ISO IEC 30107-3-2023 PDF
Name in English:
St ISO IEC 30107-3-2023
Name in Russian:
Ст ISO IEC 30107-3-2023
Original standard ISO IEC 30107-3-2023, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 30107-3:2023 — Information technology — Biometric presentation attack detection — Part 3: Testing and reporting. This international standard defines principles and methods for performance assessment of presentation attack detection (PAD) mechanisms, prescribes reporting requirements for PAD evaluations, and includes a classification of known attack types (informative annex). It addresses attacks presented to the biometric capture device during presentation and explicitly excludes standardization of specific countermeasure algorithms, sensors or overall system-level vulnerability assessments.
Abstract
This document establishes: (1) principles and methods for the performance assessment of PAD mechanisms; (2) requirements and recommended formats for reporting test results from PAD evaluations; and (3) a taxonomy/classification of presentation attack instrument species (PAIS) and attack types (Annex A). The intent is to provide repeatable, comparable testing approaches and minimum reporting content so stakeholders (vendors, test labs, procurers and certification bodies) can understand and compare PAD performance claims.
General information
- Status: Published (International Standard).
- Publication date: 10 January 2023 (edition 2).
- Publisher: International Organization for Standardization (ISO) / IEC (joint ISO/IEC standard produced by ISO/IEC JTC 1/SC 37 - Biometrics).
- ICS / categories: 35.240.15 (Identification cards and related devices / Biometrics).
- Edition / version: Edition 2.0 (2023), revising and replacing the 2017 edition.
- Number of pages: 39 pages (official publication page count).
Scope
Specifies methods and principles for evaluating PAD mechanisms at different evaluation levels (PAD subsystem, data-capture subsystem, full system) and defines the minimum content and structure of PAD test reports. The standard covers artefact (PAI) properties and creation, test roles and responsibilities, performance metrics specific to PAD (for example: attack presentation accept/reject rates, attack presentation non-response), and considerations for statistical validity and transferability of results. It does not standardize specific anti-spoofing algorithms or sensors, and it does not cover holistic system vulnerability assessments.
Key topics and requirements
- Definitions and taxonomy: clear definitions for bona fide presentation, attack presentation, attacker types (biometric impostor vs biometric concealer) and a classification of PAIS.
- Evaluation levels: guidance for PAD-subsystem, capture-subsystem and full-system testing and how to report each.
- Artefact creation and usage: requirements and recommendations for creating, documenting and using PAIs in tests, including iterative testing to discover effective artefacts.
- Metrics and reporting: standardized metrics for PAD (e.g., Attack Presentation Classification Error Rate, Attack Presentation Non-Response Rate, and related classification metrics), plus required report elements to ensure reproducibility and comparability.
- Statistical considerations: guidance on sample sizes, variability across PAIS, and limits on transferring error rates between different PAIS or applications.
- Conformance and relation to evaluation frameworks: how PAD evaluation can be expressed in established evaluation frameworks (e.g., Common Criteria) and interaction with biometric performance evaluations.
Typical use and users
Primary users include biometric product vendors, independent test laboratories, certification bodies, procurement teams, integrators and researchers. The standard is used to design PAD test plans, run repeatable evaluations, produce consistent test reports for claims verification, and as a reference when specifying PAD requirements in procurement and certification programs. Test labs use it to establish test protocols and metrics; vendors use it to validate countermeasures; procurers and certifiers use it to interpret and compare results.
Related standards
Part of the ISO/IEC 30107 series on biometric presentation attack detection (other parts include Part 1: Terminology and Part 2: Framework). It is commonly referenced alongside biometric performance and security evaluation standards such as ISO/IEC 19792 (security evaluation of biometrics), ISO/IEC 18045 (methodology for IT security evaluation) and other ISO/IEC JTC 1/SC 37 deliverables. National/adopted versions and regional technical reports may also reference this part when specifying PAD testing and certification requirements.
Keywords
Biometrics, presentation attack detection (PAD), presentation attack instrument (PAI), presentation attack instrument species (PAIS), testing, reporting, evaluation metrics, anti-spoofing, PAD subsystem, biometric capture device.
FAQ
Q: What is this standard?
A: ISO/IEC 30107-3:2023 is the international standard that specifies how to test and report on biometric presentation attack detection (PAD) mechanisms — the methods used to detect spoofing or other presentation attacks against biometric capture devices.
Q: What does it cover?
A: It covers test design principles, evaluation levels (PAD subsystem, data-capture, full system), artefact creation and handling, PAD-specific metrics and recommended report contents to ensure tests are reproducible and results comparable. It excludes specification of anti-spoofing algorithms, sensor design and full system vulnerability assessments.
Q: Who typically uses it?
A: Vendors, independent test laboratories, certification bodies, procurers, integrators and researchers use the standard for designing PAD tests, validating countermeasures, and producing or evaluating PAD test reports.
Q: Is it current or superseded?
A: Current — edition 2.0 published in January 2023 supersedes ISO/IEC 30107-3:2017 (the 2017 edition has been withdrawn and replaced by the 2023 edition).
Q: Is it part of a series?
A: Yes — it is Part 3 of the ISO/IEC 30107 series on biometric presentation attack detection; other parts cover terminology, framework and related subjects within the PAD domain.
Q: What are the key keywords?
A: Biometrics, presentation attack, presentation attack detection (PAD), presentation attack instrument (PAI), attack presentation classification, PAD metrics, testing, reporting, anti-spoofing.