ISO/IEC 30107-3:2023

INTERNATIONAL ISO/IEC
STANDARD 30107-3
Second edition
2023-01
Information technology — Biometric
presentation attack detection —
Part 3:
Testing and reporting
Technologies de l'information — Détection d'attaque de présentation
en biométrie —
Partie 3: Essais et rapports d'essai
Reference number
© ISO/IEC 2023
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved

Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
3.1 Attack elements . 2
3.2 Metrics . 3
3.3 Test roles . 5
4 Abbreviated terms . 6
5 Conformance . 7
6 Presentation attack detection (PAD) overview . 7
7 Levels of evaluation of PAD mechanisms . 8
7.1 Overview . 8
7.2 General principles of evaluation of PAD mechanisms . 9
7.3 PAD subsystem evaluation. 9
7.4 Data capture subsystem evaluation . 10
7.5 Full system evaluation . 10
8 Artefact properties .11
8.1 Properties of PAIs in biometric impostor attacks . 11
8.2 Properties of PAIs in biometric concealer attacks .12
8.3 Properties of synthesized biometric samples with abnormal characteristics .12
9 Considerations in non-conformant capture attempts of biometric characteristics .13
9.1 Methods of presentation .13
9.2 Methods of assessment .13
10 Artefact creation and usage in evaluations of PAD mechanisms .13
10.1 General .13
10.2 Artefact creation and preparation . 13
10.3 Artefact usage . 14
10.4 Iterative testing to identity effective artefacts . 15
11 Process-dependent evaluation factors .15
11.1 Overview . 15
11.2 Evaluating the enrolment process . 15
11.3 Evaluating the verification process . 16
11.4 Evaluating the identification process . 16
11.5 Evaluating offline PAD mechanisms . 17
12 Evaluation using Common Criteria framework .17
12.1 General . 17
12.2 Common Criteria and biometrics . 18
12.2.1 Overview . 18
12.2.2 General evaluation aspects . 19
12.2.3 Error rates in testing . 19
12.2.4 PAD evaluation . 19
12.2.5 Vulnerability assessment . 20
13 Metrics for the evaluation of biometric systems with PAD mechanisms .21
13.1 General . 21
13.2 Metrics for PAD subsystem evaluation . 22
13.2.1 General .22
13.2.2 Classification metrics .22
13.2.3 Non-response metrics . 25
iii
© ISO/IEC 2023 – All rights reserved

13.2.4 Efficiency metrics .25
13.2.5 Summary . 25
13.3 Metrics for data capture subsystem evaluation . 25
13.3.1 General . 25
13.3.2 Acquisition metrics .26
13.3.3 Non-response metrics . 26
13.3.4 Efficiency metrics .26
13.3.5 Summary . 26
13.4 Metrics for full system evaluation . 27
13.4.1 General . 27
13.4.2 Accuracy metrics. 27
13.4.3 Efficiency metrics . 27
13.4.4 Generalized full-system evaluation performance .28
13.4.5 Summary . 30
Annex A (informative) Classification of attack types .32
Annex B (informative) Examples of artefact species used in a PAD subsystem evaluation
for fingerprint capture devices .36
Annex C (informative) Roles in PAD testing .37
Bibliography .38
iv
© ISO/IEC 2023 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 37, Biometrics.
This second edition cancels and replaces the first edition (ISO/IEC 30107-3:2017), which has been
technically revised.
The main changes are as follows:
— the relative impostor attack presentation accept rate has been added (13.4.4);
— information on roles in presentation attack detection testing have been added (Annex C);
— general technical clarifications and improvements have been made.
A list of all parts in the ISO/IEC 30107 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
v
© ISO/IEC 2023 – All rights reserved

