ISO/IEC 27553-2

ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes

(first edition)

Abstract

ISO/IEC 27553 part 2 “provides high-level security and privacy requirements for authentication using biometrics on mobile devices, in particular, for functional components, communication, storage and remote processing. [The standard] is applicable to remote modes, i.e. the cases where: the biometric sample is captured through mobile devices, and the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions. The following are out of scope of this document: the cases where the biometric data or derived biometric data never leave the mobile devices (i.e. local modes), the preliminary steps for biometric enrolment before authentication procedure, and the use of biometric identification as part of the authentication.”

[Source: ISO/IEC 27553-2:2025]

Introduction

Part 2 provides high-level requirements for situations where biometric authentication on mobile devices involves communicating biometric data over the network to a remote authentication server.

Scope

Biometric authentication on mobile devices where biometric information is communicated between the devices and remote services via network connections, as opposed to local modes where the authentication process and data are limited to the devices.

The standard is restricted to authentication, excluding enrolment and identification.

Structure

Main sections: 

  • 5: Security and privacy considerations

  • 6: System description

  • 7: Information assets

  • 8: Threat analysis

  • 9: Security requirements and recommendations

  • 10: Privacy considerations, requirements and recommendations

  • Annex A: Implementation example

  • Annex B: Authentication assurance and assurance level

Status

The current first edition was published in 2025.

Commentary

Involvement of remote services in the authentication process implies network data communication, with the associated confidentiality, integrity and availability implications. It also introduces risks relating to remote storage and processing, such as aggregating, correlating and comparing biometric and other data between various remote and networked systems to glean additional information.

Not being a Subject Matter Expert in authentication, specifically, I am intrigued by obscure terms such as “synthesized wolf biometric samples” and “hill climbing attack”. Presumably these are covered by the numerous cited standards and familiar to authentication SMEs.

It would be challenging to adopt ISO’s version of plain English for such a technical standard.

This page last updated:

2 November 2025

© 2025 IsecT Limited 
