ISO/IEC 24741:2024

International
Standard
ISO/IEC 24741
Third edition
Information technology —
2024-06
Biometrics — Overview and
application
Technologies de l'information — Biométrie — Aperçu général et
application
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms,definitions and abbreviated terms . 1
3.1 Terms and definitions .1
3.2 Abbreviated terms .1
4 Fundamentals of biometrics . . 2
4.1 Biometric characteristics .2
4.2 Biometric systems .3
5 History . 5
6 Overview of biometric technologies . 6
6.1 Finger and palm ridge recognition .6
6.1.1 Fingerprint imaging .6
6.1.2 Fingerprint comparison .7
6.1.3 Palm technologies .8
6.2 Face recognition .8
6.3 Iris recognition .9
6.4 Dynamic signature recognition . .9
6.5 Vascular recognition .10
6.6 Hand geometry recognition .10
6.7 Voice recognition .10
6.8 DNA recognition .11
6.9 Full body recognition.11
6.10 Gait recognition .11
6.11 Retina recognition .11
6.12 Keystroke recognition . 12
6.13 Scent and odour recognition . 12
6.14 Cardiogram recognition . 12
6.15 Multimodal biometrics . 12
7 General biometric system .12
7.1 Conceptual representation of general biometric system . 12
7.2 Conceptual components of a general biometric system . 13
7.2.1 Data capture . 13
7.2.2 Transmission . 13
7.2.3 Signal processing . 13
7.2.4 Data storage .14
7.2.5 Comparison .14
7.2.6 Decision .14
7.2.7 Administration . 15
7.2.8 Interface to external application . 15
7.3 Functions of general biometric system. 15
7.3.1 Enrolment . 15
7.3.2 Verification of a positive biometric claim .16
7.3.3 Identification .17
8 Example applications . 17
8.1 General .17
8.2 Physical access control .17
8.3 Logical access control . . .18
8.4 Time and attendance .18
8.5 Accountability .18
8.6 Electronic authorizations .18

© ISO/IEC 2024 – All rights reserved
iii
8.7 Government and citizen services .18
8.8 Border protection .19
8.8.1 ePassports and machine-readable travel documents .19
8.8.2 Automated border control (ABC) systems .19
8.8.3 Entry/exit systems .19
8.8.4 Visas .19
8.8.5 EURODAC . 20
8.9 Law enforcement . 20
8.10 Civil background checks . 20
8.11 Clustering . 20
9 Performance testing .20
9.1 General . 20
9.2 Types of technical tests . . .21
10 Biometric technical interfaces .22
10.1 Biometric data blocks (BDBs) and biometric information record (BIRs) . 22
10.2 Management of information on source of biometric data . 23
10.3 Service architectures . 23
10.4 The BioAPI application programming interface .24
10.5 The BioAPI interworking protocol (BIP) .24
11 Biometrics and information security .25
11.1 General . 25
11.2 Security of biometric data . 25
11.3 Presentation attack (spoofing) detection. 28
11.4 Integrity of the enrolment process . 28
12 Biometrics and privacy .29
12.1 General . 29
12.2 Privacy protections for biometric applications. 30
12.3 Proportional application of biometrics . 30
12.4 Biometric technology acceptability .31
12.5 Confidentiality of biometric data .31
12.6 Integrity of biometric data.31
12.7 Irreversibility of biometric data .32
12.8 Unlinkability of biometric information .32
13 Overview of biometric standardisation .32
13.1 Standards development organizations .32
13.2 Types of biometric standards . 33
13.2.1 Biometric data interchange format standards . 33
13.2.2 Biometric technical interface standards . 34
13.2.3 Biometric conformance testing standards . 34
13.2.4 Biometric sample quality standards . 35
13.2.5 Biometric application profile standards . 35
13.2.6 Biometric performance testing and reporting standards . 36
13.2.7 Biometric security standards .37
13.2.8 Biometric authentication standards .37
13.2.9 Standards on cross-jurisdictional and societal aspects of biometrics. 38
13.2.10 Biometric vocabulary standards . 39
13.3 Criteria for selecting a standard . 39
Bibliography . 41

© ISO/IEC 2024 – All rights reserved
iv
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 37, Biometrics.
