPNI) has been completely rewritten by Ingenium Biometrics in a new release.

Ingenium Co-founder and Director Chris Allgrove tells Biometric Update in an email that the new version marks a fresh start for the standard, rather than a simple update.

“The previous version of the CPNI test standard was quite old (at least ten years old, plus a few edits over the years) and is not really fit for purpose any more,” Allgrove explains. “Also, CPNI has changed their approach to testing — in the past they funded it but now it is vendor-funded and the test methodology needs to be updated to reflect this.

“The definition of presentation attack species and required performance levels have also been updated to reflect current best practices.”

CPNI’s mandate is to protect UK national security by reducing the vulnerability of critical infrastructure to threats like terrorism, espionage and sabotage.

The new standard is part of a revamped and relaunched biometric test program, and is intended to reflect the current state of the art in biometric-enabled access control and allow vendors to gain better value for money from the CPNI program.

The ‘Biometric Authentication in Automatic Access Control Systems’ document from CPNI sets out the operational requirements, strengths and weaknesses, and threats related to biometric systems, as well as system performance measurements. The document describes system design and building, how to choose a biometric modality, and installation and maintenance concerns. Tests should be commissioned after installation but prior to acceptance, according to the CPNI.

The standard is written for the biometric access control vendor community, both on the access control and biometric capability sides, according to Allgrove.
“CPNI maintains a product catalogue (the Catalogue of Security Equipment) that is used by organizations forming the Critical National Infrastructure community — Government, wider public sector, services (water, gas, electricity etc.), telecoms and other similar organizations — who must use products from the catalogue for their physical infrastructure,” Allgrove says. “It includes all sorts of things (bulletproof glass, bollards, security doors etc.) as well as biometric access control systems. Vendors submit their systems to us as the CPNI-approved test lab to evaluate against the test standard and if they pass, they get included in the catalogue.”

Ingenium and CPNI will host a presentation on the new Test Standard on July 13, 2022 in Canterbury.