TECHNICAL ISO/IEC TR REPORT 29156 First edition 2015-11-15 Information technology Guidance for specifying performance requirements to meet security and usability needs in applications using biometrics Technologies de I'information -Directives spécifiant les exigences de performance afin d'atteindre la sécurité et les besoins d'utilisation dans les applications biometriques Reference number ISO/IEC TR 29156:2015(E) TEC International Organization for Standardization ANG INST OF STANDARDIZATION C15956617 @IS0/IEC2015 IS0/IEC TR 29156:2015(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISO copyrightoffice Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org Intenatinair ganization for Standardization icensee-ZHEJIANG INSTOF STANDJSA/IEC05-All rights reserved Not for Resale, 2016/3/29 06:09:42 IS0/IEC TR 29156:2015(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope 2 Normative references. 3 Terms and definitions 4 Abbreviated terms .3 5 Authentication factors .3 5.1 Overview .3 5.2 Security and usability of authentication mechanisms ..4 5.3 Knowledge-based authentication (PIN, passwords) 5.3.1 General description with examples 5.3.2 Security considerations 6 5.3.3 Usability considerations .7 5.4 Possessionbasedauthentication(tokens.cards) 7 5.4.1 Generaldescriptionwithexamples .7 5.4.2 Security considerations. .8 5.4.3 Usability considerations. .9 5.5 Personal characteristic based authentication (biometrics) .9 5.5.1 General description with examples .9 5.5.2 Security considerations ..11 5.5.3 Usability considerations ..12 5.6 Multi-factor authentication. ..12 5.6.1 General. .12 5.6.2 Example: token and PIN .13 5.6.3 Implementation options. ..13 5.6.4 Performance requirements for multi-factor authentication. ..14 5.7 Comparing security performance of authentication mechanisms ..14 5.8 Summary comparison of authentication factors. .15 6 Determining biometric authentication security requirements ..15 6.1 General .15 6.2 Business requirements. .15 6.3 Security-enhancing aspects .16 6.4 Suitable target figures for false acceptance rates ..16 6.5 Other considerations in authentication security. ..16 6.6 Limits of authentication assurance .16 7 Determining biometric authentication usability requirements .17 7.1 General .17 7.2 Accessibility considerations. .17 7.3 Throughput. .17 7.4 Authentication failure rate for authorized users ..18 7.5 Ease of use at point of authentication .19 7.6 Ease of use for enrolment. .19 7.7 Other aspects of usability 19 8 Additional considerations in defining biometric security and usability requirements .19 8.1 Organization of requirements 19 8.2 Verification and identification modes of operation 20 8.3 Stages of authentication... 20 8.4 Authentication assurance and standards. 21 8.5 Application-specific performance considerations .21 8.5.1 Performance for business functionality .21 8.5.2 Performance for identity proofing and enrolment .22 iii nsee=ZHEJIANG INST OF STANDARDIZATION C1 5956617 ted without license from IHS Not for Resale, 2016/3/29 06:09:42