Tag Archives: nist

Europe is Looking At More Than Just Biometric Testing

A little more detail, courtesy EU Brussels, regarding the policy brief published by the EU Innovation Hub for Internal Security, coordinated by eu-LISA together with the European Commission, Europol and Frontex.

As I noted earlier today, one proposal is for Europe to perform its own independent biometric testing, reducing Europe’s dependence on the American National Institute of Standards and Technology (NIST).

“The second is a centralised evaluation and testing platform connected to that repository, allowing standardised, independent and continuous assessment of biometric technologies, including benchmarking across vendors.”

But if there is a second proposal (European testing) in the cited European biometric policy brief, there must also be a first proposal—one I failed to discuss this morning.

“The first is a common EU biometric data repository containing datasets that comply with European rules, reflect the demographics and use-cases relevant to EU authorities and are stored in a secure environment.”

Makes sense. If you are going to test you need test data. And NIST has no obligation to ensure its test data complies with the General Data Protection Regulation (GDPR). The subjects in NIST test databases rarely provided the “explicit consent” mentioned in GDPR, and the “right to erasure” from a NIST database is…laughable.

Yes, it’s extremely challenging to construct a testing database that complies with GDPR.

And NIST certainly ain’t gonna do it.

Will a European entity construct it?

And if the right to erasure is maintained, how will you maintain historical consistency of test results?

Why Would Europe Perform Its Own Biometric Testing?

I’ve seen two articles about a possible move by Europe to set up a Europe-wide biometric testing agency, bypassing the need for National Institute of Standards and Technology (NIST) biometric testing.

One reason is that a European-controlled testing methodology can incorporate European regulations, such as the General Data Protection Regulation (GDPR).

A second related reason for Europe to bypass NIST biometric testing is that U.S. government agencies, including NIST and the Federal Bureau of Investigation (FBI), naturally place prime importance on American interests.

Remember when the U.S. House of Representatives Select Committee on the Chinese Communist Party complained that the FBI Certified Products List contained Chinese biometric vendors (the Certified Communist Products List)?

  • Wait until they discover all the Chinese companies that participate in NIST testing.
  • And wait until someone in the legislative or executive branches decides that the FBI or NIST shouldn’t list products from other countries deemed unfriendly to the United States. Denmark? Germany? France?

For these reasons, Europe may be compelled to set up its own biometric testing organization.

And so may China.

On DOJ/DoD/DHS ABIS Interoperability

The image at the top of this post was taken from the NIST website and is a from an interoperability slide in a 2016 FBI presentation. Although the reference to “IAFIS” suggests that the image was created long before 2016. No NGI, and no HART either.

Because—while this may make some uncomfortable—biometric interoperability between the Departments of Defense, Homeland Security, and Justice is critically important.

For years after 9/11, the (then) systems from the three Departments were NOT interoperable.

Which made it difficult to identify if a military person or citizenship applicant was a criminal.

Today, while the three current systems use three different data interchange standards (based upon work by NIST), they CAN talk to each other.

We just have to ensure that the interoperability is legal and proper.

You CAN Modernize…But Should You?

In the past, I have said:

“[T]he technology is easy. The business part is the difficult part.”

But Chris Burt of Biometric Update phrased it more succinctly:

“[P]olicy chases modernization”

As Burt notes, examples of policy chasing modernization include:

  • Digital sovereignty, a topic of discussion with everyone from ID4Africa to an organization called the World Ethical Data Foundation. (As an aside, a Bredemarket client and I were recently discussing the pros and cons of managing digital identities in the cloud vs. peer-to-peer synchronization.)
  • Cybersecurity and digital identity, a topic of discussion in government (the White House, NIST) and industry (Jordan Burris of Socure).
  • Other topics, including police facial recognition policy. (Hmm…I recall that both government and vendor biometric policies were the topic of a Biometric Update guest article last year.)

All of you recall Pandora’s Box. I’ve used the story multiple times, including when discussing my creation of Bredebot and its nearly-instantaneous hallucinations. Yes, I do have “policies” regarding this “modernization,” including full disclosure.

