I hope you’re sitting down for this…but vendors make assertions that favor themselves. Or in this case “favour,” because the vendor in question is iProov.
The English company shared four questions on independent testing of vendor claims, and I think we can all predict how iProov would answer these four questions.
But that doesn’t negate the importance of the questions:
- Which independent lab(s) tested the system? Not just a vendor red team, or a partner story. An accredited third party.
- Against which standard? ISO/IEC 30107-3, CEN/TS 18099, FIDO Face Verification, or a combination? Defending against the full attack spectrum matters.
- At what level? Substantial, High? If the level isn’t listed, be sure to ask why.
- When? Standards evolve. Threat models evolve faster. Certifications can age quickly.
Yes, you can claim that customer testing is more important than independent testing.
And some have claimed that independent testing is flawed because it doesn’t test properly. (One semi-related example: because FBI EBTS Appendix F assumes that the fingerprints contact the capture surface, it is useless for contactless solutions. The powers that be are working on an alternative.)
But if your solution doesn’t have independent test or conformance results, you’d better have a good reason.
