Refresh

I am not as good at this as I should be, but at least I think about it. Sometimes.

I’m the one who preaches about the necessity of ensuring old content is accurate.

For example, I wrote a post about NIST facial recognition testing in 2022, back when the relevant test was called “FRVT.”

It wasn’t until this year—2026—that I made clarifying edits to the post to rename the test “FRTE.”

Now I just have to stop people from downloading my six questions and start downloading my seven questions instead.

What is the NIST Facial Recognition Technology Evaluation (FRTE)? And Why Should You Care?

I’m guilty of acronym overuse. I just wrote a post that mentioned something called “FRTE,” and I belatedly realized that many of the people who read the post…and many of the people who need to read the post…have no idea how to spell FRTE, much less WHY it’s important. So let me explain.

But before I explain FRTE, I should explain NIST. It’s the National Institute of Standards and Technology, part of the U.S. Department of Commerce, and it promotes technology standards throughout the country and throughout the world.

Among the many, many, many things that NIST does, it looks at the use of biometrics for identification and classification of individuals, including face. NIST’s face work is split into face recognition and face analysis. While the latter concerns classification of faces (whether the face is real or a presentation attack, the estimated age of the person), the former focuses on individualization.

FRTE and other stuff, from NIST.

But I’m not going to talk about FATE today. Let’s focus on FRTE.

Why FRTE?

There are hundreds upon hundreds of algorithms out there that purport to compare a face to another face, or to compare a face to many faces, and indicate the likelihood that the compared faces belong to the same person.

And any algorithm provider can claim that its facial recognition algorithm provides 100.00% accuracy or 99.99% accuracy or whatever.

Or that it can search a trillion record database in 0.1 seconds or whatever.

Perhaps the provider even backs up this claim with published data in which the provider tested its algorithm with 1,000 searches against a 100,000 record database and the algorithm did not make a single error.

Are you impressed?

I’m not.

Anyone can score 100% on a self-test.

But what happens when you are given a test by someone else…closed book…with no answer key?

(And yes, I’m aware of the claims that these independent tests are flawed. So design a better one that more than one algorithm provider supports.)

If you’re looking to buy facial recognition technology, the second best way to evaluate the different facial recognition algorithms is to consult the NIST FRTE tests.

  • These tests are continuous, with new algorithms usually added monthly.
  • These tests are complex, measuring umpteen different databases and search types. One or more of these may match your particular use case.
  • These tests are black box. The algorithm providers send their algorithms to NIST, and they are tested against all the other algorithms on identical setups.

Most importantly, the results of these tests are public, and you can view them yourself. The 1:1 testing is here, and the 1:N testing is here.

Oh, and the tests are listed by the algorithm provider, so if Omnigarde says they’ve been tested by NIST, you can look at the test results and find Omnigarde’s algorithm.

And if Vendor X says its algorithm tested well, but you can’t find Vendor X in the algorithm list, then you need to ask Vendor X which algorithm it’s using.

And if Vendor Y says it’s really accurate, but doesn’t state that the algorithm it uses was NIST tested…ask Vendor Y to prove its accuracy claims.

So that’s FRTE. And if your facial recognition vendor isn’t talking about FRTE…ask why.

Why Biometric Marketing Experience Beats Biometric Marketing Immaturity

I know that the experts say that “too much knowledge is actually bad in tech.” But based upon what I just saw from an (unnamed) identity verification company, I assert that too little knowledge is much worse.

As a biometric product marketing expert and biometric product marketing writer, I pay a lot of attention to how identity verification companies and other biometric and identity companies market themselves. Many companies know how to speak to their prospects…and many don’t.

Take a particular company, which I will not name. Here is the “marketing” from this company.

  • We have funding!
  • We offer lower pricing than selected competitors!
  • We claim high facial recognition accuracy but don’t publish our NIST FRTE results! (While the company claims to author its technology, the company name does not appear in either the NIST FRTE 1:1 or NIST FRTE 1:N results.)
  • We claim liveness detection (presentation attack detection) but don’t publish any confirmation letters! (Again, I could not find the company name on the confirmation letter lists from BixeLab or iBeta.)

So what is the difference between this company and the other 100+ identity verification companies…many of which explicitly state their benefits, trumpet their NIST FRTE performance, and trumpet their third-party liveness detection confirmation letters?

