
What requirements must biometric technology meet to be secure?

December 22, 2021

Legal & Compliance Director

Veridas: reliability and safety

Technology cannot be conceived simply as functionality but must be accompanied by a series of guarantees to ensure that this functionality is safe for users, something that we at Veridas take care of at every step in the development of our technology.

When we talk about security, we can separate it into two areas that, although they are completely related, are the subject of differentiated analysis:

  • Solution reliability.
  • Information security.

As a whole, they allow us to ensure that the technology being used by the user for different use cases offers the necessary guarantees to avoid fraud, information leaks, etc.

Reliability of the biometric solution

New technologies have arrived to provide simpler and more agile solutions, but the security of the operation they enable must not be overlooked. And here, by the security of the operation, we refer to its reliability.

A clear example of this is when the eIDAS Regulation (EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market) states that the identification of a person may be made by electronic means provided that they “provide security equivalent in terms of reliability to physical presence”. 

Suppliers of these technological solutions must therefore be able to demonstrate that their products meet the minimum security requirements and comply with the stated product specifications.

In the case of biometric identification and verification technology, more and more regulatory frameworks establish what these minimum security requirements should be. We can mention here the aforementioned eIDAS Regulation and its Implementing Regulation (EU Implementing Regulation 2015/1502), Law 6/2020, of November 11, regulating certain aspects of electronic trust services, Order ETD/465/2021, of May 6, regulating remote video identification methods for the issuance of qualified electronic certificates, Annex F11 of the ICT Security Guide CCN-STIC-140, SEPBLAC authorizations, AEPD and European Data Protection Committee guides, and even the European Commission’s proposal for a regulation on Artificial Intelligence. All of them, with greater or lesser technical detail, are laying the foundations of the requirements for biometric technologies.

In the first place, in the case of Artificial Intelligence-based technology, the quality of the databases used for training, testing, and validation, the absence of bias, the accuracy of biometric comparisons, the accuracy when evaluating samples captured at different times, etc., must be guaranteed. These are issues that are analyzed in the evaluations carried out by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, an organization that can be considered the world reference for the evaluation of these technologies.

NIST conducts evaluations – free and open to any public or private developer – of biometric technology accuracy for both verification (1:1) and identification (1:N) cases, with the results being public.

On the other hand, it must be taken into account that biometric recognition technology cannot be based solely on a comparison between two or more faces, voices, etc. At the same time, it must be ensured that the data used for the comparison are legitimate; that is to say, that the person trying to verify their identity is not being impersonated by someone else, but is actually present, alive, and willing to carry out the process.

For this, we must refer to the ISO/IEC 30107 standard, which refers to the detection of presentation attacks or, in other words, to the detection of attempts to impersonate or deceive the system. To this end, solutions must have active and/or passive (depending on whether they require user action) anti-spoofing mechanisms.
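The two properties discussed above, comparison accuracy (the NIST 1:1 and 1:N evaluations) and presentation attack detection (ISO/IEC 30107), are usually reported as error rates computed over a labelled test set. The following Python block is an added example, not code from the original post or from Veridas: all scores in it are constructed, the match rule (score strictly above a threshold) and the function names are my own choices, and it only shows how the metrics are defined, not how any real system scores samples. It computes FNMR at a fixed FMR for 1:1 verification (the form NIST FRVT uses for its operating points), a rank-1 hit rate for 1:N identification, and the ISO/IEC 30107-3 error rates APCER and BPCER for a liveness detector.

```python
"""Biometric accuracy and presentation-attack-detection (PAD) metrics.

All sample data below is constructed for illustration.
Comparison scores: higher = more similar; a pair is declared a match
when its score is strictly above the decision threshold.
Liveness scores: higher = more likely a bona fide (live) presentation.
"""
import math

# --- 1:1 verification (constructed scores) --------------------------------
# Same-person comparisons (should be accepted).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.71, 0.83, 0.90, 0.64, 0.87, 0.93, 0.79]
# Different-person comparisons (should be rejected).
IMPOSTOR_SCORES = [0.12, 0.31, 0.08, 0.45, 0.22, 0.67, 0.15, 0.28, 0.39, 0.19]


def fmr(impostor_scores, threshold):
    """False match rate: share of impostor pairs wrongly accepted."""
    return sum(s > threshold for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores, threshold):
    """False non-match rate: share of genuine pairs wrongly rejected."""
    return sum(s <= threshold for s in genuine_scores) / len(genuine_scores)


def threshold_for_fmr(impostor_scores, target_fmr):
    """Lowest threshold whose FMR does not exceed target_fmr.

    The threshold is derived from the impostor distribution rather than
    chosen by hand, so FNMR can be quoted "at FMR = target".
    """
    allowed = math.floor(target_fmr * len(impostor_scores) + 1e-9)
    ranked = sorted(impostor_scores, reverse=True)
    if allowed >= len(ranked):
        return -math.inf  # every impostor may pass; nothing is rejected
    # With a strict '>' match rule, exactly `allowed` impostor scores lie
    # above the (allowed + 1)-th highest score.
    return ranked[allowed]


def fnmr_at_fmr(genuine_scores, impostor_scores, target_fmr):
    """Operating point: threshold plus the FMR/FNMR it yields."""
    t = threshold_for_fmr(impostor_scores, target_fmr)
    return {"threshold": t,
            "fmr": fmr(impostor_scores, t),
            "fnmr": fnmr(genuine_scores, t)}


# --- 1:N identification (constructed) -------------------------------------
# Each probe: (true gallery id, {gallery id: comparison score}).
PROBES_1N = [
    ("A", {"A": 0.93, "B": 0.22, "C": 0.31}),
    ("B", {"A": 0.18, "B": 0.88, "C": 0.40}),
    ("C", {"A": 0.35, "B": 0.61, "C": 0.57}),  # wrong subject ranks first
    ("A", {"A": 0.77, "B": 0.12, "C": 0.20}),
]


def rank1_hit_rate(probes):
    """Share of probes whose top-scoring gallery entry is the true subject."""
    hits = sum(max(scores, key=scores.get) == true_id
               for true_id, scores in probes)
    return hits / len(probes)


# --- PAD error rates as defined in ISO/IEC 30107-3 (constructed) ----------
BONAFIDE_LIVENESS = [0.91, 0.85, 0.97, 0.78, 0.88, 0.93, 0.69, 0.82]
ATTACK_LIVENESS = [0.05, 0.21, 0.14, 0.52, 0.09, 0.33, 0.18, 0.11]


def apcer(attack_scores, threshold):
    """Attack Presentation Classification Error Rate: attacks passed as live.

    The standard reports this per attack-instrument species; here the
    constructed data represents a single species.
    """
    return sum(s > threshold for s in attack_scores) / len(attack_scores)


def bpcer(bonafide_scores, threshold):
    """Bona fide Presentation Classification Error Rate: live users rejected."""
    return sum(s <= threshold for s in bonafide_scores) / len(bonafide_scores)


def pad_report(bonafide_scores, attack_scores, threshold):
    """APCER/BPCER pair at one liveness threshold (both move in opposition)."""
    return {"apcer": apcer(attack_scores, threshold),
            "bpcer": bpcer(bonafide_scores, threshold)}


if __name__ == "__main__":
    print(fnmr_at_fmr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
    print("rank-1 hit rate:", rank1_hit_rate(PROBES_1N))
    print(pad_report(BONAFIDE_LIVENESS, ATTACK_LIVENESS, 0.5))
```

The point a practitioner should take from the block is that a single "accuracy" number is meaningless without its operating point: lowering the threshold to reduce false rejections raises FMR and APCER, which is why evaluation schemes fix one rate and report the other, and why active and passive anti-spoofing are assessed separately from the comparison algorithm.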

Finally, certification of biometric identity verification products is starting to become available in some sectors. Among the requirements for these certifications, reference is made to those mentioned above (evaluation at NIST, detection of presentation attacks, etc.). In this regard, the Spanish National Cryptologic Center recently published Annex F.11, on video-identification tools, of the ICT Security Guide CCN-STIC-140, which makes these solutions certifiable products.

Veridas' commitment to the reliability of its solutions

Since 2018, Veridas has submitted its technology to periodic NIST evaluations. Currently, it is the only company to have its systems evaluated in all the following categories: Facial Recognition Vendor Test 1:1 Verification (facial biometrics), Facial Recognition Vendor Test 1:N Identification (facial biometrics), and Speaker Recognition Challenge (voice biometrics).

All Veridas systems include anti-spoofing and fraud prevention techniques. In addition, Veridas’ facial recognition system (das-Face) has been certified by iBETA to ISO/IEC 30107-3 Level 1.

Also, to the extent that there are evaluation and certification schemes, Veridas submits its solutions to testing processes by accredited entities, to obtain certificates of compliance with all applicable legal and technical regulations.

This has been the case of the certifications issued by DEKRA Testing & Certification accrediting the compliance of the Veridas solution with the requirements established in the authorizations issued by SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses), by which the subjects obliged by Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing, can use non-face-to-face identification systems (both by video call and video-identification) with their clients.

Also, as a result of the new regulation on non-face-to-face identification for the issuance of qualified certificates by Qualified Trusted Electronic Service Providers (QTSPs), DEKRA has assessed the compliance of Veridas’ solution concerning the requirements of the CCN-STIC-140, Annex F.11 guide (issuing the report that is required until July 2022), and the Lince certification process has been initiated.

Information security

We could speak here of the “layer” that covers the entire solution to make it secure. In other words, once we have a reliable solution in terms of its operation and the accuracy of the results it produces, it is also necessary to ensure that there are no anomalies or security incidents that could “break” this normal activity.

Information security control and management measures do not necessarily have to be specific to biometric technology. On the contrary, we can use evaluations and certifications applicable to any information system.

First, we could talk about information security system certifications. Here we come first to ISO/IEC 27001, the highest international standard for information security management. It is a certifiable standard that guarantees that the company has implemented a management system to manage and protect its assets.

Likewise, at a national level, the National Security Scheme (ENS), initially designed for the Spanish Electronic Administration and already adopted by a multitude of private entities supplying the Public Administrations, establishes the security policy for the use of electronic media and the basic principles and minimum requirements for the adequate protection of information. It could be said that (partly because it is regulated in a Law and Royal Decree) it is a system compatible with ISO 27001, but it adds greater detail and requirements for the implementation and maintenance of an information security system.

Also, at the European level, we could talk about the NIS Directive (and its subsequent update), which establishes the minimum security requirements to improve the security of the networks and information systems of the Member States of the European Union. It is not a certifiable standard, but it is mandatory for certain sectors of activity.

On the other hand, although it is part of the measures evaluated in the previous certifications, the security of connections must be guaranteed. In this sense, we can refer to the security measures applicable to communications, encryption of information in transit and at rest, authentication of websites, etc.

In addition, the security of the software used to provide the service must also be guaranteed. Ensuring that it is free of malware, performing vulnerability analysis, penetration tests, etc., are some of the usual and essential practices for protecting the system against malicious attacks.

Veridas' commitment to information security

As part of its firm commitment to information security, Veridas has implemented an information security system audited and certified under the ISO/IEC 27001 standard and the Information Security Scheme. Veridas has also integrated into its policies and procedures all the obligations derived from the NIS Directive (Royal Decree 43/2021, January 26th).

Internally, and within this information security management system, Veridas has implemented vulnerability analysis and management procedures, multiple service security measures, access controls, change management, information security profile designation, internal and external penetration tests, etc.

In addition, in the process of choosing suppliers, compliance by these entities with all standards and procedures regarding information security is an essential requirement, which is continuously monitored to ensure the security of all steps in our processes.
