
Fido Alliance adds a biometrics certification program to help fight spoofing
“The goal of the Biometric Certification Component Program is to provide a framework for the certification of biometric subsystems that can in turn be integrated into FIDO Certified
authenticators,” it writes on its website.
While biometric verification systems such as fingerprint readers have been pretty widely adopted in the mobile space already — with Apple introducing its fingerprint biometric, Touch ID, to
the iPhone a full five years ago; followed, last fall, by a facial recognition biometric (Face ID) for its high end iPhone X — the Alliance says that, up to now, there hasn’t been a
standardized way to validate the accuracy and reliability of biometric recognition systems in the commercial marketplace. Which is where it’s intending the new certification program to come
in.
While few would doubt the robustness of Apple’s biometrics components (and testing regime), the sprawlingly diverse Android marketplace hosts all sorts of OEM players — which inevitably
raises the risk of some lesser quality components (and/or processes) slipping in.
And in recent years there have been plenty of examples of poorly implemented biometrics, especially in the mobile space, with researchers and hobbyists trivially bypassing the facial or iris
recognition on various Android devices.
In 2017, for example, Chaos Computer Club members used a print out of an eye combined with a contact lens to fox iris scanners on the Samsung Galaxy S8. And that was one of the most
sophisticated biometric hacks. Others have just required a selfie of the person to be held up in front of a ‘face unlock’ system to get an easy open sesame.
Where the not-for-profit Alliance comes in (it is an industry group whose board includes security execs from the likes of Amazon, Google and Microsoft, among others) is that it is on a mission to
reduce reliance on passwords for digital security, since passwords inject friction into the online experience.
And biometrics do tend to be convenient, given they are attached to each person. Which is why they have been increasingly finding their way into smartphones and all sorts of other consumer
electronics — from wearables to car tech, helped by component costs shrinking as biometrics adoption grows.
But it’s no good trying to speed up ID verification if the alternatives being reached for are badly implemented — and end up actively damaging security.
Apple’s biometrics are not so easily mocked. And while Touch ID is vulnerable to spoofing, like pretty much any fingerprint reader, its depth-mapping Face ID tech is by far the most
sophisticated biometric implementation in the consumer electronics space to date. And hasn’t been meaningfully hacked (well, barring attacks by identical twins/strikingly similar looking
family members).
So there’s clearly a world of difference (and, well, cost) between a well architected biometric recognition system which puts security considerations front and center, vs the awful sloppy
stuff we’ve seen in recent years — where OEMs were just rushing to compete.
Biometrics has certainly often been treated more as a convenience gimmick for device marketing purposes, rather than viewed as a route to evolve (and even potentially enhance) device
security.
The Alliance’s certification program is using accredited independent labs to test that biometric subcomponents meet what it dubs “globally recognized performance standards for biometric
recognition performance and Presentation Attack Detection (PAD)” — and thus that they are “fit for commercial use”.
A presentation attack is an attempt to fool the sensor with an artefact rather than the live user, such as a silicone or gelatine fingerprint, or harvested facial photos or video of the device
owner; PAD refers to the subsystem's ability to detect and reject such artefacts, and is tested separately from how accurately the system matches genuine users.
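What a lab actually measures under those two headings can be made concrete. The following is an added, editor-written example, not code from the FIDO Alliance, iBeta or any vendor: it computes the matcher's False Accept Rate (FAR) and False Reject Rate (FRR) at a decision threshold, picks the threshold that meets a target FAR, and computes the PAD error rates APCER and BPCER (the ISO/IEC 30107-3 terms for attacks wrongly accepted as bona fide and bona fide presentations wrongly rejected), reporting APCER per attack-instrument species and taking the worst species as the headline figure. All score lists are constructed for the illustration, and the thresholds and target rates are illustrative, not the program's pass criteria.

```python
"""Editor's worked example (not FIDO Alliance or lab code): the two
families of numbers a biometric component evaluation reports.

1. Recognition performance: FAR / FRR of the matcher at a threshold.
2. Presentation Attack Detection: APCER / BPCER of the PAD subsystem,
   as defined in ISO/IEC 30107-3, with APCER reported per attack species.

Every score list below is constructed; targets are illustrative only.
"""
from __future__ import annotations

import math
from typing import Dict, Sequence, Tuple

# Constructed matcher similarity scores (higher = more similar).
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.48, 0.97, 0.86, 0.89]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.52, 0.27, 0.61, 0.19, 0.33, 0.44]  # other people

# Constructed PAD liveness scores (higher = more likely a live subject).
BONA_FIDE = [0.95, 0.88, 0.92, 0.71, 0.83, 0.90, 0.97, 0.86]
# Attack presentations grouped by instrument species (hypothetical data).
ATTACKS: Dict[str, Sequence[float]] = {
    "gelatine_finger": [0.05, 0.12, 0.31, 0.08, 0.22],
    "silicone_finger": [0.15, 0.42, 0.09, 0.27, 0.19],
    "printed_photo":   [0.03, 0.11, 0.07, 0.76, 0.14],  # one artefact scores "live"
}


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """Accept iff score >= threshold.
    FAR = fraction of impostor attempts accepted;
    FRR = fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(impostor: Sequence[float], target_far: float) -> float:
    """Lowest threshold at which FAR on this impostor set does not exceed
    target_far: sit just above the (k+1)-th largest impostor score, where
    k is the number of impostor accepts the target allows."""
    scores = sorted(impostor)
    n = len(scores)
    allowed = math.floor(target_far * n + 1e-12)
    if allowed >= n:                      # target permits accepting everyone
        return scores[0]
    cut = scores[n - 1 - allowed]         # highest score that must be rejected
    return math.nextafter(cut, math.inf)  # smallest float strictly above it


def apcer_bpcer(bona_fide: Sequence[float], attacks: Dict[str, Sequence[float]],
                threshold: float) -> Tuple[float, float, Dict[str, float]]:
    """Classify as bona fide iff liveness >= threshold.
    APCER per species = attacks of that species classified as bona fide;
    headline APCER = worst species (ISO/IEC 30107-3 convention);
    BPCER = bona fide presentations classified as attacks."""
    per_species = {
        name: sum(s >= threshold for s in scores) / len(scores)
        for name, scores in attacks.items()
    }
    apcer = max(per_species.values())
    bpcer = sum(s < threshold for s in bona_fide) / len(bona_fide)
    return apcer, bpcer, per_species


def report(target_far: float = 0.1, pad_threshold: float = 0.5) -> Dict[str, float]:
    """Evaluate both subsystems on the constructed data and return the numbers."""
    t = threshold_for_far(IMPOSTOR, target_far)
    far, frr = far_frr(GENUINE, IMPOSTOR, t)
    apcer, bpcer, per_species = apcer_bpcer(BONA_FIDE, ATTACKS, pad_threshold)
    worst = max(per_species, key=per_species.get)
    return {"match_threshold": t, "FAR": far, "FRR": frr,
            "APCER": apcer, "BPCER": bpcer, "worst_species": worst}


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:>16}: {v}")
```

Note that the per-species breakdown is what matters operationally: in the constructed data the printed-photo artefact is the only species that gets through, which is exactly the kind of cheap attack the examples above describe, and a single pooled APCER would hide it.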
So it looks like the Alliance’s hope for the program is to ‘upskill’ biometric implementations — or at least weed out the really stupid stuff.
“For customers, such as regulated online service providers, OEMs and enterprises, it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint,
iris, face and/or voice recognition can reliably identify users and detect presentation attacks,” it writes.
Speed is another goal too, as it says prior to this certification program due diligence was carried out by enterprise customers (or at least by those “who had the capacity to conduct such
reviews”) — which required biometric vendors to repeatedly prove performance for each customer.
Whereas going forward vendors can use the program to test and certify just once to validate their system's performance and re-use that third-party validation across the market, gaining what
the Alliance bills as “substantial time and cost savings”.
“With biometrics being a popular option for mobile and web applications implementing Fido Authentication, there is a growing need for those service providers to appropriately assess the risk
of fraud from lost or stolen devices,” McDowell added.
Asked whether the program had been introduced in response to particular concerns about weak consumer biometrics — given some of the aforementioned examples of poor implementations — McDowell
also told us: “With the rise of any new technology, there’s a risk that some suppliers may over emphasize visible features at the expense of security considerations as they rush to market.
“This program, motivated by our online services community, mitigates that risk for mobile and desktop biometrics by providing a commercial-grade benchmark and independent lab assessment for
performance features and spoof attack detection security considerations. Another benefit of the program is a clear way for service providers to prove compliance with strong authentication
regulation, which is becoming the norm for financial services. This trend is expected to expand to other sectors as passwords continue to be exploited at increasingly alarming rates.”
Currently only one lab has been accredited to perform components testing for the program.
The lab, iBeta, is located in the U.S. but a spokeswoman for the Fido Alliance told us: “The Alliance is actively working to bring in additional labs.”
She added that the Alliance will update this list as more are added.
This post was updated with additional comment from McDowell
Natasha was a senior reporter for TechCrunch, from September 2012 to April 2025, based in Europe. She joined TC after a stint reviewing smartphones for CNET UK and, prior to that, more than
five years covering business technology for silicon.com (now folded into TechRepublic), where she focused on mobile and wireless, telecoms & networking, and IT skills issues. She has also
freelanced for organisations including The Guardian and the BBC. Natasha holds a First Class degree in English from Cambridge University, and an MA in journalism from Goldsmiths College,
University of London.