Introduction
The presentation of an artefact or of human characteristics to a biometric capture subsystem in a fashion
intended to interfere with system policy is referred to as a presentation attack. The ISO/IEC 30107
series deals with techniques for the automated detection of presentation attacks. These techniques are
called presentation attack detection (PAD) mechanisms.
As is the case for biometric recognition, PAD mechanisms are subject to false positive and false negative
errors. False positive errors wrongly categorize bona fide presentations as attack presentations,
potentially flagging or inconveniencing legitimate users. False negative errors wrongly categorize
presentation attacks (also known as attack presentations) as bona fide presentations, potentially
resulting in a security breach.
Therefore, the decision to use a specific implementation of PAD will depend on the requirements of
the application and consideration of the trade-offs with respect to security, evidence strength and
efficiency.
The purpose of this document is as follows:
— to define terms related to biometric PAD testing and reporting, and
— to specify principles and methods of performance assessment of biometric PAD, including metrics.
This document is directed at vendors or test laboratories seeking to conduct evaluations of PAD
mechanisms.
Biometric performance testing terminology, practices and methodologies for statistical analysis have
been standardized through ISO and Common Criteria. False accept rate (FAR), false reject rate (FRR)
and failure to enrol rate (FTE) are widely used to characterize biometric system performance. Biometric
performance testing terminology, practices and methodologies for statistical analysis are only partially
applicable to the evaluation of PAD mechanisms due to significant fundamental differences between
biometric performance testing concepts and PAD mechanism testing concepts. These differences can
be categorized as follows.
a) Statistical significance
Biometric performance testing utilizes a statistically significant number of test subjects, representative
of the targeted user group. Error rates are not expected to vary significantly when adding more test
subjects or using a completely different group.
In PAD testing, many biometric modalities can be attacked by a large or indeterminate number of
potential presentation attack instrument species (PAIS). In these cases, it is very difficult or even
impossible to have a comprehensive model of all possible presentation attack instruments (PAIs). Hence,
it could be impossible to find a representative set of PAIS for the evaluation. Therefore, measured error
rates of one set of PAIs cannot be assumed to be applicable to a different set.
PAIS present a source of systematic variation in a test. Different PAIs can have significantly different
error rates. Additionally, within any given PAIS, there is random variation across instances of the PAI
series. The number of presentations required for a statistically significant test scales linearly with the
number of PAIS of interest. Within each PAIS, the uncertainty associated with a PAD error rate estimate
depends on the number of artefacts tested and the number of individuals.
EXAMPLE 1 In fingerprint biometrics, many potent artefact materials are known, but any material or material
mixture that can present fingerprint features to a biometric capture device is a possible candidate. Since artefact
properties such as age, thickness, moisture, temperature, mixture rates and manufacturing practices can have
a significant influence on the output of the PAD mechanism, it is easy to define tens of thousands of PAIS using
current materials. Hundreds of thousands of presentations would be needed for a proper statistical analysis, and
even then, resulting error rates cannot be transferred to the next set of new materials.
vi
© ISO/IEC 2023 – All rights reserved

PAI presentation can also be source of variation in a test. Variation in pressure, position or even PAI
presenter characteristics can impact PAD performance.
b) Comparability of test results across systems
In biometric performance testing, application-specific error rates based on the same corpus of biometric
samples can be used to compare different biometric systems or different configurations. Results can be
used to unambiguously compare and assess system performance. By contrast, when using error rates to
benchmark PAD mechanisms, interpreting results can be highly dependent on the intended application.
EXAMPLE 2 In a given testing scenario with 10 PAIS (presented 100 times), System detects 90 % of attack
presentations and System detects 85 %. System detects all presentations for 9 PAIS but fails to detect all
2 1
presentations with the 10th PAIS. System detects 85 % of all PAIS. Which is better? In a security analysis
System would be worse than System , because revealing the 10th PAIS would orient an attacker such that they
1 2
could use this method to defeat the capture device all the time. However, if attackers could be prevented from
using the 10th PAIS, System would be better than System , because individual rates indicate that it is possible to
1 2
overcome System with all PAIS.
c) Cooperation
Many biometric performance tests address applications such as access control in which subjects
are cooperative. Errors due to incorrect operation are an issue of a lack of knowledge, experience
or guidance rather than intent. Significant uncooperative behaviour in a group is not part of the
underlying “biometric model” and would render the determined error rates almost useless for biometric
performance testing.
PAD tests include subjects whose behaviour is not cooperative. Attackers will try to find and exploit any
weakness of the biometric system, circumventing or manipulating its intended operation. Presentation
attack types, based on the experience and knowledge of the tester, can change the success rates for an
attack dramatically. Hence it can be difficult to define testing procedures that measure error rates in a
fashion representative of cooperative behaviour.
d) Automated testing
In biometric performance testing, it is often possible to test comparison algorithms using databases
from devices or sensors of similar quality. Performance can be measured in a technology evaluation
using previously collected corpora of samples as specified in ISO/IEC 19795-1.
In PAD testing, data from the biometric capture device (e.g. digitized fingerprint images) can in some
cases be insufficient to conduct evaluations. Biometric systems with PAD mechanisms often contain
additional sensors to detect specific properties of a biometric characteristic. Hence, a database
previously collected for a specific biometric system or configuration is not necessarily suitable for
another biometric system or configuration.
Even slight changes in the hardware or software could make earlier measurements useless. It is
generally impractical to store multivariate synchronized PAD signals and replay them in automated
testing. Therefore, automated testing is often not an option for testing and evaluating PAD mechanisms.
e) Quality and performance
In biometric performance testing, performance is usually linked directly to biometric data quality. Low-
quality samples generally result in higher error rates while a test with only high-quality samples will
generally result in lower error rates. Quality metrics are therefore often used to improve performance
(dependent on the application).
In PAD testing, even though low biometric quality can cause an artefact to be unsuccessful, there is no
reason to assume a certain quality level from artefacts in general. Samples from artefacts can exhibit
better quality than samples from human biometric characteristics. Without a model of attacker skill,
it seems valid (at least in a security evaluation) to assume a “worst case” scenario where the attacker
always uses the best possible quality. That way, one can at least determine a guaranteed minimal
detection rate for the specific test set while reducing the number of necessary tests at the same time.
vii
© ISO/IEC 2023 – All rights reserved

