If you have difficulty in submitting comments on draft standards you can use a commenting template and email it to admin.start@bsigroup.com. The commenting template can be found here.
Standards Development
This document is focussed on face biometrics, and provides the specifics of this biometric modality for the application of all the specifications provided in parts 1 till 3. It also defines a set of application profiles, that detail de applicable tests, the evaluation parameters and the assessment criteria.
In detail, this document defines, for face biometrics:
• General aspects of a face biometric product
• Common resources needed for the evaluation
• Each of the possible tests to be applied
• Application profiles for different kinds of face biometrics products
In the last 5 years, the use of remote services has increased significantly. This was boosted during the pandemic, when most service providers and Administrations migrated most of their processes to online handling. We can find nowadays many online services, such as opening of a bank account, claiming expenses, paying taxes, starting legal actions, etc.
For all these services there is the need of identifying the persons claiming for that service, and doing it in a comfortable, universal, reliable and auditable way. Even though some of those services, in some countries, were deployed using PKIs (Public Key Infrastructures), as recommended by eIDAS, this approach was far away from being used by a significant part of the population.
This situation led to creating identification services using videoconferencing tools, such as using any device camera to scan a document, and capture your face for biometric recognition. But equivalent situations can be found in other applications, such as the use of facial biometrics as a second factor for the authentication of people in the European wallet proposed by the new eIDAS regulation, which needs a strength support about secure biometric technologies.
Many use cases can be deployed in many countries and sectors, but using ad-hoc solutions, limiting interoperability and increasing costs and risks.
In this context, service providers and Administrations have to define their own requirements, select the products and deploy the solution. On the other hand, manufacturers had to implement different solutions to different customers, in order to fulfil each of those requirement sets. Both sides would benefit from standards and regulations, on which to rely for the product definition.
Everybody will benefit from having a conformity assessment scheme for this kind of technology/products. But this is nowadays impossible, as in particular, in the case of biometrics, the sector has no tradition in performing independent evaluations, and also the technology is improving very fast, but still quite weak in several aspects, such as Presentation Attack Detection.
Some important works have been done in this respect:
• ISO/IEC and CEN have developed technological standards that could serve as a basis for such conformity assessment. But sometimes those standards are too generic, and only focussing on a high-level methodology.
• To try to avoid bad practices or even future problems, institutions such as ENISA, have started to offer recommendations and webinars, raising the awareness of the need to consider certain potential risks.
• ETSI/ESI has published in 2021 the "Policy and security requirements for trust service components providing identity proofing of trust service subjects" (ETSI TS 119 461)
• Some countries, such as Portugal, have created a regulation on the use of videoconferencing tools for citizen identification.
• France has gone one step forward, defining, through ANSSI a document titled "Remote identity verification service providers. Requirements rule set", with a high level of definition towards a certification process.
• And Spain has also provided that kind of definitions within the context of the LINCE certification scheme, which has been included in document Annex F11 of document CCN-STIC-140. Additionally, Spain has also published a Technical Instruction (IT-14) on how to conduct the evaluation required in Annex F11.
All these initiatives have a lot in common, but manufacturers have to still face different requirements for each country, plus each country has to establish their conformity assessment scheme. It is clear that reaching a common solution will be beneficial to everybody.
The project proposed with this PWI is addressing this need for the case of Biometric Products, analysing and merging all current works, and defining a detailed set of requirements, a biometric-modality-specific evaluation methodology, and the passing criteria for different application profiles. A multipart project is considered with the following structure:
Parts 1 to 3 will be defined in a modality and application independent way. Parts 4 and beyond will be focussed on each single biometric modality, and will include application profiles for each of them.
As required by CEN/CENELEC Internal Regulations Part 3, Clause 33 “Aspects of conformity assessment”, conformity assessment requirements will be specified only in the Part 1 document, in such a way the rest of the documents can be applied independently for different conformity assessment schemas if required. Note: in case the WI is based on documents from other organizations than ISO/IEC, please specify it here
You are now following this standard. Weekly digest emails will be sent to update you on the following activities:
You can manage your follow preferences from your Account. Please check your mailbox junk folder if you don't receive the weekly email.
You have successfully unsubscribed from weekly updates for this standard.
Comment on proposal
Required form fields are indicated by an asterisk (*) character.