{"id":353068,"date":"2024-10-20T00:55:59","date_gmt":"2024-10-20T00:55:59","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/bsi-pd-iso-iec-tr-291562015\/"},"modified":"2024-10-26T01:00:51","modified_gmt":"2024-10-26T01:00:51","slug":"bsi-pd-iso-iec-tr-291562015","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/bsi\/bsi-pd-iso-iec-tr-291562015\/","title":{"rendered":"BSI PD ISO\/IEC TR 29156:2015"},"content":{"rendered":"
This Technical Report provides guidance on specifying performance requirements for authentication using biometric recognition in order to achieve desired levels of security and usability for the authentication mechanism.<\/p>\n
Guidance addresses issues such as the following:<\/p>\n
the biometric performance metrics that impact security and usability;<\/p>\n<\/li>\n
comparing and quantifying the security and usability of biometrics and other authentication mechanisms, when used alone or in combination;<\/p>\n<\/li>\n
how to combine performance of individual authentication elements in order to meet an overall security and usability requirement;<\/p>\n<\/li>\n
the trade-off between security and usability in applications using biometric recognition;<\/p>\n<\/li>\n
considerations in maintaining security and usability in systems incorporating biometrics.<\/p>\n<\/li>\n<\/ul>\n
The guidance is targeted towards applications that<\/p>\n
use biometrics for the authentication of individuals, and<\/p>\n<\/li>\n
are of small to medium size (in terms of the number of enrolled individuals).<\/p>\n<\/li>\n<\/ul>\n
The guidance does not address the following:<\/p>\n
surveillance systems;<\/p>\n<\/li>\n
systems whose primary aim is to detect and prevent attempts by individuals to create multiple enrolments under different identities;<\/p>\n<\/li>\n
systems with a large and diverse population of enrolees, which can include people with special needs;<\/p>\n<\/li>\n
other systems with a complex mix of functional, security and usability requirements.<\/p>\n<\/li>\n<\/ul>\n
Such large-scale applications are typically the domain of large organizations, and it is assumed that the developers of such systems will have access to appropriate biometric expertise able to provide guidance beyond the scope of this Technical Report.<\/p>\n
This Technical Report does not address biometric modality and technology specific issues, nor does it provide quantitative biometric performance requirements that would satisfy a particular application.<\/p>\n
PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n
---|---
7<\/td>\n | Foreword <\/td>\n<\/tr>\n
8<\/td>\n | Introduction <\/td>\n<\/tr>\n
9<\/td>\n | 1\tScope 2\tNormative references <\/td>\n<\/tr>\n
10<\/td>\n | 3\tTerms and definitions <\/td>\n<\/tr>\n
11<\/td>\n | 4\tAbbreviated terms 5\tAuthentication factors 5.1\tOverview <\/td>\n<\/tr>\n
12<\/td>\n | 5.2\tSecurity and usability of authentication mechanisms <\/td>\n<\/tr>\n
13<\/td>\n | 5.3\tKnowledge-based authentication (PIN, passwords) 5.3.1\tGeneral description with examples <\/td>\n<\/tr>\n
14<\/td>\n | 5.3.2\tSecurity considerations <\/td>\n<\/tr>\n
15<\/td>\n | 5.3.3\tUsability considerations 5.4\tPossession based authentication (tokens, cards) 5.4.1\tGeneral description with examples <\/td>\n<\/tr>\n
16<\/td>\n | 5.4.2\tSecurity considerations <\/td>\n<\/tr>\n
17<\/td>\n | 5.4.3\tUsability considerations 5.5\tPersonal characteristic based authentication (biometrics) 5.5.1\tGeneral description with examples <\/td>\n<\/tr>\n
19<\/td>\n | 5.5.2\tSecurity considerations <\/td>\n<\/tr>\n
20<\/td>\n | 5.5.3\tUsability considerations 5.6\tMulti-factor authentication 5.6.1\tGeneral <\/td>\n<\/tr>\n
21<\/td>\n | 5.6.2\tExample: token and PIN 5.6.3\tImplementation options <\/td>\n<\/tr>\n
22<\/td>\n | 5.6.4\tPerformance requirements for multi-factor authentication 5.7\tComparing security performance of authentication mechanisms <\/td>\n<\/tr>\n
23<\/td>\n | 5.8\tSummary comparison of authentication factors 6\tDetermining biometric authentication security requirements 6.1\tGeneral 6.2\tBusiness requirements <\/td>\n<\/tr>\n
24<\/td>\n | 6.3\tSecurity-enhancing aspects 6.4\tSuitable target figures for false acceptance rates 6.5\tOther considerations in authentication security 6.6\tLimits of authentication assurance <\/td>\n<\/tr>\n
25<\/td>\n | 7\tDetermining biometric authentication usability requirements 7.1\tGeneral 7.2\tAccessibility considerations 7.3\tThroughput <\/td>\n<\/tr>\n
26<\/td>\n | 7.4\tAuthentication failure rate for authorized users <\/td>\n<\/tr>\n
27<\/td>\n | 7.5\tEase of use at point of authentication 7.6\tEase of use for enrolment 7.7\tOther aspects of usability 8\tAdditional considerations in defining biometric security and usability requirements 8.1\tOrganization of requirements <\/td>\n<\/tr>\n
28<\/td>\n | 8.2\tVerification and identification modes of operation 8.3\tStages of authentication <\/td>\n<\/tr>\n
29<\/td>\n | 8.4\tAuthentication assurance and standards 8.5\tApplication-specific performance considerations 8.5.1\tPerformance for business functionality <\/td>\n<\/tr>\n
30<\/td>\n | 8.5.2\tPerformance for identity proofing and enrolment <\/td>\n<\/tr>\n
31<\/td>\n | 8.5.3\tPerformance for identity verification 8.6\tAdditional security related requirements <\/td>\n<\/tr>\n
32<\/td>\n | 8.7\tException handling 8.8\tMulti-factor authentication 8.8.1\tGeneral 8.8.2\tImproved discrimination <\/td>\n<\/tr>\n
33<\/td>\n | 8.8.3\tImprovements in accessibility 8.8.4\tImprovements in usability 8.8.5\tImprovements in overall security 8.9\tDealing with security and usability shortfalls <\/td>\n<\/tr>\n
34<\/td>\n | 8.10\tHypothetical example of quantitative performance requirements <\/td>\n<\/tr>\n
35<\/td>\n | 9\tUse cases 9.1\tGeneral 9.2\tTime and attendance 9.3\tPhysical access control <\/td>\n<\/tr>\n
36<\/td>\n | 9.4\tComputer sign-on <\/td>\n<\/tr>\n
37<\/td>\n | 9.5\tRemote authentication <\/td>\n<\/tr>\n
39<\/td>\n | Annex\u00a0A (informative) Risk assessment <\/td>\n<\/tr>\n
48<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Information technology. Guidance for specifying performance requirements to meet security and usability needs in applications using biometrics<\/b><\/p>\n |