1、BSI Standards PublicationPD ISO/IEC TR 29144:2014Information technology Biometrics The useof biometric technologyin commercial IdentityManagement applications andprocessesPD ISO/IEC TR 29144:2014 PUBLISHED DOCUMENTNational forewordThis Published Document is the UK implementation of ISO/IEC TR29144:2
2、014.The UK participation in its preparation was entrusted to TechnicalCommittee IST/44, Biometrics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are respon
3、sible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 68453 1ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Po
4、licy and Strategy Committee on 31 July 2014.Amendments issued since publicationDate Text affectedPD ISO/IEC TR 29144:2014 ISO/IEC 2014Information technology Biometrics The use of biometric technology in commercial Identity Management applications and processesTechnologies de linformation Biomtrique
5、Utilisation de la technologie biomtrique dans les processus et les applications de gestion de lidentit dans le commerceTECHNICAL REPORTISO/IECTR29144First edition2014-07-01Reference numberISO/IEC TR 29144:2014(E)PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E)ii ISO/IEC 2014 All rights reservedCOPYR
6、IGHT PROTECTED DOCUMENT ISO/IEC 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written per
7、mission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandPD ISO/IEC TR 29
8、144:2014ISO/IEC TR 29144:2014(E) ISO/IEC 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 11.1 In scope 11.2 Exclusions 12 Normative references 13 Terms and definitions . 14 Symbols and abbreviated terms . 25 Biometrics and Identity Management Systems 25.1 General . 25.2 B
9、iometrics and identity . 25.3 Identity and biometric identification 25.4 Biometric identifiers 35.5 Human role in biometrics 45.6 Assuring the integrity of the database 46 Biometric considerations in Identity Management Systems 46.1 General . 46.2 Capturing and recording biometric characteristics 46
10、.3 Adhesion of biometric characteristics 56.4 Changes to name, alias and identification data . 76.5 Changes of condition 76.6 Biometric spoofing 76.7 Legitimate use of another identity . 76.8 Other exceptions 86.9 Other issues of importance 87 Implementation issues . 87.1 General . 87.2 Aggregation
11、of databases . 87.3 Strengthening of token and knowledge based identity systems 97.4 Restrictions to accessing data 97.5 Privacy 97.6 Mechanisms for preventing abuse of systems 117.7 Multinational commercial organizations 11Bibliography .12PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E)ForewordISO
12、(the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committee
13、s established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
14、 In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria
15、needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent r
16、ights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name
17、used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical
18、Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 37, Biometrics.iv ISO/IEC 2014 All rights reservedPD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E)IntroductionThis
19、Technical Report provides support for the further development of ISO/IEC biometric standards in the context of cross-jurisdictional and societal applications of biometrics, including standardization of both existing and future technologies.The contents of this Technical Report are recommended practi
20、ces and guidelines and they are not mandatory. Legal requirements of the respective countries take precedence and biometric data should be obtained in accordance with local norms of behaviour. This Technical Report does not reduce any rights or obligations provided by applicable laws. Compliance wit
21、h any recommendations in the Technical Report does not, in itself, confer immunity from legal obligations.Examples of the benefits to be gained by following the recommendations and guidelines in this Technical Report are enhanced acceptance by subjects of systems using biometric technology, improved
22、 public perception and understanding of these systems, smoother introduction and operation of these systems, potential long-term cost reduction (whole life costs), adoption of commonly approved good privacy practice, interoperability both domestically and internationally, and implemented solutions h
23、aving a greater degree of vendor independence.The primary stakeholders are identified as users those who use the results of the biometric data, developers of technical standards, subjects those who provide the biometric sample, writers of system specifications, system architects, and IT designers, a
24、nd public policy makers. ISO/IEC 2014 All rights reserved vPD ISO/IEC TR 29144:2014PD ISO/IEC TR 29144:2014Information technology Biometrics The use of biometric technology in commercial Identity Management applications and processes1 Scope1.1 In scopeThis Technical Report will discuss concepts and
25、considerations for the use of biometrics in a commercial Identity Management Solutions, items that need to be considered when integrating biometrics into a commercial Identity Management Solutions, and implementation Issues when implementing biometrics into commercial Identity Management Solutions.1
26、.2 ExclusionsThis Technical Report will not define an architecture and framework for IDM, discuss any specification or assessment of government policy, discuss the business need for a biometric database or process, discuss the specific biometrics and which ones are to be used in particular systems,
27、consider the legality and acceptability in particular jurisdictions and cultures, analyse the general structure of identifiers and the global identification of objects (e.g. object identifiers), and discuss technical specifications in relation to the use of trusted biometric hardware and software.2
28、Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendmen
29、ts) applies.ISO/IEC 2382-37:2012, Information technology Vocabulary Part 37: Biometrics3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 2382-37:2012 apply.TECHNICAL REPORT ISO/IEC TR 29144:2014(E) ISO/IEC 2014 All rights reserved 1PD ISO/IEC TR 291
