< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27553:2022+ — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices [Part 1 published, part 2 DRAFT]

Introduction

This standard provides high-level requirements for biometric authentication on mobile devices, including functional components and communications.

Biometrics are increasingly used for user authentication on mobile devices.  They are easier to use and harder to steal or fake than conventional passwords and tokens. However, proliferating devices and approaches are fragmenting the market, hence standardization offers advantages for users and manufacturers.

ISO/IEC JTC 1/SC 27/WG 5 is responsible for this standard.

 ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes

• Abstract: “This document provides high-level security and privacy requirements and recommendations for authentication using biometrics on mobile devices, including security and privacy requirements and recommendations for functional components and for communication.” [Source: ISO/IEC 27553-1:2022]
• Scope: biometric authentication on mobile devices. The standard “is applicable to the cases that the biometric data and derived biometric data do not leave the device, i.e. local modes” - in other words, where the user of a mobile ICT device such as a smartphone or tablet PC biometrically authenticates directly to the device such as when logging on to unlock the device, access stored data and run mobile apps.
• Although the outcome of biometric authentication may be used elsewhere (e.g. in cloud or corporate server apps), this standard specifically concerns risks to and protection of the biometrics on the device itself (e.g. fingerprints).
• The standard references ISO/IEC 24745:2022 “Biometric information protection”.
• Content: the main clauses are:
5. Security challenges
6. System description
7. Information assets
8. Threat analysis
9. Security requirements and recommendations
10. Privacy considerations
 

Annexes:

• Implementation example
• Security issues related to communication between agents and servers for authentication using biometric on mobile devices (!)
• An example of authentication assurance and assurance levels
   
• Status: published in November 2022.
• Personal comments: as a generic standard, it addresses commonplace information risks that typically arise in relation to biometrics on mobiles. In practice, we should manage (identify, evaluate, treat and monitor) the actual information and privacy risks in real-world situations, including any that may not have been identified in this standard. That is context-dependent e.g. the information risks relating to my biometrics on my cellphone are similar but not entirely the same as the king’s or president’s since the impacts of any incidents may be materially different.

ISO/IEC 27553-2  — Information technology — Security techniques — Security and Privacy requirements for authentication using biometrics on mobile devices —
Part 2: Remote modes [DRAFT]

• Abstract: [TBA]
• Scope: [TBA]
• Content: [TBA]
• Status: part 2 is at Preliminary Work Item stage.

< Previous standard      ^ Up a level ^      Next standard >