IEEE 2410-2021

The Standard for Biometric Privacy provides a biometric-agnostic security protocol for private authentication, identification, and liveness. The SBP implementation need not know whether the underlying system is a machine learning model, a relational database management system (RDBMS) or a search engine. The SBP implementation functionality offers a “point-and-cut” mechanism to add the appropriate security to the production systems as well as to the systems in development. SBP additionally includes the biometric identification which the industry frequently calls the ‘one to many’ case. In the past, biometric identification was not considered because this requires a lookup against previously stored biometrics and this lookup required indexing and storing the biometric in plain text biometric identification. This specification includes biometric identification by using biometric features vectors as input to the enroll endpoint, biometric feature vectors as input to the predict endpoint and either video or audio as input to the liveness endpoint.

This standard provides a biometric-agnostic security protocol for authentication, identification, and liveness.

Revision Standard - Active. The Standard for Biometric Privacy (SBP) provides private identity assertion. SBP supersedes the prior IEEE Std 2410(TM)-2019 by including a formal specification for privacy and biometrics such that a conforming SBP system does not incur GDPR, CCPA, BIPA or HIPAA privacy obligations. Homomorphic encryption ensures the biometric payload is always one-way encrypted with no need for key management and provides full privacy by ensuring plaintext biometrics are never received by the SBP server. The SBP implementation includes software running on a client device and on the SPB server. Pluggable components are used to replace legacy functionality to allow rapid integration into existing operating environments. The SBP implementation allows the systems to meet security needs by using the application programming interface, whether the underlying system is a relational database management system or a search engine. The SBP implementation functionality offers a “point-and-cut” mechanism to add the appropriate security to the production systems as well as to the systems in development. The architecture is language neutral, allowing Representational State Transfer (REST ), JavaScript Object Notation (JSON), and Transport Layer Security (TLS) to provide the communication interface. This document describes the essential methodology to SBP.