It is then a matter of rating the attack potential of successful artefacts (effort and expertise for the
needed quality) in order to assess the security level, as is the practice in Common Criteria evaluations.
Based on the differences in a) through e), the following general comments regarding error rates and
metrics related to PAD mechanisms can be derived.
— In an evaluation, PAIS are analysed/rated separately.
— Attack presentation classification error rates other than 0 % for a PAIS only prove that the PAI
can be successful. A different tester can potentially achieve a higher or lower attack presentation
classification error rate. Further, training to identify the relevant material and presentation
parameters could increase the attack presentation classification error rate for this PAIS. The
experience and knowledge of the tester, as well as the availability of the necessary resources, are
significant factors in PAD testing and are taken into account when conducting comparisons or
performance analysis.
Error rates for PAD mechanisms are determined by the specific context of the given PAD mechanism,
the set of PAIS, the application, the test approach, and the tester. Error rates for PAD mechanisms are not
necessarily comparable across similar tests, and error rates for PAD mechanisms are not necessarily
reproducible by different test laboratories.
viii
© ISO/IEC 2023 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 30107-3:2023(E)
Information technology — Biometric presentation attack
detection —
Part 3:
Testing and reporting
1 Scope
This document establishes:
— principles and methods for the performance assessment of presentation attack detection (PAD)
mechanisms;
— reporting of testing results from evaluations of PAD mechanisms; and
— a classification of known attack types (Annex A).
Outside the scope are:
— standardization of specific PAD mechanisms;
— detailed information about countermeasures (i.e. anti-spoofing techniques), algorithms or sensors;
and
— overall system-level security or vulnerability assessment.
The attacks considered in this document take place at the biometric capture device during presentation.
Any other attacks are considered outside the scope of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37, Information technology — Vocabulary — Part 37: Biometrics
ISO/IEC 15408-1, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 1: Introduction and general model
ISO/IEC 15408-2, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 2: Security functional components
ISO/IEC 15408-3, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 19795-1, Information technology — Biometric performance testing and reporting — Part 1:
Principles and framework
ISO/IEC 30107-1, Information technology — Biometric presentation attack detection — Part 1: Framework
© ISO/IEC 2023 – All rights reserved