If you claim great accuracy and great liveness detection but can’t support it via independent third-party verification, your claim is “so what?” worthless. Prove your claims.

Now I’m sure I could help this company. Even if they have none of the certifications or confirmations I mentioned, I could at least get the company to focus on meaningful differentiation and meaningful benefits. But there’s no need to even craft a Bredemarket pitch to the company, since the only marketer on staff is an intern who is indifferent to strategy.

Because while many companies assert that all they need is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else…there are dozens of competitors doing the exact same thing.

But some aren’t. Some identity/biometric companies are paying attention to their long-term viability, and are creating content, proposals, and analyses that support that viability.

Take a look at your company’s marketing. Does it speak to prospects? Does it prove that you will meet your customers’ needs? Or does it sound like every other company that’s saying “We use AI. Trust us”?

And if YOUR company needs experienced help in conveying customer-focused benefits to your prospects…contact Bredemarket. I’ve delivered meaningful biometric materials to two dozen companies over the years. And yes, I have experience. Let me use it for your advantage.

When Everyone Goes Multimodal: Iris ID and Faces

I’ve previously discussed the difference between the terms “multimodal” and “multifactor.”

Multimodal is often (though not exclusively) used to discuss the use of different biometric modalities. For example, when Motorola’s Biometric Business Unit was acquired, we joined an organization (Sagem Morpho) that specialized in three biometric modalities: finger, face, and iris.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

As you can imagine, the “which biometric is best” wars simply do not apply to the multimodal folks. Unlike someone committed to tongue biometrics because that’s all they do, a multimodal biometric vendor can say “this one’s best here, this other one’s best there.”

So I was a bit surprised to see the recent Biometric Update article, “Iris ID debuts in NIST FRTE 1:1.”

  • Iris ID is known for…well, irises.
  • FRTE is a face test.

I had some catching up to do.

After all, I was aware of the history of Iris ID (yet another New Jersey iris company) and its spinoff from LG, and although I don’t think I’ve ever met Mohammad Murad, I’ve certainly heard of him.

But Iris ID has branched off from just irises. Here’s what it exhibited at Identity Week America in September 2025:

“Highlighted in the Iris ID booth are the latest advances in multi-modal biometric technology, where iris and face recognition are combined in fully contactless solutions. These innovations are designed to deliver fast, frictionless throughput while ensuring accuracy and reliability, even in high-throughput environments.”

For what it’s worth, the Iris ID “001” algorithm tested in NIST FRTE 1:1 wasn’t an overwhelming world-beater, not even cracking the top 100 in any of NIST’s many, many categories (the best performance was in BORDER:BORDER).

But everyone has to start somewhere.

Just don’t get eyes and faces confused.

A biometric product marketing writer can help.

My Biometric Video One-Two Punch

Different moods, but both videos emphasize (not empathize) Bredemarket’s biometric product marketing expertise.

So what?

If your firm wants to speak to biometric prospects and customers, you need someone who speaks the language.

As a customer whose name I won’t mention recently said to me, “You have to know what FRTE [VENDOR NAME REDACTED] [NUMBER REDACTED] means.” (An algorithm submission to the U.S. National Institute of Standards and Technology Facial Recognition Technology Evaluation (FRTE), either the 1:1 test or the 1:N test.)

But even more important is why a vendor’s algorithmic submission matters…and why it may not matter. Ah, the nuances…

I’ve written about these nuances for almost two dozen firms. Perhaps I can write for your firm. Click below and book a free meeting with Bredemarket.

Delivering Bad News: How Motorola Overcame the FpVTE 2003 Results Announcement

I just realized that I have never told the FULL story of FpVTE 2003 in the Bredemarket blog. I’ve only told the problem part, but not the solution part. Bad on me.

The problem part

I told parts of this in a 2023 post entitled “The Big 3, or 4, or 5? Through the Years.” One of the pivotal parts of the story was when the “big 4” became the “big 3.”

It happened like this:

These days the U.S. National Institute of Standards and Technology (NIST) is well known for its continuous biometric testing, but one of its first tests was conducted in 2003. At the time, there were four well-recognized fingerprint vendors:

  • Cogent Systems.
  • Motorola, which had acquired Printrak.
  • NEC.
  • Sagem Morpho, which had acquired Morpho.

