BSI TR-03166 Technical Guideline for Biometric Authentication Components in Devices for Authentication

Biometric methods, such as facial or fingerprint recognition, enable fast user authentication for access to sensitive services and data.

On smartphones in particular, biometrics is a popular authentication method for gaining access not only to the device itself but also to applications.

With the use of biometric authentication in numerous areas of application, including healthcare, payment and identification applications, the requirements in terms of security and reliability are continuously increasing.

Compared to PINs/passwords or physical security tokens, biometric authentication is fast and very user-friendly. Biometric features cannot be forgotten or lost. On the other hand, they cannot easily be renewed or changed: each of us has only one face and one right index finger. It is therefore particularly important to know exactly how reliable and also how vulnerable biometric systems really are.

In order to find reliable and comprehensive answers to this question, the BSI has developed the BSI TR-03166 technical guideline for certifying the biometric performance and counterfeit resistance of biometric devices.

The BSI TR-03166 “Technical Guideline for Biometric Authentication Components in Devices for Authentication” defines requirements for biometric systems for three ascending security levels, so-called biometric trust levels: normal, substantial and high, based on the security levels of eIDAS.

Special features of the BSI TR include:

  • Consideration and inclusion of existing standards
  • Test methodologies are based on Common Criteria and ISO/CEN standards
  • Instructions for determining the attack potential
  • Consideration of the combination of biometric features:
    • Multi-modality (e.g. face, finger)
    • Multi-instance (e.g. different fingers)
  • Use of organisational measures to make brute force attacks more difficult
  • Consideration of state-of-the-art presentation attacks

In addition to the Technical Guideline, the BSI provides an ‘Evaluation Guidance’ in which further details on the tests, metrics and best practices for evaluating biometric systems are summarised.


All documents are only available in English.

Comments and questions about the Technical Guideline can be sent to biometrie@bsi.bund.de.