Guidance for Authentication of Remote Biometrics

Standards Development Organisation:

CIOSC

Contact Information:

Digital Governance Standards Institute (DGSI)

Working Program:

View the CIO SC work program

Designation Number:

CAN/CIOSC 120

Standard Type:

National Standard of Canada - Domestic

Standard Development Activity:

New Standard

ICS code(s):

35.020

35.240

35.240.15

Status:

Proceeding to development

SDO Comment Period Start Date:

2022-07-26

SDO Comment Period End Date:

2022-08-17

Posted On:

2022-07-15

Scope:

Note: CIO Strategy Council announced an organizational name change to the Digital Governance Council (DGC), effective January 30, 2023 and the creation of a new standards development division, Digital Governance Standards Institute (DGSI). This standard will define the minimum requirements of remote identity verification using biometrics. It will also list various attack types and explain how they can subvert the biometric verification process. Then it will define methods that can be used to detect or invalidate the attacks, allowing the biometric verification to be authenticated remotely. Authentication methods that have not yet been devised can also reference this standard if they can demonstrate how they detect or invalidate the various attack types.

Project need:

Biometric matching is used to verify the identity of individuals in many different applications. Recently, more of these applications occur remotely, where the individual being verified is not present at the point of verification. In these cases, the remote biometric matching needs to be authenticated to ensure that the biometric collected is a live sample from a real person and that the match result or comparison score is from a trusted source. This standard proposes to explain various attacks on remote biometric systems and how they can be mitigated. Depending on the types of mitigation and which attacks they cover, an authentication score can be computed. Trust can be assigned to the remote biometric process for different types of applications depending on its authentication score.

Note: The information provided above was obtained by the Standards Council of Canada (SCC) and is provided as part of a centralized, transparent notification system for new standards development. The system allows SCC-accredited Standards Development Organizations (SDOs), and members of the public, to be informed of new work in Canadian standards development, and allows SCC-accredited SDOs to identify and resolve potential duplication of standards and effort.

Individual SDOs are responsible for the content and accuracy of the information presented here. The text is presented in the language in which it was provided to SCC.