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19795-1, ISO/IEC 2382-37,
ISO/IEC 30107-1 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1 Attack elements
3.1.1
presentation attack
attack presentation
presentation to the biometric data capture subsystem with the goal of interfering with the operation of
the biometric system
Note 1 to entry: An attack presentation can be a single attempt, a multi-attempt transaction, or another type of
interaction with a subsystem.
3.1.2
bona fide presentation
interaction of the biometric test subject and the biometric data capture subsystem in the fashion
intended by the policy of the biometric system
Note 1 to entry: Bona fide is analogous to normal or routine, when referring to a bona fide presentation.
Note 2 to entry: Bona fide presentations can include those in which the user has a low level of training or
skill. Bona fide presentations encompass the totality of good-faith presentations to a biometric data capture
subsystem.
3.1.3
attack type
elements and characteristics of a presentation attack, including presentation attack instrument (PAI)
species, concealer or impostor attack, degree of supervision, and method of interaction with the capture
device
3.1.4
test approach
totality of considerations and factors involved in presentation attack detection (PAD) evaluation
Note 1 to entry: Elements of a test approach are given in Clauses 6–10.
Note 2 to entry: A test approach refers to all processes, factors and aspects specified in the course of the
evaluation.
3.1.5
item under test
IUT
implementation that is the object of a test assertion or test case
Note 1 to entry: The IUT is the equivalent of the "target of evaluation" (TOE) in Common Criteria evaluations.
© ISO/IEC 2023 – All rights reserved

3.1.6
presentation attack instrument species
PAIS
class of presentation attack instruments (PAIs) created using a common production method and based
on different biometric characteristics
EXAMPLE 1 A set of fake fingerprints all made in the same way with the same materials but with different
friction ridge patterns would constitute a PAIS.
EXAMPLE 2 A specific type of alteration made to the fingerprints of several test subjects would constitute a
PAIS.
Note 1 to entry: The term “recipe” is often used to refer to how to make a PAIS.
Note 2 to entry: PAIs of the same species can have different success rates due to variability in the production
process or in the PAI source.
3.1.7
PAI series
class of presentation attack instruments (PAIs) created using a common production method and based
on the same biometric characteristics
EXAMPLE A set of fake fingerprints all made in the same way with the same materials and with the same
friction ridge pattern.
Note 1 to entry: Depending on the experimental goals, an evaluation can potentially utilize multiple series, each
with different production methods or sources. While tests involving several biometric sources can demonstrate
generality of a PAI species, they add variation associated with individual human traits.
3.1.8
target of evaluation
TOE
IT product that is the subject of the evaluation within the context of the Common Criteria
Note 1 to entry: The TOE is the equivalent of the "item under test" (IUT) in Common Criteria evaluations.
3.1.9
attack potential
measure of the capability to attack a target of evaluation (TOE) given the attacker’s knowledge,
proficiency, resources and motivation
3.2 Metrics
3.2.1
attack presentation classification error rate
APCER
proportion of attack presentations using the same presentation attack instrument (PAI) species
incorrectly classified as bona fide presentations by a presentation attack detection (PAD) subsystem in
a specific scenario
3.2.2
attack presentation classification error rate at the given attack potential
APCER
AP
attack presentation classification error rate (APCER) of the most successful presentation attack
instrument (PAI) species within a given attack potential
3.2.3
bona fide presentation classification error rate
BPCER
proportion of bona fide presentations incorrectly classified as presentation attacks in a specific
scenario
© ISO/IEC 2023 – All rights reserved

3.2.4
attack presentation acquisition rate
APAR
proportion of attack presentations using the same presentation attack instrument (PAI) species from
which the data capture subsystem acquires a biometric sample of sufficient quality
3.2.5
attack presentation non-response rate
APNRR
proportion of attack presentations using the same presentation attack instrument (PAI) species that
cause no response at the presentation attack detection (PAD) subsystem or data capture subsystem
EXAMPLE A fingerprint system can potentially not register or react to the presentation of a PAI due to the
PAI’s lack of realism.
3.2.6
bona fide presentation non-response rate
BPNRR
proportion of bona fide presentations that cause no response at the presentation attack detection (PAD)
subsystem or data capture subsystem
3.2.7
impostor attack presentation accept rate
IAPAR
in a full-system evaluation of a verification system, proportion of impostor attack presentations using
the same presentation attack instrument (PAI) species that result in accept
3.2.8
impostor attack presentation accept rate at the given attack potential
IAPAR
AP
in a full-system evaluation of a verification system, proportion of impostor attack presentations of the
most successful presentation attack instrument (PAI) species at the given attack potential that result in
accept
3.2.9
concealer attack presentation reject rate
CAPRR
in a full-system evaluation of a verification system, proportion of concealer attack presentations using
the same presentation attack instrument (PAI) species that result in a reject decision
Note 1 to entry: CAPRR is transactional and involves both biometric comparison and presentation attack
detection (PAD), whereas non-match rates are attributed to the comparison algorithm.
Note 2 to entry: A biometric concealer compelled to unlock a device might want to be rejected. In this case, they
might use a PAI to obscure their biometric characteristic, leading to a rejection.
3.2.10
impostor attack presentation identification rate
IAPIR
in a full-system evaluation of an identification system, proportion of impostor attack presentations
using the same presentation attack instrument (PAI) species in which the targeted reference identifier
is among the identifiers returned, or, depending on the intended use case, at least one identifier is
returned by the system,
Note 1 to entry: An attacker might be both an impostor (trying to match an existing non-self enrollee) and a
concealer (obscuring their real biometric sample with a PAI).
© ISO/IEC 2023 – All rights reserved