This third edition cancels and replaces the second edition (ISO/IEC TR 24741:2018), which has been
technically revised.
The main change is as follows:
— Guidance is given on the international standards that underpin the use of biometric recognition systems.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2024 – All rights reserved
v
Introduction
“Biometric recognition” is the automated recognition of individuals based on their biological and
behavioural characteristics. The field is a subset of the broader field of human identification science. Example
technologies include, among others: fingerprint recognition, face recognition, hand geometry recognition,
speaker recognition and iris recognition.
Some techniques (such as iris recognition) are more biologically based, whereas some (such as signature
recognition) are more behaviourally based, but all techniques are influenced by both behavioural and
biological elements. There are no purely “behavioural” or “biological” biometric systems.
“Biometric recognition” is frequently referred to as simply “biometrics”, although the term “biometrics”
has also historically been associated with the statistical analysis of general biological data. The word
“biometrics”, like “genetics”, is usually treated as singular. It first appeared in the vocabulary of physical
and information security around 1980 as a substitute for the earlier descriptor “automatic personal
identification” in use in the 1970s. Biometric systems recognize “persons” by recognizing “bodies”. The
distinction between person and body is subtle but is of key importance in understanding the inherent
capabilities and limitations of these technologies. Within the context of JTC 1/SC 37 documents, biometrics
deals with computer-based recognition of patterns created by human behaviours and biological structures
and is usually associated more with the field of computer engineering and statistical pattern analysis than
with the behavioural or biological sciences.
Today, biometrics is used to recognize individuals in a wide variety of contexts, such as computer and physical
access control, law enforcement, voting, border control, social benefit programs and driver licencing.

© ISO/IEC 2024 – All rights reserved
vi
International Standard ISO/IEC 24741:2024(en)
Information technology — Biometrics — Overview and
application
1 Scope
This document describes the history and purpose of biometrics, the various biometric technologies in
general use today (for example, fingerprint recognition, face recognition and iris recognition) and the
architecture of the systems and the system processes that allow automated recognition using those
technologies. It provides information on the application of biometrics in various business domains, such as
border management, law enforcement and driver licencing. It also provides information on the societal and
jurisdictional considerations that are typically taken into account in biometric systems.
Additionally, this document provides guidance on the use of the International Standards that underpin the
use of biometric recognition systems.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37, Information technology — Vocabulary — Part 37: Biometrics
3 Terms,definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https:// www .electropedia .org/
— ISO Online browsing platform: available at https:// www .iso .org/ obp
3.2 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
ABC automated border control
API application programming interface
AFIS automated fingerprint identification system
ABIS automated biometric identification system
BDB biometric data block
BIAS biometric identity assurance services
BIR biometric information record

© ISO/IEC 2024 – All rights reserved
BIP Biometric Interworking Protocol
CBEFF Common Biometric Exchange Formats Framework
CNN convolutional neural network
DET detection error trade-off
DSV dynamic signature verification
DNA deoxyribonucleic acid
EU European Union
FBI Federal Bureau of Investigation
ICAO International Civil Aviation Organization
IR infrared
MAC message authentication code
MRTD machine-readable travel document
PET privacy enhancing technology
PCA principal component analysis
PIN personal identification number
RBR renewable biometric reference
SB security block
SBH standard biometric header
SOA service-oriented architecture
WSDL Web Service Description Language
4 Fundamentals of biometrics
4.1 Biometric characteristics
ISO/IEC 2382-37:2022 37.01.03 defines "biometrics" as an “automated recognition of individuals based on
their biological and behavioural characteristics”.
