Biometrics#
Reference of biometric modalities, recognition standards, performance metrics, and the legal-regulatory context an operator meets in identity verification, border security, forensics, and surveillance work.
For broader cryptographic context, see Cryptographic Primitives. For privacy regulation, see Standards & Regulations. For OSINT- flavoured face / image search, see OSINT Sources.
Modalities#
Modality |
Notes |
|---|---|
Fingerprint |
minutiae-based; the oldest biometric (Henry Faulds 1880). AFIS systems; mobile capture; 10-print + slap-print. |
Face |
2D photographic + 3D structured-light + depth + thermal. |
Iris |
near-infrared imaging; high accuracy; rigid; UAE + IN Aadhaar use at scale. |
Retina |
less common; medical-grade; legacy for high-security. |
Voice |
text-dependent (passphrase) vs text-independent; anti-spoofing essential. |
Hand geometry |
legacy; physical access. |
Vein (palm / finger |
) infrared; harder to spoof than surface biometrics; common in JP banks. |
DNA |
forensic standard; STR + SNP; mtDNA + Y-STR for maternal / paternal lineage. |
Signature |
dynamic (pressure / speed) or static. |
Keystroke dynamics |
behavioral; typing-rhythm. |
Mouse / touch dynamics |
behavioral; gesture pattern. |
Gait |
video-based; surveillance-grade. |
Ear |
alternate face-modality. |
Heart (ECG) |
wearable / medical device. |
Brainwave (EEG) |
experimental. |
Periocular |
eye + brow region; works behind masks. |
Lip movement / visual lip-reading |
speech + visual fusion. |
Combined / multimod al |
industry default for high-stakes use. |
Standards#
Standard |
Notes |
|---|---|
ISO/IEC 19794 |
Biometric data interchange formats; -1 framework, -2 minutiae, -4 finger image, -5 face image, -6 iris, -7 signature, -8 finger pattern skeletal, -9 vascular, -10 hand geometry, -11 signature dynamics, -13 voice, -14 DNA, -15 palmprint. |
ISO/IEC 19785 |
Common Biometric Exchange Formats Framework (CBEFF). |
ISO/IEC 24745 |
biometric template protection. |
ISO/IEC 19792 |
security testing. |
ISO/IEC 30107 |
Presentation Attack Detection (PAD); anti-spoofing. |
ISO/IEC 39794 |
updated container format (replaces 19794-5). |
NIST SP 500-280 |
ANSI / NIST-ITL transmission format; LE-grade. |
NIST FIPS 201 |
PIV standard for US Federal IDs. |
NIST IBIA |
biometric performance reporting. |
ICAO Doc 9303 |
e-passport biometric standard (incl. face minimum, optional iris + finger). |
Performance metrics#
Metric |
Notes |
|---|---|
FMR / FAR |
False Match Rate / False Accept Rate; the security error. |
FNMR / FRR |
False Non-Match Rate / False Reject Rate; the usability error. |
FTE |
Failure-To-Enroll; % of users for whom usable template can’t be captured. |
FTA |
Failure-To-Acquire (per-attempt). |
EER |
Equal Error Rate; FMR = FNMR; single-number summary. |
DET curve |
Detection Error Tradeoff plot. |
CMC curve |
Cumulative Match Characteristic; identification ranking (1-to-N). |
ROC |
Receiver Operating Characteristic. |
APCER / BPCER |
PAD: Attack Presentation Classification Error Rate / Bonafide Presentation Classification Error Rate. |
NIST tests publish per-modality performance benchmarks (NIST FRVT for face, NIST FpVTE for fingerprint, NIST IRVT for iris, NIST SRE for speaker recognition).
National-scale ID systems#
System |
Notes |
|---|---|
India Aadhaar |
1.4B enrolees; 10-finger + iris + face; UIDAI; ABIS by Idemia / Morpho. |
EU Eurodac |
asylum + visa fingerprints; ~10M. |
UK IABS |
now-defunct; replaced by HOIA. |
US IDENT / HART |
DHS biometrics database; transitioning IDENT → HART (~270M records). |
US IAFIS / NGI |
FBI Next Generation Identification; fingerprint + face + iris. |
Mexico CURP |
national ID; with biometrics being added. |
Brazil CPF / RG |
historic ID + biometrics added per state. |
China Public Securi |
ty Cyber Crime Bureau / Skynet, mass face surveillance. |
Russia FSB |
biometric database for residents 2024+. |
Estonia eID |
card + mobile + smart-ID; chip-based. |
Singapore SingPass |
national digital ID; face + voice options. |
UAE Emirates ID |
iris + face + finger. |
Saudi Absher |
biometric digital ID. |
Common products / vendors#
Vendor |
Notes |
|---|---|
Idemia |
French-US; NEC-acquired biometric units; AFIS / iris. |
Thales |
face + finger. |
NEC |
face leader on NIST FRVT; deployed in many AFIS. |
Cognitec / Onfido / Innovatrics |
commercial face. |
Rank One Computing |
open + commercial face. |
Clearview AI |
scraped-photo face-search; LE-only since 2022. |
PimEyes / FaceCheck .id |
commercial face-reverse-search. |
Suprema |
fingerprint hardware + biometric access. |
Crossmatch / HID |
fingerprint scanners. |
Iris ID / Eyelock |
iris scanners. |
Dermalog |
fingerprint + face. |
Aware |
multi-modal SDK. |
Neurotechnology |
VeriFinger / VeriEye / VeriLook SDKs. |
Daon |
mobile-first multimodal. |
ID R&D, Pindrop |
voice + anti-spoofing. |
Veridium |
passwordless multimodal. |
FIDO / WebAuthn#
The non-traditional “biometric” standard for the consumer space: rather than transmit biometric data, FIDO uses device-local biometric unlock (Touch ID, Face ID, Windows Hello) to release a hardware-bound private key.
Standard |
Notes |
|---|---|
FIDO2 |
umbrella; CTAP + WebAuthn. |
WebAuthn |
W3C; browser API. |
CTAP |
FIDO Client-to-Authenticator Protocol; USB / NFC / BLE. |
Passkeys |
FIDO2 + iCloud / Google Password Manager / Microsoft sync; the consumer rollout (2023+). |
Yubikey 5 / 5C |
hardware authenticator; supports FIDO2. |
Titan key |
Google. |
Feitian |
Chinese-origin authenticators. |
SoloKeys |
open-source. |
Nitrokey |
open-source. |
Operator notes#
Aadhaar-scale lessons, 1.4B-record systems generate enormous compliance + abuse risk; UIDAI breach + leak history is instructive.
Spoofing, gummy fingers, printed faces, recorded voice, generated deepfakes; ISO 30107 PAD is the test framework.
Biometric vs token, biometrics are not secret + can’t be revoked; pair with hardware-rooted attestation, not used alone.
Privacy law, BIPA (Illinois) class actions have driven US enforcement; EU AI Act prohibits real-time public-space remote biometric ID with narrow exceptions; UK ICO + NL DPA active.
Cross-border data flows, biometrics are special- category data under GDPR Art 9; rules apply to processing, not just sharing.
Forensic vs identification vs verification, 1-to-N search, 1-to-1 verification, and forensic-grade examination have very different error budgets.
Sanctions / dual-use, some surveillance-grade biometric tech is export-controlled; Wassenaar Arrangement + EU Dual-Use Reg.
References#
BIPA (Illinois Biometric Information Privacy Act)