What is NIST?

NIST (National Institute of Standards and Technology) is a US government institution with an exceptional track record in developing standards and fostering innovation in the technology industry. The institute, which was founded in 1901, has evolved to adapt to the challenges of the digital world, becoming a global benchmark in cybersecurity and biometric technology.

NIST is well-known as a leading body in defining standards and best practices in biometrics.

What is NIST?

NIST is an agency belonging to the United States Department of Commerce whose main mission is to promote industrial competitiveness and innovation.

Among its functions is measuring and evaluating the performance of biometric systems such as facial and voice biometrics.

NIST’s goals in cybersecurity

NIST develops and promotes standards, guidelines, and best practices to protect information systems and improve the resilience of critical infrastructure.

The agency works closely with government institutions and companies to develop recommendations to ensure information confidentiality, integrity, and availability in an increasingly digitised world.

NIST’s goals include fostering interoperability and trust in security systems, which is critical in an environment where cyber-attacks are becoming increasingly sophisticated and frequent. 

NIST’s involvement in global biometrics initiatives

Biometrics has experienced exponential growth in recent years.

In this context, NIST is key to participating in biometrics-related initiatives. Its collaboration with international organisations and governments seeks to establish standards that promote the secure and reliable use of these technologies in different industries, such as border security, anti-fraud, and identification in government systems.

NIST’s participation in these initiatives ensures that the biometric systems used meet requirements and can resist attempts at fraud or tampering. 

In February 2023, NIST met with business executives from Mexico and government officers from New Zealand and Italy to discuss progress on updating the cyber security framework. This dialogue led to a draft roadmap for digital identity management and improved digital identity solutions to make the technology more trustworthy, secure and equitable.

What does NIST assess?

NIST conducts rigorous evaluations and testing of biometric technologies to determine their accuracy, performance and security. Assessment of facial, voice, iris, and fingerprint biometrics ensures that biometric systems used in critical applications are reliable and effective.

Some of the fundamental aspects that NIST evaluates are the accuracy of biometric recognition, resistance to spoofing attacks, and performance stability in a wide range of scenarios.

Through performance testing under controlled conditions in realistic environments, NIST simulates various situations where these technologies can be used, ensuring that the systems are effective in practical cases.

Furthermore, NIST also analyses privacy and data protection issues to ensure that biometric information is handled securely and that individual privacy rights are protected.

What is NIST’s relationship with biometrics?

Since its inception, NIST has been involved in the research and development of biometric technologies, which has given it vast experience in this field. This relationship is based on NIST’s commitment to establishing standards, methods and guidelines related to the secure implementation of biometric systems in applications.

Description of biometric standards developed by NIST

NIST standards are widely recognised and embraced around the world. Some of the most relevant biometric standards are the following:

Facial Recognition Standards

• ANSI/NIST-ITL 1-2011: Image Data Interface Format Specification for Biometric Applications. This standard defines the format for exchanging biometric data, including facial images, among different systems.
• NIST FRVT (Facial Recognition Vendor Test): a series of assessments to assess the performance of facial recognition algorithms.

Iris Recognition Standards

• NIST IRIS Exchange (IREX) assesses iris recognition algorithms and the exchange of iris data among systems.
• NIST Special Database 32 is a database of iris images used to test and evaluate iris recognition algorithms.

Fingerprint Recognition Standards

• NIST Special Database 9: is a database of fingerprint images used to test and evaluate fingerprint recognition algorithms.
• NIST MINEX (Minutiae Exchange): standard for exchanging minutiae (distinguishing characteristics of fingerprints) data among systems.

Voice Recognition Standards

• NIST Speaker Recognition Evaluation (SRE): periodic evaluations to assess the performance of speech recognition systems in speaker identification and verification tasks.

General Biometrics Standards

There are other more generic standards related to biometrics, such as:

• NISTIR 6529-A is a guide for biometric technology assessments that guides evaluating biometric technologies in operational environments.
• NISTIR 7966: this standard sets quality requirements for biometric images used in specific applications.

Face Recognition Vendor Test (FRVT) 

In recent years, numerous evaluation frameworks have emerged and have gradually been overtaken by the improved performance of state-of-the-art biometric systems. To obtain reliable results, databases and a robust protocol must be executed by a trusted external body such as NIST.

To meet these conditions, NIST launched the FRVT program in 2017, which has since become the most popular standard in the industry. Vendors submit their facial biometrics technologies, and NIST assesses their features and performance on different databases replicating different scenarios.

