ISO/IEC 19792:2009

INTERNATIONAL ISO/IEC
STANDARD 19792
First edition
2009-08-01
Information technology — Security
techniques — Security evaluation of
biometrics
Technologies de l'information — Techniques de sécurité — Cadre de la
sécurité pour l'évaluation et le test de la technologie biometrique

Reference number
©
ISO/IEC 2009
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved

Contents Page
Foreword .iv
1 Scope.1
2 Conformance .2
3 Normative references.2
4 Terms and definitions .2
4.1 General .2
4.2 Biometric systems.4
4.3 Biometric processes .5
4.4 Error rates .7
4.5 Statistical.8
5 Abbreviated terms .8
6 Security evaluation.9
6.1 Overview.9
6.2 Methodology .9
7 Error rates of biometric systems .10
7.1 Introduction.10
7.2 Concept – Testing security-relevant error rates .11
8 Vulnerability assessment .19
8.1 Introduction.19
8.2 Vulnerability assessment .19
8.3 Common vulnerabilities of biometric systems .21
9 Privacy.29
9.1 Overview.29
Annex A (informative) Reference model of a biometric system.31
Bibliography.37

© ISO/IEC 2009 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 19792 was prepared by Technical Committee ISO/TC JTC1, Information technology, Subcommittee
SC 27, IT Security techniques.

iv © ISO/IEC 2009 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 19792:2009(E)

Information technology — Security techniques — Security
evaluation of biometrics
1 Scope
This International Standard specifies the subjects to be addressed during a security evaluation of a biometric
system.
It covers the biometric-specific aspects and principles to be considered during the security evaluation of a
biometric system. It does not address the non-biometric aspects which might form part of the overall security
evaluation of a system using biometric technology (e.g. requirements on databases or communication
channels).
This International Standard does not aim to define any concrete methodology for the security evaluation of
biometric systems but instead focuses on the principal requirements. As such, the requirements in this
International Standard are independent of any evaluation or certification scheme and will need to be
incorporated into and adapted before being used in the context of a concrete scheme.
This International Standard defines various areas that are important to be considered during a security
evaluation of a biometric system. These areas are represented by the following clauses of this International
Standard:
⎯ Clauses 4 and 5 of this International Standard give an overview of all terms, definitions and acronyms
used,
⎯ Clause 6 introduces the overall concept for a security evaluation of a biometric system,
⎯ Clause 7 describes statistical aspects of security-relevant error rates,
⎯ Clause 8 deals with the vulnerability assessment of biometric systems and
⎯ Clause 9 describes the evaluation of privacy aspects.
This International Standard is relevant to both evaluator and developer communities.
⎯ It specifies requirements for evaluators and provides guidance on performing a security evaluation of a
biometric system.
⎯ It serves to inform developers of the requirements for biometric security evaluations to help them prepare
for security evaluations.
Although this International Standard is independent of any specific evaluation scheme it could serve as a
framework for the development of concrete evaluation and testing methodologies to integrate the
requirements for biometric evaluations into existing evaluation and certification schemes.
This International Standard refers to and utilizes other biometric standards, notably those for biometric
performance testing and reporting from ISO/JTC1 SC 37. These standards have been adapted as necessary
for the specific requirements of biometric security evaluation.
© ISO/IEC 2009 – All rights reserved 1

2 Conformance
To conform to this International Standard, a security evaluation of a biometric system shall be planned,
executed and reported in accordance with the normative requirements contained herein.
This International Standard describes the specific aspects of a security evaluation of a biometric system in
terms of
⎯ statistical error rates (see Clause 7),
⎯ biometric-specific vulnerabilities (see Clause 8), and
⎯ privacy (see Clause 9)
As some evaluation schemes that adopt this International Standard may not address all of the aforementioned
aspects it shall further be possible to claim conformance to parts of this International Standard. In this case a
security evaluation of a biometric system shall be planned, executed and reported in accordance with a subset
of the normative requirements of this International Standard. In this case the requirements that are addressed
shall be clearly identified.
Note that conformance to this International Standard is limited to the adoption of the biometric evaluation
methodology described and adherence to the specified normative requirements. Conformance does not
include scheme related issues such as action to be taken in the event that a system under evaluation fails to
meet security relevant evaluation criteria or targets. The overarching scheme is responsible for specifying this
action, which could include, for example:
⎯ outright evaluation failure,
⎯ restatement of evaluation criteria or targets to match achieved results, or
⎯ development of a system under evaluation to meet specified evaluation criteria or targets.
3 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 19795-1:2006, Biometric performance testing and reporting — Part 1: Principles and framework
4 Terms and definitions
4.1 General
4.1.1
assurance level
amount of assurance obtained according to the specific scale used by the assurance method
NOTE Definition from [1].
4.1.2
attacker
person seeking to exploit potential vulnerabilities of a biometric system
2 © ISO/IEC 2009 – All rights reserved

