< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27553:2022+ — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices [part 1 published,
part 2 DRAFT]

Introduction

This standard provides high-level requirements for biometric authentication on mobile devices, including functional components and communications.

Biometrics are increasingly used for user authentication on mobile devices. They are easier to use and harder to steal or fake than conventional passwords and tokens. However, proliferating devices and approaches are fragmenting the market, hence standardization offers advantages for users and manufacturers.

ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes (first edition)

• Abstract: “[ISO/IEC 27553-1] provides high-level security and privacy requirements and recommendations for authentication using biometrics on mobile devices, including security and privacy requirements and recommendations for functional components and for communication. [ISO/IEC 27553-1] is applicable to the cases that the biometric data and derived biometric data do not leave the device, i.e. local modes.” [Source: ISO/IEC 27553-1:2022]
• Scope: biometric authentication on mobile devices.
• The standard applies where the user of a mobile ICT device such as a smartphone or tablet PC biometrically authenticates directly to the device such as when logging on to unlock the device, access stored data and run mobile apps.
• Although the outcome of biometric authentication may be used elsewhere (e.g. in cloud or corporate server apps), this standard specifically concerns risks to and protection of the biometrics on the device itself (e.g. fingerprints).
• The standard references ISO/IEC 24745:2022 “Biometric information protection”.
   
• Content: the main clauses are:
5. Security challenges
6. System description
7. Information assets
8. Threat analysis
9. Security requirements and recommendations
10. Privacy considerations
 

Annexes:

• Implementation example
• Security issues related to communication between agents and servers for authentication using biometric on mobile devices [!]
• An example of authentication assurance and assurance levels
   
• Status: the first edition of part 1 was published in 2022.
• Personal comments: as a generic standard, it addresses commonplace information risks that typically arise in relation to biometrics on mobiles. In practice, we should manage (identify, evaluate, treat and monitor) the actual information and privacy risks in real-world situations, including any that are not explicitly identified and accurately described in this standard. That is context-dependent - for instance, the information risks relating to my biometrics on my cellphone are broadly similar but not entirely the same as, say, the king’s or yours, not least because the impacts of any incidents would probably be materially different. Aside from the security and privacy implications arising, there may also be different assurance requirements relating to biometric authentication.

ISO/IEC 27553-2  — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices —
Part 2: remote modes [DRAFT]

• Abstract: “[ISO/IEC 27553-2] provides high-level security and privacy requirements for authentication using biometrics on mobile devices, including security and privacy requirements for functional components, for communication and for remote processing. [ISO/IEC 27553-2] is applicable to remote modes, i.e.,the cases that: the biometric sample is captured through mobile devices; the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions. The cases that the biometric data or derived biometric data never leave the mobile devices (i.e., local modes) are out of scope for [ISO/IEC 27553-2].” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11 May 2025]
• Scope: biometric authentication on mobile devices where biometric information is communicated between the devices and remote services via network connections, as opposed to local modes where the authentication process and data are limited to the devices. The standard is restricted to authentication, excluding enrolment and identification.
• Content: the main clauses cover:

5. Security and privacy considerations

6. System description

7. Information assets

8. Threat analysis

9. Security requirements and recommendations

10. Privacy considerations, requirements and recommendations
 

Plus 2 annexes:

A. Implementation example

B. Authentication assurance and assurance level
 

• Status: part 2 is at Final Draft International Standard stage, with publication expected any day now.
• Personal comments: involvement of remote services in the authentication process implies network data communication with associated confidentiality, integrity and availability implications, as well as risks relating to the remote storage and processing (such as aggregating, correlating and comparing biometric and other data between various remote and networked systems to glean additional information).

Although language issues are common in draft standards, I am a little distracted by inconsistent/inaccurate use of key terms such as risk, threat and vulnerability in the CD, begging questions about the integrity of the model and analysis underpinning this standard - but that may simply be a trivial editorial matter and misinterpretation on my part.

Not being a Subject Matter Expert in authentication, specifically, I am intrigued by obscure terms such as “synthesized wolf biometric samples” and “hill climbing attack”. Presumably these are covered by the numerous cited standards and familiar to authentication SMEs.

It would be a challenge for this standard to adopt ISO’s version of plain English.

< Previous standard      ^ Up a level ^      Next standard >