But are policies enough?

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

Refresh

I am not as good at this as I should be, but at least I think about it. Sometimes.

I’m the one who preaches about the necessity of ensuring old content is accurate.

For example, I wrote a post about NIST facial recognition testing in 2022, back when the relevant test was called “FRVT.”

It wasn’t until this year—2026—that I made clarifying edits to the post to rename the test “FRTE.”

Now I just have to stop people from downloading my six questions and start downloading my seven questions instead.

What is the NIST Facial Recognition Technology Evaluation (FRTE)? And Why Should You Care?

I’m guilty of acronym overuse. I just wrote a post that mentioned something called “FRTE,” and I belatedly realized that many of the people who read the post…and many of the people who need to read the post…have no idea how to spell FRTE, much less WHY it’s important. So let me explain.

But before I explain FRTE, I should explain NIST. It’s the National Institute of Standards and Technology, part of the U.S. Department of Commerce, and it promotes technology standards throughout the country and throughout the world.

Among the many, many, many things that NIST does, it looks at the use of biometrics for identification and classification of individuals, including face. NIST’s face work is split into face recognition and face analysis. While the latter concerns classification of faces (whether the face is real or a presentation attack, the estimated age of the person), the former focuses on individualization.

FRTE and other stuff, from NIST.

But I’m not going to talk about FATE today. Let’s focus on FRTE.

Why FRTE?

There are hundreds upon hundreds of algorithms out there that purport to compare a face to another face, or to compare a face to many faces, and indicate the likelihood that the compared faces belong to the same person.

And any algorithm provider can claim that its facial recognition algorithm provides 100.00% accuracy or 99.99% accuracy or whatever.

Or that it can search a trillion record database in 0.1 seconds or whatever.

Perhaps the provider even backs up this claim with published data in which the provider tested its algorithm with 1,000 searches against a 100,000 record database and the algorithm did not make a single error.

Are you impressed?

I’m not.

Anyone can score 100% on a self-test.

But what happens when you are given a test by someone else…closed book…with no answer key?

(And yes, I’m aware of the claims that these independent tests are flawed. So design a better one that more than one algorithm provider supports.)

If you’re looking to buy facial recognition technology, the second best way to evaluate the different facial recognition algorithms is to consult the NIST FRTE tests.

  • These tests are continuous, with new algorithms usually added monthly.
  • These tests are complex, measuring umpteen diffferent databases and search types. One or more of these may match your particular use case.
  • These tests are black box. The algorithm providers send their algorithms to NIST, and they are tested against all the other algorithms on identical setups.

Most importantly, the results of these tests are public, and you can view them yourself. The 1:1 testing is here, and the 1:N testing is here.

Oh, and the tests are listed by the algorithm provider, so if Omnigarde says they’ve been tested by NIST, you can look at the test results and find Omnigarde’s algorithm.

And if Vendor X says its algorithm tested well, but you can’t find Vendor X in the algorithm list, then you need to ask Vendor X which algorithm it’s using.

And if Vendor Y says it’s really accurate, but doesn’t state that the algorithm it uses was NIST tested…ask Vendor Y to prove its accuracy claims.

So that’s FRTE. And if your facial recognition vendor isn’t talking about FRTE…ask why.

Why Biometric Marketing Experience Beats Biometric Marketing Immaturity

I know that the experts say that “too much knowledge is actually bad in tech.” But based upon what I just saw from an (unnamed) identity verification company, I assert that too little knowledge is much worse.

As a biometric product marketing expert and biometric product marketing writer, I pay a lot of attention to how identity verification companies and other biometric and identity companies market themselves. Many companies know how to speak to their prospects…and many don’t.

Take a particular company, which I will not name. Here is the “marketing” from this company.

