Deploying a new biometric system requires a pragmatic approach to ensure efficiency. This involves identifying credible standards, guidelines, and best practices. Resources like the ISO/IEC 30107 Series, the Biometrics Institute’s Best Practice Framework, and established best practices offer guidance on conducting needs assessments, selecting technology, implementing security measures, and addressing privacy and ethical concerns. Let’s delve into these standards.

Credible Standards

A directly responsible individual wishing to successfully deploy a new biometric system should follow credible standards. According to Purdue University's Biometric Technologies Implementation Standard, an individual seeking to do so must adhere to a process that requires approval, plans for data storage, encryption, identification versus authentication, the use of biometric data, and emerging standards (Biometric Technologies Implementation Standard – Secure Purdue – Purdue University, n.d.). These steps can serve as a benchmark, drawn from a heavily regulated entity, on which to build. For a global standard for biometric technology implementation, organizations can refer to the standards developed by the ISO/IEC JTC 1/SC 37 committee. This international standards committee is responsible for the development of biometric standards and focuses on the standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems (Podio & U.S. National Institute of Standards and Technology, n.d.).

For the use cases of large-scale testing, accuracy, tamper resilience and interoperability, NIST provides some key facts to support its frameworks. Determining biometric accuracy requires the use of large-scale databases for testing (National Institute of Standards and Technology, 2002). Using realistic INS data, one index fingerprint can provide a 90% probability of verification with a 1% probability of false acceptance for verification on a sample of 6000 fingers (National Institute of Standards and Technology, 2002). Public Key Infrastructure (PKI) can support the key-enabled digital signature that is the analogue of a written signature. Existing Federal Information Processing Standards (FIPS) are approved standards and should be used for the Digital Signature Algorithm and other required components of the system (National Institute of Standards and Technology, 2002). There are several approved standards that should be used for interoperability between systems for both identification and verification functions. The ANSI standard Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo (SMT) Information (ANSI/NIST-ITL 1-2000) formats fingerprint data to perform background searches against the FBI's or another Automated Fingerprint Identification System's (AFIS) criminal file (National Institute of Standards and Technology, 2002). It is important that implementations of these standards for accuracy, tamper resilience, and interoperability undergo testing that demonstrates the expected behavior against the specifications.

According to Belen Fernandez-Saavedra of the ID testing lab at the University of Madrid, there are several phases to be considered in Common Criteria and biometric performance testing. These phases include the general evaluation process, the biometric system evaluation process, Common Criteria and the CEM, and specific guidelines, including the interpretation of a general biometric schema as well as the CC testing activities involved in biometric performance testing (Fernandez-Saavedra et al., n.d.).

Now that we’ve reviewed the credible standards for deployment, let’s move onto recommended guidelines and frameworks for designing the deployment project.

Recommended Guidelines and Frameworks

A directly responsible individual could focus on various aspects of biometric system deployment, including privacy, ethics, data protection and technical considerations. The Biometrics Institute launched a 'Good Practice Framework' to give companies a structured pathway through the various factors that influence or hinder biometric applications (Burt, 2022). The framework provides guidance on strategic planning, data acquisition and processing, system outputs, and products and services. The Biometrics Institute also provides training and workshops for members who will be responsible for implementation. The FIDO Alliance Biometric Component Certification Program ensures that biometric components meet specific security and interoperability requirements, fostering trust in the system.

The FIDO Alliance utilizes standards developed by ISO/IEC JTC 1/SC 37, Biometrics ("First Smartphones Certified by FIDO's Biometric Component Certification Program," 2019). This is particularly encouraging, as this ISO/IEC committee was referenced in the credible standards section of this writing. It is important to recognize the wide adoption of a standard across the key phases of an implementation project, as this provides increased confidence in the framework for the different components of the process. The Fast Identity Online (FIDO) Alliance created the Biometric Component Certification Program in response to the market need for a standards-based means to assess the efficacy of biometric components, utilizing accredited, independent third-party labs to assure the performance of a vendor implementation ("First Smartphones Certified by FIDO's Biometric Component Certification Program," 2019).

