Welcome to the Strength of Function for Authenticators - Biometrics (SOFA-B) Discussion Draft! We are excited to share these early thoughts and to collaborate on addressing some of the draft's more challenging concepts and propositions.
There are many different methods for authenticating users to applications, devices, and services, from “traditional” user names and passwords, to software one-time passwords, to multiple modalities of biometric systems. Each method brings to the table a unique set of characteristics—both security and usability—as well as potential vulnerabilities. With all these options, and the persistent drive towards stronger authentication, the emerging question is, “How can I compare the security of these technologies and determine which fits my risk environment?” The purpose of the SOFA framework is to provide guidance for measuring, evaluating, and comparing the strength of authentication systems.

But where to start? Given the growing ubiquity of biometric-capable devices and their convenience, they represented the ideal initiation point for the SOFA framework—a diverse and emerging set of technologies with varying performance, configurations, and capabilities—but, typically, with limited security guidance in place. This document attempts to provide a starting point for the overall SOFA framework by identifying the ways in which biometric authenticator strength can be measured and evaluated. It focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate, and Effort.

We have opened the document for discussion specifically to gain community insight on how to address some of the challenging concepts proposed in its pages. Commenters are encouraged to review and provide input on any and all sections, but we are seeking specific feedback on:
The concept of Effort and how it may be evaluated, quantified, and incorporated into the strength of function;
The proposed components of the SOFA-B equation—false match rate, presentation attack detection error rate (a.k.a. spoof detection error), and Effort required to attack the system; and
Existing work or artifacts that could inform and advance the project as well as align it with existing standards.
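Two of the three components named above, False Match Rate and Presentation Attack Detection Error Rate, are measurable quantities, and a reader evaluating a biometric authenticator will want to see how they are obtained from test data. The following is an added illustration, not code from the draft or the SOFA team: it computes FMR at a matcher threshold as the fraction of impostor comparisons accepted, the companion false non-match rate over genuine comparisons, and a PAD error rate as the fraction of presentation attacks that the PAD subsystem accepted as bona fide. The score lists and PAD outcomes are constructed sample data, the "score at or above threshold means accept" convention is an assumption, and the draft does not state how these rates combine with Effort, so no SOFA-B value is computed here.

```python
# Constructed sample data (not from the draft): similarity scores where a
# higher score means the probe looks more like the enrolled template.
IMPOSTOR_SCORES = [0.12, 0.33, 0.41, 0.58, 0.27, 0.63, 0.19, 0.49, 0.71, 0.35]
GENUINE_SCORES = [0.82, 0.91, 0.77, 0.66, 0.95, 0.88, 0.59, 0.93, 0.84, 0.79]

# Constructed PAD outcomes: one entry per presentation attack sample,
# True if the PAD subsystem wrongly classified it as a bona fide presentation.
ATTACKS_ACCEPTED = [False, False, True, False, False, False, False, True, False, False]


def false_match_rate(impostor_scores, threshold):
    """FMR: fraction of impostor comparisons the matcher accepts.

    Assumes the matcher accepts a comparison when score >= threshold.
    """
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """FNMR: fraction of genuine comparisons the matcher rejects (usability cost)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def pad_error_rate(attack_outcomes):
    """PAD error rate: fraction of presentation attacks accepted as bona fide."""
    return sum(1 for accepted in attack_outcomes if accepted) / len(attack_outcomes)


def threshold_for_target_fmr(impostor_scores, target_fmr):
    """Lowest candidate threshold whose FMR is at or below the target.

    Candidate thresholds are the observed impostor scores plus 1.0, so the
    function always returns a value (1.0 rejects every impostor sample).
    """
    for t in sorted(set(impostor_scores)) + [1.0]:
        if false_match_rate(impostor_scores, t) <= target_fmr:
            return t
    return 1.0


def summarize(threshold):
    """Report the error rates an evaluator would record for one operating point."""
    return {
        "threshold": threshold,
        "fmr": false_match_rate(IMPOSTOR_SCORES, threshold),
        "fnmr": false_non_match_rate(GENUINE_SCORES, threshold),
        "pad_error_rate": pad_error_rate(ATTACKS_ACCEPTED),
    }


if __name__ == "__main__":
    for t in (0.6, threshold_for_target_fmr(IMPOSTOR_SCORES, 0.1)):
        print(summarize(t))
```

With these constructed inputs, a threshold of 0.6 accepts two of ten impostor comparisons (FMR 0.2) while rejecting one of ten genuine ones (FNMR 0.1); raising the threshold to 0.71 brings FMR down to 0.1. The PAD error rate is independent of the matcher threshold, which is why the draft treats it as a separate component: a matcher tuned to a very low FMR does nothing about an artefact that the PAD subsystem waves through.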
Commenters are encouraged to provide input through the issue function on GitHub — see this page for details on how to submit a comment. Comments in other forms will be accepted via email sent to email@example.com. We request that all commenters provide specific suggested text to address their comments.
Finally, we want to point out that this is a work in progress and some sections are still under construction. We hope that, with your active participation, we will be able to advance the development of measurement science in the identity space and collaboratively build a framework that improves the ways in which government and business understand and manage identity risk.
-The SOFA Team