4.1.3
biometric characteristic
biological and behavioural characteristic of an individual that can be detected and from which distinguishing,
repeatable biometric features can be extracted for the purpose of automated recognition of individuals
NOTE 1 Definition from [2].
NOTE 2 Biological and behavioural characteristics are physical properties of body parts, physiological and behavioural
processes created by the body and combinations of any of these.
NOTE 3 Distinguishing does not necessarily imply individualization.
EXAMPLE Examples of biometric characteristics are: Galton ridge structure, face topography, facial skin texture,
hand topography, finger topography, iris structure, vein structure of the hand, ridge structure of the palm or retinal pattern.
4.1.4
biometric product
biometric component, system or application acting as the scope of an evaluation
4.1.5
biometrics
automated recognition of individuals based on their behavioural and biological characteristics
NOTE Definition from [2].
4.1.6
evaluator
person or party responsible for performing a security evaluation of a biometric product
4.1.7
evaluation
assessment of a deliverable against defined criteria
NOTE 1 Definition from [1].
NOTE 2 In this context, a deliverable is a biometric system.
4.1.8
lamb
biometric reference that results in higher than normal similarity scores on a particular biometric system when
compared to biometric samples or references from other subjects
4.1.9
vendor
party that sells, produces or uses a biometric system and is responsible for providing the biometric system
and all necessary evidence for evaluation
NOTE In cases where a vendor decides to delegate certain tasks to another party (e.g. to a third party testing
laboratory), this party shall be seen as a vendor as well.
4.1.10
user
person interacting with a biometric system
4.1.11
wolf
biometric sample that results in higher than normal similarity scores on a particular biometric system when
compared to biometric references of enrolees
© ISO/IEC 2009 – All rights reserved 3

4.2 Biometric systems
4.2.1
attempt
submission of one (or a sequence of) biometric samples to the system
NOTE An attempt results in an enrolment template, a matching score (or scores), or possibly a failure-to-acquire.
4.2.2
biometric data
biometric sample at any stage of processing, biometric reference, biometric feature or biometric property
NOTE Definition from [2].
4.2.3
biometric feature
numbers or labels extracted from biometric samples and used for comparison
NOTE 1 Biometric features are the output of a completed biometric feature extraction.
NOTE 2 The use of this term should be consistent with its use by the pattern recognition and mathematics communities.
NOTE 3 A biometric feature set can also be considered a processed biometric sample.
4.2.4
biometric model
stored function (dependent on the biometric data subject) generated from a biometric feature(s)
NOTE 1 Definition from [2].
NOTE 2 Comparison applies the function to the biometric features of a recognition biometric sample to give a
comparison score.
NOTE 3 The function may be determined through training.
NOTE 4 A biometric model may involve intermediate processing similar to biometric feature extraction.
EXAMPLE Examples for the stored function could be a Hidden Markov Model, Gaussian Mixture Model or an
Artificial Neural Network.
4.2.5
biometric property
descriptive attributes of the biometric data subject estimated or derived from the biometric sample by
automated means
NOTE Definition from [2].
EXAMPLE Fingerprints can be classified by the biometric properties of ridge-flow, i.e. arch, whorl, and loop types; In
the case of facial recognition, this could be estimates of age or gender.
4.2.6
biometric reference
one or more stored biometric samples, biometric templates or biometric models attributed to a biometric data
subject and used for comparison
NOTE 1 Definition from [2].
NOTE 2 A biometric reference may be created with implicit or explicit use of auxiliary data, such as Universal
Background Models.
EXAMPLE Face image on a passport; Fingerprint minutiae template on a National ID card; Gaussian Mixture Model,
for speaker recognition, in a database.
4 © ISO/IEC 2009 – All rights reserved

