SIST-TS CEN/TS 16634:2014
Personal identification - Recommendations for using biometrics in European Automated Border Control
This Technical Specification primarily focuses on biometric aspects of Automated Border Control (ABC) systems. Drawing on the first European and international ABC deployments, it aims to disseminate best practice experiences with a view to ensure consistent security levels in European ABC deployments. Furthermore, the best practice recommendations given here shall help make border control authorities' processes more efficient, speeding up border clearance, and delivering an improved experience to travellers.
ISO/IEC JTC1/SC 37 has published a series of standards dealing with biometric data coding, interfaces, performance tests as well as compliance tests. In order to promote global interoperability it is essential that all these standards are applied in European deployments. However, these standards do not consider national or regional characteristics; in particular, they do not consider European Union privacy and data protection regulation as well as European accessibility and usability requirements [22]. Thus, this Technical Specification amends the ISO standards with respect to special European conditions and constraints.
The Technical Specification systematically discusses issues to be considered when planning and deploying biometric systems for ABC and gives best practice recommendations for those types of systems that are or will be in use in Europe. The document deals with personal identification including ergonomic aspects that have an impact on the acquisition of biometric data.
Communication, infrastructure scalability and security aspects other than those related to biometrics are not considered. This document also does not consider hardware and security requirements of biometric equipment and does not recommend general border crossing procedures.
The enrolment process, e.g. for electronic passports, is out of scope of this document.
Persönliche Identifikation - Empfehlungen für den Einsatz von Biometrie bei der automatisierten Grenzübergangskontrolle in Europa
Identification personnelle - Recommandations pour l’utilisation de la biométrie dans les contrôles aux frontières automatisés en Europe
Osebna identifikacija - Priporočila za uporabo biometrije pri evropskem avtomatiziranem mejnem nadzoru
The Technical Specification CEN/TS 16634 primarily focuses on biometric aspects of Automated Border Control (ABC) systems. Its purpose is to disseminate best practice experience in order to ensure a consistent level of security in European ABC deployments, drawing on the first European and international ABC deployments. In addition, the best practice recommendations given will help make the processes of border control authorities more efficient, speed up border clearance and improve the experience of travellers. ISO/IEC JTC1/SC 37 has published a series of standards dealing with biometric data coding, interfaces, performance tests and compliance tests. To promote global interoperability, applying these standards in European deployments is essential. However, these standards do not consider national or regional characteristics; in particular, they do not consider privacy and data protection regulation or European accessibility and usability requirements [22]. Thus, this Technical Specification amends the ISO standards with respect to special European conditions and constraints. The Technical Specification systematically discusses issues to be considered when planning and deploying biometric systems for ABC and gives best practice recommendations for those types of systems that are or will be in use in Europe. The document deals with personal identification, including ergonomic aspects that have an impact on the acquisition of biometric data. Communication, infrastructure scalability and security aspects other than those related to biometrics are not included. This document also does not consider hardware and security requirements of biometric equipment and does not give recommendations on general border crossing procedures. The enrolment process, e.g. for electronic passports, is likewise outside the scope of this document.
Standards Content (Sample)
SLOVENIAN STANDARD
01 September 2014
Osebna identifikacija - Priporočila za uporabo biometrije pri evropskem
avtomatiziranem mejnem nadzoru
Personal identification - Recommendations for using biometrics in European Automated
Border Control
Persönliche Identifikation - Empfehlungen für den Einsatz von Biometrie bei der
automatisierten Grenzübergangskontrolle in Europa
Identification personnelle - Recommandations pour l’utilisation de la biométrie dans les
contrôles aux frontières automatisés en Europe
This Slovenian standard is identical to: CEN/TS 16634:2014
ICS:
35.240.15 Identification cards and related devices
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
TECHNICAL SPECIFICATION
CEN/TS 16634
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2014
ICS 35.240.15
English Version
Personal identification - Recommendations for using biometrics
in European Automated Border Control
Identification personnelle - Recommandations pour l'usage de la biométrie lors des contrôles automatisés aux frontières de l'Europe
Persönliche Identifikation - Empfehlungen für den Einsatz von Biometrie bei der automatisierten Grenzübergangskontrolle in Europa
This Technical Specification (CEN/TS) was approved by CEN on 11 November 2013 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TS 16634:2014 E
Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviated terms
4 ABC systems - an overview
4.1 Concept
4.2 Biometric references
4.3 Types of travel documents
4.3.1 General
4.3.2 National identity cards
4.3.3 Biometric passports
4.3.4 Schengen visa
4.4 Topologies of ABC systems
5 Biometric systems in ABC
5.1 General recommendations
5.1.1 Usability and accessibility
5.1.2 Architecture
5.1.3 Biometric security functions
5.1.4 Logging, data protection and privacy
5.2 Recommendations for face biometrics
5.2.1 Condition for good quality sample acquisition
5.2.2 Biometric verification and process design
5.2.3 Security
5.2.4 Usability and environment
5.3 Recommendations for fingerprint biometrics
5.3.1 Condition for good quality sample acquisition
5.3.2 Biometric verification and process design
5.3.3 Usability and environment
5.4 Recommendations for iris biometrics
5.4.1 Condition for good quality sample acquisition
5.4.2 Biometric verification and process design
5.4.3 Security
5.4.4 Usability and environment
Annex A (informative) Testing examples — Facial Images
Annex B (informative) Example process for multi-camera systems for 3D face recognition
Bibliography
Foreword
This document (CEN/TS 16634:2014) has been prepared by Technical Committee CEN/TC 224 “Personal
identification, electronic signature and cards and their related systems and operations”, the secretariat of
which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus,
Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Introduction
European countries are increasingly deploying technological solutions to support border guard officers in
fulfilling their duties. Such solutions can consist of inspection systems that directly assist the officers in
screening travellers or of electronic kiosk and gates offering various degrees of automation.
Electronic Machine Readable Travel Documents (eMRTD) as defined in ICAO Document 9303 [27] can
contribute to a high degree of border automation. Under Council Regulation (EC) No 2252/2004 [21], EU
Member States nowadays issue electronic passports containing biometric data (facial image, two fingerprint
images). Ireland and UK are not bound by the Regulation and issue ePassports storing only the facial image
of the holder. Currently a number of European countries have deployed ABC systems which automate border
checks for EU citizens in possession of an electronic passport. The upcoming “Smart Borders Package” will
foresee the introduction of an EU Registered Traveller Programme [23]. This would allow certain groups of
frequent travellers (i.e. business travellers, family members, etc.) from third countries to enter the EU, subject
to appropriate pre-screening, using simplified border checks at ABC systems. The European Commission
proposes that this RTP makes maximum use of existing systems and tools, such as the Biometric Matching
System which underpins the Visa Information System (VIS) and the fingerprint scanners which are used for
this system.
There is a need to harmonize processes containing biometric elements, biometric technology tests and
reporting frameworks (in accordance with Bibliographical Entries [11], [12], [13]) and to link biometric
characteristics with supervision requirements.
This Technical Specification focuses on automated systems that can be supervised by an operator, but such
supervision is not a requirement for the biometric comparison subsystem. The level of supervision is an
operational decision that can be changed according to the needs of the operating authorities.
ABC systems can be classified into four profiles based on their document requirements:
• eMRTD based,
• MRTD based,
• Token other than MRTD - physical and logical, transferable,
• Tokenless.
Regarding the location of the eligibility check, ABC systems can be implemented as:
• One-Step Process,
• Integrated Two-Step Process,
• Segregated Two-Step Process.
This document has been drafted with the contribution of the European Agency for the Management of
Operational Cooperation at the External Borders of the Member States of the European Union (Frontex) and
was adopted by CEN after public enquiry and formal vote according to the CEN Rules of Procedure.
1 Scope
This Technical Specification primarily focuses on biometric aspects of Automated Border Control (ABC)
systems. Drawing on the first European and international ABC deployments, it aims to disseminate best
practice experiences with a view to ensure consistent security levels in European ABC deployments.
Furthermore, the best practice recommendations given here shall help make border control authorities'
processes more efficient, speeding up border clearance, and delivering an improved experience to travellers.
ISO/IEC JTC1/SC 37 has published a series of standards dealing with biometric data coding, interfaces,
performance tests as well as compliance tests. In order to promote global interoperability it is essential that all
these standards are applied in European deployments. However, these standards do not consider national or
regional characteristics; in particular, they do not consider European Union privacy and data protection
regulation as well as European accessibility and usability requirements [22]. Thus, this Technical Specification
amends the ISO standards with respect to special European conditions and constraints.
The Technical Specification systematically discusses issues to be considered when planning and deploying
biometric systems for ABC and gives best practice recommendations for those types of systems that are or
will be in use in Europe. The document deals with personal identification including ergonomic aspects that
have an impact on the acquisition of biometric data.
Communication, infrastructure scalability and security aspects other than those related to biometrics are not
considered. This document also does not consider hardware and security requirements of biometric
equipment and does not recommend general border crossing procedures.
The enrolment process, e.g. for electronic passports, is out of scope of this document.
2 Terms and definitions
2.1
Automated Border Control (ABC) system
automated system which authenticates the electronic machine readable travel document or token, establishes
that the passenger is the rightful holder of the document or token, queries border control records, then
determines eligibility of border crossing according to the pre-defined rules
2.2
biometric capture
collection of, or attempt to collect a signal(s) from a biometric characteristic(s), or a representation(s) of a
biometric characteristic(s), and conversion of the signal(s) to a captured biometric sample set [4]
2.3
biometric verification
process of confirming a biometric claim of the holder of an eMRTD through biometric comparison
2.4
border checks
checks carried out at border crossing points, to ensure that persons, including their means of transport and
the objects in their possession, may be authorized to enter the territory of the Member States or authorized to
leave it [24]
Note 1 to entry: See also “Border crossing point (BCP)”.
2.5
Border Crossing Point
BCP
crossing point authorized by the competent authorities for the crossing of external borders [24]
2.6
border guard
public official assigned, in accordance with national law, to a border crossing point or along the border or the
immediate vicinity of that border who carries out, in accordance with the Schengen Borders Code and national
law, border control tasks [24]
2.7
border management authority
public law enforcement institution which, in accordance with national law, is responsible for border control
2.8
database
application storing a structured set of data and allowing for the management and retrieval of such data
EXAMPLE The Schengen Information System (SIS) is a joint information system that enables the competent
authorities in each Member State of the Schengen area, by means of an automated search procedure, to have access to
alerts on persons and property for the purposes of border checks and other police and customs checks carried out within
the country in accordance with national law and, for some specific categories of alerts (those defined in Article 96 of the
Schengen Convention), for the purposes of issuing visas, residence permits and the administration of legislation on aliens
in the context of the application of the provisions of the Schengen Convention relating to the movement of persons.
Note 1 to entry: See also “Schengen area” and “Watch List”.
2.9
database hit
instance of identifying an item of data which matches the requirements of a search
Note 1 to entry: See also “Database” and “Watch List”.
2.10
digital mirror
display showing the horizontally mirrored live image of the camera's capturing area
2.11
eGate
one of the components of an ABC system, consisting of a physical barrier operated by electronic means
2.12
eID
electronically enabled card that may be used as an identity document (typically compliant to ICAO Doc 9303
Part 3 [27])
2.13
ePassport
A machine readable passport (MRP) containing a contactless integrated circuit (IC) chip within which is stored
data from the MRP data page, one or more biometric samples of the passport holder, and a security object to
protect the data with Public Key Infrastructure (PKI) cryptographic technology, and which conforms to the
specifications of ICAO Doc 9303, Part 1 [27]
2.14
EU citizen
person having the nationality of an EU Member State, within the meaning of Article 20(1) of the Treaty on the
Functioning of the European Union
2.15
Frontex
European Agency for the Management of Operational Cooperation at the External Borders of the Member
States of the European Union [29]
2.16
impostor
subversive biometric capture subject who attempts to be matched to someone else’s biometric reference [4]
2.17
Machine Readable Zone
MRZ
area on a passport containing two lines of data (three lines on a TD-1 card) that are printed using a standard
format and font as explained in ICAO Doc 9303
Note 1 to entry: See also “Visual Inspection Zone (VIZ)”.
2.18
member state
country which is member of the European Union
Note 1 to entry: Within the context of the present Recommendations, the term also applies to those countries that, not
being EU members, take part in the Schengen area. See also “Schengen area”.
2.19
Machine Readable Travel Document
MRTD
official document (e.g. passport, visa), conforming with the specifications contained in ICAO Doc 9303, issued
by a State or organization which is used by the holder for international travel (e.g. passport, visa, MRTD) and
which contains mandatory visual (eye readable) data and a separate mandatory data summary in a format
which is capable of being read by machine
2.20
operator
border guard officer who is responsible for the remote monitoring and control of the ABC system and whose
tasks typically include:
a) monitor the user interface of the application;
b) react upon any notification given by the application;
c) manage exceptions and make decisions about them;
d) communicate with the assisting personnel for the handling of exceptions at the eGates;
e) monitor and profile travellers queuing in the ABC line and using the eGates looking for suspicious
behaviour in travellers; and
f) communicate with the border guards responsible for second line checks whenever their service is needed
2.21
presentation attack
person can conduct a presentation attack by using artificial or non-living biometrics [4]
2.22
Registered Traveller Programme
RTP
scheme aiming to facilitate border crossing for frequent, pre-vetted and pre-screened travellers, often making
use of ABC systems
2.23
Schengen Area
area without internal border control which encompasses 26 European countries, including all EU Member
States except Bulgaria, Croatia, Cyprus, Ireland, Romania and the United Kingdom, as well as four non EU
countries, namely Iceland, Liechtenstein, Norway and Switzerland, and which takes its name from the
Schengen Agreement signed in Schengen, Luxembourg, in 1985 and later incorporated into the EU legal
framework by the 1997 Treaty of Amsterdam
2.24
spoof attack
attack on a biometric system wherein an artefact is presented to a sensor for the purpose of being enrolled or
recognized, or for the purpose of circumventing an enrolment or recognition process
2.25
third country national
person who is not an EU citizen within the meaning of Article 20(1) of the Treaty on the Functioning of the
European Union and who is not a person enjoying the Union right to freedom of movement, as defined in
Article 2(5) of the Schengen Borders Code
2.26
Visual Inspection Zone
VIZ
portions of the MRTD (data page in the case of an ePassport) designed for visual inspection, i.e. front and
back (where applicable), not defined as the MRZ
Note 1 to entry: See also “Machine Readable Zone (MRZ)”.
2.27
watch list
list of individuals, groups, or items that require close surveillance
3 Abbreviated terms
ABC Automated Border Control
BCP Border Crossing Point
CEN European Committee for Standardization
DG2 Data Group 2 (eMRTD face image)
DG3 Data Group 3 (eMRTD fingerprint image)
DET Detection Error Trade-off
EEA European Economic Area
eMRTD Electronic MRTD
EU European Union
EU/EEA/CH European Union/European Economic Area/ Switzerland
FAR False accept rate
FRR False reject rate
ICAO International Civil Aviation Organization
IR Infrared
ISO International Organization for Standardization
JPEG Joint Photographic Experts Group
JPG JPEG compression format for images
JPG2000 JPEG 2000 compression format for images
MRTD Machine Readable Travel Document
MRZ Machine Readable Zone
MS Member State of the Schengen Agreement
PC Personal Computer
RFID Radio Frequency Identification
RTP Registered Traveller Programme
SC Subcommittee
SDK Software Development Kit
TC Technical Committee
TCN Third Country Nationals
TS Technical Specification
UV Ultraviolet
VIS Visa Information System
VIZ Visual Inspection Zone
WG Working Group
4 ABC systems - an overview
4.1 Concept
An ABC system “authenticates the eMRTD, establishes that the traveller is the rightful holder of the document,
queries border control records, then automatically determines eligibility for border crossing according to pre-
defined rules” [28].
An ABC solution checks the authenticity of the travel document presented by a traveller and the traveller's
ownership of that document using his/her biometric data. An eMRTD based ABC system may make use of all
the biometric modalities recommended by ICAO, i.e. face, finger and iris. While other biometric modalities
could be used for ABC, this TS concentrates on the ones approved by ICAO.
As ABC systems might also be based on another token than an eMRTD or might be tokenless, the
authenticity check of the travel document might have been done at the time of enrolment for the system.
An important issue concerns the need for clearly defined protocols when failures appear in a fully automatic
system (without human supervision). Failures can lead to genuine user rejection or problems with outliers
(i.e. people that have difficulty in fully showing their face due to cultural reasons). In such situations, and in
order to avoid raising acceptance issues, an alternative procedure can be needed. Such an alternative
procedure can consist of performing border checks in a dedicated, assisted border control booth. The
definition of these protocols is out of scope of this Technical Specification.
4.2 Biometric references
The use of biometric data is the key for ensuring a close binding between the person and the document.
As described in [26] two general types of ABC systems can be identified in relation to their use of biometric
references, token-based or tokenless:
• Token based systems require the traveller to present a token (eMRTD, MRTD or any other issued or
approved token) to the system, in order to provide additional authentication information or biometric
references.
• If local legislation does not require the presentation of a travel document for border crossing, it is possible
to rely only on live biometrics capture of pre-enrolled qualified (vetted) travellers at the time of the border
crossing. In this case immediate (1:N) comparison against an up-to-date list of authorized travellers would
take place without any document inspection during the ABC process. Legislation might require that
travellers carry a valid travel document even if this document does not have to be presented for
inspection.
This document focuses on the biometric aspects of both types of ABC solutions.
4.3 Types of travel documents
4.3.1 General
Usually, travellers wishing to enter the European Union are required to carry a passport as a travel document
compliant with the ICAO Doc 9303 attesting the holders’ nationality and their demographic data. Personal
identification information is available both in printed form on the data page of the document, as well as stored
in the RFID chip (ISO/IEC 14443 [6]) complying with the ICAO Doc 9303 for national identity documents. It
therefore carries the capabilities for biometric identification using a facial comparison system external to the
document itself. The following travel ID documents are currently in use or could be used in the future for ABC
in the Member States:
• ePassports issued to EU/EEA/CH citizens;
• National ID cards (in Germany and Spain for their own citizens).
In the future, if legislation and technical means allow it, other documents e.g. ePassports of third country
nationals (visa waiver), registered traveller cards and Schengen visa could also be used.
4.3.2 National identity cards
Electronic national identity cards are used in a number of countries including the EU/EEA/CH. Such cards
identify physically and/or electronically a person as a national of the issuing country, and accredit the
biographic data of that person. They store personal identification information both in the VIZ of the document
as well as in the MRZ according to ICAO Doc 9303 Part 3. National ID cards issued by the Member States are
accepted as travel documents entitling the holder to cross the external borders in the EU/Schengen context.
Some national ID cards provide eID capabilities using biometric functionality for “comparison-on-card” as well
as for “comparison-off-card” in accordance with the standards for 2nd generation electronic passports.
CEN/TS 15480 (all parts) standardizes these documents [2].
Currently, national eID cards can be used only in a limited number of ABC systems and by own citizens of the
deploying country although greater interoperability may be achieved in the future.
4.3.3 Biometric passports
Such passports are travel documents compliant with ICAO Doc 9303 Part 1. They attest the nationality and
the biographic data of a certain person. Personal identification information is stored in the VIZ and in the MRZ
of the document, as well as in the RFID chip complying with ICAO Doc 9303. Biometric passports carry
reference data for two types of biometric identification:
• a facial image is stored in all biometric passports.
• depending on the country of issuance the passport may store, in addition, the images of the two (in
most cases) index fingerprints, the two iris images, or both; using fingerprints is mandatory for all
countries bound by Regulation EC 2252/2004 [21].
Biometric passports have no biometric verification capabilities (facial, and/or fingerprint or iris), thus external
verification units are required for the automated biometric verification of the passport holder.
4.3.4 Schengen visa
Nationals of certain countries require a visa in order to cross the borders of the Schengen area. Personal
identification information is printed in the VIZ as well as in the MRZ of the document.
Additionally, the Schengen biometric visa, issued by EU/EEA/CH countries covered by Schengen
agreements, contains reference to fingerprint data stored in the European Visa Information System (VIS). If
future legislation allows it, such visas could be used in ABC systems.
4.4 Topologies of ABC systems
In general there are three topologies of ABC systems in use:
• one-step process which combines the verification of the traveller and their passage through the border;
this design allows the traveller to complete the whole transaction in one single process without the need
to move to another stage;
• integrated two-step process, which is a variation on the one-step design described above: the difference
between the two topologies is that in an ABC system designed as an integrated two-step process the
traveller will initiate the verification of the document and the traveller’s eligibility to use the system at the
first stage, and then if successful move to a second stage where a biometric comparison and other
applicable checks are carried out;
• segregated two-step process where the process of traveller verification and their passage through the
border control are completely separated; the traveller verifies at the first stage, a tactical biometric is
captured or a token is issued, and then the traveller proceeds to the eGate where the tactical biometric or
the token is checked to allow border crossing.
5 Biometric systems in ABC
5.1 General recommendations
5.1.1 Usability and accessibility
In automated systems, the usability of the system for the traveller is a key factor for system performance as
well as for traveller acceptance.
Usability consists of:
• ergonomic aspects of the user interfaces (e.g. sensors, input devices, displays);
• aspects of user guidance (e.g. signage, feedback, user information).
To enhance the usability of systems, the following factors with regard to the system environment should be
considered:
• climate;
• contamination;
• external or public areas;
• throughput and data subject population;
• access to the devices (position and location of the devices);
• illumination.
NOTE 1 Further guidance on these aspects is given in ISO/IEC/TR 24714-1 [14].
The use of the system should be intuitive and the sequence of actions should be logical.
The EN 1332 series [1] specifies requirements for the user interface of identification card systems and should
be applied when designing a biometric ABC system. With regard to the ergonomic aspects of user guidance
displays, the relevant standards of the ISO/IEC 9241 series [5] should also be taken into account. Specific
attention should be paid to legibility (e.g. font size and contrast) and colour coding. Colour and shape based
information should always be used simultaneously. Multiple colours or harsh contrasts within graphics should
be avoided to enable travellers with visual impairment to use the system easily.
In order to maximize accessibility, ABC systems should be designed to cater for travellers who have
permanent or temporary physical or psychological disabilities. They should be easy to use and flexible enough
to deal with handling errors. For travellers that cannot use the biometric system alternative systems are
necessary and should be provided.
Disabled travellers might need extra assistance on the use of biometric systems. Furthermore, the specific
needs of disabled people should be considered during the specification phase of a system and tests should be
performed as early as possible.
Consideration should be given to traveller ergonomics as these will impact on usage and transaction times.
Recommendations are listed below [30]:
• ePassport readers should be at a height which makes them easy to reach by the majority of travellers
(average elbow-height), and placed on the right hand side of the eGate.
• The usage of ABC systems should require the minimum essential number of physical interactions. This
will reduce the number of times that a traveller shall swap hands with baggage. The system should take
into account the prevalence of large trolley bags with travellers.
• ABC systems should be usable with low physical effort.
• ABC systems should be designed to be inclusive with respect to height of travellers. Minimum and
maximum acquisition heights should be as wide as possible to enable more travellers to use the system.
User guidance should be given by:
• early information of eligibility to use the ABC System;
• information about the status of the system, the current step to be performed by the traveller, and the
remaining steps including time estimates;
• clear, intuitive, and self-explanatory instructions: the instructions should consider languages that are likely
to be understood by the traveller, using simple wording;
• pictograms demonstrating the correct facial pose, digital mirrors reflecting the facial image of the traveller
and visual indications which attract the traveller’s attention and show how to stand properly in front
of the camera(s) for the facial image acquisition; a diagram of the hand, with the finger required for the
verification properly marked, can avoid wrong finger placement errors;
• enhancements such as blinking lights or other effects to attract the attention of travellers at critical stages
should also be considered;
• feedback that indicates success or failure as well as responses expected from the traveller;
• an indication that biometric capture is taking place (especially when the traveller is not required to take
actions);
• the availability of a help or support facility;
• adequate signage and user information that is clear and carefully positioned for maximum visibility.
For the purpose of consistency and understanding, standardized symbols, icons and pictograms should be
used. An example is given in Bibliographical Entry [20].
Standards providing further guidance on the use of symbols, icons and pictograms in biometric systems are
currently being drafted by the standardization committee ISO/IEC JTC1/SC 37 in the project
ISO/IEC 24779 series [16]. It is recommended that all deployed ABC systems make use of the same set of
pictograms so that travellers perceive them in the same way everywhere and training effects lower
error rates. As there is no such set of pictograms available, close cooperation between all agencies
operating ABC systems is recommended.
When implementing ABC systems in parallel one should avoid or at least minimize any interference between
systems.
The influence of daylight coming through windows should be considered.
NOTE 2 Airports, railway stations and sea ports usually have indoor facilities for border clearance. In such facilities the
environmental conditions are more stable than in outdoor systems.
5.1.2 Architecture
Member States can define specific process flows in order to ensure compliance with EU and national border
control regulations. To optimize the time required for the verification of each traveller, all technical processes
should be carried out in parallel to the extent possible if it speeds up the overall process.
The biometric verification process is composed of two separate steps:
• biometric capture sub-process, carried out by the face, fingerprint or iris capture unit;
• biometric verification sub-process, carried out by the face, fingerprint or iris verification unit.
In general there are two recommended options for the implementation of a biometric verification process
within an ABC system. Within the modular approach separate units for capture and verification are used,
which provides a high degree of flexibility to the deployed solution, e.g. an easier migration of the comparison
algorithm. In this scenario the capture system needs to be able to do pre-qualification and pre-processing to
ensure that only images of sufficient quality are provided to the verification process (see Figure 1).
Figure 1 — Verification with quality driven approach a) and score driven approach b)
In the “score driven” method, biometric characteristics from multiple capture attempts are compared with a
biometric reference until the comparison score reaches a threshold or a timeout is exceeded. In each capture
attempt biometric characteristics are searched for and, if found, encoded and compared against the reference
from the passport. If the comparison score is above a threshold, entry is granted, data may be recorded
and/or printed and the process is stopped. If the score is not above the threshold then entry is not granted and
the traveller is directed to an alternative process.
In the “quality driven” method, biometric characteristics from multiple capture attempts are assessed for
quality until a quality level above a threshold is achieved or a timeout is exceeded. In each capture attempt
biometric characteristics are searched for and, if found, assessed for their quality. If the quality is above a
threshold, the biometric characteristics are encoded, and compared against the biometric reference. If the
comparison score is above a threshold, entry is granted, data may be recorded and/or printed and the process
is stopped. If the score is not above the threshold then entry is not granted and the traveller is directed to an
alternative process.
Those two basic methods can be enhanced or mixed.
When a “score driven” method is used, the computed FAR differs from the operational FAR: the reference
biometric characteristic is used throughout the process to determine whether the acquisition should end, so
the template generated during a genuine acquisition would not necessarily be the same as the one
generated if the acquisition had been of an imposter.
By choosing a “quality driven” method, the template generation depends only on the quality of the acquisition
and is not linked in any way to quality measured on the reference image.
For the “quality driven” method a DET curve corresponding to the operational performance can be computed
offline, as the used and logged image does not depend on the passport image or the acceptance threshold.
That way, the impact of a threshold modification on FRR and FAR can be estimated. This allows an analysis
of the influence of external factors, such as passport origin, airport environment, frequent users or passport
aging on the performance of the biometric subsystem, including their evolution across time.
For the “score driven” method, the FAR cannot be computed offline as the acquisition process relies on the
reference image read from the passport. According to ISO/IEC 19795-1:2006, B.1.2, several thousands of
independent tests are necessary to claim a FAR of 0,5 %. It does not seem feasible to have so many people
using the system with someone else's passport. Moreover, it is not possible to analyse the influence of other
factors on the performance of the biometric subsystem.
Another option to measure the operational FAR for a “score driven” method would be to compute the FAR based
on logged data and to estimate the maximum bias relative to operational performance.
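The difference between the two methods can be made concrete with a small simulation, added here as an illustration and not part of the Technical Specification. It assumes a constructed model: Gaussian comparison scores, quality independent of score, five capture attempts, and hypothetical function names and thresholds.

```python
import random

MAX_ATTEMPTS = 5          # constructed timeout, expressed as a number of capture attempts
Q_MIN = 0.5               # constructed quality threshold

def score_driven(attempts, t):
    """Compare every capture with the reference; accept at the first score above t."""
    return any(score > t for _, score in attempts)

def quality_driven(attempts, t):
    """Compare only the first capture whose quality is above Q_MIN."""
    for quality, score in attempts:
        if quality > Q_MIN:
            return score > t
    return False          # timeout without a usable capture: alternative process

def transaction(rng, mean):
    """Constructed model of one transaction: (quality, comparison score) per attempt."""
    return [(rng.random(), rng.gauss(mean, 0.10)) for _ in range(MAX_ATTEMPTS)]

def rates(t, n=20000, seed=7):
    """Error rates of both methods at comparison threshold t, plus the offline estimate."""
    rng = random.Random(seed)
    genuine = [transaction(rng, 0.70) for _ in range(n)]
    impostor = [transaction(rng, 0.30) for _ in range(n)]
    # Offline replay of logs: each logged capture is compared once with another
    # traveller's reference, i.e. one impostor-distributed score per transaction.
    replay_far = sum(rng.gauss(0.30, 0.10) > t for _ in range(n)) / n
    return {
        "replay_far": replay_far,
        "quality_far": sum(quality_driven(a, t) for a in impostor) / n,
        "quality_frr": 1 - sum(quality_driven(a, t) for a in genuine) / n,
        "score_far": sum(score_driven(a, t) for a in impostor) / n,
        "score_frr": 1 - sum(score_driven(a, t) for a in genuine) / n,
    }

if __name__ == "__main__":
    for t in (0.45, 0.50, 0.55):       # threshold sweep, as for a DET curve
        print(t, {k: round(v, 4) for k, v in rates(t).items()})
```

In this model the offline replay tracks the FAR of the quality driven loop but underestimates the FAR of the score driven loop, because an impostor in the score driven loop is compared with the reference on every attempt.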
It is recommended to use interfaces according to BioAPI [7] for the capturing of the biometric data. However,
the ABC operator may also allow proprietary vendor-specific SDK interfaces for the integration of the capture
unit, if this leads to reasonable advantages.
5.1.3 Biometric security functions
5.1.3.1 General
The reduction of human interaction in automated systems causes new security threats which shall be
addressed and treated differently than threats on systems with human interaction. For that reason, it is
essential to perform a complete security assessment for any ABC solution in its application context.
5.1.3.2 Tailgating prevention and detection
For the time being, it should be checked that only one person is using the ABC system at a time to prevent
improper use of the system. Therefore, the system can provide technical features to check for uniqueness.
This includes:
• acceptance of each individual;
• refusal of two or more individuals within the biometric data acquisition area; this also includes babies
carried by adults using the system;
• capability to detect items behind or in front of individuals (i.e. bags or suitcases).
The restrictions for luggage, hats, glasses, etc. only hold for the face recognition/verification system.
Fingerprint verification procedures are not affected by these circumstances but users should be instructed to
remove gloves if wearing any.
NOTE In the future, it might be possible to check more than one person at once. This could allow the processing of
families and people with special needs.
5.1.3.3 Acquisition of biometric reference data
The traveller places his/her passport, open at the data page, (or trusted token) on the document reader. The ABC
system reads the biometric data contained in the passport's chip, or calls the stored reference data from a
reference database (if a token without data storage capacity is used). For tokenless systems, this acquisition
step is skipped.
NOTE The second generation of the data format standards ISO/IEC 19794-4 [8] and ISO/IEC 19794-5 [9] was
published in 2011. Currently, passports implement data groups following the 2005 versions of these standards. At some
time ICAO might decide to start a transition to the 2011 version.
Integrity and authenticity of the reference data should be checked. For eMRTDs the security protocols
according to [27] and [21] should be used. Where a reference database is used, appropriate security
mechanisms should be implemented.
The solution should be compatible with all eMRTDs according to ICAO Document 9303 and all other eligible
travel documents specified by EU or Member State legislation (see 4.3).
5.1.3.4 Biometric comparison
The biometric verification component should compare the traveller's biometric data captured live with those
acquired as his/her reference data.
The maximum time necessary for the biometric verification (and, additionally, the maximum number of
attempts) should be set for all ABC systems in a way to avoid acceptance issues. The system should give
feedback about the current status shortly after the process has started. The maximum time and number of
attempts set depend on the application case and should be established taking into consideration accuracy and
throughput constraints.
In the case of identification, the traveller's biometric reference data should be present in the database of
authorized travellers.
NOTE In specific cases, additional biometric functions such as the automatic comparison with search lists could be applied
during border crossing. Even if identification is not the main functionality of biometrics in a border control context where
the idea is to ensure that the person crossing the border is the person he/she claims to be, automatic recognition of
searched people is a valuable functionality. In order to perform this task, and if the technology allows fast comparison
operations, identification against watch lists can be run using the biometri
...