  • We have funding!
Google Gemini.
  • We offer lower pricing than selected competitors!
  • We claim high facial recognition accuracy but don’t publish our NIST FRTE results! (While the company claims to author its technology, the company name does not appear in either the NIST FRTE 1:1 or NIST FRTE 1:N results.)
  • We claim liveness detection (presentation attack detection) but don’t publish any confirmation letters! (Again, I could not find the company name on the confirmation letter lists from BixeLab or iBeta.)
Google Gemini.

So what is the difference between this company and the other 100+ identity verification companies…many of which explicitly state their benefits, trumpet their NIST FRTE performance, and trumpet their third-party liveness detection confirmation letters?

If you claim great accuracy and great liveness detection but can’t support it via independent third-party verification, your claim is “so what?” worthless. Prove your claims.

Now I’m sure I could help this company. Even if they have none of the certifications or confirmations I mentioned, I could at least get the company to focus on meaningful differentiation and meaningful benefits. But there’s no need to even craft a Bredemarket pitch to the company, since the only marketer on staff is an intern who is indifferent to strategy.

Google Gemini.

Because while many companies assert that all they need is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else…there are dozens of competitors doing the exact same thing.

But some aren’t. Some identity/biometric companies are paying attention to their long-term viability, and are creating content, proposals, and analyses that support that viability.

Take a look at your company’s marketing. Does it speak to prospects? Does it prove that you will meet your customers’ needs? Or does it sound like every other company that’s saying “We use AI. Trust us“?

And if YOUR company needs experienced help in conveying customer-focused benefits to your prospects…contact Bredemarket. I’ve delivered meaningful biometric materials to two dozen companies over the years. And yes, I have experience. Let me use it for your advantage.

When Everyone Goes Multimodal: Iris ID and Faces

I’ve previously discussed the difference between the terms “multimodal” and “multifactor.”

Multimodal is often (though not exclusively) used to discuss the use of different biometric modalities. For example, when Motorola’s Biometric Business Unit was acquired, we joined an organization (Sagem Morpho) that specialized in three biometric modalities: finger, face, and iris.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

As you can imagine, the “which biometric is best” wars simply do not apply to the multimodal folks. Unlike someone committed to tongue biometrics because that’s all they do, a multimodal biometric vendor can say “this one’s best here, this other one’s best there.”

So I was a bit surprised to see the recent Biometric Update article, “Iris ID debuts in NIST FRTE 1:1.”

  • Iris ID is known for…well, irises.
  • FRTE is a face test.

I had some catching up to do.

After all, I was aware of the history of Iris ID (yet another New Jersey iris company) and its spinoff from LG, and although I don’t think I’ve ever met Mohammad Murad, I’ve certainly heard of him.

But Iris ID has branched off from just irises. Here’s what it exhibited at Identity Week America in September 2025:

“Highlighted in the Iris ID booth are the latest advances in multi-modal biometric technology, where iris and face recognition are combined in fully contactless solutions. These innovations are designed to deliver fast, frictionless throughput while ensuring accuracy and reliability, even in high-throughput environments.”

For what it’s worth, the Iris ID “001” algorithm tested in NIST FRTE 1:1 wasn’t an overwhelming world-beater, not even cracking the top 100 in any of NIST’s many, many categories (the best performance was in BORDER:BORDER).

But everyone has to start somewhere.

Just don’t get eyes and faces confused.

A biometric product marketing writer can help.

My Biometric Video One-Two Punch

Different moods, but both videos emphasize (not empathize) Bredemarket’s biometric product marketing expertise.

So what?

If your firm wants to speak to biometric prospects and customers, you need someone who speaks the language.

As a customer whose name I won’t mention recently said to me, “You have to know what FRTE [VENDOR NAME REDACTED] [NUMBER REDACTED] means.” (An algorithm submission to the U.S. National Institute of Standards and Technology Facial Recognition Technology Evaluation (FRTE), either the 1:1 test or the 1:N test.)

But even more important is why a vendor’s algorithmic submission matters…and why it may not matter. Ah, the nuances…

I’ve written about these nuances for almost two dozen firms. Perhaps I can write for your firm. Click below and book a free meeting with Bredemarket.

Stop losing prospects! Use Bredemarket content for tech marketers