Biometric Component Certification
Biometric user verification has become a popular way to replace passwords and PINs, but the lack of an industry-defined program to validate performance claims has led to concerns over variances in the accuracy and reliability of these solutions. To fill this gap, the FIDO Alliance launched the Biometric Component Certification Program – the first such program for the industry at large. The program uses accredited independent labs to certify that biometric subcomponents meet globally recognized standards for biometric recognition performance and Presentation Attack Detection (PAD) and are fit for commercial use.
The FIDO Alliance aims to deliver several benefits to providers and users of biometric recognition systems through the new Biometric Component Certification Program. Until now, due diligence was performed primarily by large enterprise customers who had the capacity to conduct such reviews. This required biometric vendors to repeatedly prove performance for each customer. The FIDO Alliance program allows vendors to test and certify only once to validate their system’s performance and re-use that third-party validation across their potential and existing customer base, resulting in substantial time and cost savings.
“The lack of standards has long been an issue in biometrics, forcing security professionals to ‘get deep in the weeds’ to not only understand the attributes that are important but subsequently evaluate vendors on those attributes. An unbiased Alliance-based certification program expedites solution evaluation for companies but also eases adoption by providing assurances to the C-suite of proper choice.”
Frank Dickson, Research Vice President, IDC
For customers, such as regulated online service providers, OEMs and enterprises, the new certification program provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks.
The Biometric Component Certification Program introduces biometric requirements to the FIDO Certification Program. Its goal is to provide a framework for the certification of biometric subsystems that can in turn be integrated into FIDO Certified authenticators.
Biometric Component Certification Process
FIDO Alliance’s Biometric Component Certification Program is independent of its other certification programs. There are no FIDO certification prerequisites to apply for biometric component certification for a subsystem. Once a biometric subsystem has been certified, there are rules for how it can be integrated into an authenticator seeking FIDO Authenticator Certification. These rules are described in the Allowed Integration Document and are defined by the biometric vendor during the biometric component certification process.
The use of a certified biometric component is optional for level 1 and level 2 FIDO authenticators. At level 3 and higher, an authenticator shall use a certified biometric component if a biometric modality is used for authentication.
The following figure and paragraphs explain the overall certification process for a biometric component.
To apply for certification of a biometric component, the developer first needs to apply for an account via the account request form. After this account has been created, the developer can log in to the Biometric Dashboard and issue a request for certification.
FIDO Alliance’s biometric component certification secretariat reviews the application and notifies the vendor whether it is approved, rejected, or requires clarification.
In this step of the overall process the vendor submits the biometric component to a FIDO accredited biometric laboratory along with its required documentation. A time estimate is provided by the accredited laboratory; vendor and laboratory agree on the cost involved for testing.
The FIDO Accredited biometric laboratory is responsible for testing against the requirements through a combination of online and offline live subject testing. The first step in the certification process is demonstrated below.
An allowed integration document is used to document the changes that may be necessary to accommodate integration of the biometric component into an authenticator. The allowed integration document must be drafted by the vendor and provided to the accredited biometric laboratory.
A list of FIDO Accredited Biometric Laboratories is available on the FIDO website.
The accredited laboratory performs testing and returns a laboratory report to the vendor and to FIDO’s biometric certification secretariat. The report also includes the review of the allowed integration document. The laboratory must validate that the changes will not impact fulfilling the requirements.
FIDO Alliance’s biometric component certification secretariat reviews the laboratory report and makes a decision to approve, reject, or ask for clarification.
After the laboratory report has been approved, the vendor completes a certification request. The certification request also includes metadata to be added to the metadata service to describe the certified biometric subsystem (see FIDO Metadata Service).
FIDO Alliance provides information to relying parties regarding FIDO authenticators through the FIDO Metadata Service. This information can be used by relying parties for purposes such as determining whether it accepts the authenticator or enables certain privileges (e.g., checking an account balance vs. transferring funds).
The biometric-related information that the FIDO Metadata Service provides includes the following:
- Biometric Certification Level
- Self-Attested False Accept Rate (FAR)
- Self-Attested False Reject Rate (FRR)
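As an added illustration (not FIDO Alliance code), a relying party could apply this metadata to gate privileges as follows. Field names are assumed to follow the MDS3 metadata statement and BLOB entry layout; the thresholds, action names and sample entries are constructed.

```python
# Added example: relying-party policy over biometric metadata (FAR only).
# Field names are assumed from the MDS3 layout; all values are constructed.
BIOMETRIC_METHODS = {"fingerprint_internal", "faceprint_internal",
                     "eyeprint_internal", "voiceprint_internal"}

# Constructed policy: action -> (minimum cert level, maximum acceptable FAR).
POLICY = {"check_balance": (0, 1e-3), "transfer_funds": (1, 1e-4)}

def biometric_summary(entry):
    """Return (cert_level, worst_far) for the biometric path of one entry.

    worst_far is None when no biometric method is declared or when any
    biometric method lacks a self-attested FAR, so callers fail closed.
    """
    reports = entry.get("biometricStatusReports", [])
    # ISO dates sort lexicographically, so max() picks the newest report.
    latest = max(reports, key=lambda r: r.get("effectiveDate", ""), default={})
    level = latest.get("certLevel", 0)
    fars = []
    details = entry.get("metadataStatement", {}).get("userVerificationDetails", [])
    for combination in details:          # alternatives offered to the user
        for method in combination:       # methods combined in one alternative
            if method.get("userVerificationMethod") in BIOMETRIC_METHODS:
                fars.append(method.get("baDesc", {}).get("selfAttestedFAR"))
    if not fars or any(far is None for far in fars):
        return level, None
    return level, max(fars)              # highest FAR is the weakest method

def allowed_actions(entry, policy=POLICY):
    """Actions the biometric path may unlock under the constructed policy."""
    level, far = biometric_summary(entry)
    if far is None:
        return set()
    return {action for action, (min_level, max_far) in policy.items()
            if level >= min_level and far <= max_far}

def _entry(method, reports):
    """Build a constructed sample entry with one verification method."""
    return {"biometricStatusReports": reports,
            "metadataStatement": {"userVerificationDetails": [[method]]}}

CERTIFIED = _entry(
    {"userVerificationMethod": "fingerprint_internal",
     "baDesc": {"selfAttestedFAR": 0.00002, "selfAttestedFRR": 0.03}},
    [{"certLevel": 1, "modality": "fingerprint_internal",
      "effectiveDate": "2024-01-15"}])
UNCERTIFIED = _entry(
    {"userVerificationMethod": "faceprint_internal",
     "baDesc": {"selfAttestedFAR": 0.0005, "selfAttestedFRR": 0.05}}, [])
NO_FAR = _entry({"userVerificationMethod": "fingerprint_internal"}, [])
```

Under this policy the certified entry unlocks both actions, the uncertified one only the low-risk action, and the entry with no self-attested FAR unlocks nothing.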
Submitting metadata to the FIDO Metadata Service is optional. However, metadata must be submitted during the biometric component certification process and will be verified for accuracy and completeness during the laboratory evaluation.
FIDO Alliance reviews and, if complete, approves the certification request and issues a biometric component certificate.
Metadata Submission to MDS (Optional)
The vendor has the option to submit Metadata to the FIDO Metadata Service (MDS).
Biometric Certification Fees
- FIDO Member: $10,000 USD
- Non-Member: $13,000 USD
The documents for Authenticator Certification include:
- Biometric Component Certification Policy: This policy governs the biometric certification aspects of the FIDO Certification Program. It defines the overall process of the biometric certification and also answers questions around recertification.
- FIDO Authenticator Vendor NDA: Non-disclosure Agreement to be signed by Authenticator Vendors (Implementers) completing Biometric Certification.
- FIDO Biometric Certification Requirements: This document defines the requirements and test procedures for biometric component certification. It contains the requirements for the performance of the biometric authenticator as well as requirements on Presentation Attack Detection.
- FIDO Authenticator Metadata Requirements: This document defines the authenticator metadata requirements referenced in the biometric component certification requirements.
- FIDO Allowed Integration Document template: This document contains a template for an Allowed Integration Document for a biometric component.
Biometric Implementer Dashboard
Implementers can log in to view their Dashboard.