All the Cool Kids Are Performing Injection Attack Detection Testing

I talk endlessly about independent testing of presentation attack detection, but I also occasionally discuss independent testing of injection attack detection: who performs the tests (as more entities do so) and who has been tested.

The testing entities perform the test according to the European Committee for Standardization (CEN) standard CEN/TS 18099:2025.

“This document provides an overview of: 

– Definitions of biometric data injection attacks; 

– Use cases for injection attacks with biometric data on essential hardware components of biometric systems used for enrollment and verification; 

– Tools for injection attacks on systems using one or more biometric modalities. 

This document provides guidance for: 

– Injection Attack Instrument Detection System (defined in 3.12); 

– adequate risk mitigation for injection attack tools; 

– Creation of a test plan for the evaluation of an injection attack detection system (defined in 3.9).”

And Ingenium and BixeLab have developed their own testing methods.

iBeta and Injection Attack Detection Testing

And if you need a third choice of a testing lab, there is one. Via a sponsored post, iBeta joined the party.

“A new testing solution from iBeta Quality Assurance meets a growing need for evaluations of injection attack detection (IAD) products. The lab’s IAD testing launches today, and will be part of what iBeta showcases at Identity Week 2026 in Amsterdam next week. It includes testing up to Level 3, against the European standard CEN/TS 18099:2025, across multiple platforms. And it presages the planned 2027 publication of the ISO/IEC standard dedicated to injection attack testing. iBeta will release an IAD testing solution for the ISO standard when it is released.”

Changes

The Biometric Update quote about the forthcoming ISO/IEC standard illustrates the challenge in testing when standards change and new standards are adopted.

Something the Kantara Initiative recently addressed:

“Kantara Initiative announces the formal publication of the Kantara Initiative International Assurance Program: SP 800-63A-4 Service Assessment Criteria (SAC) & Statement of Criteria Applicability (SoCA), aligned to NIST Special Publication 800-63A Revision 4 – Identity Proofing.

“Following completion of the public review process and consideration of community feedback, the assessment criteria have been finalized and are effective immediately.”

NIST Special Publication 800-63A Revision 4 is the successor to Revision 3. Kantara Initiative previously offered assessments against the older standard, and can now assess against the newer one.

This illustrates the ripple effect of standards revisions…and in the case of injection attack detection, upcoming new standards.

Who is Signing That Docusign Document?

Many of us have been using Docusign for years to electronically sign documents. But how does Docusign know that the person applying John Bredehoft’s signature is really John Bredehoft?

Enter Docusign’s implementation of Identity Assurance Level 2 (IAL2).

As reported by Biometric Update, Docusign published a November 6 post outlining how Docusign has incorporated identity verification technology into its document workflows.

“The Docusign ID Verification for IAL2 Compliance workflow is easy to add to workflows within eSignature and Maestro, part of the Docusign Intelligent Agreement Management (IAM) platform. 

“Before a recipient can access an agreement, they will be required to verify their identity using their existing ID.me or CLEAR account. If needed, they can create a free account with either provider from within the same Docusign workflow. Once verified, they can securely sign and complete their agreement, all in a single, seamless experience.”

So Docusign has integrated with proven IAL2 vendors. See the Kantara Initiative trust status list of certified full service providers, which includes both CLEAR and ID.me for IAL2 and AAL2 (Authenticator Assurance Level 2).

But I have one teeny quibble with whoever writes Docusign’s headlines. The November 6 announcement was entitled “Identity Verification at the Highest Level: Docusign ID Verification for IAL2 Compliance.”

From the Docusign blog, November 6.

As you and I well know, IAL3 (rather than IAL2) is the highest level of identity verification.

But Docusign isn’t ready to jump to THAT level of identity verification…yet.