Biometrics is now an indispensable technology


The Biometrics Alliance Initiative (BAI) was launched in readiness for the important role that biometrics were expected to play in new fields, beyond the scope of state prerogatives. These predictions were confirmed in 2012, when a leading telephone manufacturer[1] took over a major fingerprint manufacturer, starting a trend that has become unavoidable.

 

Since the start of the project, we have witnessed:

  •  an explosion in the types of biometrics, such as heartbeat networks (the Nymi project[2])
  •  a desire shown by new players in mobile telephony to go faster. They are attempting to impose their vision of biometrics by setting up the biggest installed base as quickly as possible
  •  the limited ability of players to ensure optimal biometric performance in varying contexts
  •  the confirmation of the general public's ignorance of the technology and its scope of application. Biometrics can be used to authenticate or identify individuals, but is not a security technology "in itself"
  •  ongoing experiments (e.g., based on vocal technology in France[3]).

At the same time, the discovery of the diesel vehicle pollution fraud has confirmed the need to develop evaluation systems that are based on realistic situations and used by independent laboratories.


The need for visibility of biometric technologies


The field of use of consumer biometrics is growing, to include:

  • new usages, especially in services, such as access to online banking services,
  • different implementations, which, for example, are no longer limited to mobile phones, but will include all sorts of connected objects,
  • new modalities.

But deployments are mostly based on proprietary technologies, whose performance is difficult to assess and which are impossible to access outside the ecosystem defined by the manufacturer.

 

The recent survey by the Mobey Forum[4] clearly shows the strong demand amongst users for open interfaces.

In response to the question, "Handset manufacturers have been integrating fingerprint sensors in mobile devices. Some of the fingerprint sensors have an open interface, where the authentication data can be controlled by the bank or a provider chosen by the bank. How do you see this development?", 83% of the companies questioned answered "A fingerprint sensor with an open interface is an opportunity for us."

 

This open interface would allow for:

  •  the definition of the foundations of interoperability. The use of existing biometric standards would allow for the creation of an open system of technologies adapted to the different uses,
  •  the establishment of an evaluation and certification system,
  • performance evaluation based on an open approach (white box vs. black box).

 

The goal of the BAI is to define conditions applying to this openness that provide clear visibility of performances and implementations and, therefore, of security.

 

The main challenge which biometric evaluation testing faces is context. Underlying technologies behind different biometric solutions are sensitive to different settings. And so are the security and performance requisites.

The BAI framework is a stepping stone in addressing these specifics. Notwithstanding the high adoption of mass-market biometrics, proper evaluation procedures are still lacking in the market. With the expertise of well-established players like Elitt and Paycert, we have implemented the biometric factor into a feasible, transparent and repeatable testing and certification infrastructure. Other players have largely contributed in giving the empirical touch to this framework.

Our approach aims at instilling high levels of trust amongst the different actors of the biometric market. Ensuring expected security and convenience levels in operational conditions is the key to sustainable biometric solutions.

 

Arvin RAMKHELAWON, Consult Hyperion


The characteristics of the BAI


The strength and characteristics of the BAI lie in its intention to formally define an approach, but also to call on the four main types of players involved in the implementation of biometric applications:

 

(1) R&D laboratories, which are mostly in universities, and focus on research into biometrics. This is where the new modalities (such as facial recognition, for example) and attacks against biometric systems are developed

(2) Players in industrialisation that concentrate on the reproducibility of tests, the durability of evaluations and adopt a certification-oriented approach

(3) End users, but also regulators and institutions that will use or authorise deployments on the basis of improved knowledge of the implementations

(4) Industrial manufacturers, who are looking for an operational evaluation and certification process

 

A local project with European horizons


On the strength of its unique position in the realms of evaluation and knowledge of security, France naturally has a role to play in the evaluation, certification and evolution of biometric technologies.

 

This is the underlying reason for this federating initiative, which benefited from regional and European funding (Feder and Direccte) to complete the first reference frameworks.

 

The Biometrics Alliance Initiative adopts a contributive and collaborative approach towards other European projects, such as the BEAT programme, which concentrates more particularly on developing attacks against biometric systems.

 

The main players


R&D laboratories

CITC. Madrid III. Telecom Lille. Ensicaen

Players in evaluation and certification

Elitt. Paycert. UL.

