Biometrics Institute Biometric Vulnerability Assessments Biometrics Institute Biometric Vulnerability Assessment Service (BVAS)  Download Information Flyer
Participate in the BVAS Feedback Survey
The Biometrics Institute is offering a new service to its members and other key stakeholders: The Biometrics Institute Biometric Vulnerability Assessment Service (BVAS).
The Biometrics Institute has developed a framework (refer below) to assess the vulnerabilities in a biometrics system and derive useful metrics for the likelihood of an attack succeeding. This likelihood depends on the type of attack, the particular technology being used, and the knowledge of the attacker. Based on this methodology we are now offering a Biometric Vulnerability Assessment Service (BVAS) for the following biometrics:
- Facial
- Fingerprint
- Voice
- Iris
This service addresses a market need by offering an independent assessment of the vulnerabilities of submitted biometric technologies. It will not undertake general overall performance assessments (FAR/FRR).
The aim of the BVAS is to allow those implementing biometric systems to understand which risks need to be mitigated and to provide developers with a target for improving vulnerability to attack. Whilst this is important for all biometrics, we currently can test vulnerabilities for face and fingerprint biometrics and as of mid-2009 voice. Other biometrics will be considered later on. The service has been designed to ensure that the evaluation is cost effective and leads to practical outputs that can be used as part of the risk analysis process for any system using biometrics. It is also hoped that it will spur developments in techniques and procedures that can be used to mitigate biometric vulnerabilities. The existence of BVAS increases the integrity of biometric-based identity management systems, lessening the likelihood of successful imposter attacks on such systems. It also provides a mechanism for continuous improvement of biometric system vulnerability. If you have any queries regarding this service, please email the Technical Committee at technical_committe(at)biometricsinstitute.org. Further reading:
See the 'Common Criteria' Section of the Biometrics Institute website.
See the Mythbuster Video on Fingerprint Spoofing at: (or search www.youtube.com for 'mythbuster biometric')
Biometric Vulnerability Assessment Expert Group (BVAEG)
In May 2010, the Biometrics Institute formed the Biometric Vulnerability Assessment Expert Group (BVAEG). A second meeting of the BVA Expert Group was held in London in October 2010 discussing closer collaboration in the field and a potential workshop during 2011.
The May 2011 meeting confirmed the agenda for the 1st formal full-day BVAEG Meeting in London on the 21 October 2011. 16 attendees attended this by-invitaiton only meeting, the focus of which was to provide updates on the level of research conducted by the various groups. An agenda was then set for a next meeting to set specific outputs for the group.
The BVAEG currently includes the following members:
- Isabelle Moeller, Biometrics Institute
- Ted Dunstone, Biometix
- Geoff Poulton, GP Research
- Nigel Gordon, Communications Electronic Securities Group (CESG)
- Tony Mansfield, National Physical Laboratory (NPL)
- Ralph Breithaupt, Federal Office for Information Security, Germany (Bundesamt for Sicherheit in der Informationstechnik BSI)
- Raul Sanchez-Reillo, University Carlos III of Madrid (UC3M) - Electronic Technology Department
- Elaine Newton, National Institute of Standards and Technology (NIST)
Aim:
The Group was established to raise awareness about the importance of biometric vulnerability assessments and to exchange knowledge and experiences. It is also looking at:
• Developing a common standard and align to SC37
• Having basis for methodology and put experiences it has in practice together
• Raising awareness about the importance of vulnerability assessments and that mitigation is available
Membership:
Membership is by invitation only and Members need to demonstrate their expertise in the field of biometric vulnerability assessments through publication or work in the field. The members are drawn from different countries to have a good balance of information.
Meeting Schedule for the BVAEG
5 March 2012 - Gaithersburg, USA: day prior to the NIST Testing and Evaluation conference.
21 October 2011 - London: One-day by invitation-only Meeting including presentations from members and guests.
9 Sept 2011 - Tampa, Florida - during Consortium conference
15 July 2011 - following the Inaugural Biometrics Institute Singapore Meeting and the SC37 Meeting in Japan
Biometrics Institute Biometric Vulnerability Assessment Methodology (Face) & Extension (Finger & Voice & Iris) Papers:
Biometrics Institute White Paper on "Biometric Vulnerability: A Principled Assessment Methodology" (August 2008).
