An overview of biometrics standards

Access & Identity Management Handbook 2004 Access Control & Identity Management

The past two years have seen significant developments at an international level in the generation of standards in the field of biometrics. This article gives a brief overview of the current state of affairs in biometrics standards generation.

It could reasonably be asked why it is necessary to generate and abide by standards at all, and the following points highlight some of the benefits provided by standards:

Interoperability: Enabling application development and easier systems integration by using a common standard for data formats as well as hardware and software interfaces.

Biometric system assurance: Providing some form of assurance in the integrity of system through the use of common testing criteria and common security evaluation.

Avoiding vendor lock-in: Consumers like to have a choice, and adherence to standards enables end-users to switch between vendors without having to change the underlying application.

Future-proofing: Providing a common standard to revert back to in case new technology fails us, or in case the standards have not yet caught up with new technology.

The main players who have been instrumental in rapidly advancing biometrics standards over the past two years include the US and Canadian governments, with the 11 September 2001 terrorist attacks playing a significant role; International standards bodies such as the International Standards Organisation (ISO) and International Electrotechnical Commission (IEC); international organisations such as the International Civil Aviation Authority (ICAO) and International Labour Organisation (ILO), which falls under the UN; US and other national standards bodies such as ANSI and NIST; and industry associations such as the BioAPI Consortium, OASIS and AAMVA.

Dr Nick van der Merwe
Dr Nick van der Merwe

ISO/IEC JTC1 SC37

In terms of biometrics the most important standards body is ISO/IEC JTC1 SC37, which is a steering committee falling under the joint technical committee (JTC1) set up between ISO and the IEC. The scope of SC37 is the 'standardisation of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems'.

The activities of ISO/IEC JTC1 SC37 is broken down in six different workgroups as follows:

* WG1: Harmonised biometric vocabulary.

* WG2: Biometric technical interfaces.

* WG3: Biometric interchange formats.

* WG4: Biometric functional architecture and related profiles.

* WG5: Biometric performance testing and reporting.

* WG6: Cross-jurisdictional and societal aspects.

The main brief for WG1 is to create a document of terms and definitions to be used throughout SC 37 international standards, and the major output from this group is a harmonised biometric vocabulary.

WG2 focuses on the standardisation of all necessary interfaces and interactions between biometric components and sub-systems, and the major outputs so far from this group are the Biometric Application Programming Interface (BioAPI) and the Common Biometric Exchange Formats Framework (CBEFF).

The focus of WG3 is on the standardisation of the content, meaning and representation of biometric data formats which are specific to a particular biometric technology. The major output from this group is the multipart standard 19794 - 'Biometric Data Interchange Formats' - which currently includes data interchange formats for finger minutiae, finger pattern spectral data, finger image data, face image data, iris image data, signature/sign behavioural data, finger pattern skeletal data and vascular biometric image data.

WG4's brief is to develop a biometric functional architecture and related profiles that bind together the various biometric-related base standards in a manner consistent with functional blocks of operation of biometric systems. The major output from this workgroup so far is the multipart standard 24713 - 'Biometric Profiles for Interoperability and Data Interchange' - which comprises a 'Biometric Reference Architecture' as part 1 and 'Biometric Based Verification and Identification in a Highly Secure Environment' as part 2. In the near future a profile for 'Biometric Based Verification and Identification of Seafarers' and also a profile for 'Biometric Based Verification and Identification for financial applications' will be added.

The main brief for WG5 is 'to create testing and reporting methodologies and metrics that cover biometric technologies, systems and components'. Major outputs from this group is the multipart standard 19795 - 'Biometric Performance Testing and Reporting', which has four sub-sections, namely: Part 1 - Principles and Framework, Part 2 - Testing Methodologies, Part 3 - Specific Testing Methodologies and Part 4 - Specific Test Programmes.

WG6 looks at standardisation in the field of cross-jurisdictional and societal aspects in the application of ISO/IEC biometrics standards. Within this context, the terms of reference include the support of design and implementation of biometric technologies with respect to accessibility, health and safety and support of legal requirements and acknowledgement of cross-jurisdictional and societal considerations pertaining to personal information. The main output from this group so far has been a technical report on 'Cross Jurisdictional and Societal Aspects of Implementation of Biometric Technologies'.

Due to the wide area of applications in which biometrics can be used, SC37 have ready set up a host of formal international liaisons, including SC17 (cards and personal identification), SC27 (IT security techniques) and SC29 (coding of audio, picture, multimedia and hypermedia information) within ISO/IEC JTC1; with ISO TC68 (banking, securities and financial services); as well as with the International Civil Aviation Authority (ICAO) and International Labour Organisation (ILO), which falls under the UN. National standards bodies typically belong to ISO as either voting (P) or observer (O) members, and industry bodies feed in via the relevant national body.

