Standards and frameworks¶
A short, public-facing map of the standards and evaluation programs that shape biometric system design. None of this is legal advice — talk to your own counsel before claiming compliance — but knowing what each document covers will save a lot of time when reading vendor materials, RFPs, or wiki pages.
For terminology used below, see the Glossary.
Performance measurement¶
ISO/IEC 19795-1 — Biometric performance testing and reporting
The umbrella standard for how to measure and report a biometric system's accuracy: how to define genuine and impostor comparisons; how to compute FMR / FNMR (algorithm-level, per comparison) as distinct from FAR / FRR (transaction-level, which also absorb failures to acquire and retry policy); how to report failure-to-enrol and failure-to-acquire rates; how to express confidence intervals, including the "rule of 3" upper bound when zero errors were observed; and what must appear in a published evaluation (corpus, protocol, number of comparisons, operating point). If a vendor quotes an EER or "FNMR at fixed FMR" number with no protocol, no corpus description and no error bars, this is the standard they should be following, so ask for the 19795-1 report rather than the brochure.
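The error rates above, computed the way a 19795-1 report would present them, as an added example (Node.js, not code from the page or from any standard). The score lists are constructed for illustration, higher score meaning more similar, and the function names are ours; the decision rule "accept when score >= threshold" is an assumption about the comparator.

```javascript
// Added example, not from the page: ISO/IEC 19795-1 style error rates from raw
// comparison scores. All score values below are constructed; higher = more alike.

// Genuine comparisons: two samples from the same subject.
const GENUINE = [0.95, 0.91, 0.88, 0.87, 0.83, 0.80, 0.78, 0.74, 0.69, 0.60, 0.55, 0.45];
// Impostor comparisons: samples from different subjects.
const IMPOSTOR = [0.62, 0.58, 0.51, 0.49, 0.47, 0.44, 0.40, 0.38, 0.35, 0.33,
                  0.31, 0.29, 0.25, 0.22, 0.20, 0.18, 0.15, 0.12, 0.10, 0.05];

const fraction = (arr, pred) => arr.filter(pred).length / arr.length;

// Decision rule (assumed): declare a match when score >= t.
// FMR: impostor comparisons wrongly accepted; FNMR: genuine comparisons wrongly rejected.
function ratesAt(t, genuine = GENUINE, impostor = IMPOSTOR) {
  return {
    threshold: t,
    fmr: fraction(impostor, (s) => s >= t),
    fnmr: fraction(genuine, (s) => s < t),
  };
}

// Candidate thresholds: every observed score, plus one above the maximum so the
// "reject everything" operating point (FMR = 0) is always reachable.
function candidateThresholds(genuine = GENUINE, impostor = IMPOSTOR) {
  const all = [...new Set([...genuine, ...impostor])].sort((a, b) => a - b);
  return [...all, all[all.length - 1] + 1];
}

// Equal error rate: the operating point where FMR and FNMR are closest. On a
// finite score set they rarely coincide exactly, so EER is reported as their mean.
function eer(genuine = GENUINE, impostor = IMPOSTOR) {
  let best = null;
  for (const t of candidateThresholds(genuine, impostor)) {
    const r = ratesAt(t, genuine, impostor);
    const gap = Math.abs(r.fmr - r.fnmr);
    if (best === null || gap < best.gap) best = { ...r, gap };
  }
  return { threshold: best.threshold, fmr: best.fmr, fnmr: best.fnmr, eer: (best.fmr + best.fnmr) / 2 };
}

// "FNMR at fixed FMR": the lowest threshold whose FMR does not exceed the target.
// This is the form serious evaluations use instead of a bare EER, because the
// deployment picks a security level (FMR) first and then lives with the FNMR.
function fnmrAtFmr(targetFmr, genuine = GENUINE, impostor = IMPOSTOR) {
  for (const t of candidateThresholds(genuine, impostor)) {
    const r = ratesAt(t, genuine, impostor);
    if (r.fmr <= targetFmr) return r;
  }
  throw new Error('unreachable: the top threshold has FMR = 0');
}

// Confidence bounds 19795-1 asks for next to every point estimate.
// Rule of 3: zero errors in n independent trials bounds the true rate below ~3/n at 95%.
function ruleOfThreeUpperBound(n) { return 3 / n; }

// Wilson score interval for k errors in n trials (z = 1.96 for 95%).
function wilsonInterval(k, n, z = 1.96) {
  const p = k / n, z2 = z * z;
  const denom = 1 + z2 / n;
  const centre = (p + z2 / (2 * n)) / denom;
  const half = (z * Math.sqrt((p * (1 - p)) / n + z2 / (4 * n * n))) / denom;
  return { low: Math.max(0, centre - half), high: Math.min(1, centre + half) };
}

console.log('EER point:', eer());
console.log('FNMR at FMR <= 5%:', fnmrAtFmr(0.05));
console.log('FNMR at FMR = 0:', fnmrAtFmr(0));
// Why a small test set cannot back a "1 in 10,000" claim: zero false matches in
// 20 impostor trials only bounds FMR below ~15%. By the same rule you need about
// 30,000 error-free impostor comparisons before FMR <= 1e-4 is defensible at 95%.
console.log('Rule-of-3 bound, 0 errors in 20 trials:', ruleOfThreeUpperBound(IMPOSTOR.length));
console.log('Wilson 95% CI for 2 false matches in 20 trials:', wilsonInterval(2, 20));
```

The sweep deliberately walks thresholds upward and takes the first one that meets the FMR target, which is the conservative reading: any tie in FMR is resolved toward the lower FNMR. Swap in real score files in place of the constructed arrays and the same functions produce the numbers a report should carry.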
NIST FRVT / FRTE / FATE / IREX
Public, vendor-neutral benchmark programs run by NIST. Vendors submit algorithms as black-box SDKs and NIST runs them on sequestered data, so the results cannot be tuned to the test set.
- FRVT (Face Recognition Vendor Test) — accuracy and demographic performance for face recognition. In 2023 NIST split the program: the 1:1 verification and 1:N identification tracks continue as FRTE (Face Recognition Technology Evaluation), and the non-recognition tracks became FATE. Older reports and most vendor marketing still say "FRVT".
- FATE (Face Analysis Technology Evaluation) — ancillary face tasks: image quality, age estimation, morph detection and software-based presentation attack detection.
- IREX (Iris Exchange) — accuracy of iris recognition systems.
Reports are released periodically and include subgroup breakdowns (sex, age, and region of origin where the data allow). The headline numbers are FNMR at a fixed FMR on a named dataset, not EER, so check which operating point and which image type a vendor is quoting before comparing across reports. Worth reading the latest report directly when you want to compare modalities or vendors honestly.
Presentation Attack Detection (PAD)¶
ISO/IEC 30107 — Information technology — Biometric presentation attack detection
Four parts (Part 2 covers data formats for PAD, Part 4 is a test profile for mobile devices). The two you will see cited:
- Part 1 — framework and vocabulary, including "presentation attack instrument" (PAI) and "PAI species" (one kind of artefact, e.g. a printed photo, a screen replay, a silicone mask).
- Part 3 — testing and reporting. Defines the metrics every PAD product should publish and how to describe the attack instruments used: APCER (attack presentation classification error rate, the fraction of attacks accepted as bona fide, computed per PAI species with the worst species as the headline figure), BPCER (bona fide presentation classification error rate, the fraction of real users wrongly rejected as attacks) and ACER (the average of the two, a convenience number that hides the per-species worst case). When a vendor says they have "iBeta-tested liveness", this is the report format they mean.
iBeta PAD evaluations
iBeta is a US-based, NVLAP-accredited independent lab that runs ISO/IEC 30107-3 conformance tests for face and other modalities. "iBeta Level 1" and "Level 2" are iBeta's own tiers, mapped to the attack-potential levels of 30107-3: Level 1 covers low-effort instruments such as printed photos and screen replays, Level 2 adds higher-effort instruments such as 3D masks. A passing certificate says the PAI species tried at that level were rejected at the required rate on the tested device and app version; it is not a claim about attacks nobody tried, and it does not transfer to a different camera, SDK version or enrolment policy.
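The 30107-3 metrics above, computed per PAI species the way a Part 3 (or iBeta) report groups them, as an added example in Node.js that is not code from the page, the standard or any lab. The liveness scores and species names are constructed; the decision rule "bona fide when score >= threshold" is an assumption about the PAD subsystem.

```javascript
// Added example, not from the page: ISO/IEC 30107-3 PAD metrics over constructed
// liveness scores. Higher score = "more bona fide"; a presentation is classified
// bona fide when score >= t (assumed decision rule). Attack scores are grouped by
// PAI species because the standard computes APCER per species, never pooled.

const BONA_FIDE = [0.97, 0.95, 0.93, 0.92, 0.90, 0.88, 0.86, 0.85, 0.82, 0.80, 0.77, 0.72, 0.65, 0.50];
const ATTACKS = {                           // constructed PAI species
  print:  [0.10, 0.15, 0.20, 0.25, 0.31, 0.40, 0.55],
  replay: [0.30, 0.35, 0.42, 0.48, 0.60, 0.66, 0.70],
  mask3d: [0.52, 0.63, 0.71, 0.76, 0.84, 0.89],
};

const fraction = (arr, pred) => arr.filter(pred).length / arr.length;

function padMetrics(t, bonaFide = BONA_FIDE, attacks = ATTACKS) {
  // APCER per species: attacks of that species wrongly classified as bona fide.
  const apcerBySpecies = Object.fromEntries(
    Object.entries(attacks).map(([name, scores]) => [name, fraction(scores, (s) => s >= t)]),
  );
  // Headline APCER is the worst species (30107-3), not the pooled average.
  const apcerMax = Math.max(...Object.values(apcerBySpecies));
  const apcerPooled = fraction(Object.values(attacks).flat(), (s) => s >= t);
  // BPCER: bona fide presentations wrongly classified as attacks.
  const bpcer = fraction(bonaFide, (s) => s < t);
  return { threshold: t, apcerBySpecies, apcerMax, apcerPooled, bpcer, acer: (apcerMax + bpcer) / 2 };
}

// BPCER at a fixed APCER ceiling: the lowest threshold whose worst-species APCER
// is at or below the target. This is how the security/usability trade-off is read
// off a PAD report ("BPCER when every species is held to APCER <= 10%").
function bpcerAtApcer(targetApcer, bonaFide = BONA_FIDE, attacks = ATTACKS) {
  const all = [...new Set([...bonaFide, ...Object.values(attacks).flat()])].sort((a, b) => a - b);
  for (const t of [...all, all[all.length - 1] + 1]) {
    const m = padMetrics(t, bonaFide, attacks);
    if (m.apcerMax <= targetApcer) return m;
  }
  throw new Error('unreachable: the top threshold rejects every presentation');
}

const m = padMetrics(0.75);
console.log('At t=0.75:', m);
// apcerPooled (15%) looks respectable; apcerMax (50%, the 3D masks) is what the
// standard requires you to report, and it is the species an attacker will pick.
console.log('Lowest BPCER with every species at APCER <= 10%:', bpcerAtApcer(0.10));
```

The pooled-versus-worst-species gap is the practical reason Part 3 forbids a single blended APCER: a product that stops every print and replay but passes half of the masks is a 50% APCER product, and ACER will quietly average that down.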
Identity assurance¶
NIST SP 800-63 (and -63A / -63B / -63C) — Digital Identity Guidelines
The US government's reference for digital identity: identity proofing in -63A, authentication in -63B, federation in -63C. Most relevant:
- 800-63B — authentication and authenticator lifecycle. Defines AAL1, AAL2, AAL3 and the rules for using biometrics in an authenticator: a biometric is never a standalone factor and must be paired with a physical authenticator ("something you have"), the comparison must meet an FMR of 1 in 10,000 or better, attempts are rate-limited, and presentation attack resistance is tested per ISO/IEC 30107-3. In practice that means biometrics act as an activation factor on a hardware-bound credential, which is exactly how FIDO2 uses them.
- Revision 4 (final, 2025) — tightens the biometric rules and makes PAD an explicit requirement, adds equity expectations (CSPs must assess and report performance differences across demographic groups), and raises phishing-resistance expectations: mandatory at AAL3, with at least one phishing-resistant option required to be offered at AAL2.
FIDO2 / WebAuthn / Passkeys
An open standard for cryptographic, phishing-resistant authentication. Biometrics under FIDO2 are an activation factor: a successful local match unlocks a private key held by the authenticator (device-bound in a secure element or TPM, or, for synced passkeys, in the platform's credential store). What reaches the relying party is a signature over a server-supplied challenge plus a flag saying user verification happened; neither the biometric sample nor the private key ever leaves the device, and the relying party cannot tell, and does not need to know, whether the user unlocked with a fingerprint, a face or a PIN. This is why FIDO deployments are described as "passwordless" rather than "biometric-only". The FIDO Alliance separately certifies biometric components (accuracy and PAD, tested by accredited labs) for use in certified authenticators.
Data formats and interoperability¶
ISO/IEC 19794 / 39794 — Biometric data interchange formats
Families of standards defining the on-the-wire and on-card containers for biometric data, one part per modality (finger images and finger minutiae, face images, iris images, and so on). 19794 is the older generation still found in ePassports, PIV and other government deployments; 39794 is the extensible successor (tag-length-value encoding designed to be versioned without breaking existing readers), which ICAO has adopted for next-generation travel documents. Note what is and is not covered: standardised images and a few standardised feature sets such as finger minutiae, but not vendor-specific templates or deep-learning embeddings. That is why two systems without a shared SDK normally interoperate at image level, each extracting its own template, and why a vendor's "template" is not something the other side can consume.
ISO/IEC 24745 — Biometric information protection
Requirements for protecting stored biometric references: confidentiality, integrity, renewability (a compromised reference can be revoked and reissued), irreversibility (the stored data must not allow reconstruction of the sample) and unlinkability (references of the same person in two systems must not be matchable to each other). It also fixes the reference architecture most schemes are described in: a stored pseudonymous identifier plus auxiliary data, compared through a derived value rather than by raw template matching. The companion ISO/IEC 30136 covers how to test those properties. The reference document for the [template-protection](../concepts/Privacy_Preserving_Biometrics.md) techniques covered in the concepts wiki.
Common Biometric Exchange Formats Framework (CBEFF)
Defined in ISO/IEC 19785. A wrapper (the Biometric Information Record) around a biometric data block so that modality, format owner and format type, creation and validity dates, and an optional security block carrying integrity and encryption metadata travel with the data. Used in PIV cards (NIST SP 800-76) and many federal flows. In practice the CBEFF header tells you which 19794/39794 parser to hand the payload to and whether it was signed.
Privacy law (regional)¶
These are not biometric standards per se — they are the rules a deployment has to live under. Treat this list as a starting point, not legal counsel.
- EU GDPR, especially Article 9 (special-category personal data, which explicitly includes biometric data used for unique identification).
- EU AI Act (2024) — prohibits some uses outright (real-time remote biometric identification in public spaces for law enforcement outside narrow exceptions, emotion recognition in workplaces and schools, biometric categorisation by sensitive attributes) and classes remote biometric identification and biometric categorisation as high-risk, with transparency, human-oversight and conformity-assessment obligations.
- US BIPA (Illinois), which carries a private right of action, and similar state laws in Texas (CUBI), Washington and others — informed written consent, published retention schedules and destruction requirements for biometric identifiers.
- CCPA / CPRA (California) — biometric information processed to uniquely identify a person is "sensitive personal information", which consumers can ask you to limit the use of.
Where this maps in the wiki¶
| If you want to know about… | Read… |
|---|---|
| how performance numbers are produced | the Glossary and the source modality page (e.g. Iris Recognition) |
| how to defend against spoofs | Anti-Spoofing Techniques |
| what fairness work looks like | Bias and Fairness in Biometrics |
| template protection / privacy | Privacy-Preserving Biometrics |
| field deployment patterns | Real-World Biometric Deployments |