4.2.7
biometric sample
analog or digital representation of biometric characteristics prior to biometric feature extraction and obtained
from a biometric capture device or biometric capture subsystem
NOTE 1 Definition from [2].
NOTE 2 A biometric capture device is a biometric capture subsystem with a single component.
4.2.8
biometric template
set of stored biometric features comparable directly to biometric features of a recognition biometric sample
NOTE 1 Definition from [2].
NOTE 2 A biometric reference consisting of an image, or other captured biometric sample, in its original, enhanced or
compressed form, is not a biometric template.
NOTE 3 The biometric features are not considered to be a biometric template unless they are stored for reference.
4.2.9
enrolment data record
record created upon enrolment, associated with an individual and including biometric reference(s) and
typically non-biometric data
NOTE Definition from [2].
4.2.10
transaction
sequence of attempts on the part of a user for the purposes of an enrolment, biometric verification or biometric
identification
NOTE There are three types of transaction: an enrolment sequence, resulting in an enrolment or a failure-to-enrol; a
verification sequence, resulting in a verification decision; or an identification sequence, resulting in an identification
decision.
4.3 Biometric processes
4.3.1
authentication
provision of assurance of the claimed identity of an entity
NOTE Definition from [1].
4.3.2
biometric application decision
conclusion based on the application decision policy after consideration of one or more comparison decisions,
comparison scores and possibly other non-biometric data
NOTE 1 Definition from [2].
NOTE 2 Biometric application decisions can be made on the basis of complex policies, allowing for variable numbers of
positive comparison decisions.
NOTE 3 A biometric verification application could allow a positive biometric application decision even if there are one or
more non-matches against enrolled biometric references.
EXAMPLE A biometric application decision could be “accept claim”.
© ISO/IEC 2009 – All rights reserved 5

4.3.3
biometric recognition
recognition using a biometric product
NOTE A biometric recognition can either be realized as a biometric verification or as a biometric identification
process.
4.3.4
comparison score
numerical value (or set of values) resulting from a comparison
NOTE Definition from [2].
4.3.5
de-enrolment
deletion of the biometric reference from storage and if necessary, associated data in connection with the end-
user's identity from the biometric system
4.3.6
decision policy
collection of parameters, rules and values used to determine the acceptance or rejection of the biometric
recognition of the subject
4.3.7
enrol
create and store an enrolment data record for a biometric capture subject in accordance with an enrolment
policy
NOTE Definition from [2].
4.3.8
enrolment
action of enrolling or being enrolled
NOTE Definition from [2].
4.3.9
biometric identification
biometric system function that performs a one-to-many search to obtain a candidate list
NOTE Definition from [2].
4.3.10
comparison decision
determination of whether the recognition biometric sample(s) and biometric reference(s) have the same
biometric source, based on a comparison score(s), a decision policy(ies) including a threshold, and possibly
other inputs
NOTE 1 Definition from [2].
NOTE 2 A match is a positive comparison decision.
NOTE 3 A non-match is a negative comparison decision.
NOTE 4 A decision of “undetermined” can sometimes be given.
4.3.11
threshold
boundary value of the comparison score used by the comparison application to automatically generate the
matching decision
6 © ISO/IEC 2009 – All rights reserved

4.3.12
biometric verification
biometric product function that performs a one-to-one comparison
NOTE Adapted from [2].
4.4 Error rates
NOTE Definitions 4.4.1 to 4.4.9 and 4.4.11 are from ISO/IEC 19795-1:2006.
4.4.1
active impostor attempt
attempt in which an individual tries to match the stored template of a different individual by presenting a
simulated or reproduced biometric sample, or by intentionally modifying his/her own biometric characteristics
4.4.2
failure-to-enrol rate
FTE
proportion of the population for whom the system fails to complete the enrolment process
NOTE The observed failure-to-enrol rate is measured on test crew enrolments. The predicted/expected failure-to-
enrol-rate will apply to the entire target population.
4.4.3
false non-match rate
FNMR
proportion of genuine attempt samples falsely declared not to match the template of the same characteristic
from the same user supplying the sample
NOTE The measured/observed false non-match rate is distinct from the predicted/expected false non-match rate (the
former may be used to estimate the latter).
4.4.4
false match rate
FMR
proportion of zero-effort impostor attempt samples falsely declared to match the compared non-self template
NOTE The measured/observed false match rate is distinct from the predicted/expected false match rate (the former
may be used to estimate the latter).
4.4.5
false reject rate
FRR
proportion of verification transactions with truthful claims of identity that are incorrectly denied
4.4.6
false accept rate
FAR
proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed
4.4.7
identification rank
smallest value k for which a user's correct identifier is in the top k identifiers returned by an identification
system
NOTE The Identification rank is dependent on the size of the enrolment database, and should be quoted “rank k out
of n”.
4.4.8
pre-selection algorithm
algorithm to reduce the number of templates that need to be matched in an identification search of the
enrolment database
© ISO/IEC 2009 – All rights reserved 7

