Liveness Detection: PAD Testing in Accordance with ISO Standards.

Background.

In recent years, we've witnessed a higher interest in using biometric data for authentication, which led to an increase in the availability of suitable devices such as webcams, smartphones, tablets, and other gadgets with the relevant technology and sensors to capture the data.

With these rapid innovations in biometric capturing and identity verification, and the constant improvement in data quality, standardisation parties have identified the need to provide a proper framework. Consequently, the ISO/IEC 30107-1 standard was published around half a decade ago. However, it wasn't until almost two years later that they published the standard for testing these solutions against spoof attacks; ISO/IEC 30107-3. The timing could not have been any better, with the circumstances for the current pandemic having created a greater urgency for remote onboarding and authentication solutions. The ISO/IEC 30107-3 standard establishes the principles and methods for PAD testing.

What is PAD testing?

Presentation Attack Detection (PAD) testing is the assessment of the capabilities of a biometric liveness detection system to detect active spoof attempts under controlled and varied conditions to conform to the ISO/IEC 30107-3 standards. This should ideally be performed by a third-party testing laboratory that is accredited by the Fast IDentity Online (FIDO) Alliance, the EU's Biometrics Evaluation Testing (BEAT) project, the US's National Institute of Standards and Technology (NIST), or any other relevant institution.

Why is it Important?

With the advent of Covid, branch visits have practically become obsolete, while many people now prefer to transact remotely instead. Without a physical face-to-face interaction, it becomes more difficult to verify the identity of a person, increasing the risk for fraud. Therefore, the ability of a system to detect if a person is real and physically present when performing tasks like authorising transactions or opening accounts, becomes crucial - and this can only be achieved by a system that has been put through its paces.

The tests are solely performed according to the ISO/IEC 30107-3 standards by trying to fool or spoof a system by presenting various artifacts to falsely represent existing biometric data and embody a wide variety of ethnicities and age groups in the process. These attack examples are known as Presentation Attack Instruments (PAIs) and fall within two test levels under the current ISO requirements:

Sybrin Passed the Test!

It was crucial to Sybrin that we accommodate for the diversity prevalent in our markets. Our testing criteria were selected to defend against the most extensive attack diversity on the market.

Our solution was successfully tested by the FIDO-accredited biometric laboratory, Fime, on level A and B attacks from numerous PAIs, including paper masks, reconstructed faces on busts, videos, live persons, and more. Our SDK passed rigorous assessments against criteria based on FIDO Biometric Certification Requirements v1.1 (FIDO1.1) and in accordance with ISO/IEC 30107-1 and ISO/IEC 30107-3:2017 and has been declared to conform to this standard.