1、BSI Standards Publication PD ISO/IEC TR 29144:2014 Information technology Biometrics The use of biometric technology in commercial Identity Management applications and processesPD ISO/IEC TR 29144:2014 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of ISO/IEC T
2、R 29144:2014. The UK participation in its preparation was entrusted to Technical Committee IST/44, Biometrics. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. U
3、sers are responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 68453 1 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the author
4、ity of the Standards Policy and Strategy Committee on 31 July 2014. Amendments issued since publication Date Text affectedPD ISO/IEC TR 29144:2014 ISO/IEC 2014 Information technology Biometrics The use of biometric technology in commercial Identity Management applications and processes Technologies
5、de linformation Biomtrique Utilisation de la technologie biomtrique dans les processus et les applications de gestion de lidentit dans le commerce TECHNICAL REPORT ISO/IEC TR 29144 First edition 2014-07-01 Reference number ISO/IEC TR 29144:2014(E)PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E)ii IS
6、O/IEC 2014 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or a
7、n intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.
8、org Published in SwitzerlandPD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E) ISO/IEC 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 1.1 In scope 1 1.2 Exclusions 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviated terms . 2 5 Biometric
9、s and Identity Management Systems 2 5.1 General . 2 5.2 Biometrics and identity . 2 5.3 Identity and biometric identification 2 5.4 Biometric identifiers 3 5.5 Human role in biometrics 4 5.6 Assuring the integrity of the database 4 6 Biometric considerations in Identity Management Systems 4 6.1 Gene
10、ral . 4 6.2 Capturing and recording biometric characteristics 4 6.3 Adhesion of biometric characteristics 5 6.4 Changes to name, alias and identification data . 7 6.5 Changes of condition 7 6.6 Biometric spoofing 7 6.7 Legitimate use of another identity . 7 6.8 Other exceptions 8 6.9 Other issues of
11、 importance 8 7 Implementation issues . 8 7.1 General . 8 7.2 Aggregation of databases . 8 7.3 Strengthening of token and knowledge based identity systems 9 7.4 Restrictions to accessing data 9 7.5 Privacy 9 7.6 Mechanisms for preventing abuse of systems 11 7.7 Multinational commercial organizations
12、 11 Bibliography .12PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC par
13、ticipate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmen
14、tal and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are describe
15、d in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the po
16、ssibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the
17、ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
18、 as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 37, Biometrics.iv ISO/IEC 2014
19、 All rights reservedPD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E) Introduction This Technical Report provides support for the further development of ISO/IEC biometric standards in the context of cross-jurisdictional and societal applications of biometrics, including standardization of both existi
20、ng and future technologies. The contents of this Technical Report are recommended practices and guidelines and they are not mandatory. Legal requirements of the respective countries take precedence and biometric data should be obtained in accordance with local norms of behaviour. This Technical Repo
21、rt does not reduce any rights or obligations provided by applicable laws. Compliance with any recommendations in the Technical Report does not, in itself, confer immunity from legal obligations. Examples of the benefits to be gained by following the recommendations and guidelines in this Technical R
22、eport are enhanced acceptance by subjects of systems using biometric technology, improved public perception and understanding of these systems, smoother introduction and operation of these systems, potential long-term cost reduction (whole life costs), adoption of commonly approved good privacy prac
23、tice, interoperability both domestically and internationally, and implemented solutions having a greater degree of vendor independence. The primary stakeholders are identified as users those who use the results of the biometric data, developers of technical standards, subjects those who provide the
24、biometric sample, writers of system specifications, system architects, and IT designers, and public policy makers. ISO/IEC 2014 All rights reserved vPD ISO/IEC TR 29144:2014PD ISO/IEC TR 29144:2014Information technology Biometrics The use of biometric technology in commercial Identity Management app
25、lications and processes 1 Scope 1.1 In scope This Technical Report will discuss concepts and considerations for the use of biometrics in a commercial Identity Management Solutions, items that need to be considered when integrating biometrics into a commercial Identity Management Solutions, and imple
26、mentation Issues when implementing biometrics into commercial Identity Management Solutions. 1.2 Exclusions This Technical Report will not define an architecture and framework for IDM, discuss any specification or assessment of government policy, discuss the business need for a biometric database or
27、 process, discuss the specific biometrics and which ones are to be used in particular systems, consider the legality and acceptability in particular jurisdictions and cultures, analyse the general structure of identifiers and the global identification of objects (e.g. object identifiers), and discus
28、s technical specifications in relation to the use of trusted biometric hardware and software. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited appli
29、es. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 2382-37:2012, Information technology Vocabulary Part 37: Biometrics 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37:2
