What is the value of a FIDO biometric certificate?
FIDO biometric certification is based on ISO standards [1], with requirements developed by the FIDO Alliance, an international authority of stakeholders from industry, government, and subject matter experts, and offered by a FIDO-accredited network of laboratories worldwide.
For the first time ever, the certification programs assess a biometric system’s performance across different demographics, including skin tone, age, and gender, i.e., biometric system bias.
What is the difference between the Biometric Component Certification and Identity Verification Face Verification Certification programs?
The FIDO Alliance has two biometric evaluation certification programs:
- Face verification program for remote biometric identity verification technology (verifying a user against a trusted identity document), which tests and certifies performance for accuracy, liveness, and bias. Certification requirements and other policy documents are located here.
- Biometric component certification program for biometric verification technology (authentication of users), which tests and certifies performance, considering accuracy, liveness, and bias. Certification requirements and other policy documents are located here.
Why did the FIDO Alliance introduce the Face Verification Certification program?
The Face Verification Certification program comes at a time of soaring demand for face biometric identity solutions and recognition of the importance of robust enrollment and identity re-binding processes to the overall security of digital transactions. It consists of 10,000 tests at a minimum and assesses a biometric system’s performance across different demographics, including skin tone, age, and gender. It measures resistance to spoof and deepfake attacks with Imposter Attack Presentation Accept Rate (IAPAR), and also assesses the usability and security of solutions by measuring False Reject Rate (FRR) and False Accept Rate (FAR). The certification also tests “selfie match” capabilities to ensure that a user’s “selfie” matches the face portrait associated with their government-issued ID in the initial account setup process.
What is the value for Biometric Vendors?
- Independent validation of biometric performance
- Opportunity to understand gaps in product performance to then improve and align with market demands, considering accuracy, fairness and robustness against spoofing attacks
- Demonstrate product performance to potential customers
- Improve market adoption by holding an industry-trusted certification
- Leverage one certification for many customers/relying parties
- Benefit from FIDO delta and derivative certification for minor updates and customer extendability
- Reduce need to repeatedly participate in vendor bake-offs
What is the value for Relying Parties?
- Independent third-party validation by a government-recognized certification body and world-renowned, independent accredited labs
- Assessment of biometric performance considering accuracy, fairness and robustness against spoofing attacks
- Assessment of a biometric system’s performance across different demographics, including skin tone, age, and gender, i.e., biometric system bias
- Provides consistent, independent evaluation of vendor products, eliminating the burden of maintaining their own program for evaluating biometric products
- Complements usage of passkeys by providing a certified approach for possession-based account enrollment and recovery
- Commitment to ensure quality products for customers of the relying parties
- Requirements developed by a diverse, international group of stakeholders from industry, government, and subject matter experts
- Conforms to ISO standards [1] for biometric performance (ISO 19795) and presentation attack detection (ISO 30107)
- FIDO Annex published in ISO standards [1]
What is the value of accredited laboratories?
Laboratories are available worldwide and follow a common set of requirements and rigorous evaluation processes, defined by the FIDO Alliance Biometrics Working Group (BWG) and following all relevant ISO standards [1]. Laboratories are audited and trained by the FIDO Biometric Secretariat to ensure continuity of testing across different accredited labs, that the testing methodologies are compliant, and that governance mechanisms are used in accordance with FIDO requirements. Laboratories perform biometric evaluations in alignment with audited FIDO accreditation processes. Bespoke, single-laboratory biometric evaluations may not have sufficient trust from relying parties for authentication and remote identity verification use cases.
A listing of FIDO Biometric Component Accredited Laboratories is located here.
A listing of FIDO Identity Verification Accredited Laboratories is located here.
What is the difference between FIDO and other evaluation programs?
Other programs, such as NIST FRTE and DHS RIVTD, perform evaluations of biometric solutions for specific government use cases. While this testing is an important step towards realizing high-performing solutions, it does not result in a certification.
The FIDO biometric certification programs are focused on a scenario evaluation of full end-to-end solutions which include user interface, image capture, quality software, matching comparison, and presentation attack detection. The result of the evaluation is a certification.
FIDO evaluation is focused on two specific use cases: (1) Biometric Component Certification for authentication and (2) Face Verification for Remote Identity Verification Certification. Vendors may choose and contract with a set of accredited laboratories around the world listed here (biometric component) and here (face verification).
Does FIDO Certification conform to ISO standards?
All FIDO Biometric Certifications conform to ISO standards [1]. Additionally, two ISO standards (ISO 30107-4 and ISO 19795-9) and one under development (ISO 19795-10) include an Annex that is specific to FIDO Certification for both biometric performance and presentation attack detection. They are listed below:
ISO/IEC 30107-4:2020 Information technology — Biometric presentation attack detection — Part 4: Profile for testing of mobile devices
- FIDO Annex, published 2024
ISO/IEC 19795-9:2019 Information technology — Biometric performance testing and reporting — Part 9: Testing on mobile devices
- FIDO Annex, published 2019
ISO/IEC 19795-10:2024 Information technology — Biometric performance testing and reporting — Part 10: Quantifying biometric system performance variation across demographic groups
- FIDO Annex, under development
[1] ISO standards to which FIDO Certification conforms:
Terminology
ISO/IEC 2382-37:2022 Information technology — Vocabulary — Part 37: Biometrics
Presentation Attack Detection
ISO/IEC 30107-3:2023 Information technology — Biometric presentation attack detection — Part 3: Testing and reporting
ISO/IEC 30107-4:2020 Information technology — Biometric presentation attack detection — Part 4: Profile for testing of mobile devices
- FIDO Annex, published 2024
Performance (e.g. FRR, FAR)
ISO/IEC 19795-1:2021 Information technology — Biometric performance testing and reporting — Part 1: Principles and framework
ISO/IEC 19795-9:2019 Information technology — Biometric performance testing and reporting — Part 9: Testing on mobile devices
- FIDO Annex, published 2019
Bias (differentials due to demographics)
ISO/IEC 19795-10:2024 Information technology — Biometric performance testing and reporting — Part 10: Quantifying biometric system performance variation across demographic groups
- FIDO Annex, under development
Laboratory
ISO/IEC 17025:2017, General requirements for the competence of testing and calibration laboratories