End users, but also regulators and institutions

Natural Security Alliance. Trust Designer. Vauban. Groupement Cartes Bancaires. Bizraiser

Industrial manufacturers

Agnitio

 

(1) R&D laboratories


The first work was completed at the instigation of the ENSICAEN[5] and Christophe Rosenberger's team. The team at the CITC[6] contributed to the launch of the project, and to the definition phase in particular. Mohamed Daoudi and Boulbaba Ben Amor's team at Télécom Lille came on board and provided its expertise in facial biometrics.

 

"In its capacity as an R&D team, Télécom Lille is faced with the need to evaluate the facial technologies developed by the institute on a daily basis. The BAI lays the foundations of a common method that enables us to develop new tools in support of the industrial manufacturers we work with. "

 

Mohamed Daoudi, Télécom Lille/ CRIStAL (UMR 9189)

 

« CITC (Centre de Ressources Technologiques en matière de technologie sans contact et d’Internet des Objets), a research centre in contactless technologies and the Internet of Things, was a key founding member of the BAI, providing insights on the methodology and helping to define evaluation schemes. Interoperability and open systems required solid methodological foundations to help reuse, capitalisation and sharing of different models. »

 

Chékib GHARBI, CITC

 

(2) Players in evaluation and certification


One particular feature of this project is that most of the contribution and review work was done by the team at Elitt, which incorporated the BAI activities in a concrete and operational approach, on the strength of its skills and know-how in evaluation and certification systems.

 

ELITT, a subsidiary of Groupement des Cartes Bancaires CB, is an evaluation laboratory that specializes in secure electronic transactions. ELITT’s main business is to check the proper functioning and interoperability of issuance products (e.g. cards, mobile phones, portable objects, e-passports) and acceptance systems (e.g. POIs, unattended terminals, e-business) used in the payment, transportation, healthcare and identity sectors.

The ISO committee defines evaluation, also known as conformity assessment, as the "demonstration that specified requirements relating to a product, process, system, person or body are fulfilled".[7]

In the context of biometric technologies, evaluation tests should answer a wide variety of questions, for example: Does it work on a sunny day? Is it easy to use? What are the false rejection and false acceptance rates? Is the product compatible with different devices from different providers? Can the unit under test be hacked? Can the modality be spoofed?

Tests aim to guarantee that the biometric solution is as convenient and safe as traditional solutions (e.g. chip cards, PIN codes on a mobile phone). Such a guarantee is best provided by having an independent laboratory measure system performance, verify conformity to specified standards (e.g. ISO) and assess security.

The use of an independent and recognized laboratory to perform these tests in accordance with a specification or norm ensures fairness and guarantees the methodology followed, for example an evaluation framework defined by the Biometrics Alliance Initiative (BAI) or the Biometrics Evaluation And Testing (BEAT) project.

Evaluation should take into account the business and technical requirements for a targeted usage.

 

Alain Louis, Elitt

 

« Setting standards for any type of technology can be challenging. Setting the associated certification infrastructure is also challenging as it needs to be transparent, technically sound and of course repeatable – with consistent results when testing. For the payments industry, its major challenges will be technical compatibility – particularly the ability for the certification to adapt to use across all types of cards and payments devices – and security. Cardholder information is incredibly sensitive, and with high consequences for breaches, security will always be a high priority for users. »

 

Ludovic Verecque, Paycert

 

UL joined the project, confirming its European dimension.


(3) End users / regulators and institutions


The teams from the Natural Security Alliance, Trust Designer, Vauban, the Groupement Cartes Bancaires and Bizraiser worked together to define the conditions of use and the various use cases of biometrics.

 

"Vauban System is a manufacturer on the access control systems market. As an integrator, we call on industrial manufacturers that supply biometric sensors. For us, it is important to offer clear visibility of the way the technology we provide. This is why the work done by the BAI helps us to have a better grasp of existing technologies."

 

Jean-Claude Bultel, Vauban System


(4) Industrial manufacturers, to have a realistic operational view of the evaluation and certification process


The work done by the BAI offers industrial manufacturers an operational vision of the conditions of use of their technologies. By defining concrete scenarios (payment, physical and logical access control, etc.), it is possible to better comprehend biometric technologies.

  

Key elements

The Biometrics Alliance Initiative was formed to define a common process for testing, approving and certifying biometric technology. This framework for the performance, security and usability of biometrics aligns with business and user needs, and complies with international standards, particularly for payment, banking and access control.

 

The initiative, which has been welcomed by regulators, is based on key differentiating essentials like practicality and feasibility, and defines specific application scenarios for biometric use. Assessment looks at multiple factors such as technology, performance, security, interoperability and environment, thus offering a wider scope for overall evaluation. Furthermore, the evaluation methodology framework can evolve to encompass changes in biometrics resulting from technological and societal evolutions.

