INTERNATIONAL STANDARD
Information technology - Biometric presentation attack detection -
Part 1: Framework
Technologies de l’information - Détection d’attaque de présentation en biométrie -
Partie 1: Structure
COPYRIGHT PROTECTED DOCUMENT
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: 41 22 749 01 11
Email: copyright@
Website:
in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Characterization of presentation attacks
4.1 General
4.2 Presentation attack instruments
5 Framework for presentation attack detection methods
5.1 Types of presentation attack detection
5.2 The role of challenge-response
5.2.1 General
5.2.2 Challenge-response related to liveness detection
5.2.3 Liveness detection not related to challenge-response
5.2.4 Challenge-response not related to biometrics
5.3 Presentation attack detection process
5.4 Presentation attack detection within biometric system architecture
5.4.1 Overview in terms of the generalized biometric framework
5.4.2 PAD processing considerations relative to the other biometric subsystems
5.4.3 PAD location implications regarding data interchange
6 Obstacles to biometric impostor presentation attacks in a biometric system
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see or
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at and ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to In the IEC see
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 37, Biometrics.
This second edition cancels and replaces the first edition (ISO/IEC 30107-1:2016), which has been technically revised.
The main changes are as follows:
the terms and definitions have been harmonized with the other parts of the ISO/IEC 30107 series.
A list of all parts in the ISO/IEC 30107 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at and
Introduction
Biometric technologies are used to recognize individuals based on biological and behavioural characteristics. Consequently, they are often used as a component in security systems. A biometricor foes or can attempt to recognize persons who are unknown to the system as either.
Since the beginning of these technologies, the possibility of subversion of recognition by determined adversaries has been widely acknowledged, as has the need for countermeasures to detect and defeat subversive recognition attempts or presentation attacks. Subversion of the intended function of a biometric technology can take place at any point within a security system and by any actor whether a on mechanisms for the automated detection of presentation attacks undertaken by biometric capture subjects at the capture device during the presentation of the biometric characteristics. These automated biometric samples that are manipulated to match two or more biometric data subjects are submitted during enrolment are not considered in the ISO/IEC 30107 series, though the performance assessment methods are similar for PAD and morphing attack detection mechanisms.
The potential for subversion of biometric systems at the point of data collection by determined individuals acting as biometric capture subjects has limited the use of biometrics in applications which are unsupervised by an agent of the system owner, such as remote collections over untrusted networks. Guidelines on e-authentication, for example, do not recommend the use of biometrics as an authentication factor for this reason. In unattended applications, such as remote authentication over open networks, automated presentation attack detection methods can be applied to mitigate the risks of attack. Standards, best practices and independently-evaluated mechanisms can improve the security of all systems employing biometrics, whether using supervised or unsupervised data capture, including those using biometric recognition to secure online transactions.
As is the case for biometric recognition, PAD mechanisms are subject to errors, both false positive and false negative: false positive indications wrongly categorize bona-fide presentations as attacks, thus impairing the efficiency of the system, and false negative indications wrongly categorize presentation attacks as bona fide, not preventing a security breach. Therefore, the decision to use a specific implementation of PAD depends upon the requirements of the application and consideration of the trade-offs with respect to security and efficiency.
framework through which presentation attack events can be specified and detected so that they can be categorized, detailed and communicated for subsequent biometric system decision-making and ISO/IEC committees and subcommittees. This document does not advocate a specific mechanism as a standard PAD tool.
There are currently three other parts in the ISO/IEC 30107 series. ISO/IEC 30107-2 defines data formats for conveying the type of approach used in biometric presentation attack detection and for conveying the results of PAD methods. The data formats defined in ISO/IEC 30107-2 are integrated into the extensible biometric data interchange formats defined in the ISO/IEC 39794 series. ISO/IEC 30107-3 establishes principles and methods for performance assessment of PAD mechanisms. ISO/IEC 30107-4 provides requirements for assessing the performance of PAD mechanisms on mobile devices with local biometric recognition.