When it comes to criteria and methodology for security evaluation of biometric systems, it is important to keep in mind that no global certification scheme exists yet. The first step taken towards establishing a global scheme was the NVLAP in the United States. Testing biometric systems is extremely important. It helps one understand how these systems operate in critical scenarios and handle sensitive information.

First Approach

According to international or national standards such as ISO/IEC 19989-1:2020, ISO/IEC 19989-2:2020, and ISO/IEC 19989-3:2020, biometric performance testing and reporting requires security standards to be met. ISO/IEC 19792 Security evaluation is the way to go for biometrics. However, it is important to keep in mind that it comes with certain disadvantages, such as the fact that the standard meets only specific requirements.

Second Approach

The second approach is based on other certification schemes. Its common criteria for information security evaluation are less than the ones set by certificates that are internationally recognized. The fact is that the overall evaluation process is far less than the Common Evaluation Methodology (CEM). As for its disadvantages, the general testing methodology and evaluation framework are not entirely adaptable to biometric products. This is something that cannot be overlooked.

Common Criteria and CEM

Diving deeper into the second approach, we look at a more exhaustive evaluation that has specific guidelines for biometric systems. The problem is not a recent one, as the Biometric Technology Evaluation under CC was not as effective as the Biometric Evaluation Methodology Supplement (BEM), which followed in 2002. The ISO/IEC 19792 – BTSE requirements do not fully detail the methodology.

New Guidelines

Now, there are new guidelines in place that can be applied to biometric systems, based on previous works such as the BEM, BTSE, and ISO/IEC 19792. The current versions offer a relation between the biometric testing requirements for covering biometric performance testing and analysis. They make sure that threats are counteracted. A formal methodology is needed to cover analysis of the remaining vulnerabilities that have not yet been specified. The interpretation of the general biometric system, the TOE design, and functional specifications would be considered for the CC testing activities that are required for biometric performance testing.

For the interpretation of a general biometric scheme, you can consider the TOE (Target of Evaluation) as the standing document. The security objectives will be set to ensure correct authentication and identification of users. Specific error rates would also need to be fulfilled for the combination of software and hardware that is involved in verification and enrolment. Finally, you would need to go through the specifications before proceeding.


After you have gone over this post, you will have a basic understanding of the criteria and methodology for security evaluation of biometric systems. Make sure to use the post as a reference point for proceeding further. It aims to help steer you in the right direction.