4.4.9
pre-selection error
〈pre-selection algorithm〉 error that occurs when the corresponding enrolment template is not in the
preselected subset of candidates when a sample from the same biometric characteristic on the same user is
given
NOTE In pre-selection that is based on building partitions/classes of users, pre-selection errors happen when the
enrolment template and a subsequent sample from the same biometric characteristic on the same user are placed in
different partitions.
4.4.10
test crew
set of test subjects gathered for an evaluation
NOTE Definition from [1].
4.4.11
zero-effort impostor attempt
attempt in which an individual submits his/her own biometric characteristics as if he/she were attempting
successful verification against his/her own template, but the comparison is made against the template of
another user
4.5 Statistical
4.5.1
confidence interval
lower estimate L and an upper estimate U for a parameter x such that the probability of the true value of x
being between L and U is the stated value (e.g. 95 %)
[ISO/IEC 19795-1:2006, definition 4.8.2]
NOTE A confidence interval is always associated with a corresponding stated value of probability. In this International
Standard the stated value of probability is termed “confidence value”
4.5.2
confidence value
stated value of probability corresponding to a specified confidence interval
5 Abbreviated terms
DET detection error tradeoff (curve)
FAR false accept rate
FDIS Final Draft International Standard
FMR false match rate
FNMR false non-match rate
FRR false reject rate
FTE failure-to-enrol
IS International Standard
8 © ISO/IEC 2009 – All rights reserved

6 Security evaluation
6.1 Overview
This clause further delineates the scope of this International Standard described in Clause 1 and provides a
context in which the security evaluation of biometrics is conducted.
Figure A.1 shows the reference architecture of a biometric system used in this International Standard. A
biometric system comprises a collection of hardware and software components. It is normally used to
implement a biometric application, in which case it operates in an externally provided environment that forms
an essential part of the application. The environment comprises not only physical factors such as space,
temperature, humidity, illumination, etc., but also all procedural aspects and human users of the system.
Users of the system comprise all classes of people who might interact with the system such as operators,
administrators, enrolees, impostors etc.
This International Standard is principally directed at the security evaluation of biometric systems themselves
rather than complete biometric applications. A biometric application comprises a biometric system and
possibly other hardware and software components, together with an operating environment, organisational
processes and policies that collectively provide the functionality of the application. These additional elements
may have security vulnerabilities of their own or might amplify or mitigate vulnerabilities possessed by the
biometric system itself.
Vulnerability assessment should be conducted in an ordered manner that will involve the investigation of
individual component vulnerabilities. Evaluators should, however, exercise caution when assessing the results
of component vulnerability assessment without considering the interactions that take place with other system
components. These interactions can determine whether or not component vulnerabilities can be exploited in
practice. Therefore evaluators should always assess vulnerabilities in the context of the overall system
functioning and not solely based on assessment of individual component vulnerabilities.
Similarly, a biometric system may display intrinsic vulnerabilities that are realised, aggravated or mitigated by
interaction among system components. For example, a biometric comparison algorithm may display
anomalous behaviour if presented with out of range biometric data, and this behaviour could give rise to a
vulnerability. However, if the component(s) responsible for supplying the biometric data to the comparison
algorithm prevents such anomalous data being supplied, there is no resultant vulnerability. Although the
methodology in this International Standard could be used to evaluate security factors for components of a
biometric system, evaluators should exercise caution when examining individual component vulnerabilities
and seek to understand the interactions between components to determine how these may affect the resulting
system vulnerabilities. In general the assessment of individual component vulnerabilities may have limited
value and be misleading if conducted outside the context of a system evaluation.
This International Standard specifies a methodology for the evaluation of the technical security of biometric
systems. It does not seek to address the broader issues of security evaluation of a complete biometric
application. Accreditors of biometric applications will therefore need to develop threat/risk models for
applications and to assess whether other non-biometric specific vulnerabilities exist in the overall system and
what effect any biometric vulnerabilities discovered may have on the overall system security.
6.2 Methodology
This International Standard addresses the aspects of security evaluation that are specific to biometric systems.
A biometric system security evaluation will probably also involve the evaluation of IT security aspects. This
International Standard does not cover these aspects and evaluators should refer to other IT security
evaluation standards and methodologies for the evaluations of non-biometric aspects of a system security
evaluation, e.g. Common Criteria ([3]).
© ISO/IEC 2009 – All rights reserved 9

