ISO/IEC 27533

From MgmtWiki
Revision as of 15:55, 14 July 2023 by Tom (talk | contribs)

This standard, currently in two parts, provides a collection of high-level requirements for biometric authentication on mobile devices.

Part 1 focuses on what the standard refers to as ‘local modes,’ in which biometric data and derived biometric data do not leave the device. In other words, the standard focuses on the protection of biometric data on the device itself, not as it relates to access to remote, off-device services. This standard was approved and published in November 2022.[1]

Part 2, still under development, picks up where Part 1 leaves off and focuses on remote modes, where “the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions.” ISO has additional standards that focus more on biometric attacks and testing biometric algorithms (see the ISO/IEC 30107 Biometric presentation attack detection family and ISO/IEC 19795-1:2021 for testing biometric verification performance). Reviewing the criteria in these standards may go a long way toward helping governments and businesses use biometric data safely and equitably.

References

  1. ISO/IEC 27553-1:2022 Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using Biometrics on mobile devices — Part 1: Local modes. ISO/IEC JTC 1/SC 27. Geneva, Switzerland: ISO, published November 2022. https://www.iso.org/standard/71671.html