The issues with biometric systems

Recognition errors

There are two basic types of recognition errors, false accepts and false rejects, measured by the false accept rate (FAR) and the false reject rate (FRR). A false accept occurs when a nonmatching pair of biometric data is wrongly accepted as a match by the system. A false reject occurs when a matching pair of biometric data is wrongly rejected by the system. The two errors are complementary: when you try to lower one of them by varying the threshold, the other error rate automatically increases. A balance therefore has to be found, with a decision threshold that can be set either to reduce the FAR or to reduce the FRR.

In a biometric authentication system, the relative false accept and false reject rates can be set by choosing a particular operating point (i.e., a detection threshold). Very low (close to zero) rates for both errors (FAR and FRR) at the same time are not possible. By setting a high threshold, the FAR can be brought close to zero, and similarly, by setting a significantly low threshold, the FRR can be brought close to zero. A meaningful operating point for the threshold is decided based on the application requirements, and the FAR and FRR at that operating point may be quite different. To provide high security, biometric systems operate at a low FAR instead of the commonly recommended equal error rate (EER) operating point where FAR = FRR.
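The trade-off described above, as an added example that is not part of the original page: it sweeps the decision threshold over constructed genuine and impostor similarity scores, then compares the EER operating point with a low-FAR one. The scores, the function names and the 1% FAR target are assumptions made for illustration.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: same-person comparisons. IMPOSTOR: different-person comparisons.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.35]
IMPOSTOR = [0.62, 0.55, 0.43, 0.41, 0.38, 0.33, 0.29, 0.24, 0.21, 0.18,
            0.15, 0.12, 0.10, 0.08, 0.07, 0.05, 0.04, 0.03, 0.02, 0.01]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(steps=100):
    """Evaluate (threshold, FAR, FRR) on a grid from 0.00 to 1.00."""
    return [(i / steps, *rates(i / steps)) for i in range(steps + 1)]


def equal_error_point(curve):
    """Lowest threshold at which FAR and FRR are closest (the EER point)."""
    return min(curve, key=lambda p: abs(p[1] - p[2]))


def low_far_point(curve, max_far):
    """Lowest threshold with FAR <= max_far, i.e. the least FRR for that FAR."""
    # FAR never rises as the threshold rises, so the first hit is the lowest.
    return next(p for p in curve if p[1] <= max_far)


if __name__ == "__main__":
    curve = sweep()
    points = {
        "EER operating point": equal_error_point(curve),
        "FAR <= 1% operating point": low_far_point(curve, 0.01),
    }
    for name, (t, far, frr) in points.items():
        print(f"{name}: threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%}")
```

On this sample, moving from the EER point to the low-FAR point removes every false accept but rejects four of the ten genuine attempts, which is the cost the paragraph describes.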

Compromised biometric data

Paradoxically, the greatest strength of biometrics is at the same time its greatest liability: an individual's biometric data does not change over time. The pattern in your iris, retina or palm vein remains the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.

Vulnerable points of a biometric system

The first stage involves scanning the user to acquire his/her unique biometric data. This process is called enrollment. During enrollment, an invariant template that represents the particular individual is stored in a database.

To authenticate the user against a given ID, this template is retrieved from the database and matched against the new template derived from a newly acquired input signal.

This is similar to a password: You first have to create a password for a new user, then when the user tries to access the system, he/she will be prompted to enter his/her password. If the password entered via the keyboard matches the password previously stored, access will be granted.


There are seven main areas where attacks may occur in a biometric system:
