New Global Standard Aims To Thwart AI-driven ‘Morphing’ Attacks On Biometrics

An international standard has been introduced to help governments and industry defend biometric identification systems against increasingly sophisticated “morphing attacks” – digitally altered images designed to outwit facial recognition technology.

The ISO/IEC 20059 standard, developed by the joint biometrics committee of the International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO), sets out methods to assess how well biometric systems can resist such attacks. Biometric checks are widely used for passports and border controls, relying on unique human traits that are difficult to forge. But the rise of artificial intelligence tools has made it easier to blend the facial features of two people into a single image, potentially enabling multiple individuals to share one identity.

Authorities have already seen real-world cases. A German activist once obtained a passport using a photo morphed from two people to protest the government’s biometric data policies, while Slovenian police in 2021 uncovered more than 40 instances of morphed passports sold to Albanians seeking refugee status in Canada.

Biometric systems must tolerate some natural variation in appearance over time, particularly for passports that can remain valid for a decade. This flexibility can be exploited by attackers. Although morphing attack detection (MAD) tools exist, their accuracy depends on the type of manipulation used, and attackers continually refine their techniques.

The new standard provides a framework to simulate scenarios such as border checks, testing how different biometric systems perform against a range of morphing techniques. It introduces metrics including the “morphing attack classification error rate” and “bona fide sample classification error rate” to measure detection accuracy and overall resilience.
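An added example, not taken from the standard or from any vendor's code, showing how the two error rates can be computed per morphing technique once a detector's threshold is fixed by an acceptable bona fide error rate. It assumes the usual reading of the metrics (MACER as the share of morphs accepted as bona fide, BSCER as the share of bona fide samples flagged as morphs) and a detector whose score rises with morph likelihood. The scores and technique names are constructed.

```python
from collections import defaultdict

# Constructed MAD scores (assumption: higher = more morph-like).
# Technique names are placeholders, not real tools.
BONA_FIDE = [0.02, 0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.22, 0.30, 0.45]
MORPHS = {
    "technique_A": [0.35, 0.60, 0.72, 0.81, 0.90],
    "technique_B": [0.12, 0.28, 0.33, 0.55, 0.64],
}
# Flatten into (label, technique, score) tuples, as an evaluation log would hold them.
SAMPLES = ([("bona_fide", None, s) for s in BONA_FIDE]
           + [("morph", t, s) for t, scores in MORPHS.items() for s in scores])


def bscer(samples, threshold):
    """Share of bona fide samples wrongly classified as morphs."""
    scores = [s for label, _, s in samples if label == "bona_fide"]
    return sum(s >= threshold for s in scores) / len(scores)


def macer_by_technique(samples, threshold):
    """Per morphing technique: share of morphs wrongly classified as bona fide."""
    groups = defaultdict(list)
    for label, technique, s in samples:
        if label == "morph":
            groups[technique].append(s)
    return {t: sum(s < threshold for s in v) / len(v) for t, v in groups.items()}


def threshold_for_bscer(samples, target):
    """Lowest score threshold whose BSCER stays within the target."""
    candidates = sorted({s for _, _, s in samples}) + [float("inf")]
    return next(t for t in candidates if bscer(samples, t) <= target)


if __name__ == "__main__":
    t = threshold_for_bscer(SAMPLES, target=0.10)
    print(f"threshold={t} BSCER={bscer(SAMPLES, t):.2f}")
    for technique, rate in macer_by_technique(SAMPLES, t).items():
        print(f"  {technique}: MACER={rate:.2f}")
```

On this constructed data a single aggregate figure would hide that the detector catches every technique_A morph while missing a large share of technique_B morphs at the same threshold.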

While ISO/IEC 20059 is not a security certification in itself, experts say it will strengthen the global defence against identity fraud. It joins more than 140 biometric standards developed by the IEC and ISO’s SC 37 committee, which also addresses cybersecurity, data privacy and ethical considerations in the growing use of biometric technology.