Therefore, the FRVT rigorously evaluates the performance of facial recognition providers using standardised datasets. Vendors submit their face recognition algorithms to tests – also called challenges – designed to simulate realistic situations.

The program is mainly composed of 1:1 FRVTs and 1:N FRVTs. In this sense:

1:1 Face verification

The identity verification operation (checking whether two images correspond to the same individual) is the core element of the biometric engine. Its evaluation allows testing the system’s ability to discriminate between identities. 

1:N Face identification 

It allows performing facial identification operations on a set of previously registered identities. This process ultimately involves performing a series of 1:1 verification operations and ordering the results from the highest to lowest probability of match.

For cases where the database of pre-registered identities is extensive (in the order of hundreds of thousands of users), it is crucial to apply algorithms that reduce the search set so there is no over-dependent relationship between the number of identities and the response time.

Evaluation for Presentation Attack Detection (PAD)

Face recognition systems also face challenges. One of the most critical challenges is presentation attacks (PADs), also known as spoofing attacks. PADs occur when malicious individuals attempt to fool the system using photos, videos or masks to impersonate another person.

To safeguard the integrity and security of the biometric systems, the FRVT has incorporated an assessment to detect this type of attack. In this regard, a specific evaluation is performed to measure the resistance of facial recognition systems against presentation attacks.

Technology providers must demonstrate the effectiveness of their solutions in detecting various forms of attacks, such as masks or printouts on paper, the use of screens (both still image and video), and so forth.

Metrics used for the assessment of biometric systems

NIST uses a wide variety of metrics to evaluate the effectiveness and performance of biometric systems. The metrics differ depending on whether we deal with a 1:1 or 1:N process. Hence:

1:1 Face verification metrics

• Performance: the memory consumed in generating a feature vector, the size of the feature vector, the feature vector generation times and the vector comparison times.
• Classification errors: the core element of the FRVT 1:1 assessment is the calculation of errors committed in different configurations (scenario types and databases). NIST performs hundreds of thousands of checks for each of them and stores the results returned by the biometric system. Once completed, it makes the DET curve and chooses the false rejection rate (FNMR) as the final result corresponding to the point where the false acceptance rate (FMR) takes a predetermined value.
• False rejection rate: represents the proportion of cases where the biometric system does not correctly recognise a legitimate individual. In other words, it is the probability that the system wrongly rejects an authorised person.

• False acceptance rate: measures the probability that the system incorrectly accepts an unauthorised person as legitimate. It is the proportion of cases where the system allows access to an unauthenticated individual.

• Classification error rate: this is the sum of the false rejection and false acceptance rates and is used to assess the overall performance of the biometric system. A lower classification error indicates a more accurate and secure system.

1:N facial identification metrics

• False ID rejection rate: represents the proportion of times the system incorrectly rejects a legitimate ID. It shows the probability that the system does not identify an individual who should be recognised.
• False ID acceptance rate: measures the proportion of times the system incorrectly accepts a non-legitimate ID. It refers to the probability that the system accepts an individual who should not be recognised.
• Identification error classification rate: this is the sum of the two previous rates and represents the probability of an error occurring in the identification process.

Databases for the evaluation of biometric engines

As commented above, NIST uses databases to evaluate the biometric systems of vendors. Some of the most common configurations are:

• Visa: is provided by the US State Department and contains visa and passport images of individuals of different nationalities. It is mainly used to evaluate facial recognition systems in border control and airport identification applications.
• VisaBorder: is specifically used to evaluate facial recognition algorithms in the context of border control and the identification of individuals at borders.
• Mugshot: contains images of prisoners and arrested people provided by police forces. It is used to evaluate the accuracy of facial recognition systems in identifying individuals in mugshot images.
• Border: focuses on border control images and has been used to evaluate facial recognition systems in the context of border surveillance and immigration control.
• Kiosk: This database configuration focuses on images captured in controlled environments of kiosks and similar devices. It provides a diverse set of biometric samples to assess biometric engines in fast and user-friendly interaction applications.
• Wild: this contains biometric images and samples collected in uncontrolled, real-world environments.

Importance of biometrics vendors being evaluated by NIST

Fair and rigorous assessments by NIST have become essential for biometric solution providers. NIST certification provides a competitive advantage in the market, and the results of the challenges attest to the excellence of the technology.

Furthermore, the assessment provides an objective validation of the performance of biometric systems and a comparison with other competitors that can help identify improvements.

Has NIST assessed Mobbeel?