3DiVi Inc., founded in 2011, is one of the leading developers of AI and machine learning (ML) technologies for computer vision.
3DiVi News

Enhancing Remote Identification: Strategies and Standards for Secure Identity Verification

Alongside technical measures to prevent attacks during remote identification, it is necessary to implement organizational and managerial measures.

What is meant by organizational measures?

First and foremost, it is important to adhere to industry standards, if available, and to stay informed about the latest threat vectors and limitations of outdated standards in the rapidly evolving landscape of biometric cybersecurity.

For remote authentication, ISO/IEC 30107 establishes the principles for evaluating how effectively a system detects presentation attacks (presentation attack detection, PAD). Because attack vectors change constantly, an organization also needs a managed, continuously updated security process: ISO/IEC 27001 specifies the requirements for such an information security management system (ISMS), and other standards from the ISO/IEC 27000 family apply as well.

As attack scenarios evolve rapidly, especially in the digital world, we can expect new standards, certifications, and testing methods to emerge. A future certification scheme for remote identity verification should define several levels of assurance and cover attacks against both the face biometric and the identity document used in the verification.

Methods for remote authentication have also been analyzed by a dedicated expert group of the European Telecommunications Standards Institute (ETSI) [ETSI - Specialist Task Force 588: Identity Proofing for Trust Service Subjects, https://portal.etsi.org/STF/STFs/STF-HomePages/STF588]. The following standards have been developed:

  • ETSI TR 119 460 Electronic Signatures and Infrastructures (ESI): Overview of technologies and normative requirements for identity proofing of trust service subjects.
  • ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI): Policy and security requirements for identity proofing of trust service subjects, including remote processes.

These standards fill a gap in the earlier European trust-service standards published by ETSI, which defined identity proofing only through general requirements such as "physical presence or equivalent means ensuring physical presence" (derived from Article 24.1 of the eIDAS Regulation). The new documents replace that wording with specific, measurable requirements, including requirements for remote processes.

If human operators are involved in the process, they are a fundamental element of the effectiveness of the result, and their tasks should be easy to perform and easy to control. In this regard, the following control elements can be implemented:

  • Allowing operators to stop and cancel remote identity verification if they have any suspicions without having to provide justifications to the applicant.
  • Assigning a specific registrar to a particular remote identity verification process in a non-predictable manner, so that an applicant cannot know or choose in advance which operator will handle their case.
  • Ensuring proper and continuous training for operators, focused on their role in identity verification as well as social engineering attacks that may tempt them to bypass control measures.
  • Defining and implementing a monitoring process.
  • Providing a secure and well-organized working environment for operators.

Another countermeasure is to design a simple, linear, and understandable process that supports good performance by both users and operators. A complex process causes participants to lose awareness of the actions they are performing, the outcomes they should expect, and the reasons for each step.

A highly effective control that yields tangible, practical results is a reward program (a bug-bounty style scheme) that pays financial incentives to anyone who can evade remote identity verification, either by falsely identifying themselves as another person or by convincing the system that a fake artifact or a recorded video is a live person.

It is also important to adopt a risk-based approach and utilize a reliable risk analysis methodology aligned with best practices to identify current and, most importantly, future and unknown threats.

Governments and other institutions should also play their role by launching external, objective, and unbiased testing frameworks for services available in the market. A good example of such an approach is the Face Recognition Vendor Test (FRVT) conducted by the National Institute of Standards and Technology (NIST) in the United States [NIST - Face Recognition Vendor Test (FRVT),