There were a bunch of other fingerprint vendors, but they were much smaller, including the independent companies Bioscrypt and Identix.

I was a product manager at Motorola at the time, managing the server portion of the company’s automated fingerprint identification system (AFIS), Omnitrak. This featured a modernization of the architecture that was a vast improvement over the client-server architecture in Series 2000. The older product was still in use at the Royal Canadian Mounted Police (RCMP), but Motorola was in the process of installing Omnitrak in Slovenia and upgrading existing systems in Oklahoma and Switzerland.

Yes, I’ve worked in biometrics for a while.

Yes, I am the biometric product marketing expert.

This is the environment in which NIST released its Fingerprint Vendor Technology Evaluation of 2003 (FpVTE 2003).

“FpVTE 2003 consists of multiple tests performed with combinations of fingers (e.g., single fingers, two index fingers, four to ten fingers) and different types and qualities of operational fingerprints (e.g., flat livescan images from visa applicants, multi-finger slap livescan images from present-day booking or background check systems, or rolled and flat inked fingerprints from legacy criminal databases).”

So the companies listed above, among others, submitted their algorithms to FpVTE 2003. After the testing, NIST issued a summary report that included this sentence.

“Of the systems tested, NEC, SAGEM, and Cogent produced the most accurate results.”

You can see how this affected Motorola…and me. We were suddenly second-tier, via independent confirmation.

I’m a loser, baby. Google Gemini.

We first had to go to the RCMP and admit that we weren’t as accurate as other systems. This came at a particularly bad time, since the RCMP was engaged in a massive system upgrade of its own. While Motorola’s FpVTE performance was not the ultimate deciding factor, we lost the massive RCMP system to Cogent.

But Motorola did something else at the same time.

The solution part

The accuracy of an automated fingerprint identification system falls in the laps of the algorithm developers, whether the vendor develops its own algorithms or buys a third-party algorithm from another AFIS vendor.

Motorola developed its own algorithm…and one of the R&D leaders was Guy Cardwell.

Motorola held a User’s Conference after the FpVTE results announcement, and Cardwell spoke to our customers.

  • It wasn’t a flashy presentation with smoke and mirrors.
  • It wasn’t an accusatory presentation calling NIST a bunch of crooks.
  • It was basically Guy, on stage, saying that we didn’t do well.
  • And that we would do better.

Now of course that in itself means nothing unless we actually DID better. The R&D team went to work and improved the algorithm, and continued with other advances such as supporting complete 1000 pixel per inch systems as Sweden demanded.

But from a product marketing perspective, Motorola’s initial messaging to its customers was critically important.

Because if Motorola didn’t publicly address its FpVTE 2003 performance, then the only people talking about it would be Cogent, NEC, and Sagem Morpho.

And you don’t want to let your competitors deliver your message and steal your prospects.

Responsible Retail Artificial Intelligence

I missed this announcement in December, but it carries an important message.

“Gatekeeper Systems, a pioneer in intelligent theft prevention solutions, today announced a significant enhancement to its FaceFirst® platform with the integration of technology from ROC.”

That’s the firm formerly known as Rank One Computing.

The important message is deeper in the press release.

“‘Facial recognition in retail must be fast, accurate, and accountable,’ said Robert Harling, CEO of Gatekeeper Systems. ‘By embedding ROC’s NIST-verified algorithm directly into FaceFirst, we’re giving retailers a system that performs in real time and stands up to public, operational, and legal scrutiny. It’s AI you can trust—and accuracy you can prove.’”

The “accountable” and “prove” part comes from ROC’s demonstrated results in NIST FRTE testing. As well as the fact that people using Gatekeeper Systems now know whose facial recognition algorithm they’re using.

It still shocks me when a company says that it’s using an algorithm, but doesn’t say whose algorithm it’s using.

If you want to say the right stuff, Bredemarket can write your biometric company’s product marketing content.

Injection Attack Detection, CEN/TS 18099:2025, and iProov

Most identity and biometric marketing leaders know that their products should detect attacks, including injection attacks. But do the products detect attacks? And do prospects know that the products detect attacks? (iProov prospects know. Or should know.)

I’ve mentioned injection attack detection a couple of times on the Bredemarket blog, noting its difference from presentation attack detection. While the latter affects what is shown to the biometric reader, the former bypasses the biometric reader entirely.