 

The BAI was started to provide users better visibility over biometric technologies. At present, user confidence in and access to biometric technologies is severely limited by the lack of a recognized certification process for biometric solutions and the absence of European harmonization.

 

While some biometric standards already exist and ensure the interoperability of biometric systems, they generally target governmental applications. In order for biometrics to gain ground commercially and in private companies, performance and operation benchmarks as well as baselines adapted to private sector use must be developed so that performance, security and usability expectations can be set, evaluated and met.

It is a fact that not all biometric technologies or implementations are created equal. Some have been developed to offer convenience, while others have been designed to meet the more ambitious objective of improving security. Characterizing, segmenting and evaluating biometric solutions (whether in a usage context or independently) will serve to create and maintain user confidence in biometrics. One of the BAI’s objectives is to lead the way in shaping the security, usability and performance requirements and certification of all different biometric technologies and implementations.

The BAI aims to define a testing, certification and approval process that will make it possible to guarantee different levels of security and usability, to align with needs and international standards in the banking and payment processing industry. It will also provide the necessary testing procedures to enable this infrastructure.

The BAI is set up as a working group that provides a forum where users can express their needs, but also aims to publish, with the support of specialist suppliers, concrete operational recommendations for the use and development of biometrics. The BAI will therefore offer biometric technology suppliers documentation on user requirements and constraints based on the work of and direct input from different users. Furthermore, it will develop a methodology for evaluating biometric solutions with regard to transparency and competition. This methodology will be developed in cooperation with users and suppliers, and will build on objective criteria.

 

A summary by Dr. Raul Sanchez-Reillo, Universidad Carlos III de Madrid

The Biometrics Alliance Initiative is launching a certification scheme for those commercial systems that use biometrics for authenticating the user (e.g. payment systems). This certification system will cover aspects such as functionality, performance, interoperability, impact of the environment where it is deployed and the security level achieved.

 

 

The certification scheme has been designed for the benefit of customers, service providers, system designers, manufacturers and integrators. By obtaining the relevant certificates, manufacturers, integrators and system designers will get a stronger position towards a service provider choosing the solution to be deployed. System providers will benefit in achieving a larger level of confidence by choosing those products that have obtained the required algorithms. And customers, or citizens in general, will benefit by obtaining a larger level of trust in the system being used, and therefore the correct handling of their personal data and security in the service provided.

 

Certificates will be available not only for full systems, but also for the capture devices and the algorithms individually. Citizens and service providers will be more interested in those certificates for the full system, while manufacturers, integrators and system designers will be more interested in the certificates for capture devices and algorithms.

 

The certification scheme is based on the current international standards, and the specific requirements of the target application of the system.

 

In summary, this certification scheme is a big step forward in providing trust and confidence to citizens and service providers in those products related to Biometrics.

Deliverables (Version 1.0 available)

WP1: Evaluation levels for biometric technology 

  • D.1.1. Biometric system representations
  • D.1.2. Definition of the different evaluation levels: compliance and certification and the approval level for self-assessment

WP2: Definition of general requirements for the evaluation frameworks

  • D.2.1. General requirements for Functionality evaluation framework
  • D.2.2. General requirements for Performance evaluation framework
  • D.2.3. General requirements for Interoperability evaluation Framework
  • D.2.4. General requirements for Environment evaluation framework
  • D.2.5. General requirements for Security evaluation framework

WP3: Definition of specific tests and test tools for the evaluation frameworks considering all evaluation levels and the different biometric representations at each level

  • D.3.1. Specific tests for Functionality evaluation framework
  • D.3.2. Specific tests and test tools for Performance evaluation framework
  • D.3.3. Specific tests and test tools for Interoperability evaluation framework
  • D.3.4. Specific tests and test tools for Environment evaluation framework
  • D.3.5. Specific tests for Security evaluation framework

WP4: Definition of the global certification scheme

  • D.4.1. Structure and organization of the global biometric certification scheme
  • D.4.2. Types of certificates
  • D.4.3. Scopes for accreditations

BAI is available for members of the Biometrics Alliance Initiative


Membership fees:

  • 250 euros for universities, schools, individuals, companies of less than 10 employees and associations

  • 500 euros for companies of more than 10 employees and less than 250 employees

  • 1,000 euros for companies of more than 250 employees

Contact us with the following form to know how to join the BAI.