The vendor of the biometric system under evaluation will have to provide a description of the system before an
evaluation can begin. This will allow the evaluator to become familiar with the system and support decisions
later in the evaluation process. The biometric-specific aspects of biometric system security evaluation
described in this International Standard are:
⎯ Measurement of statistical error rates (see Clause 7)
⎯ Biometric specific vulnerabilities (see Clause 8)
⎯ Privacy (see Clause 9)
The underlying concept of this methodology is that – apart from these three areas – a security evaluation of a
biometric system can be conducted in the same manner as the security evaluation of any other IT system.
Clause 7 introduces the concept of a test of security-relevant error rates in the context of a biometric system
security evaluation. Statistical error rates can be measured for biometric algorithms alone (typically using
pre-existing databases of biometric samples), or for systems where users provide the biometric samples
directly to the sensor of the data capture component. Error rate testing of biometric algorithms is often used to
compare the performance of different algorithms and to quantify changes resulting from algorithm
development. Algorithm testing is of limited value in security evaluation because algorithmic errors are only
one source of errors in a biometric system. It is normally necessary to conduct statistical error measurement
of biometric systems using biometric samples acquired by the capture component of the system from real
subjects in a scenario test. However, a statistical test of an algorithm may contribute to the necessary
understanding of the biometric system that is needed to prepare the test or to find a claim about the maximum
error rates of the biometric system.
Clause 8 provides guidelines for vulnerability assessment. Technical vulnerabilities are dealt with under
headings that correspond to potential vulnerabilities of biometric systems, based on theoretical considerations
and practical experience. The exploitation of a potential vulnerability will typically involve multiple components.
For example, a spoof artefact will need to be accepted by the sensor and defeat any spoofing prevention;
pass the acquisition quality analysis step; be successfully pre-processed and feature extracted and pass any
subsequent quality control check. These steps will normally involve more than one component of the system.
Clause 9 details evaluator actions required to address the concerns of privacy when processing and storing
biometric data. This is an inherent security concern for biometric systems because the data used for
authentication is personal and may be governed by constraints of use determined by legislation or codes of
practice in various countries.
This International Standard defines vendor and evaluator roles and specifies requirements and actions for
each party. Although the methodology is scheme-independent, the separation of roles here reflects the
perceived need for the responsibilities and actions of the evaluator to remain independent from those of the
vendor.
7 Error rates of biometric systems
7.1 Introduction
One inherent characteristic of biometric recognition is that the decision of the biometric system is subject to
errors that can be expressed in terms of statistical error rates– for example: false accept and false reject rates.
These and other performance parameters also have implications for the strength of security provided by a
biometric system when used for authentication.
Hence each security evaluation of a biometric system shall include an assessment of the security-relevant
error rates.
The testing and reporting of security relevant error rates in this International Standard is based on
ISO/IEC 19795-1:2006. This International Standard utilises elements of biometric performance and
performance testing and reporting that are relevant to biometric security evaluation.
10 © ISO/IEC 2009 – All rights reserved

