Launch of Level 3 addresses threat of sophisticated, targeted attacks

The growing sophistication of spoof attacks on biometric systems for identity verification and authentication is a well-established concern, recognized by businesses and governments around the world. In response to this worrying situation, iBeta Quality Assurance is introducing Level 3 presentation attack detection testing based on ISO/IEC 30107-3.

Level 3 testing is available for face biometrics to start, iBeta Deputy Director of Biometrics David Yambay says in an interview with Biometric Update. As the most common modality for remote transactions, it is also the modality that the most organizations urgently need protection for.

“As biometric technology continues to get more sophisticated, the people doing attacks and trying to hack into the systems are getting more sophisticated,” iBeta Director of Biometrics Sales and Marketing Evan Call told Biometric Update on the same call. “It just keeps escalating. We saw that happening in the industry and had clients asking us for the next Level of PAD testing. Our goal is to continuously improve our service offering for biometrics testing as the needs of the industry continuously grow.”

The PAD testing to ISO 30107-3 offered by iBeta therefore needed to add a level of sophistication.

What is Level 3?

“Level 3 is a more rigorous form of testing which will include, for instance, custom-made, hyper-realistic masks that we have had a chance to source from around the world,” iBeta Director of Biometrics Ryan Borgstrom explains.

iBeta also developed other kinds of presentation attack instruments (PAIs), and had artists create pieces to mimic the movements prompted by active PAD systems.

Level 3 is “not just the PAI itself, but it's also about creating the environment,” Yambay adds. That means considering how to change lighting and other environmental factors.
The lab carefully considered questions like what resources attackers might have, and how much knowledge they might have of the system they are attacking.

The monetary and time constraints for iBeta’s Level 1 and 2 PAD tests are eased for Level 3. The test still includes a time constraint, but Yambay says, “the tester is going to have a lot of time to think about every attempt they’re going to make. And the goal is to set up a perfect environment, tailored and curated to the systems as best as possible.”

According to Yambay, Level 2 deals with attacks that are not as carefully targeted as those in Level 3, which addresses the threat of attacks carried out with significant background knowledge and funding.

iBeta talked to NIST NVLAP accreditors during the Level 3 creation process, Yambay says, and Call notes that the lab is in regular consultation with broader industry members.

An urgent problem

Level 3 testing is likely to be of interest to any organization involved in financial services, and any other kind of higher-value interaction, in Call’s assessment. It may not be as important for access control to an office, but still applies to “the bulk of the industry,” he says.

That includes consumer-facing companies that have recently joined the trend of getting their PAD systems evaluated, like Grab and Shopee. Governments are also strengthening testing regimes and requirements, in response to the changing threat landscape.

iBeta can perform Level 3 assessments for companies that have done Level 1 and 2 with it or with other labs, though the procedure is slightly different.

The process starts with iBeta engaging with the client company to learn more about their situation, starting with providing an expanded version of the checklist it gives to companies engaging for Level 1 or Level 2 and engaging in a discussion. They then develop a specific solution for that client to achieve Level 3 compliance.
For Level 3 PAD tests, as with Level 1 and 2, organizations are allowed to retry twice following a failure in the Readiness Review Phase and once during the Testing Phase. During the Testing Phase they need to execute a Change Order with iBeta for the hours of testing before the failure.

Borgstrom emphasizes that companies should also be doing their own internal testing and continuous model training. This has become somewhat easier to do with the availability of synthetic data.

Yambay suggests biometrics providers take their time to ensure they are ready for the test, saying “this way they can get the most out of all the testing that we do.”

Adapting with innovation, assurance with standards

iBeta is always looking for new types of tests to serve industry needs, Call says, but developing them takes time.

“We want to take the time to be careful and to develop testing methodologies that are targeted to what the industry needs and responsive to the kinds of spoofing and attacks that are out there in the world,” he says.

The company will consider extending Level 3 to other biometric modalities in the future, and is already considering the development of another test type, Call reveals, though he declines to give any specifics.

iBeta will continue to evolve its testing services, especially as new accreditations come online from bodies like Android, FIDO, Mastercard, ISO and others.

The lab has joined the International Committee for Information Technology Standards (INCITS) M1 Biometrics and M1.5 Biometrics Performance Testing Technical Committees, with Yambay as the primary voter and Borgstrom as the alternate voter. INCITS M1 is the technical advisory group to ISO JTC 1/SC 37 for the U.S., and gives iBeta “a seat at the table” for standards development.
As those discussions and others across the industry take place to advance the standards behind biometrics testing, iBeta will be confirming the compliance of biometric PAD systems to the ISO standard for a whole new level of attacks to continuously contribute to a safer and more secure biometrics industry.