3.2.11
concealer attack presentation non-identification rate
CAPNIR
in a full-system evaluation of an identification system, proportion of concealer presentation attacks
using the same presentation attack instrument (PAI) species in which the reference identifier of the
concealer is not among the identifiers returned, or, depending on the intended use case, in which no
identifiers are returned
Note 1 to entry: In a negative identification system, such as a block-list, the concealer could intend that no
identifiers are returned to avoid scrutiny by a human operator.
Note 2 to entry: CAPNIR is transactional and involves both biometric comparison and presentation attack
detection (PAD) whereas false negative identification rates are attributed to the comparison algorithm.
3.2.12
relative impostor attack presentation accept rate
RIAPAR
sum of impostor attack presentation identification rate (IAPAR) and false reject rate (FRR) at a fixed
decision threshold
3.2.13
PAD subsystem processing duration
PS-PD
duration required for the presentation attack detection (PAD) subsystem to classify PAD data
3.2.14
data capture subsystem processing duration
DCS-PD
duration required for the data capture subsystem to acquire a sample, inclusive of the presentation
attack detection (PAD) subsystem processing duration (if applicable)
3.2.15
full system processing duration
FS-PD
duration required for the data capture subsystem and comparison subsystem to acquire and process
a sample, inclusive of the presentation attack detection (PAD) subsystem processing duration (if
applicable)
3.3 Test roles
3.3.1
biometric impostor
subversive biometric capture subject who performs a biometric impostor attack
Note 1 to entry: Biometric impostors include capture subjects using PAIs and capture subjects presenting
intentionally damaged or altered characteristics.
[SOURCE: ISO/IEC 2382-37:2022, 37.07.13, modified — Original notes to entry deleted; new Note 1 to
entry added.]
3.3.2
biometric concealer
subversive biometric capture subject who performs a biometric concealment attack
Note 1 to entry: Biometric concealers include capture subjects using PAIs and capture subjects presenting
intentionally damaged characteristics.
[SOURCE: ISO/IEC 2382-37:2022, 37.07.21, modified — Note 1 to entry added.]
© ISO/IEC 2023 – All rights reserved

3.3.3
PAI presenter
individual or mechanism presenting the presentation attack instrument (PAI) to the biometric system
3.3.4
PAI source
individual or mechanism from which biometric samples are obtained for use in a presentation attack
instrument (PAI), realized in a PAI series
3.3.5
PAI creator
individual or mechanism responsible for the conception, formulation, design and realization of a
presentation attack instrument (PAI) species
4 Abbreviated terms
The abbreviated terms below are used in this document.
AP attack potential
APAR attack presentation acquisition rate
APCER attack presentation classification error rate
APCER attack presentation classification error rate at the given attack potential
AP
APNRR attack presentation non-response rate
ATM automatic teller machine
BPCER bona fide presentation classification error rate
BPNRR bona fide presentation non-response rate
BSI German Federal Office for Information Security
CAPNIR concealer attack presentation non-identification rate
CAPRR concealer attack presentation reject rate
CCRA Common Criteria Recognition Arrangement
DCS-PD data capture subsystem processing duration
DET detection error tradeoff
EAL Evaluation Assurance Level
FTA failure to acquire rate
FTE failure to enrol rate
FAR false accept rate
FNIR false negative identification rate
FPIR false positive identification rate
FRR false reject rate
© ISO/IEC 2023 – All rights reserved