30、44:2014ISO/IEC TR 29144:2014(E)4 Symbols and abbreviated termsFor the purposes of this document, the following abbreviated terms apply.DoB Date of BirthIDM Identity ManagementIDMS Identity Management SystemPIN Personal Identification NumberTR Technical Report5 Biometrics and Identity Management Syst
31、ems5.1 GeneralThis Technical Report introduces concepts and considerations for the use of biometrics in a commercial IDMS.It is not the intention of this Technical Report to outline how an IDMS works but only to provide guidance for the use of biometrics. Multipart standard ISO/IEC 24760-1:2011 desc
32、ribes concepts in a suggested IDM framework and this Technical Report will complement the International Standard5.2 Biometrics and identityA biometric capture subject, such as a human being, can be described by many different attributes and different sets of these attributes can form different ident
33、ities.The identity of a human can be characterized uniquely in a biometric system. The term “identifier” is used to refer to one or more attributes in an identity that express uniqueness. This aspect of uniqueness is widely understood as the essence of identity. In the context of IDM, uniqueness is
34、just one of the many aspects to be considered.While an identity can be unique in one system, the individual can still have unique but different identity in one or more other biometric systems. The set of attributes used as an identifier should always be sufficient to distinguish the biometric captur
35、e subject from any other biometric capture subject within a particular system.ISO/IEC 24760 describes a range of identities that a biometric capture subject can have in various circumstances. These include biological identities such as biometrics. If a given biometric identifier is shared with multi
36、ple systems, it is possible to match data in different (or separate) biometric systems about the same identity.When a biometric is introduced into an IDMS, it can only confirm with a level of confidence whether the biometric capture subject is or is not the same person who enrolled the biometric pre
37、viously. In this sense, it is quite misleading to state that a biometric confirms an identity as it can only confirm that the biometric capture subject is the person previously associated with a set of data.5.3 Identity and biometric identificationBiometric identification is the process of comparing
38、 a biometric sample to an enrolled biometric database and returning a list of records from the database (typically ordered by the probability that the person who enrolled the record is the same person who has provided the sample). The matching probability 2 ISO/IEC 2014 All rights reservedPD ISO/IEC
39、 TR 29144:2014ISO/IEC TR 29144:2014(E)thresholds, comparison process and the business rules for the system will determine whether the sample is a match of an existing enrolled sample. This process will enable Identification of a biometric capture subject whose biometric(s) have already been register
40、ed in the biometric database (one-to-many or identification). This does not require any biographic information, Confirmation of an identity when an individual provides a claim of identity (e.g. a passport) is compared to a biometric reference sample (one-to-one or verification.), and Comparison of a
41、 biometric capture subject with a list of biometric reference samples selected using a list of identification references provided by the system where the biometric capture subject sample is compared with each reference sample in turn (watch list matching).Before implementing biometrics into an IDMS,
42、 it is essential to determine the required identification process along with the associated levels of identity assurance. Identity should be defined according to the identification requirements. Consideration should be given to the following which is not exhaustive:a) The identity reference that the
43、 biometric capture subject will use;b) Whether the reliance on evidence of identity is dependent upon the level of activity or access granted, and whether the evidence is based on recent or old activity;c) Identification documents and tokens can be appropriated by others or used with the owners perm
44、ission, for example a membership card or discount card;d) Naming information can change with marriage or in witness protection schemes;e) Biometric data of the biometric capture subject can change over time;f) Biometric capture subject cannot provide a particular biometric if the biometric is missin
45、g or damaged due to injury or disease;g) Behavioural biometric data can vary with each attempt.The risk management approach, in conjunction with appropriate policies and procedures, could provide an acceptable level of assurance when using a biometric identification system.5.4 Biometric identifiersA
46、 wide range of identifiers can be used in a biometric system. The suitability of an identifier has to be assessed to ensure that it will meet the needs of all the system users and deliver a workable solution.There are a number of key discriminators to consider when choosing a particular biometric mo
47、dality. These can include the following: Stability: A biometric should preserve enough features to ensure that any changes will have minimal impact on the systems ability to identify a candidate correctly; Usability: The convenience and ease of use of a biometric is a key driver in the adoption and
48、acceptance of a biometric system. Where possible, sensors should be situated so that all people can use them effectively. The system should respond in a timely fashion and should be easy to manage and maintain;NOTE Further guidance on usability/privacy is given in ISO/IEC TR 24714-1:2008. Privacy: W
49、ith increasing scrutiny and public awareness of biometric systems, the privacy of identities stored within a biometric system should be of the utmost importance. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the biometric data subject;NOTE Further guidance is given in ISO/IEC TR 24714-1:2008 ISO/IEC 2014 All rights reserved 3PD ISO/IEC TR 29144:2014ISO/IEC TR 29144:2014(E)