Request a copy of this paper by emailing manager_at_biometricsinstitute.org. Overview:
Although there has been significant recent research into the vulnerability of various biometric systems to spoofing attacks, there is as yet no generally agreed method of assessing the degree of vulnerability in a principled fashion. Since 2007, the Biometrics Institute has been working on this problem, partly co-funded by the Australian Government through the Department of Prime Minister and Cabinet. The goal is to develop a general methodology for vulnerability assessment applicable to any biometric system, and to apply it to a number of biometrics. A methodology has been developed and applied to a number of face and fingerprint biometric systems. Testing of a voice biometric system will begin in the near future. The aim of the methodology is to provide, for a given system and method of attack, a level of assurance about the maximum proportion of attacks likely to succeed. This is a practical measure which is readily incorporated into system design. Suggested countermeasures to identified risks are also provided. Now that this methodology has been developed, the Biometrics Institute intends to use it as the basis for the Biometric Vulnerability Assessment Service (BVAS), see information above. For an overview on this project, please access the Biometric Vulnerability Assessment Presentation (as at June 2007). History: April - December 2010 - A commercial test on an iris biometric system was conducted for the Australian government. October 2008 - Milestone 3 focusing on the fingerprint biometric spoofing has been completed successfully. The voice biometric lab has now been set up at University of Canberra. August 2008 - The Biometrics Institute releases a White Paper on "Biometric Vulnerability: A Principled Assessment Methodology". Request a copy of this paper by emailing manager_at_biometricsinstitute.org. May 2008 - The first Milestone of the Biometric Vulnerability Assessment (Finger & Voice) Project has been completed successfully at the end of April on time and on budget. A specific assessment methodology has been developed for the vulnerability of a fingerprint biometric system to deliberate attack by impostors. Milestone 2 is well under way looking at validating the methodology through a series of tests. It is due to be completed by the end of August 2008. December 2007 - The new project, the Biometric Vulnerability Assessment (Finger & Voice) Project is confirmed to start on the 1 February 2008. It will develop the methodology for a finger biometric initially. It will then look at the voice biometric. The project is scheduled to be completed by May 2009. 5 November 2007 - Milestone 3 of the (Face) Project has been completed successfully and has produced of a report that informs decision making of capability developers and managers in users agencies on vulnerability assessments for face biometrics. 31 October 2007 - The Biometrics Institute today announced that it has been approved to receive funding from the Australian Government Department of the Prime Minister under the 2nd Round of the Research Support for Counter-Terrorism Programme for the Biometric Vulnerability Assessment Extension Project (Finger & Voice). This project will build onto the first project and look at developing a vulnerability assessment methodology for two more biometrics - voice and fingerprint. 3 July 2007 - Milestone 2 of the (Face) Project has been completed successfully and a specific assessment methodology has been developed for the vulnerability of a face biometric system to deliberate attack by impostors. 28 June 2007 - MANAGING THE RISKS TO TRADE, VS13/2007, 28 June 2007: Speech to Secure Trade in the APEC Region (Star V) Conference, Sydney, 28 June 2007 by The Hon Mark Vaile
[...]
Let me mention the Biometrics Institute. The Sydney-based Institute draws members from the private and public sector to research and promote the use of biometrics.
At the moment, I'm told the Institute is developing a project to test the vulnerability of various biometrics. Once this project eventually goes commercial, companies would be able to test for risks in biometric products and devise counter-measures to address those risks. 7 June 2007 – The Biometrics Institute today announced that it has completed the first milestone of the Biometrics Vulnerability Assessment Project on time.
The Biometric Vulnerability Assessment Project will develop a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors.
The outcome of the first milestone is a general methodology framework for the assessment of biometric systems vulnerability. A summary paper will be available from the Biometrics Institute website. Comments are welcome and should be addressed to the Project Manager, Isabelle Moeller.
Work on the second milestone is already under way. A specific methodology applicable to a chosen biometric, outlining the capability to test and report on the vulnerability of any individual system, including suggested countermeasures to identified risks is being developed.
“When this methodology has been developed the Biometrics Institute intends to use it as the basis for the Biometric Vulnerability Assessment Service (BVAS), a commercial service offering such assessments both within Australia and overseas”, said Isabelle Moeller, General Manager, Biometrics Institute Ltd. Read the full press release 3 April 2007 - Milestone 1 of the BVA (Face) Project has been completed successfully and a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors has been developed. 26 February 2007 - The Biometrics Institute today announced that it has been approved to receive funding from the Australian Government Department of the Prime Minister under the Research Support for Counter-Terrorism Programme for the Biometric Vulnerability Assessment Project.
The Biometric Vulnerability Assessment Project will develop a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors.
The main outcomes will be a general methodology for the assessment of biometric systems vulnerability; and a specific methodology applicable to a chosen biometric (Face), outlining the capability to test and report on the vulnerability of any individual system, including suggested countermeasures to identified risks.
When this methodology has been developed the Biometrics Institute intends to use it as the basis for the Biometric Vulnerability Assessment Service (BVAS).
All research will be carried out in Australia by a consortium led by the Biometrics Institute including Argus Solutions, Biometix, Geoff Poulton Research, NSW Police Force and Queensland University of Technology. It will generate a new Science &Technology capability. For enquiries contact:
Biometrics Institute
Tel: +61 2 9431 8686
Email: manager@biometricsinstitute.org |