FSDPP fingerprint spoof detection protection profiles
FS-PD full system processing duration
IAPAR impostor attack presentation accept rate
IAPAR impostor attack presentation accept rate at the given attack potential
AP
IAPIR impostor attack presentation identification rate
IUT item under test
PAD presentation attack detection
PAI presentation attack instrument
PAIS presentation attack instrument species
PS-PD PAD subsystem processing duration
RIAPAR relative impostor attack presentation accept rate
TOE target of evaluation
5 Conformance
To conform to this document, an evaluation of PAD mechanisms shall be planned, executed and reported
in accordance with mandatory requirements as follows:
— those of Clause 6 and subclauses 11.1 and 13.1;
— for evaluations of PAD mechanisms in enrolment, 11.2;
— for evaluations of PAD mechanisms in verification, 11.3;
— for evaluations of PAD mechanisms in positive or negative identification, 11.4;
— for PAD subsystem evaluations, 13.2;
— for data capture subsystem evaluations, 13.3;
— for full-system evaluations of verification systems, 13.4.2.1;
— for full-system evaluations of positive identification systems, 13.4.2.2;
— for full-system evaluations of negative identification systems, 13.4.2.3.
Due to the potential sensitivity of information such as species formulation or system-specific
vulnerabilities, additional [derived/summary] reports for general dissemination may redact or
generalize sensitive information.
6 Presentation attack detection (PAD) overview
This document describes two types of presentation attackers: biometric impostors (a.k.a. impersonators)
and biometric concealers. These types of attackers differ in that biometric impostors typically need
to defeat PAD subsystems, pass quality checks, and match through comparison subsystems, whereas
biometric concealers do not need to match through comparison subsystems.
While the desired impersonation or concealment outcome can lend itself towards a sub-set of attack
types, any type of PAI can be used by either type of attacker (see Annex A for additional information).
© ISO/IEC 2023 – All rights reserved

Evaluations of PAD mechanisms and resulting reports shall specify the type of presentation attacker
(biometric impostor or biometric concealer) considered in an evaluation.
Evaluations of PAD mechanisms are classifiable as one of three general types, increasing in specificity,
as follows:
— generic, broad evaluations of PAD mechanisms of any device for an unknown application;
— application-focused evaluations of PAD mechanisms in which the set/range of attack types is
selected to be appropriate to the application, such as those discussed in Clause 11; or
— product-specific evaluations of PAD mechanisms, used to test a supplier’s claim of performance
against a specific category of attack types.
Evaluations of PAD mechanisms and resulting reports shall describe the type of evaluation conducted
as well as the attack types to be tested.
7 Levels of evaluation of PAD mechanisms
7.1 Overview
The evaluation of PAD mechanisms is determined by the item under test (IUT). PAD evaluations and
resulting reports shall fully describe the IUT, including all configurations and settings as well as
the amount of information available to the evaluator about PAD mechanisms in place. IUTs shall be
categorized as follows.
— PAD subsystem.
— Data capture subsystem.
— Full system.
A PAD subsystem is hardware and/or software that implements a PAD mechanism and makes an
explicit declaration regarding the detection of presentation attacks. Results of the PAD mechanism are
accessible to the evaluator and are an aspect of the evaluation.
EXAMPLE 1 A PAD subsystem could be a fingerprint device that logs a PAD score or decision when a PAI is
presented.
A data capture subsystem, consisting of capture hardware and/or software, couples PAD mechanisms
and quality checks in a fashion opaque to the evaluator. The evaluator does not necessarily know
whether the data capture subsystem utilizes presentation attack detection. Acquisition can be for the
purpose of enrolment or recognition, but no comparison takes place in the data capture subsystem.
EXAMPLE 2 A data capture subsystem could be an iris collection device that fails to acquire a sample from an
iris artefact, where it is impossible to determine whether failure to acquire is due to a liveness check or quality
check (the implementation does not provide this level of transparency).
For simplicity, the term “quality check” encompasses feature extraction, segmentation, or any other
automated processing function used to validate the utility of a biometric sample
A full system adds biometric comparison to the PAD subsystem or data capture subsystem, comprising
a full end-to-end system. This leads t
...