A new European technical standard, CEN/TS 18099:2025, has been published to address the growing concern over biometric data injection attacks. The standard provides a framework for evaluating how effectively identity verification (IDV) vendors detect and mitigate these attacks, filling a critical gap left by existing regulations.
![Close-up of a person’s face wearing futuristic augmented reality glasses or smart glasses, with digital icons and interfaces overlaid on the lenses, depicting the integration of wearable technology and augmented reality concepts.](https://idtechwire.com/wp-content/uploads/malwareselfie-300x226.png)
Biometric authentication systems face two primary types of attacks: presentation attacks, which involve fraudulent artifacts being presented to biometric capture devices, and injection attacks, which manipulate the data flow by bypassing the biometric sensor entirely, often through virtual cameras or smartphone emulators. The latter is of increasing concern, as many IDV vendors have reported a rise in such attacks.
While ISO/IEC 30107-3 has long been the benchmark for assessing presentation attack detection, the lack of a corresponding standard for injection attack detection has left IDV vendors without a unified methodology to address these digital intrusions. The introduction of CEN/TS 18099:2025 represents a significant step forward in filling this gap.
Akif Khan, VP Analyst at Gartner, commented that the absence of a standard for injection attack detection has been a persistent issue, making it difficult to compare vendors and their solutions. “This is really positive news for the IDV space,” he said, expressing hope that biometric test labs will soon begin offering assessments in conformance with the new standard.
He added that establishing sensible targets and thresholds for evaluation would help distinguish which IDV vendors can meet these new requirements, ultimately benefiting both vendors and buyers looking to make informed security decisions.
CEN/TS 18099:2025 outlines key guidelines for defining, detecting, and mitigating biometric data injection attacks. It characterizes injection attack methods and instruments, offers guidance on implementing detection systems, and provides a structured evaluation framework. In addition to testing the ability of systems to detect and counter injection attack instruments, the standard also includes bona fide presentation testing to assess whether IDV systems correctly classify legitimate users. However, presentation attack testing, which is already covered under ISO/IEC 30107, remains out of scope for this document.
With the adoption of this standard, biometric authentication providers now have a structured guideline for improving injection attack detection mechanisms, enhancing transparency in the IDV market, and strengthening the overall security posture of digital identity verification solutions. The hope is that increased assessment and compliance will create a more secure ecosystem for biometric authentication.
“This should be good news for buyers of IDV solutions—and Gartner analysts who cover the IDV space—who are always striving to differentiate between IDV vendors,” Khan remarked.
Source: iTeh
February 10, 2025 – by Cass Kennedy and Alex Perala