ISO/IEC 19792:2025
Information security, cybersecurity and privacy protection - General principles, requirements and guidance for security evaluation of biometric systems
This document specifies general principles, requirements and guidance for a security evaluation of a biometric system. This document provides an overview of the main biometric-specific aspects, i.e. recognition performance, presentation attack detection and privacy, and specifies principles to consider for the security evaluation of a biometric system. This document does not address the non-biometric aspects which can form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).
Overview
ISO/IEC 19792:2025 - Information security, cybersecurity and privacy protection - General principles, requirements and guidance for security evaluation of biometric systems - defines the high‑level principles and requirements for assessing the security of biometric systems. This second edition (replacing ISO/IEC 19792:2009) harmonizes the structure with general security evaluation methodology and focuses on biometric‑specific aspects such as recognition performance, presentation attack detection (PAD) and privacy. It is intentionally methodology‑neutral: the document specifies what to consider in a security evaluation rather than prescribing a single test procedure.
Key topics and technical requirements
- Scope and purpose: Principles for security evaluation of complete biometric systems (verification and identification) and relevant subsystems. Non‑biometric system elements (e.g., databases, network channels) are not covered here.
- Threat and vulnerability analysis: Comprehensive overview of biometric‑specific threats (performance limitations, hostile environments, enrolment process weaknesses, data leakage/alteration, synthesized samples, PAIs, related‑person similarity, characteristic modification).
- Recognition performance evaluation: Guidance on assessing security‑relevant error rates and the impact of those errors on system security; role of independent testing is emphasised.
- Presentation attack detection (PAD): Principles for evaluating PAD effectiveness and vulnerabilities to presentation attacks.
- Privacy and data protection: High‑level guidance on privacy risks, de‑enrolment and account deactivation rights for biometric reference data.
- Evaluation approach: Harmonized with general security evaluation methodology to support integration into certification schemes or bespoke evaluation programs.
Practical applications
ISO/IEC 19792:2025 is intended to:
- Guide developers in designing biometric systems with evaluability and security controls for recognition and PAD.
- Help evaluators create or refine security evaluation criteria and test plans for biometric solutions.
- Support procurers and system integrators in specifying security and privacy requirements for biometric purchases and deployments.
- Serve as a framework for organizations implementing or adapting certification and testing methodologies for biometric products.
Who should use this standard
- Biometric system developers and vendors
- Independent evaluators and testing laboratories
- Procurement officers and system integrators specifying biometric requirements
- Security architects, privacy officers and compliance teams
- Certification bodies and standards writers
Related standards
ISO/IEC 19792:2025 references and complements other biometric and evaluation standards, including:
- ISO/IEC 19795‑1 (biometric performance testing/reporting)
- ISO/IEC 30107 series (presentation attack detection)
- ISO/IEC 19989, ISO/IEC 15408, ISO/IEC 18045 and the ISO/IEC 15048 series (security evaluation frameworks)
Keywords: ISO/IEC 19792:2025, biometric security evaluation, presentation attack detection, recognition performance, biometric privacy, biometric vulnerabilities, security evaluation methodology.
Standards Content (Sample)
International Standard
ISO/IEC 19792
Second edition, 2025-06
Information security, cybersecurity and privacy protection — General principles, requirements and guidance for security evaluation of biometric systems
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
3.1 General biometric terms ... 1
3.2 Biometric systems ... 3
3.3 Biometric processes ... 4
3.4 Recognition performance ... 5
3.5 Presentation attack detection ... 6
4 Abbreviated terms ... 7
5 Overview of security evaluation of biometric systems ... 7
5.1 Biometric systems and their vulnerabilities ... 7
5.2 Approach of security evaluation of biometric systems ... 8
6 Threat and vulnerability analysis ... 9
6.1 Overview ... 9
6.2 Threats and vulnerabilities for considerations ... 10
6.2.1 Overview ... 10
6.2.2 Performance limitations ... 11
6.2.3 Hostile environment ... 12
6.2.4 Insufficient controls of the enrolment process ... 12
6.2.5 Difficulty of concealing biometric characteristics ... 13
6.2.6 Leakage and alteration of biometric data ... 13
6.2.7 Synthesized wolf biometric samples ... 13
6.2.8 PAI of biometric characteristics ... 14
6.2.9 Similarity due to blood relationship ... 14
6.2.10 Special biometric characteristics ... 14
6.2.11 Modification of biometric characteristics ... 15
6.2.12 Further considerations ... 15
7 Evaluation of biometric recognition performance and related vulnerabilities ... 15
7.1 Overview ... 15
7.2 Concept – testing security-relevant error rates ... 15
7.3 Independent testing ... 16
7.4 Consideration of impact of error rates ... 17
8 Evaluation of biometric vulnerabilities ... 17
8.1 Overview ... 17
8.2 Vulnerability assessment for presentation attacks and other potential threats ... 18
8.2.1 Application note ... 18
8.2.2 Performance limitations ... 18
8.2.3 Hostile environment ... 18
8.2.4 Procedural vulnerabilities around the enrolment process ... 19
8.2.5 Difficulty of concealing biometric characteristics ... 19
8.2.6 Leakage and alteration of biometric data ... 19
8.2.7 Synthesized wolf biometric samples ... 20
8.2.8 PAI of biometric characteristics ... 20
8.2.9 Similarity due to blood relationship ... 21
8.2.10 Special biometric characteristics ... 22
8.2.11 Modification of biometric characteristics ... 22
8.2.12 Further considerations ... 22
9 Privacy ... 23
9.1 Overview ... 23
9.2 Data protection ... 23
9.3 Account deactivation of biometric reference data ... 24
9.4 De-enrolment ... 24
Bibliography ... 25
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 19792:2009), which has been technically
revised.
The main changes are as follows:
— the structure has been harmonized with general security evaluation methodology;
— the title has been changed from “Security evaluation of biometrics” to “General principles, requirements
and guidance for security evaluation of biometric systems”, to align with the ISO/IEC 19989 series, the
ISO/IEC 15408 series and the ISO/IEC 18045.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document does not aim to define any concrete methodology for the security evaluation of biometric
systems but instead focuses on the principal requirements. As such, the requirements in this document are
independent of any evaluation or certification scheme. If the requirements of this document are intended to
be used in such a scheme, it will be necessary to adapt and incorporate them into the scheme before use.
This document defines various areas that are important to consider during a security evaluation of a
biometric system. These areas are represented by the following clauses:
— Clause 5 explains the outline of security evaluation of biometric systems;
— Clause 6 overviews the threats and vulnerabilities to biometric systems that should be considered for
the evaluation;
— Clause 7 describes the evaluation of biometric specific vulnerabilities related to recognition performance;
— Clause 8 deals with the evaluation of biometric specific vulnerabilities related to presentation attack
detection;
— Clause 9 overviews the evaluation of privacy.
This document is relevant to both evaluator and developer communities. It shows how a security evaluation
of a biometric system is performed. It serves to inform developers of the requirements for biometric security
evaluations to help them prepare for security evaluations.
Although this document is independent of any specific evaluation scheme, it serves as a framework for
developing concrete evaluation and testing methodologies that integrate the requirements for biometric
evaluations into existing evaluation and certification schemes.
This document refers to and utilizes other biometric standards, notably those for biometric performance
testing and reporting from ISO/IEC 19795-1, and the evaluation of presentation attack detection from the
ISO/IEC 30107 series. These standards have been applied as necessary for the specific requirements of
biometric security evaluation.
This document can also be used by organizations such as developers and procurers of biometric systems or
devices to set proper security requirements for biometric systems or devices.
This document focuses mostly on the cases of complete biometric systems for verification or identification
scenarios. However, the evaluation principles can be used entirely or partly for other cases such as:
subsystems (e.g. presentation attack detection component, comparison component), other biometric
scenarios (e.g. enrolment, duplicate enrolment check, white listing, black listing, quality assessment) or
other biometrics-related processing aspects (e.g. emotional estimation, age estimation).
This document can be seen as an introduction to the ISO/IEC 19989 series, which covers the security
evaluation of biometric products based on the ISO/IEC 15048 series. In addition, this document provides
general guidance to design and execute security evaluation methodologies of biometric systems that are not
aimed for evaluation conformant to ISO/IEC 15408 series.
This document does not address the vulnerabilities that are common to IT systems in general. For example,
unprotected biometric data, biometric references, or comparison decisions, with which an attacker can
tamper in order to impersonate someone else, are such vulnerabilities and are subject to evaluation under
a general methodology, not specific to biometrics, such as the one specified in ISO/IEC 15408-1. However,
general vulnerabilities associated with the information handled by the biometric system can employ system
specific countermeasures which are addressed in Clauses 6 and 8.
International Standard ISO/IEC 19792:2025(en)
Information security, cybersecurity and privacy protection —
General principles, requirements and guidance for security
evaluation of biometric systems
1 Scope
This document specifies general principles, requirements and guidance for a security evaluation of a
biometric system.
This document provides an overview of the main biometric-specific aspects, i.e. recognition performance,
presentation attack detection and privacy, and specifies principles to consider for the security evaluation of
a biometric system.
This document does not address the non-biometric aspects which can form part of the overall security
evaluation of a system using biometric technology (e.g. requirements on databases or communication
channels).
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 General biometric terms
3.1.1
assurance
grounds for confidence that a target of evaluation meets the security functional requirements
[SOURCE: ISO/IEC 15408-1:2022, 3.6]
3.1.2
attacker
person seeking to exploit potential vulnerabilities of a biometric system
3.1.3
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2018, 3.5]
3.1.4
biometric
of or having to do with biometrics
Note 1 to entry: The use of biometric as a noun, to mean for example, biometric characteristic (3.2.1), is deprecated.
EXAMPLE 1 Incorrect usage #1: ICAO resolved that face is the biometric most suited to the practicalities of travel
documents.
EXAMPLE 2 Correct usage #1: ICAO resolved that face recognition is the biometric mode most suited to the
practicalities of travel documents.
EXAMPLE 3 Incorrect usage #2: The biometric recorded in my passport is a facial image.
EXAMPLE 4 Correct usage #2: The biometric characteristic recorded in my passport is a facial image.
Note 2 to entry: Since the late 19th century the terms biometrics and biometry have been used with the general
meaning of counting, measuring and statistical analysis of any kind of data in the biological sciences including the
relevant medical sciences.
[SOURCE: ISO/IEC 2382-37:2022, 37.01.01]
3.1.5
biometric recognition
biometrics
automated recognition of individuals based on their biological and behavioural characteristics
Note 1 to entry: In the field of biometrics (as defined in this document), “Individual” is restricted in scope to refer only
to humans.
Note 2 to entry: The general meaning of biometrics encompasses counting, measuring and statistical analysis of any
kind of data in the biological sciences including the relevant medical sciences.
Note 3 to entry: Biometric recognition encompasses biometric verification and biometric identification.
Note 4 to entry: Automated recognition implies that a machine-based system is used for the recognition either for the
full process or assisted by a human being.
Note 5 to entry: Behavioural and biological characteristics cannot be completely separated which is why the definition
uses "and" instead of "and/or". For example, a fingerprint image results from the biological characteristics of the finger
ridge patterns and the behavioural act of presenting the finger.
Note 6 to entry: Use of "authentication" as a synonym for “biometric verification or biometric identification” is
deprecated; the term biometric recognition is preferred.
[SOURCE: ISO/IEC 2382-37:2022, 37.01.03]
3.1.6
developer
organization responsible for the development of the target of evaluation
Note 1 to entry: According to ISO/IEC 15408-1:2022, 3.90, a target of evaluation is defined as a set of software,
firmware and/or hardware possibly accompanied by guidance, which is the subject of an evaluation.
[SOURCE: ISO/IEC 15408-1:2022, 3.33, modified — Note 1 to entry has been added.]
3.1.7
evaluation
assessment of a target of evaluation against defined criteria
[SOURCE: ISO/IEC 15408-1:2022, 3.37, modified — “PP-Configuration, protection profile (PP), a security
target (ST), or” has been removed.]
3.1.8
evaluator
individual assigned to perform evaluations in accordance with a given evaluation standard and associated
evaluation methodology
Note 1 to entry: An example of evaluation standards is the ISO/IEC 15408 series with the associated evaluation
methodology given in ISO/IEC 18045.
[SOURCE: ISO/IEC 19896-1:2018, 3.5]
3.1.9
user
person interacting with a biometric system
Note 1 to entry: The term “user” sometimes means “biometric data subject”.
3.2 Biometric systems
3.2.1
biometric characteristic
biological and behavioural characteristic of an individual from which distinguishing, repeatable biometric
features (3.2.4) can be extracted for the purpose of biometric recognition
EXAMPLE Examples of biometric characteristics are Galton ridge structure, face topography, facial skin texture,
hand topography, finger topography, iris structure, vein structure of the hand, ridge structure of the palm, retinal
pattern, handwritten signature dynamics, etc.
[SOURCE: ISO/IEC 2382-37:2022, 37.01.02]
3.2.2
biometric data
biometric sample or aggregation of biometric samples at any stage of processing
EXAMPLE Biometric reference (3.2.5), biometric probe, biometric feature (3.2.4) or biometric property.
Note 1 to entry: Biometric data need not be attributable to a specific individual, e.g. Universal Background Models.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.06]
3.2.3
biometric data subject
individual whose individualized biometric data is within the biometric system
Note 1 to entry: The intent of the word “individualized” is to distinguish biometric data subjects from those whose
aggregated data was used in the creation of the biometric recognition algorithm. Examples of individuals contributing
biometric data who are not biometric data subjects include those who contributed to a Universal Background Model in
speaker recognition systems, or who contributed to the creation of an eigenface basis set in a facial recognition system.
[SOURCE: ISO/IEC 2382-37:2022, 37.07.05]
3.2.4
biometric feature
numbers or labels extracted from biometric samples (3.2.6) and used for comparison
Note 1 to entry: The set of numbers or labels are the output of a completed biometric feature extraction.
Note 2 to entry: The use of this term should be consistent with its use by the pattern recognition and mathematics
communities.
Note 3 to entry: A biometric feature set can also be considered a processed biometric sample.
Note 4 to entry: Biometric features may be extracted from an intermediate biometric sample.
Note 5 to entry: Filters applied to biometric samples are not themselves biometric features. However, the output of the
filter applied to the biometric samples can be. Therefore, eigenfaces are not biometric features, for example.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.11]
3.2.5
biometric reference
one or more stored biometric samples (3.2.6), biometric templates or biometric models attributed to a
biometric data subject and used as the object of biometric comparison
EXAMPLE Face image stored digitally on a passport; fingerprint minutiae template on a National ID card or
Gaussian Mixture Model for speaker recognition, in a database.
Note 1 to entry: A biometric reference may be created with implicit or explicit use of auxiliary data, such as Universal
Background Models.
Note 2 to entry: The subject/object labelling in a comparison can be arbitrary. In some comparisons a biometric
reference can potentially be used as the subject of the comparison with other biometric references or incoming
biometric samples and input to a biometric algorithm for comparison. For example, in a duplicate enrolment check a
biometric reference will be used as the subject for comparison against all other biometric references in the database.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.16]
3.2.6
biometric sample
analogue or digital representation of biometric characteristics (3.2.1) prior to biometric feature extraction
EXAMPLE A record containing the image of a finger is a biometric sample.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.21]
3.3 Biometric processes
3.3.1
biometric enrolment
enrolment
act of creating and storing a biometric enrolment data record in accordance with an enrolment policy
Note 1 to entry: Registration has a different meaning in the signal processing community and its use is therefore
deprecated in biometrics in favour of enrolment.
Note 2 to entry: Enrolment in a biometric system can in some cases not involve storage.
[SOURCE: ISO/IEC 2382-37:2022, 37.05.03]
3.3.2
biometric identification
process of searching against a biometric enrolment database to find and return the biometric reference
identifier(s) attributable to a single individual
Note 1 to entry: Use of the term “authentication” as a substitute for biometric identification is deprecated.
[SOURCE: ISO/IEC 2382-37:2022, 37.08.02]
3.3.3
biometric verification
process of confirming a biometric claim through comparison
Note 1 to entry: The term “verification”, in the above definition refers to verifying biometrics.
Note 2 to entry: Use of the term “authentication” as a substitute for biometric verification is deprecated.
[SOURCE: ISO/IEC 2382-37:2022, 37.08.03]
3.3.4
comparison decision
determination of whether the biometric probe(s) and biometric reference(s) have the same biometric source,
based on a comparison score(s), a decision policy(ies) including a threshold and possibly other inputs
Note 1 to entry: A match is a positive comparison decision. A non-match is a negative comparison decision. A decision
of “undetermined” may sometimes be given.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.26]
3.3.5
comparison score
numerical value (or set of values) resulting from a comparison
Note 1 to entry: A higher score does not necessarily mean more similar.
[SOURCE: ISO/IEC 2382-37:2022, 37.03.27]
3.3.6
de-enrolment
destruction of the biometric data associated with a biometric enrolment data record
Note 1 to entry: De-enrolment does not imply destruction of transaction records.
Note 2 to entry: De-enrolment is always irreversible.
[SOURCE: ISO/IEC 2382-37:2022, 37.06.41]
3.3.7
enrol
create and store a biometric enrolment data record in accordance with the biometric enrolment policy
[SOURCE: ISO/IEC 2382-37:2022, 37.05.08]
3.3.8
threshold
numerical value (or set of values) at which a decision boundary exists
[SOURCE: ISO/IEC 2382-37:2022, 37.03.36]
3.4 Recognition performance
3.4.1
casual attack
attack in which an attacker presents their own natural biometric characteristics (3.2.1) hoping to achieve a
match against a biometric reference belonging to a legitimate enrolee other than themself
Note 1 to entry: The presentation can be accompanied by a false claim of identity for verification (1:1 comparison)
systems or without a claim of identity for identification (1:N comparison) systems.
3.4.2
false match rate
FMR
proportion of the completed biometric non-mated comparison trials that result in a false match
Note 1 to entry: The value computed for the false match rate depends on thresholds, and other parameters of the
comparison process, and the protocol defining the biometric non-mated comparison trials.
Note 2 to entry: Comparisons between the following require proper consideration (see ISO/IEC 19795-1):
— identical twins;
— different, but related biometric characteristics (3.2.1) from the same individual, such as left and righthand
topography.
Note 3 to entry: “Completed” refers to the computational processes required to make a comparison decision, i.e.
failures to decide are excluded.
[SOURCE: ISO/IEC 2382-37:2022, 37.09.09]
3.4.3
false non-match rate
FNMR
proportion of the completed biometric mated comparison trials that result in a false non-match
Note 1 to entry: The value computed for the false non-match rate will depend on thresholds, and other parameters of
the comparison process, and the protocol defining the biometric mated comparison trials.
Note 2 to entry: “Completed” refers to the computational processes required to make a comparison decision, i.e.
failures to decide are excluded.
[SOURCE: ISO/IEC 2382-37:2022, 37.09.11]
3.4.4
test crew
set of test subjects utilized in an evaluation
[SOURCE: ISO/IEC 19795-1:2021, 3.2]
3.5 Presentation attack detection
3.5.1
goat
biometric data subject whose biometric reference results in a similarity score lower than normal on a
particular biometric system when compared against biometric probes from biometric data subject themself
3.5.2
lamb
biometric data subject whose biometric reference results in a similarity score higher than normal on a
particular biometric system when compared against biometric probes from other biometric data subjects
3.5.3
presentation attack detection
PAD
automated discrimination between bona-fide presentations and biometric presentation attacks
Note 1 to entry: PAD cannot infer the biometric capture subject’s intent.
[SOURCE: ISO/IEC 2382-37:2022, 37.06.42]
3.5.4
presentation attack instrument
PAI
biometric characteristic (3.2.1) or object used in a biometric presentation attack
Note 1 to entry: The set of PAI includes artefacts but would also include lifeless biometric characteristics, (i.e.
stemming from dead bodies) or altered biometric characteristics (e.g. altered fingerprints that are used in an attack).
[SOURCE: ISO/IEC 2382-37:2022, 37.06.44]
3.5.5
wolf
attacker whose biometric characteristics (3.2.1) or presentation attack instrument (3.5.4) results in a
similarity score higher than normal on a particular biometric system when compared against biometric
references of enrolees
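An added worked example (Python written for this page, not text or code from the standard) that applies the Clause 3 definitions end to end: a decision policy with threshold and score polarity (3.3.4, 3.3.5, 3.3.8), FMR and FNMR computed over completed trials only so that failures to decide are excluded (3.4.2, 3.4.3), and flagging of goats, lambs and wolves (3.5.1, 3.5.2, 3.5.5). The test-crew scores, the subject labels A-D, G, L, W and the median/MAD rule used to make "higher than normal" concrete are constructed assumptions, not values from the standard.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Trial:
    probe_subject: str      # subject who presented the biometric probe
    ref_subject: str        # subject whose biometric reference it was compared against
    score: Optional[float]  # comparison score; None models a failure to decide

    @property
    def mated(self) -> bool:
        return self.probe_subject == self.ref_subject


@dataclass(frozen=True)
class DecisionPolicy:
    """Decision policy of 3.3.4: a threshold (3.3.8) plus the score's polarity (3.3.5 Note 1)."""
    threshold: float
    higher_is_more_similar: bool = True

    def as_similarity(self, score: float) -> float:
        """Map a score onto a scale where larger always means more similar."""
        return score if self.higher_is_more_similar else -score

    def decide(self, score: Optional[float]) -> str:
        """Comparison decision (3.3.4): 'match', 'non-match' or 'undetermined'."""
        if score is None:
            return "undetermined"
        similar = self.as_similarity(score) >= self.as_similarity(self.threshold)
        return "match" if similar else "non-match"


def error_rates(trials: list[Trial], policy: DecisionPolicy) -> tuple[float, float]:
    """FMR (3.4.2) and FNMR (3.4.3) over *completed* trials only: failures to decide
    are dropped from numerator and denominator, not counted as errors."""
    completed = [t for t in trials if policy.decide(t.score) != "undetermined"]
    non_mated = [t for t in completed if not t.mated]  # each one is a casual attack (3.4.1)
    mated = [t for t in completed if t.mated]
    false_matches = sum(1 for t in non_mated if policy.decide(t.score) == "match")
    false_non_matches = sum(1 for t in mated if policy.decide(t.score) == "non-match")
    fmr = false_matches / len(non_mated) if non_mated else float("nan")
    fnmr = false_non_matches / len(mated) if mated else float("nan")
    return fmr, fnmr


def _outliers(groups: dict[str, list[float]], population: list[float], k: float, high: bool) -> set[str]:
    """Subjects whose per-subject median lies more than k MADs above (high) or below the
    population median; median/MAD stop the animals themselves from stretching 'normal'."""
    if len(population) < 2:
        return set()
    centre = median(population)
    mad = median(abs(s - centre) for s in population)
    if mad == 0:
        return set()  # no spread to judge 'normal' against
    flagged = set()
    for subject, scores in groups.items():
        m = median(scores)
        if (high and m > centre + k * mad) or (not high and m < centre - k * mad):
            flagged.add(subject)
    return flagged


def zoo(trials: list[Trial], policy: DecisionPolicy, k: float = 3.0) -> dict[str, set[str]]:
    """Goats (3.5.1): own reference scores lower than normal against own probes.
    Lambs (3.5.2): own reference scores higher than normal against others' probes.
    Wolves (3.5.5): own probes score higher than normal against others' references."""
    by_subject, by_ref, by_probe = {}, {}, {}  # subject -> similarity scores
    for t in trials:
        if t.score is None:
            continue
        s = policy.as_similarity(t.score)
        if t.mated:
            by_subject.setdefault(t.ref_subject, []).append(s)
        else:
            by_ref.setdefault(t.ref_subject, []).append(s)
            by_probe.setdefault(t.probe_subject, []).append(s)
    mated_pop = [s for v in by_subject.values() for s in v]
    nonmated_pop = [s for v in by_ref.values() for s in v]
    return {
        "goats": _outliers(by_subject, mated_pop, k, high=False),
        "lambs": _outliers(by_ref, nonmated_pop, k, high=True),
        "wolves": _outliers(by_probe, nonmated_pop, k, high=True),
    }


# Constructed test-crew results: similarity scores on [0, 1], threshold 0.60.
# A-D behave normally, G is a goat, L a lamb, W a wolf; None = failure to decide.
POLICY = DecisionPolicy(threshold=0.60)
MATED = [("A", .90), ("B", .88), ("C", .91), ("D", .89), ("G", .40), ("L", .87), ("W", None)]
NON_MATED = [
    ("A", "B", .10), ("A", "C", .12), ("A", "D", .09), ("B", "A", .11), ("B", "C", .13), ("B", "D", .08),
    ("C", "A", .10), ("C", "B", .12), ("C", "D", .11), ("D", "A", .09), ("D", "B", .10), ("D", "C", .12),
    ("G", "A", .10), ("A", "G", .11), ("D", "G", None),
    ("A", "L", .70), ("B", "L", .66), ("C", "L", .72),  # L's reference accepts several others
    ("W", "A", .65), ("W", "B", .68), ("W", "C", .63),  # W's probes match several references
]
TRIALS = [Trial(s, s, sc) for s, sc in MATED] + [Trial(p, r, sc) for p, r, sc in NON_MATED]
```

With the constructed crew, `error_rates(TRIALS, POLICY)` gives FMR 6/20 and FNMR 1/6 (the two undetermined trials are not in either denominator), and `zoo(TRIALS, POLICY)` flags exactly G, L and W.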
4 Abbreviated terms
For the purposes of this document, the following terms apply.
FMR false match rate
FNMR false non-match rate
PII personally identifiable information
5 Overview of security evaluation of biometric systems
5.1 Biometric systems and their vulnerabilities
This clause provides a context in which the security evaluation of biometric systems is conducted.
Figure 1 shows the reference architecture of a biometric system used in this document. A biometric system
comprises a collection of hardware and software components. It is normally used to implement a biometric
application, in which it operates in an externally provided environment that forms an essential part of the
application. The environment comprises not only physical factors such as space, temperature, humidity and
illumination, but also all procedural aspects and human users of the system. Users of the system comprise
a variety of people who can interact with the system such as operators, administrators, enrolees and
attackers. For more details of biometric systems, see ISO/IEC 24741.
SOURCE ISO/IEC 30107-1:2023, Figure 1.
NOTE 1 A dashed line in Figure 1 shows interactions between the presentation attack detection (PAD) subsystem
and other subsystems. “Biometric claim” in Figure 1 means a claim of biometric reference.
NOTE 2 Configurations other than the one shown in this figure are possible.
Figure 1 — General biometric framework with presentation attack detection
This document is principally directed at the security evaluation of biometric systems themselves rather than
complete biometric applications. A biometric application comprises a biometric system and possibly other
hardware and software components, together with an operating environment, and organizational processes
and policies that collectively provide the functionality of the application. These additional elements can have
security vulnerabilities of their own, or can amplify or mitigate vulnerabilities possessed by the biometric
system itself.
Vulnerability analysis should be conducted in an ordered manner that involves the investigation of
individual component vulnerabilities. Evaluators should however exercise caution when assessing the
results of component vulnerability assessment without considering the interactions that take place with
other system components. These interactions can determine whether component vulnerabilities can be
exploited in practice. Therefore, evaluators should always assess vulnerabilities in the context of the overall
system functioning and not solely based on assessment of individual component vulnerabilities.
Similarly, a biometric system can display intrinsic vulnerabilities that are realized, aggravated or mitigated
by interaction among system components. For example, a biometric comparison algorithm can display
anomalous behaviour if presented with biometric data out of range, and this behaviour can give rise to a
vulnerability. However, if any component responsible for supplying the biometric data to the comparison
algorithm prevents such anomalous data being supplied, there is no resultant vulnerability. Although the
methodology in this document can be used to evaluate security factors for components of a biometric
system, evaluators should exercise caution when examining individual component vulnerabilities and
seek to understand the interactions between components to determine how these can affect the resulting
system vulnerabilities. In general, the assessment of individual component vulnerabilities can be limited
and misleading if conducted outside the context of a system evaluation.
5.2 Approach of security evaluation of biometric systems
This document addresses the aspects of security evaluation specific to biometric systems, although a
security evaluation of a biometric system can also involve the evaluation of IT security aspects. It does not
seek to address the broader issues of security evaluation of a complete biometric application.
NOTE For the general information technology (IT) security aspects, readers can refer to other IT security
evaluation standards and methodologies such as the ISO/IEC 15408 series.
The vendor of the biometric system under evaluation shall provide a description of the system before
an evaluation can begin. The level of detail is dependent on the evaluation requirements and the level of
assurance for the evaluation outcome. This allows the evaluator to become familiar with the system and
support decisions later in the evaluation process.
Both the vendor and the evaluator should conduct threat and vulnerability analysis independently. Clause 6
overviews potential vulnerabilities of biometric systems, based on theoretical considerations and practical
experience.
Vulnerability assessment benefits from a methodical approach. It also requires expertise and creative
thinking on the part of the evaluator. Evaluators should therefore be aware of general threats,
vulnerabilities and countermeasures, as well as those that are specific to biometric systems.
Information on biometric vulnerabilities appears in 6.2, but evaluators should also seek out further
information available in the literature, including public domain reports on biometric vulnerabilities
appearing in magazines, academic studies and the internet. Additionally, evaluators should acquire practical
experience with the techniques of biometric vulnerability investigation as described in these reports. This is
regarded as necessary prerequisite training for evaluators before conducting a vulnerability assessment as
part of a biometric security evaluation.
The aspects of security evaluation specific to biometric systems are:
— evaluation of vulnerabilities related to recognition performance (see Clause 7);
— evaluation of vulnerabilities related to PAD (see Clause 8);
— evaluation of vulnerabilities related to privacy (see Clause 9).
Clause 7 introduces the concept of a test of recognition performance in the context of a biometric system
security evaluation. Statistical error rates can be measured for biometric algorithms alone (e.g. technology
testing, typically using pre-existing databases of biometric samples), or for systems (e.g. scenario testing
© ISO/IEC 2025 – All rights reserved
where biometric data subjects provide the biometric samples directly to the sensor of the data capture
component). Technology testing is often used to compare the performance of different algorithms and to
quantify changes resulting from algorithm development. Technology testing is of limited value in security
evaluation because algorithmic errors are only one source of errors in a biometric system. It is common
practice to conduct statistical error measurement of biometric systems using biometric samples acquired
by the capture component of the system from real subjects in a scenario test. However, a technology test
of an algorithm can contribute to the necessary understanding of the biometric system that is required to
prepare the test conducted by a third party, such as an evaluation body, or to claim the maximum error rates
of the biometric system. In addition, technology testing can help to identify statistical weaknesses that can
be exploited by an attacker. Thus, Clause 7 also introduces how weaknesses in biometric recognition
performance can be exploited through the capture process or by bypassing it.
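As an added illustration (not text or code from ISO/IEC 19792, and not tied to any real system), the following Python turns the error rates a recognition-performance test produces into the system-level figures an evaluator needs: the decision threshold meeting an FMR target, the compounded false-match probability over repeated attempts or over an identification gallery, and the retry limit that keeps that probability within a budget. All comparison scores are constructed.

```python
# Added example, not from ISO/IEC 19792: from measured error rates to the
# system-level figures an evaluator needs. All scores below are constructed.
import math

# Constructed comparison scores (higher = more similar) from a hypothetical
# scenario test: mated trials and zero-effort non-mated (impostor) trials.
MATED = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.66, 0.93, 0.86, 0.81]
NON_MATED = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.19, 0.63, 0.27, 0.44,
             0.38, 0.51, 0.15, 0.33, 0.82, 0.47, 0.21, 0.36, 0.55, 0.25]

def fmr_at(non_mated, threshold):
    """False match rate: share of non-mated trials with score >= threshold."""
    return sum(s >= threshold for s in non_mated) / len(non_mated)

def fnmr_at(mated, threshold):
    """False non-match rate: share of mated trials with score < threshold."""
    return sum(s < threshold for s in mated) / len(mated)

def threshold_for_fmr(non_mated, target_fmr):
    """Lowest threshold whose empirical FMR does not exceed the target.
    Candidates are the observed non-mated scores plus a sentinel just above
    the maximum, so a target of 0 is always reachable."""
    for t in sorted(set(non_mated)) + [max(non_mated) + 1e-9]:
        if fmr_at(non_mated, t) <= target_fmr:
            return t

def compound_fmr(fmr, trials):
    """Probability of at least one false match over independent trials.
    Read as the zero-effort success chance over `trials` verification
    attempts, or as the system FMR of a positive identification against a
    gallery of `trials` references: the algorithm's FMR is one factor, the
    retry policy and gallery size set the actual exposure."""
    return 1.0 - (1.0 - fmr) ** trials

def max_attempts_within_budget(fmr, budget):
    """Largest n with compound_fmr(fmr, n) <= budget, i.e. the retry limit
    the rest of the system must enforce. None when fmr is 0 or the budget
    is 1 (no limit needed on this basis); 0 when one attempt already exceeds it."""
    if fmr <= 0.0 or budget >= 1.0:
        return None
    if fmr > budget:
        return 0
    return math.floor(math.log(1.0 - budget) / math.log(1.0 - fmr) + 1e-12)

if __name__ == "__main__":
    t = threshold_for_fmr(NON_MATED, 0.05)
    print(f"threshold {t:.2f}: FMR {fmr_at(NON_MATED, t):.3f}, "
          f"FNMR {fnmr_at(MATED, t):.3f}")
    print("false-match chance over 3 attempts:", round(compound_fmr(0.05, 3), 4))
    print("retry limit for a 15 % budget:", max_attempts_within_budget(0.05, 0.15))
```

The same compounding formula shows why a technology test alone understates exposure: the system's retry policy and gallery size, not the algorithm's single-trial FMR, determine the probability an evaluator should report.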
Clause 8 provides a fundamental framework for evaluation of PAD and other PAD-related vulnerabilities.
Technical vulnerabilities are addressed in correspondence with the potential vulnerabilities considered in
Clause 6, which are based on theoretical considerations and practical experience. The exploitation of a potential
vulnerability typically involves multiple components. For example, a PAI must be accepted by the sensor
and defeat any PAD; pass the acquisition quality analysis step; be successfully pre-processed and feature
extracted; and pass any subsequent quality control check. These steps normally involve more than one
component of the system.
Clause 9 details evaluator actions required to address the concerns of privacy when processing and storing
biometric data. This is an inherent security concern for biometric systems because the data used is personal
and can be governed by constraints of use determined by legislation or codes of practice. Additionally,
leakage of biometric data can facilitate the exploitation of vulnerabilities detailed in Clauses 7 and 8.
This document describes developer and evaluator roles, and specifies requirements and actions for each
party. Although the methodology is scheme-independent, the separation of roles here reflects the perceived
need for the responsibilities and actions of the evaluator to remain independent from those of the developer.
For an evaluation following the frameworks specified in the ISO/IEC 15408 series and ISO/IEC 18045 series,
the evaluation should follow the principles and requirements of the ISO/IEC 19989 series.
6 Threat and vulnerability analysis
6.1 Overview
Threats against biometric systems can manifest themselves in various ways but are principally aimed at
achieving one or more of the following objectives.
— Impersonation: a threat against a verification or identification system that is working with a positive
claim, where an attacker is falsely recognized as another user who is correctly enrolled, thereby allowing
the attacker to obtain or use the other user's ID or associated privileges within the system.
— Concealment: a threat to a verification or identification system where an enrolled user deliberately
changes or conceals their biometric characteristic(s) in order to avoid being recognized. This can be, for
instance, a particular threat to a system whose objectives include the prevention of multiple enrolments
by a single individual using different identities.
— Denial of service: a threat to a verification or identification system that is working with a positive claim
where an attacker repeatedly causes a rejection or a failure, which can cause an exception condition
leading to a diversion to a fallback system that is easier to exploit than the biometric system.
— Information leakage: a threat to any kind of biometric system where an attacker succeeds in gaining access
to all or part of the biometric information (and any associated attached PII) handled by the system.
The principal threats described above can be manifested in attacks using various techniques against different
processes and components used by the biometric system. For example, an attacker can impersonate another
person by falsely enrolling as that person, by presenting a PAI containing a copy of the victim’s biometric
characteristics or by manipulating the enrolment database to replace the victim’s biometric reference with
that of the impersonator.
Threats are usually taken to be deliberate attempts by an attacker to subvert system functionality. However,
it should be noted that, in certain situations, inadvertent actions by legitimate users (including users and
operators/administrators) can also lead to the subversion of system functionality.
An exampl
...
Frequently Asked Questions
ISO/IEC 19792:2025 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information security, cybersecurity and privacy protection - General principles, requirements and guidance for security evaluation of biometric systems". This standard covers: This document specifies general principles, requirements and guidance for a security evaluation of a biometric system. This document provides an overview of the main biometric-specific aspects, i.e. recognition performance, presentation attack detection and privacy, and specifies principles to consider for the security evaluation of a biometric system. This document does not address the non-biometric aspects which can form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).
ISO/IEC 19792:2025 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 19792:2025 has the following relationships with other standards: it has inter-standard links to ISO/IEC 19792:2009. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
The ISO/IEC 19792:2025 standard addresses the crucial intersection of information security, cybersecurity, and privacy protection specifically within the realm of biometric systems. Its well-defined scope ensures that organizations implementing biometric technologies possess a comprehensive framework for security evaluation, encapsulating essential principles and requirements that bolster the integrity and trustworthiness of biometric applications. One of the major strengths of ISO/IEC 19792:2025 is its focus on biometric-specific aspects, highlighted by its detailed guidance on recognition performance, presentation attack detection, and privacy considerations. This targeted approach not only aids organizations in adhering to best practices but also enhances the overall security posture of biometric systems against a growing array of cyber threats. The standard’s emphasis on evaluating presentation attack detection mechanisms, for instance, underscores its commitment to mitigating risks associated with spoofing and unauthorized access. Moreover, this standard establishes a clear pathway for security evaluation, making it an invaluable resource for both developers and auditors of biometric systems. By outlining the principles to consider during a biometric system's evaluation, ISO/IEC 19792:2025 ensures that organizations can perform a thorough risk assessment tailored to the unique characteristics of biometric technologies. The guidance provided enhances the practical application of security evaluations, ensuring that they are robust, systematic, and in line with contemporary threats and challenges. In conclusion, the relevance of ISO/IEC 19792:2025 extends beyond its specific guidelines; it positions itself as a critical reference for organizations seeking to harmonize biometric technology integration with stringent security and privacy standards. 
As the adoption of biometric systems continues to expand, the standard's framework will play a pivotal role in safeguarding sensitive information and fostering user trust in these technologies.
The ISO/IEC 19792:2025 document specifies general principles, requirements and guidance for the security evaluation of biometric systems. The main scope of this standard is to provide an overview of the key aspects specific to biometric technology, such as recognition performance, presentation attack detection and privacy protection. Because the principles for the security evaluation of biometric systems are clearly set out, it provides a basis on which companies and institutions can evaluate biometric systems more systematically and reliably. The strength of this standard is that it broadly covers the core elements needed for the security evaluation of biometric recognition systems. For example, on recognition performance it sets out the criteria needed to evaluate the accuracy and reliability a biometric system must exhibit, and it provides a concrete methodology for presentation attack detection. This approach contributes to strengthening the security of biometric systems and to ensuring their safety against attacks. It also specifies requirements on privacy protection, providing the guidance needed to protect users' personal information. ISO/IEC 19792:2025 is a very important document amid the rapid development of biometric technology and the growth of security threats. In particular, as biometric systems are used in more and more industries and service sectors, this standard further emphasizes the need for and importance of security evaluation. Since it provides concrete criteria for evaluating the security of biometric systems, this document is expected to establish itself as an essential guideline for the relevant industry.
ISO/IEC 19792:2025 is an important standard that specifies general principles, requirements and guidance for the security evaluation of biometric systems. This document provides a comprehensive overview of the key elements related to biometric technology, namely recognition performance, presentation attack detection and privacy. In particular, it clearly defines the principles to be considered when conducting a security evaluation of a biometric system. The strength of this standard lies in focusing on biometric-specific aspects while setting out the concrete requirements needed for an evaluation. Practitioners and researchers are thus given a basis for systematically understanding and properly applying authentication processes and evaluation methods. For organizations that use biometric systems, this document is an indispensable guide for formulating and strengthening security policies. Furthermore, ISO/IEC 19792:2025 also emphasizes the importance of privacy protection and provides guidance for properly managing users' personal information. This point is becoming ever more important in the context of information security and cybersecurity in today's digital environment. This approach to evaluating biometric systems is also important for companies that want to adopt reliable technology and maintain customer trust. However, because this standard does not address non-biometric aspects, other relevant elements must also be considered when conducting an overall security evaluation. This makes it necessary to ensure that the evaluation of a biometric system is also consistent with the requirements on databases and communication channels. Overall, ISO/IEC 19792:2025 is a valuable resource for practitioners concerned with the security evaluation of biometric technology, and a standard that should be consulted in an age where cybersecurity and privacy protection are increasingly emphasized.