Biometrics Insititute logo

Biometric Vulnerability Assessment Methodology

Papers:

Biometrics Institute White Paper on "Biometric Vulnerability: A Principled Assessment Methodology" (August 2008).
Request a copy of this paper by emailing manager_at_biometricsinstitute.org.

Overview:

Although there has been significant recent research into the vulnerability of various biometric systems to spoofing attacks, there is as yet no generally agreed method of assessing the degree of vulnerability in a principled fashion.
Since 2007, the Biometrics Institute has been working on this problem, partly co-funded by the Australian Government through the Department of Prime Minister and Cabinet. The goal is to develop a general methodology for vulnerability assessment applicable  to any biometric system, and to apply it to a number of biometrics. A methodology has been developed and applied to a number of face, fingerprint, voice and iris biometric systems.
The aim of the methodology is to provide, for a given system and method of attack, a level of assurance about the maximum proportion of attacks likely to succeed. This is a practical measure which is readily incorporated into system design. Suggested countermeasures to identified risks are also provided.
Now that this methodology has been developed, the Biometrics Institute intends to use it as the basis for Biometric Vulnerability Assessment Testing.

History:

April - Dec 2010 A commercial test on an iris biometric system was conducted for the Australian government.
October 2008 Milestone 3 focusing on the fingerprint biometric spoofing has been completed successfully. The voice biometric lab has now been set up at University of Canberra.
August 2008 The Biometrics Institute releases a White Paper on "Biometric Vulnerability: A Principled Assessment Methodology". Request a copy of this paper by emailing manager_at_biometricsinstitute.org.
May 2008 The first Milestone of the Biometric Vulnerability Assessment (Finger & Voice) Project has been completed successfully at the end of April on time and on budget. A specific assessment methodology has been developed for the vulnerability of a fingerprint biometric system to deliberate attack by impostors. Milestone 2 is well under way looking at validating the methodology through a series of tests. It is due to be completed by the end of August 2008.
December 2007 The new project, the Biometric Vulnerability Assessment (Finger & Voice) Project is confirmed to start on the 1 February 2008. It will develop the methodology for a finger biometric initially. It will then look at the voice biometric. The project is scheduled to be completed by May 2009.
November 2007 Milestone 3 of the (Face) Project has been completed successfully and has produced of a report that informs decision making of capability developers and managers in users agencies on vulnerability assessments for face biometrics.
October 2007 The Biometrics Institute today announced that it has been approved to receive funding from the Australian Government Department of the Prime Minister under the 2nd Round of the Research Support for Counter-Terrorism Programme for the Biometrics Vulnerability Assessment Extension Project (Finger & Voice). This project will build onto the first project and look at developing a vulnerability assessment methodology for two more biometrics - voice and fingerprint.
July 2007 Milestone 2 of the (Face) Project has been completed successfully and a specific assessment methodology has been developed for the vulnerability of a face biometric system to deliberate attack by impostors.
June 2007

 MANAGING THE RISKS TO TRADE, VS13/2007, 28 June 2007: Speech to Secure Trade in the APEC Region (Star V) Conference, Sydney, 28 June 2007 by The Hon Mark Vaile

"..Let me mention the Biometrics Institute. The Sydney-based Institute draws members from the private and public sector to research and promote the use of biometrics.
At the moment, I'm told the Institute is developing a project to test the vulnerability of various biometrics. Once this project eventually goes commercial, companies would be able to test for risks in biometric products and devise counter-measures to address those risks."

June 2007 The Biometrics Institute today announced that it has completed the first milestone of the Biometrics Vulnerability Assessment Project on time.
The Biometric Vulnerability Assessment Project will develop a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors.
The outcome of the first milestone is a general methodology framework for the assessment of biometric systems vulnerability. A summary paper will be available from the Biometrics Institute website. Comments are welcome and should be addressed to the Project Manager, Isabelle Moeller.
Work on the second milestone is already under way. A specific methodology applicable to a chosen biometric, outlining the capability to test and report on the vulnerability of any individual system, including suggested countermeasures to identified risks is being developed.
“When this methodology has been developed the Biometrics Institute intends to use it as the basis for the Biometric Vulnerability Assessment Service (BVAS), a commercial service offering such assessments both within Australia and overseas”, said  Isabelle Moeller, General Manager, Biometrics Institute Ltd.
Read the full press release
April 2007 Milestone 1 of the BVA (Face) Project has been completed successfully and a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors has been developed.
February 2007

The Biometrics Institute today announced that it has been approved to receive funding from the Australian Government Department of the Prime Minister under the Research Support for Counter-Terrorism Programme for the Biometric Vulnerability Assessment Project.
The Biometric Vulnerability Assessment Project will develop a principled assessment methodology for the vulnerability of biometric systems to deliberate attack by impostors.
The main outcomes will be a general methodology for the assessment of biometric systems vulnerability; and a specific methodology applicable to a chosen biometric (Face), outlining the capability to test and report on the vulnerability of any individual system, including suggested countermeasures to identified risks.
When this methodology has been developed the Biometrics Institute intends to use it as the basis for the Biometric Vulnerability Assessment Service (BVAS).
All research will be carried out in Australia by a consortium led by the Biometrics Institute including Argus Solutions, Biometix, Geoff Poulton Research, NSW Police Force and Queensland University of Technology. It will generate a new Science &Technology capability.