30、012 apply. TECHNICAL REPORT ISO/IEC TR 29144:2014(E) ISO/IEC 2014 All rights reserved 1PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E) 4 Symbols and abbreviated terms For the purposes of this document, the following abbreviated terms apply. DoB Date of Birth IDM Identity Management IDMS Identity Ma
31、nagement System PIN Personal Identification Number TR Technical Report 5 Biometrics and Identity Management Systems 5.1 General This Technical Report introduces concepts and considerations for the use of biometrics in a commercial IDMS. It is not the intention of this Technical Report to outline how
32、 an IDMS works but only to provide guidance for the use of biometrics. Multipart standard ISO/IEC 24760-1:2011 describes concepts in a suggested IDM framework and this Technical Report will complement the International Standard 5.2 Biometrics and identity A biometric capture subject, such as a human
33、 being, can be described by many different attributes and different sets of these attributes can form different identities. The identity of a human can be characterized uniquely in a biometric system. The term “identifier” is used to refer to one or more attributes in an identity that express unique
34、ness. This aspect of uniqueness is widely understood as the essence of identity. In the context of IDM, uniqueness is just one of the many aspects to be considered. While an identity can be unique in one system, the individual can still have unique but different identity in one or more other biometr
35、ic systems. The set of attributes used as an identifier should always be sufficient to distinguish the biometric capture subject from any other biometric capture subject within a particular system. ISO/IEC 24760 describes a range of identities that a biometric capture subject can have in various cir
36、cumstances. These include biological identities such as biometrics. If a given biometric identifier is shared with multiple systems, it is possible to match data in different (or separate) biometric systems about the same identity. When a biometric is introduced into an IDMS, it can only confirm wit
37、h a level of confidence whether the biometric capture subject is or is not the same person who enrolled the biometric previously. In this sense, it is quite misleading to state that a biometric confirms an identity as it can only confirm that the biometric capture subject is the person previously as
38、sociated with a set of data. 5.3 Identity and biome tric identification Biometric identification is the process of comparing a biometric sample to an enrolled biometric database and returning a list of records from the database (typically ordered by the probability that the person who enrolled the r
39、ecord is the same person who has provided the sample). The matching probability 2 ISO/IEC 2014 All rights reservedPD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E) thresholds, comparison process and the business rules for the system will determine whether the sample is a match of an existing enrolled
40、 sample. This process will enable Identification of a biometric capture subject whose biometric(s) have already been registered in the biometric database (one-to-many or identification). This does not require any biographic information, Confirmation of an identity when an individual provides a claim
41、 of identity (e.g. a passport) is compared to a biometric reference sample (one-to-one or verification.), and Comparison of a biometric capture subject with a list of biometric reference samples selected using a list of identification references provided by the system where the biometric capture sub
42、ject sample is compared with each reference sample in turn (watch list matching). Before implementing biometrics into an IDMS, it is essential to determine the required identification process along with the associated levels of identity assurance. Identity should be defined according to the identifi
43、cation requirements. Consideration should be given to the following which is not exhaustive: a) The identity reference that the biometric capture subject will use; b) Whether the reliance on evidence of identity is dependent upon the level of activity or access granted, and whether the evidence is b
44、ased on recent or old activity; c) Identification documents and tokens can be appropriated by others or used with the owners permission, for example a membership card or discount card; d) Naming information can change with marriage or in witness protection schemes; e) Biometric data of the biometric
45、 capture subject can change over time; f) Biometric capture subject cannot provide a particular biometric if the biometric is missing or damaged due to injury or disease; g) Behavioural biometric data can vary with each attempt. The risk management approach, in conjunction with appropriate policies
46、and procedures, could provide an acceptable level of assurance when using a biometric identification system. 5.4 Biometric identifie rs A wide range of identifiers can be used in a biometric system. The suitability of an identifier has to be assessed to ensure that it will meet the needs of all the
47、system users and deliver a workable solution. There are a number of key discriminators to consider when choosing a particular biometric modality. These can include the following: Stability: A biometric should preserve enough features to ensure that any changes will have minimal impact on the systems
48、 ability to identify a candidate correctly; Usability: The convenience and ease of use of a biometric is a key driver in the adoption and acceptance of a biometric system. Where possible, sensors should be situated so that all people can use them effectively. The system should respond in a timely fa
49、shion and should be easy to manage and maintain; NOTE Further guidance on usability/privacy is given in ISO/IEC TR 24714-1:2008. Privacy: With increasing scrutiny and public awareness of biometric systems, the privacy of identities stored within a biometric system should be of the utmost importance. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent o