But I haven’t mentioned how vendors can secure independent confirmation of their injection attack defenses.

European Committee for Standardization (CEN)

Here’s part of what ID Tech Wire said a year ago.

“A new European technical standard, CEN/TS 18099:2025, has been published to address the growing concern of biometric data injection attacks. The standard provides a framework for evaluating the effectiveness of identity verification (IDV) vendors in detecting and mitigating these attacks, filling a critical gap left by existing regulations.”

Being a baseball hot dogs apple pie guy, I had never heard of CEN. Now I have.

“CEN, the European Committee for Standardization, is an association that brings together the National Standardization Bodies of 34 European countries.

“CEN provides a platform for the development of European Standards and other technical documents in relation to various kinds of products, materials, services and processes.”

And before you say that them furriner Europeans couldn’t possibly understand the nuances of good ol’ Murican injection attacks, look at all the countries that follow biometric interchange guidance from the American National Standards Institute (ANSI) and the National Institute of Standards and Technology (NIST).

So CEN is good.

But let’s get to THIS standard.

More on CEN/TS 18099:2025

The Biometric Data Injection Attack Detection standard can be found at multiple locations, including the aforementioned ANSI. From the current 2025 version:

“This document provides an overview of: 

– Definitions of biometric data injection attacks; 

– Use cases for injection attacks with biometric data on essential hardware components of biometric systems used for enrollment and verification; 

– Tools for injection attacks on systems using one or more biometric modalities. 

This document provides guidance for: 

– Injection Attack Instrument Detection System (defined in 3.12); 

– adequate risk mitigation for injection attack tools; 

– Creation of a test plan for the evaluation of an injection attack detection system (defined in 3.9).”

Like (most) good standards, you have to buy it. Current Murican price is $99.

You can see how this parallels the existing standard for presentation attack detection testing.

Which brings us to iProov…and Ingenium

iProov is a company in the United Kingdom. This post does not address whether the United Kingdom is part of Europe; I assigned that thankless task to Bredebot. But iProov does pay attention to European standards, according to this statement:

“[iProov] announced that its Dynamic Liveness technology is the first and only solution to successfully achieve an Ingenium Level 4 evaluation and the CEN/TS 18099 High technical specification for Injection Attack Detection, following an independent evaluation by the ISO/IEC 17025-accredited, Ingenium Biometric Laboratories. Ingenium Level 4 builds on the requirements outlined in CEN/TS 18099, providing an increased level of assurance with an extended period of active testing and inclusion of complex, highly-weighted attack types.”

Ingenium’s injection attack detection testing is arranged in five levels/tiers. The first two correspond to the “substantial” and “high” evaluation levels in CEN/TS 18099:2025. The final three levels exceed the standard.

Level 4:

“Level 4: A 40-day FTE evaluation that further exceeds the CEN TS 18099:2025 standard. Level 4 maintains a high attack weighting while specifically targeting the IAI detection capabilities of your system. Although not a formal PAD (Presentation Attack Detection) assessment, this level offers valuable insights into your system’s PAD subsystem resilience.”

Because while they are technically different, injection attack detection and presentation attack detection are intertwined. 

Does your product detect attacks?

And if you adopt a customer focus, the customer doesn’t really care about the TYPE of attack. The customer ONLY cares about the attack itself, and whether or not the vendor detected and prevented it.

Identity/biometric marketing leaders, does your product offer independent confirmation of its attack detection capabilities? If not, do you publicize your own self-assertion of detection?

Because if you DON’T explicitly address attack detection, your prospects are forced to assume that you can’t detect attacks at all. And your prospects will avoid you as dangerous and gravitate to vendors who DO assert attack detection in some way.

And you will lose money.

Regardless of whether you are in the United States, United Kingdom, or the European continent…losing money is not good.

So don’t lose money. Tell your prospects about your attack detection. Or have Bredemarket help you tell them. Talk to me.

Biometric product marketing expert. This is NOT in the United Kingdom.

Postscript: Non iProov injection attack detection here.

Know Your Contactless Fingerprint Scanning History

As I write this, contactless fingerprint scanners cannot submit their prints to the U.S. Federal Bureau of Investigation’s (FBI) Next Generation Identification (NGI) system.

But the FBI does certify such scanners under a special category.

CFS flats from IDloop

Biometric Update recently wrote about one such scanner.