NOTE 1 The all-encompassing term “biometrics” refers to the application of biology to the modern methods
of statistics. In the context of this document, biometrics consists of automated technologies that analyse human
characteristics for recognition purposes; the general application of statistics to biological systems is a separate
discipline.
ISO/IEC 2382-37:2022 37.01.02 defines “biometric characteristic” as a “biological and behavioural
characteristic of an individual from which distinguishing, repeatable biometric features can be extracted
for the purpose of biometric recognition.” So, biometric technologies are related to physical parts of the
human body or the behavioural traits of human beings, and the recognition of individuals based on either or
both of those parts or traits. A fuller explanation of the various biometric technologies is given in Clause 6.
NOTE 2 ISO/IEC 2382-37 recommends the use of the term “biometric” only as an adjective and deprecates its use as
a noun in places where "biometric characteristic" is more appropriate.

© ISO/IEC 2024 – All rights reserved
The ideal biometric characteristic for all applications would have the following properties:
— Distinctive: Different across all subjects.
— Repeatable: Similar across time for each subject, over a long time period (several years).
— Accessible: Easily presented to a capture device (for example, camera or fingerprint capture device or
finger-geometry measurement device).
— Universal: Observable on all people.
— Acceptable: The subject is prepared to use the biometric characteristic in the given application.
Unfortunately, no biometric characteristic has all of the above properties and practical biometric
technologies inevitably compromise on every point.
— There are great similarities among different individuals.
— Biometric characteristics change over time.
— Some physical limitations prevent presentation.
— Not all people have all characteristics.
— “Acceptability” is subjective.
Consequently, the challenge of biometric deployment is to develop robust systems to deal with the vagaries
and variations of human beings.
4.2 Biometric systems
[28]
It has been recognized since 1970 that there are three pillars of automated personal recognition for
access control applications:
a) something known or memorized;
b) something carried;
c) a personal physical or behavioural characteristic.
The underlying assumptions are that individuals authorized to access secure data will cooperatively make
positive claims (e.g. “I am authorized to access data on the system”) and can be counted on to protect
their personal identification numbers (PINs) and passwords. In such applications, biometric technologies
compete with PINs, passwords and tokens. For example, most web-based access control requires a user
ID and an associated password, not biometrics. Passwords have been more widespread than biometrics
in such applications because they are easily replaced, can vary across applications, require no specialized
acquisition hardware, can be created with different levels of security and are exactly repeatable under
conscious control.
However, in many applications, PINs, passwords and tokens cannot meet the security requirements. For
example, PINs, passwords and tokens cannot logically be used in applications where enrolled individuals
have little motivation to protect their accounts against use by others, such as with amusement parks.
Similarly, in applications where the claim is negative (e.g. “I am not enrolled in the system as Pat”) PINs,
passwords and tokens cannot logically meet the requirements of demonstrating the truth of the claim.
Biometric systems recognize individuals by observing physical and behavioural characteristics of their
bodies. Biometric characteristics are not as easy to transfer, forget or steal as PINs, passwords and tokens, so
they can be used in applications for which these other authentication methods are inappropriate. Biometrics
can be combined with PINs and tokens into “multifactor” systems for added security.
Although biometric technologies cannot directly “identify” individuals, they can link bodies to records of
attributes, hereinafter referred to as “identities”. Consequently, biometric recognition can become part of an
identity management system.
© ISO/IEC 2024 – All rights reserved
Biometric recognition is used in two main classes of applications.
1) Biometric verification applications, i.e. applications that use biometric comparison to verify a biometric
“claim of identity”.
2) Biometric identification applications, i.e. applications that search a database of the biometric references
of known individuals to find and return the identifier attributable to a single individual.
Biometric systems can also be used to “cluster” characteristics, labelling together those that come from the
same bodily source (i.e. from the same individual and biometric instance) even when the bodily source cannot
be attributed to any known individual. Such types of systems are gaining application in law enforcement.