7.2 Concept – Testing security-relevant error rates
The reliability of the biometric verification or identification functionality of a biometric system is an important
factor that determines the confidence that can be placed in an authentication decision provided by the system.
This reliability can be measured by means of a properly conducted test of the system performance parameters
that are relevant to authentication assurance. For an access control system, these parameters include the
False Accept Rate (FAR) and False Reject Rate (FRR), and their close relatives False Match Rate (FMR) and
False Non-Match Rate (FNMR) (see 4.4 and ISO/IEC 19795-1:2006 for a detailed definition of and
differentiation between these terms).
The reason why both FAR/FMR and FRR/FNMR need to be measured is that there exists an inverse
relationship between these types of error for a biometric system and it is usually possible to adjust the system
to achieve any desired FAR/FNMR value if no limitation is placed on the FRR/FNMR value. For an access
control application the FAR/FMR value can be thought of as denoting the security while the FRR/FNMR value
corresponds to usability. This security/usability trade-off is analogous to the case of passwords where
password length and randomness (security) can be traded off against difficulty of memorising (usability). Many
password security policies are formulated by consideration of the security aspects alone, without regard to
usability. This is not, however, deemed acceptable for a biometric system. The reason for this apparent
inconsistency is perhaps that a usability failure for password authentication is seen as a human failure,
whereas for biometric recognition it is seen as a system failure.
The purpose of measuring security relevant error rates of a biometric system is to provide reliable figures
upon which to establish the fundamental assurance of verification or identification decisions made by the
system.
The test of security relevant error rates starts with a security claim based on meeting or bettering specified
error rate limits. The performance test then aims to substantiate or refute this claim. In addition, evaluators
may need to consider the possible effect of test users having special characteristics or non-random choice of
test users on performance, and hence security.
The approach for testing described in this clause is based on a six step concept:
1) The vendor shall supply a description of the system and the context of its use (see 7.2.1).
2) The vendor shall claim the maximum values for the security-relevant error rates (see 7.2.2).
3) The claims shall be checked by the evaluator (see 7.2.3).
4) The vendor shall perform a test to prove that the claim is correct, i.e. that the error rates meet the
claim (see 7.2.4).
5) The vendor's test shall be assessed by the evaluator (see 7.2.4).
6) The evaluator shall perform an independent test (see 7.2.5).
These steps will be introduced in more detail in the following subclauses.
7.2.1 System description (Step 1)
The vendor shall provide the evaluator with a description of the biometric system under evaluation and its
context of use.
This description shall contain the following:
⎯ a description of the intended use of the system,
⎯ information on whether the product is intended to perform biometric verification or identification,
⎯ a description of the intended environment of the system,
© ISO/IEC 2009 – All rights reserved 11

⎯ a description of the target population of the system,
⎯ a description of all security relevant configuration parameters (including all threshold settings) and their
recommended settings to achieve the performance claims for the intended environment and target
population (see 7.2.2).
This description of the system is important for the evaluator in order to decide upon further requirements in the
context of this International Standard.
7.2.2 Vendor claim (Step 2)
The vendor shall provide performance claims in the form of a set(s) of maximum values of security-relevant
error rates that can be achieved simultaneously. For each claimed value of a security relevant error rates the
vendor shall provide the threshold(s) that the claim bases on.
This requirement comprises three aspects:
⎯ The vendor shall perform and provide an analysis of which error rates of the biometric system are
security-relevant.
⎯ The vendor shall provide the evaluator with set(s) of maximum values of security-relevant error rates that
can be achieved simultaneously in the context of relevant configuration parameters as defined in 7.2.1.
⎯ The vendor shall provide justification as to why the maximum values for security-relevant error rates are
acceptable considering the intended use of the biometric system.
7.2.3 Examination of vendor claim (Step 3)
The evaluator shall determine whether the list of security-relevant error rates is complete and whether the
claim for the maximum values of the error rates is adequate. They must also check the vendor's justification of
the error rates that the vendor considers to be irrelevant.
Factors that should be considered when deciding whether the claim for the maximum values of error rates is
adequate include:
⎯ the (future) application case of the biometric system and its security needs,
⎯ legal requirements,
⎯ contractual requirements (or customers' requirements),
⎯ requirements resulting from a specific evaluation methodology which is used.
Please note that, during a security evaluation, it is not the responsibility of the evaluator to decide whether the
claim of the error rates and their maximum values meet the “state of the art” of a biometric technology i.e.
whether the biometric system would in theory be able to meet better claims. The relevant question for this
aspect should rather be whether the vendor's claims meet the needs of the customer in the context of the
future application of the biometric system.
The evaluator shall consider all error rates in ISO/IEC 19795-1:2006 during their analysis to evaluate whether
the list of identified security-relevant error rates is complete.
To ensure that the list of error rates is complete the evaluator will have to decide for each error rate that is
defined in ISO/IEC 19795-1:2006 whether it is relevant for the biometric system under evaluations. Primarily
each error rate should be considered to be relevant.
12 © ISO/IEC 2009 – All rights reserved

