Biometrics#

Reference of biometric modalities, recognition standards, performance metrics, and the legal-regulatory context an operator meets in identity verification, border security, forensics, and surveillance work.

For broader cryptographic context, see Cryptographic Primitives. For privacy regulation, see Standards & Regulations. For OSINT- flavoured face / image search, see OSINT Sources.

Modalities#

Modality

Notes

Fingerprint

minutiae-based; the oldest biometric (Henry Faulds 1880). AFIS systems; mobile capture; 10-print + slap-print.

Face

2D photographic + 3D structured-light + depth + thermal.

Iris

near-infrared imaging; high accuracy; rigid; UAE + IN Aadhaar use at scale.

Retina

less common; medical-grade; legacy for high-security.

Voice

text-dependent (passphrase) vs text-independent; anti-spoofing essential.

Hand geometry

legacy; physical access.

Vein (palm / finger

) infrared; harder to spoof than surface biometrics; common in JP banks.

DNA

forensic standard; STR + SNP; mtDNA + Y-STR for maternal / paternal lineage.

Signature

dynamic (pressure / speed) or static.

Keystroke dynamics

behavioral; typing-rhythm.

Mouse / touch dynamics

behavioral; gesture pattern.

Gait

video-based; surveillance-grade.

Ear

alternate face-modality.

Heart (ECG)

wearable / medical device.

Brainwave (EEG)

experimental.

Periocular

eye + brow region; works behind masks.

Lip movement / visual lip-reading

speech + visual fusion.

Combined / multimod al

industry default for high-stakes use.

Standards#

Standard

Notes

ISO/IEC 19794

Biometric data interchange formats; -1 framework, -2 minutiae, -4 finger image, -5 face image, -6 iris, -7 signature, -8 finger pattern skeletal, -9 vascular, -10 hand geometry, -11 signature dynamics, -13 voice, -14 DNA, -15 palmprint.

ISO/IEC 19785

Common Biometric Exchange Formats Framework (CBEFF).

ISO/IEC 24745

biometric template protection.

ISO/IEC 19792

security testing.

ISO/IEC 30107

Presentation Attack Detection (PAD); anti-spoofing.

ISO/IEC 39794

updated container format (replaces 19794-5).

NIST SP 500-280

ANSI / NIST-ITL transmission format; LE-grade.

NIST FIPS 201

PIV standard for US Federal IDs.

NIST IBIA

biometric performance reporting.

ICAO Doc 9303

e-passport biometric standard (incl. face minimum, optional iris + finger).

Performance metrics#

Metric

Notes

FMR / FAR

False Match Rate / False Accept Rate; the security error.

FNMR / FRR

False Non-Match Rate / False Reject Rate; the usability error.

FTE

Failure-To-Enroll; % of users for whom usable template can’t be captured.

FTA

Failure-To-Acquire (per-attempt).

EER

Equal Error Rate; FMR = FNMR; single-number summary.

DET curve

Detection Error Tradeoff plot.

CMC curve

Cumulative Match Characteristic; identification ranking (1-to-N).

ROC

Receiver Operating Characteristic.

APCER / BPCER

PAD: Attack Presentation Classification Error Rate / Bonafide Presentation Classification Error Rate.

NIST tests publish per-modality performance benchmarks (NIST FRVT for face, NIST FpVTE for fingerprint, NIST IRVT for iris, NIST SRE for speaker recognition).

National-scale ID systems#

System

Notes

India Aadhaar

1.4B enrolees; 10-finger + iris + face; UIDAI; ABIS by Idemia / Morpho.

EU Eurodac

asylum + visa fingerprints; ~10M.

UK IABS

now-defunct; replaced by HOIA.

US IDENT / HART

DHS biometrics database; transitioning IDENT → HART (~270M records).

US IAFIS / NGI

FBI Next Generation Identification; fingerprint + face + iris.

Mexico CURP

national ID; with biometrics being added.

Brazil CPF / RG

historic ID + biometrics added per state.

China Public Securi

ty Cyber Crime Bureau / Skynet, mass face surveillance.

Russia FSB

biometric database for residents 2024+.

Estonia eID

card + mobile + smart-ID; chip-based.

Singapore SingPass

national digital ID; face + voice options.

UAE Emirates ID

iris + face + finger.

Saudi Absher

biometric digital ID.

Common products / vendors#

Vendor

Notes

Idemia

French-US; NEC-acquired biometric units; AFIS / iris.

Thales

face + finger.

NEC

face leader on NIST FRVT; deployed in many AFIS.

Cognitec / Onfido / Innovatrics

commercial face.

Rank One Computing

open + commercial face.

Clearview AI

scraped-photo face-search; LE-only since 2022.

PimEyes / FaceCheck .id

commercial face-reverse-search.

Suprema

fingerprint hardware + biometric access.

Crossmatch / HID

fingerprint scanners.

Iris ID / Eyelock

iris scanners.

Dermalog

fingerprint + face.

Aware

multi-modal SDK.

Neurotechnology

VeriFinger / VeriEye / VeriLook SDKs.

Daon

mobile-first multimodal.

ID R&D, Pindrop

voice + anti-spoofing.

Veridium

passwordless multimodal.

FIDO / WebAuthn#

The non-traditional “biometric” standard for the consumer space: rather than transmit biometric data, FIDO uses device-local biometric unlock (Touch ID, Face ID, Windows Hello) to release a hardware-bound private key.

Standard

Notes

FIDO2

umbrella; CTAP + WebAuthn.

WebAuthn

W3C; browser API.

CTAP

FIDO Client-to-Authenticator Protocol; USB / NFC / BLE.

Passkeys

FIDO2 + iCloud / Google Password Manager / Microsoft sync; the consumer rollout (2023+).

Yubikey 5 / 5C

hardware authenticator; supports FIDO2.

Titan key

Google.

Feitian

Chinese-origin authenticators.

SoloKeys

open-source.

Nitrokey

open-source.

Operator notes#

  • Aadhaar-scale lessons, 1.4B-record systems generate enormous compliance + abuse risk; UIDAI breach + leak history is instructive.

  • Spoofing, gummy fingers, printed faces, recorded voice, generated deepfakes; ISO 30107 PAD is the test framework.

  • Biometric vs token, biometrics are not secret + can’t be revoked; pair with hardware-rooted attestation, not used alone.

  • Privacy law, BIPA (Illinois) class actions have driven US enforcement; EU AI Act prohibits real-time public-space remote biometric ID with narrow exceptions; UK ICO + NL DPA active.

  • Cross-border data flows, biometrics are special- category data under GDPR Art 9; rules apply to processing, not just sharing.

  • Forensic vs identification vs verification, 1-to-N search, 1-to-1 verification, and forensic-grade examination have very different error budgets.

  • Sanctions / dual-use, some surveillance-grade biometric tech is export-controlled; Wassenaar Arrangement + EU Dual-Use Reg.

References#