“Hungarian border police are exploring the use of contactless biometric technology made by German startup IDloop in border control and law enforcement….

“The product [CFS flats] was first introduced in 2024 and is the world’s first 3D contactless fingerprint scanner certified by the FBI, according to the firm.”

Note the last four words.

Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims. So it just says that THE FIRM SAYS it’s certified, and it’s the first.

Well, IDloop is half right.

Is IDloop’s CFS flats FBI certified?

The way to check certification is to go to the Certified Products List web page at the FBI Biometric Specifications website. You can go there yourself: https://fbibiospecs.fbi.gov/certifications-1/cpl

And if you do, scroll down to the “Firm” area and look for IDloop in the list of firms.

Yes, it’s there, and it has a certification under the Personal Identity Verification (PIV) specification, originally dated 10/30/2024, modified 1/28/2026.

From the CPL.

Here’s the description:

“CFS flats contactless, up to 4-finger, capture device at 500 ppi (PIV-071006) (original 10/24; algorithm update 1/26) Note: Device images a 3-dimensional object, but testing was primarily 2-dimensional – Not for use with CJIS systems.”

Again, the FBI isn’t allowing contactless submissions to CJIS systems such as NGI, in part because the Appendix F specifications assume analysis of fingerprint images on a 2-dimensional object. Obviously very, very difficult with contactless devices that capture 3-dimensional objects.

Is IDloop’s CFS flats first?

Again, here’s what IDloop claims.

“Introducing CFS flats—the world’s first FBI-certified 3D contactless fingerprint scanner.”

Um…perhaps I should share a bit of my personal history, for those who don’t know.

From 2009 to 2017 I worked for a company called MorphoTrak. Know where this is going?

But I’m not going to focus on my former employer.

Initial CPL search

Remember that unusual sentence that appears in IDloop’s description of its PIV certification?

“Device images a 3-dimensional object, but testing was primarily 2-dimensional”

I assert that if we can find ANY contactless product in the Certified Products List that uses that same language and was certified before 10/30/2024, then IDloop’s claim of being first is…somewhat inaccurate.

So I checked.

From the CPL.

Two products received PIV certification before October 2024, MorphoWave XP (July 2020) and MorphoWave TP (May 2024). The first was originally certified over 4 years BEFORE the IDloop product.

“MorphoWave XP (formerly MorphoWave Compact) contactless, up to 4-finger, livescan device at 500 ppi (PIV-071006) (alternate enrollment processing 6/23; name change 2/22; contrast stretch 9/21; original 7/20) Note: Device images a 3-dimensional object, but testing was primarily 2-dimensional – Not for use with CJIS systems.”

Subsequent CPL search

And what if you search for the word “contactless” instead and just look at the 4-finger PIV certifications?

If you do so, you can find certifications from 2019 and earlier for products from Advanced Optical Systems (October 2015, May 2017), Safran Morpho (November 2015, under the original name “Finger On The Fly”), and Thales (May 2019). All years BEFORE the IDloop product.

IDloop, meet Advanced Optical Systems

While Advanced Optical Systems is no more, let’s look at the description for that original AOS product.

“ANDI OTG contactless, up to 4-finger, livescan capture system at 500ppi (PIV-071006). Note: Device images a 3-dimensional object, but testing was only 2-dimensional – Not for use with CJIS systems”

Oh, and there was a press release:

“Huntsville, AL, November 30, 2015 (Newswire.com) – Advanced Optical Systems, Inc made the historic announcement today that their revolutionary, zero-contact “On The Go” fingerprint technology, ANDI® OTG, is the first non-contact fingerprint system to be certified by the US Federal Bureau of Investigation (FBI). The FBI added the device to the agency’s Certified Product List (CPL) on November 27th, 2015.”

So IDloop may be certified, but it’s NOT the first contactless 4-finger scanner to receive certification.

It should have fact checked with the biometric product marketing expert.

Biometric product marketing expert, somewhere an ocean away from Hungary.

Which Biometric Modalities Does NIST Investigate?

I’ve spent a lot of time in the Bredemarket blog looking at a variety of NIST studies of different biometric modalities.

But you can read up on them yourself.

NIST has investigated the following biometric modalities, using both definitions of the word biometrics:

But NIST has not spent taxpayer money researching other biometric modalities, such as tongue identification.

Biometric product marketing expert.