Biometric verification systems verify claims (test hypotheses) regarding the source of a biometric data
record in a database. The claim can be made by the individual presenting a biometric sample (e.g. “I am the
source of a biometric data record in the database”) or the claim can be made about the source by another
actor in the system (“She is the source of a biometric data record in the database”). The claims can be positive
(“I am the source of a biometric record in the database”) or negative (“I am not the source of a biometric record
in the database”). Claims can be specific (“I am the source of biometric record A in the database”) or unspecific
(“I am not the source of any biometric record in the database”). Any combination of specific or unspecific,
positive or negative, first-person or third-person, is possible in a claim.
According to ISO/IEC 2382-37, an individual’s biometric data record in a database is referred to as a
“biometric reference” and the biometric sample used for comparison with the stored biometric reference
is referred to as a “biometric probe”. It is possible to either look for a “match” between the biometric probe
of an individual and an identified biometric reference stored in the database, or to search a population of
biometric references in a database for a match with the supplied biometric probe and return an identifier for
any reference that matches. In both cases, it is necessary to set thresholds for how close the similarity has
to be before the biometric probe and the biometric reference can be considered to have come from the same
bodily source (a “match”). Of course, errors can be made, either by a “false non-match” failing to correctly
declare a “match” when the probe and reference are indeed from the same bodily source, or by a “false
match” incorrectly declaring a match when the probe and reference are from different bodily sources. The
proportion of such errors over the total number of comparisons are referred to as the “false match rate” and
the “false non-match rate” for a given technology and a given population in a given application environment.
Systems requiring a positive claim to a specific enrolled reference treat the biometric reference as an
attribute of the enrolment record. These systems verify that the biometric reference in the claimed enrolment
record matches the probe sample submitted by the subject. Some systems, such as those for social services
and driver licencing, verify negative claims of no biometric data record already in the database by treating
the biometric reference as a record identifier or pointer. These systems search the database of biometric
pointers to find one matching the submitted biometric probe (this process is one of biometric identification).
However, the act of finding an identifier (or pointer) in a list of identifiers also verifies an unspecified claim
of enrolment in the database, and not finding a pointer verifies a negative claim of enrolment. Consequently,
the differentiation between “identification” and “verification” systems is not always clear and these terms
are not mutually exclusive.
Usernames, identification numbers, personal smart cards or security tokens are often used to enter specific
biometric claims into biometric verification systems.
For example, a subject can claim to be the source of the fingerprint biometric reference stored on an
immigration card. To prove the claim, the subject inserts the card into a card reader which reads the
reference record, then places their finger on the fingerprint capture device. The system compares the
biometric characteristics of the fingerprint on the reader with those of the reference recorded on the card.
The system can conclude, in accordance with defined thresholds, that the subject is indeed the source of
the reference on the card, and therefore is afforded the rights and privileges associated with the card. This
does, of course, assume that the card has not been forged. All that the biometric verification achieves is to
determine that the human being has presented biometric characteristics that are a close match to those
recorded on the card.
Simple “identification” can require the comparison of the submitted biometric sample with all of the
biometric references stored in the database. The state of California requires applicants for social service
benefits to verify the negative claim of no previously enrolled identity in the system by submitting

© ISO/IEC 2024 – All rights reserved
fingerprints from both index fingers. Depending upon the specific automated search strategy, these
fingerprints can be searched against the entire database of enrolled benefit recipients, or just the part of
the database corresponding to subjects of the same sex as the applicant, in order to verify that there are
no matching fingerprints already in the system. If matching fingerprints are found, the enrolment record
pointed to by those fingerprints is returned to the system administrator to confirm the rejection of the
applicant’s claim of no previous enrolment.
The number of comparisons to be made, and the prior probabilities that those comparisons will result in a
match (determination that biometric probe and reference have the same bodily source) depend upon both
the claim and the system architecture. The security risk posed by a wrong determination will also vary
by system function. Consequently, some systems are very sensitive to false matches (false positives), while
some systems are very sensitive to false non-matches (false negatives) for any comparison. Depending upon
the claim, either a false positive or a false negative can result in either a false acceptance or false rejection of
the claim.