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) Joint Technical Committee (JTC) 1 on Information Technology and its Subcommittee (SC) 37 on Biometrics have coordinated and worked closely with the FIDO Alliance since 2017 through an established liaison arrangement ("First Smartphones Certified by FIDO's Biometric Component Certification Program," 2019). The specificity of the security requirements and the standards for certification are important because of the large amount of personally identifiable data being captured, stored and used for the various cases outlined throughout this writing. Global standards should be taken into consideration due to the interconnectedness of the world we live in today, as we do business internationally and hire talent from all around the world. GDPR and other relevant privacy regulations should remain in scope when deploying a biometric system; adhering to them is critical to ensuring the protection of individuals' personal information.

Now that we’ve covered recommended guidelines and frameworks let’s delve into best practices for biometric system deployment.

Best Practices for Biometric System Deployment

There are a number of best practices, and all of them are valid aspects to consider; however, depending on project resources, a directly responsible individual may have access to unlimited resources or very little. If the project is constrained by resources, each best practice task should be prioritized against the risk and against satisfaction of the departmental strategic goals in the current business cycle. The project is deemed medium/high risk due to the critical need for the solution. My approach to the research and planning phase would be prioritized like this:

  1. Conduct a needs assessment
  2. Review security measures
  3. Standardize user privacy
  4. Perform regular system testing and evaluation
  5. Develop a comprehensive incident response plan
  6. Select appropriate biometric technology

I would adopt the Purdue use case as my business case for benchmarking and reach out to the ISO/IEC JTC to present my project plan. Through my collaboration with those subject matter experts I would pick the best product based on their certification program knowing with some confidence it’s secure and privacy enabled. After we’ve iterated the project scope to include the updated details from the subject matter experts I would present the project plan utilizing PMBOK enhancement to present key aspects of the project management processes such as scope management, schedule management, cost management, quality management, resource management, communications management, risk management, procurement management and stakeholder engagement. Partnering with organizations such as the Biometrics Institute, NIST and the University of Madrid could lead to increased stakeholder buy-in/investment as well as growth opportunities for the project as a whole. This collaboration would satisfy the final three items on the prioritized approach list. I believe this approach would yield the greatest potential outcome for success.

Now that we've covered best practices for biometric system deployment, let's wrap up and review key points.

Conclusion

As we can see, the deployment of a biometric system can be broken down pragmatically using a project charter, a plan, phased approaches, risk management and an understanding of the business needs. We've reviewed credible standards, guidelines, frameworks, and best practices. We've identified sources such as ISO/IEC JTC, the Biometrics Institute, NIST and the University of Madrid as potential partners with a possible stake in the success of the project. There are multiple layers of consideration in scope capture and definition that would ultimately lead to the success of the deployment project.

References

INCITS/ISO/IEC 30107-1:2016 (2021) – Information technology – Biometric presentation attack detection – Part 1: Framework. (n.d.). https://webstore.ansi.org/standards/incits/incitsisoiec3010720162021

Burt, C. (2022, April 19). Biometrics Institute ‘Good Practice Framework’ launched to demystify responsible implementation. Biometric Update | Biometrics News, Companies and Explainers. https://www.biometricupdate.com/202007/biometrics-institute-good-practice-framework-launched-to-demystify-responsible-implementation

National Institute of Standards and Technology. (2002). Summary of NIST standards for biometric accuracy, tamper resistance, and interoperability. https://www.nist.gov/system/files/documents/2021/10/25/nist_appendix_pact_nov02.pdf

Podio, F. L. & U.S. National Institute of Standards and Technology. (n.d.). International biometric standards – Worldwide impact on personal authentication applications. ISO/IEC JTC 1/SC 37. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51224

Fernandez-Saavedra, B., Sanchez-Reillo, R., Liu-Jimenez, J., Tomeo-Reyes, I., & Carlos III University of Madrid. (n.d.). Common Criteria and biometric performance testing. https://www.nist.gov/system/files/documents/2020/12/15/231_fernandez.pdf

First smartphones certified by FIDO’s Biometric Component Certification program. (2019, March 22). American National Standards Institute – ANSI. https://www.ansi.org/standards-news/all-news/2019/03/first-smartphones-certified-by-fidos-biometric-component-certification-program-22#

By Wilbert Bean, III

IT Pro | Entrepreneurial Thinker | Global Collaborator | Initiative Creator | Biomimetic Architect | Leader | Critical Infrastructure Protector | Sustainability & Resilience Enthusiast | Cybersecurity Auditor & Assessor https://www.linkedin.com/in/wilbertbeaniii/