Obvious reasons for which an error rates may not be relevant include:
⎯ specific legal requirements that do not require this error rate,
⎯ an error rate that is only applicable to a biometric identification system, where a biometric verification
system is being evaluated,
⎯ the pre-selection error rate in systems that do not perform pre-selection.
If the vendor considers a certain error rate to be irrelevant to security and this is not apparent to the evaluator,
the vendor shall provide additional justification to satisfy the evaluator. Otherwise the vendor shall provide the
error rate value(s) for the error rate under consideration.
7.2.4 Vendor test and evaluation of vendor test (Step 4 and 5)
While the previous clauses each addressed one step of the six test approach as introduced in 7.2, this
subclause combines the requirements for two steps of the approach:
⎯ The vendor's test to prove that the claimed error rates are correct, i.e. the error rates meet the claim.
⎯ The evaluator's assessment of this test.
This is beneficial to the interests of clarity and conciseness as the requirements for vendor and evaluator
testing share many common features. Where differences do occur they will be indicated. Note that if specific
scheme requirements require the vendor and evaluator actions to be separately documented, it may be
necessary to split the information in this clause into 2 distinct subclauses
The vendor shall plan, conduct and document a test which substantiates the claimed security relevant error
rates. This test shall comply with relevant parts of ISO/IEC 19795-1. The evaluator shall check and validate
the vendor test.
NOTE The requirements for vendor testing do not prevent the task being entrusted to a third party test organization.
However, such an organization shall be independent from the evaluator reviewing the test.
The role of performance testing in a biometric security evaluation is to determine or validate claimed
security-relevant error rates. Evaluations carried out according to this International Standard are required to
conform to the performance testing and reporting standards specified in ISO/IEC 19795-1:2006. In addition,
the following subclauses (7.2.4.1 to 7.2.4.8) are normative for tests conformant to this International Standard.
Those requirements extend, limit or emphasize requirements given in ISO/IEC 19795-1:2006. In the event of
conflicting requirements, the requirements in this International Standard shall take precedence.
NOTE Performance testing requires significant resources. It is therefore advisable for the vendor and evaluator to agree
the test methodology, protocol and report format prior to commencing the performance test, to ensure that the
performance test will meet the requirements of the evaluation.
In addition to the requirements from ISO/IEC 19795-1:2006, the following issues shall be addressed during
planning and execution of testing and shall be included in test documentation:
⎯ Any assumptions made about the test scenario shall be stated and justified,
⎯ The test crew shall be appropriate to the target application,
⎯ The test environment shall be consistent with the target application,
⎯ The security relevant error rates shall be reported and shown to be acceptable for the target
application,
⎯ Security relevant threshold value(s) and configuration parameters shall be set in accordance with
vendor recommendations for the test,
© ISO/IEC 2009 – All rights reserved 13

⎯ The retry counter shall be set in accordance with the vendor recommendations,
⎯ The single attempt error rate shall be measured and reported,
⎯ The statistical approach to the test shall be reported and justified by the vendor.
Additional information about these requirements can be found in the following subclauses.
7.2.4.1 Assumptions
During each test of the security relevant error rates of a biometric system assumptions must be made in order
to design an appropriate test scenario.
The vendor shall report all assumptions which have been made during the design and test phases.
Assumptions traditionally address:
⎯ the intended environment of the biometric system,
⎯ the expected behaviour of intended users of the biometric system,
⎯ the expected behaviour and background of attackers who might attack the biometric system in its
intended operating environment.
How closely the test conditions and assumptions match the intended operational conditions will affect how
reliably the test results will predict the operational performance of the biometric system. The vendor should
report all necessary assumptions made for the test, ensure that those assumptions are consistent with the
intended usage of the biometric system, and ensure that the test design as
...