5 History
Biometric characteristics have been used for centuries in a non-automated way. Parts of our bodies and
aspects of our behaviour have historically been used, and continue to be used, as a means of identification.
The use of fingerprinting dates back to ancient China, individuals are remembered and identified by their
face or by the sound of their voice, and signatures are the established method of authentication in banking,
for legal contracts and many other ways of life.
The modern science of recognizing people based on physical measurements owes much to the French police
[4]
clerk, Alphonse Bertillon, who began his work in the late 1870s. The Bertillon system involved multiple
measurements, including: height, weight, the length and width of the head, width of the cheeks, and the
lengths of the trunk, feet, ears, forearms, and middle and little fingers. Categorization of iris colour and
pattern was also included in the system. By the 1880s, the Bertillon system was in use in France to identify
repeat criminal offenders. Use of the system in the United States (US) for the identification of prisoners
began shortly thereafter and continued into the 1920s.
Although research on fingerprinting, began in the late 1850s, knowledge of the technique did not become
[16][26]
widespread in the western world until the 1880s when it was popularized scientifically by Sir Francis
[20] [60]
Galton and in literature by Mark Twain. Galton’s work also included the identification of individuals
from profile facial measurements.
By the mid-1920s, fingerprinting had completely replaced the Bertillon system within the U.S. Bureau of
Investigation (later to become the Federal Bureau of Investigation). However, research on new methods of
[45]
human identification continued in the scientific world. Handwriting analysis was recognized by 1929
[55]
and retinal identification was suggested in 1935. However, at this time, none of these techniques were
automated.
Work in automated speaker recognition can be traced directly to experiments with analogue filters done in
[49] [13] [50]
the 1940s and early 1950s. With the computer revolution picking up speed in the 1960s, speaker
[58]
and fingerprint pattern recognition were among the very first applications in automated signal
processing. By 1963, a wide, diverse market for automated fingerprint recognition was identified, with
potential applications in credit systems, industrial and military security systems and for personal locks.
[59] [6][21]
Computerized face recognition research followed. In the 1970s, the first operational fingerprint
and hand geometry recognition systems were fielded, results from formal biometric system tests were
[44] [39][17]
reported, measures from multiple biometric devices were combined and government testing
[38]
guidelines were published.
Running parallel to the development of hand recognition technology, fingerprint recognition was making
progress in the 1960s and 1970s. During this time, a number of companies were involved in automating the
identification of fingerprints to assist law enforcers. The manual process of comparing fingerprints against
criminal records was laborious and used up too much manpower. Various fingerprint identification systems
developed for the FBI in the 1960s and 1970s increased the level of automation, but these were ultimately
based on fingerprint comparisons by trained examiners. Automated fingerprint identification systems
(AFIS) were first implemented in the late 1970s, most notably by the Royal Canadian Mounted Police in

© ISO/IEC 2024 – All rights reserved
1977. The role of biometrics in law enforcement has grown exponentially since then and AFIS are used by
a significant number of police forces across the globe. Building on this early success, biometric applications
are now being explored in a range of civilian markets.
In the 1980s, fingerprint capture devices and speaker recognition systems were connected to personal
[19]
computers to control access to stored information. Based on a concept patented in the 1980s, iris
[14]
recognition systems became available in the mid-1990s. Today, there are close to a dozen approaches
used in commercially available systems, utilizing hand and finger geometry, iris and fingerprint patterns,
face images, voice and signature dynamics, computer keystroke, and hand/finger vein patterns.
Today’s speaker verification systems have their roots in technological achievements of the 1960s, while
biometric technologies such as iris, finger vein, and face recognition are relative newcomers to the industry.
Research in universities and by biometric vendors throughout the globe is essential for refining the
performance of existing biometric technologies, while developing new and more di
...