SC37 was inaugurated in Orlando, Florida in December 2002, and has met every five months since then. Meetings entail workgroup sessions over a week, with an additional plenary session over two days held every second meeting. SC has been held in Ottawa (Canada), Rome (Italy), Sydney (Australia) and Seoul (Korea), with the next workgroup meetings scheduled for Paris (France) in November and the following workgroup meetings and plenary being held in SA in June 2005.

Mapping of biometric standards activities to the scope of biometric application. Source: Bioscript
Mapping of biometric standards activities to the scope of biometric application. Source: Bioscript

South Africa's involvement

SA's involvement in the international biometrics standards process was largely triggered by the drafting of a position paper entitled 'Establishment of a National Fingerprint Biometric Standard for Government', which was drafted by the Department of Home Affairs in 2001. This resulted in a number of workshops with wide participation from government and the biometrics industry, which ultimately led to the drafting of SABS National Workshop Agreement - ARP054, entitled 'Data format for the interchange of fingerprint information'. This workshop agreement was aimed at establishing a common data format for interchange between the various government departments utilising fingerprint biometrics, including applications by Home Affairs, Social Welfare, Transport and the Integrated Justice System (IJS).

One of the spin-offs from this process was the establishment of StanSA SC71J/WG1 (Biometrics), which is a local workgroup of technical experts in the field of biometrics who follow biometrics-related standard internationally, such as the activities of ISO/IEC JTC1 SC37 and S17, and ISO TC68. This workgroup reviews relevant draft international standards, votes on these drafts and also participates in workgroups and plenaries of both SC37 and SC17. The workgroup has been operational since August 2002, and meets approximately every four months.

Conclusion

The following conclusions can be drawn from the current state of biometrics standards:

* A lot has been achieved in a short space of time - in terms of standards generation SC37 has progressed very quickly, maybe too quickly?

* There is a large body of work currently in the pipeline at SC 37, resulting in a number of draft international standards by the fourth quarter of 2005.

* There are many important inter-relationships at play, with a number of formal liaisons being in place.

* South Africa has an important role to play.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Palm-vein biometric kiosks secure SAP at Transnet Engineering
Access Control & Identity Management Transport (Industry) Videos
Securing access to SAP is essential to avoid fraud or corruption. Ensuring that users can access the software quickly, easily, and conveniently to do their jobs is also essential.

Read more...
Empower individuals to control their biometric data
Information Security Access Control & Identity Management Security Services & Risk Management
What if your biometrics, now embedded in devices, workplaces, and airports, promising seamless access and enhanced security, was your greatest vulnerability in a cyberattack? Cybercriminals are focusing on knowing where biometric data is stored.

Read more...
Security industry embraces mobile credentials, biometrics and AI
AI & Data Analytics Access Control & Identity Management Integrated Solutions
As organisations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID.

Read more...
Nice launches DC Blue Astute garage door motor
Nice Group South Africa Technews Publishing News & Events Access Control & Identity Management Perimeter Security, Alarms & Intruder Detection
Nice Systems SA has launched the Nice DC Blue Astute, a garage door motor for the South African market featuring a pre-installed lithium-ion battery instead of traditional lead-acid batteries.

Read more...
Towards a global digital passport?
Access Control & Identity Management
In a world where borders are more connected and closely monitored, the idea of a universal digital passport could revolutionise how we travel, work, and even perceive citizenship.

Read more...
Empower individuals to control their biometric data
Information Security Access Control & Identity Management Security Services & Risk Management
What if your biometrics, now embedded in devices, workplaces, and airports, promising seamless access and enhanced security, was your greatest vulnerability in a cyberattack? Cybercriminals are focusing on knowing where biometric data is stored.

Read more...
A platform for access and identity at Securex 2025
Securex South Africa Access Control & Identity Management Facilities & Building Management
South African companies involved in supplying access control technology, security services, and data management are well-positioned to tap into the expanding access control market at Securex 2025.

Read more...
Background checks: risk levels and compliance
iFacts Access Control & Identity Management Security Services & Risk Management
Conducting background checks is a vital step in the hiring process for employers or when engaging service providers; however, it is crucial to understand the legal framework and regulations governing these checks.

Read more...
Insurance provider uses Net2 For access management
Paxton Access Control & Identity Management Integrated Solutions Healthcare (Industry)
BestMed selected Paxton Net2 for its access control requirements because of its simplicity of installation and ease of navigation for end users, as well as the 5-year warranty.

Read more...
Identity is a cyber issue
Access Control & Identity Management Information Security
Identity and access management telemetry has emerged as the most common source of early threat detection, responsible for seven of the top 10 indicators of compromise leading to security investigations.

Read more...