Security Operations · SY0-701 · Task 4.6

Biometrics — SY0-701

Biometrics for Security+ SY0-701: understand FMR vs FNMR, presentation attacks, and why biometrics are probabilistic — not secrets.

WHAT IT IS

A biometric is a measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant (NIST SP 800-12 Rev. 1). In authentication, it represents the "something you are" factor, one of the three distinct authentication factor types recognized by NIST SP 800-63-4: something you know, something you have, and something you are.

Physical characteristics include fingerprints, palm prints, facial features, iris patterns, and retina patterns. Behavioral characteristics include typing cadence, smartphone grip angle, and voice prints (NIST SP 800-63-4).


Mental model

Think of biometric authentication as a probabilistic comparison, not a lookup. Unlike a password (which is either correct or incorrect, i.e. deterministic), a biometric sample is captured at authentication time, converted into a template, and then compared against the reference template stored at enrollment using a similarity score. The system declares a match when that score crosses a configured threshold. This means biometric comparison is inherently probabilistic, not deterministic, a fact that shapes every security decision around its use (NIST SP 800-63B, Section 5.2.3).


When to use it

Biometrics cannot stand alone as an authenticator. NIST SP 800-63B (Section 5.2.3) specifies that biometrics can only function as part of multi-factor authentication paired with a physical authenticator — not as a standalone factor.

Scenario                                  | Appropriate? | Why
Fingerprint scan only to unlock a system  | No           | Biometric alone is not a complete authenticator per NIST SP 800-63B
Fingerprint + hardware token              | Yes          | Satisfies "something you are" + "something you have"
PIN + hardware token                      | Yes          | "Something you know" + "something you have"; no biometric needed
Biometric to verify a PIV card holder     | Yes          | Biometric sample compared to data on the activated physical card (FIPS 201-3)

COMMON MISCONCEPTION

The trap: treating biometric characteristics as secrets.

NIST SP 800-63B states explicitly that "biometric characteristics do not constitute secrets." This matters because the security model for biometrics is fundamentally different from a password. A password is a secret value that must be kept confidential to be useful. A fingerprint or facial geometry, by contrast, can be observed, photographed, or lifted from surfaces. The system's resistance to compromise comes from liveness detection and presentation attack detection (PAD), not from the secrecy of the characteristic itself.

A second, related misconception is that a zero False Match Rate is achievable or even desirable. Tightening the match threshold to reject more impostors simultaneously increases the rate at which legitimate users are rejected (False Non-Match Rate). These two error rates are in tension, and configuring a biometric system means accepting a tradeoff between them.


How it shows up on the exam

The cognitive target here is distinguishing how biometrics differ from other authentication factors and recognizing the consequences of those differences.

Candidates often confuse False Match Rate (FMR) and False Non-Match Rate (FNMR):

  • FMR (sometimes called false acceptance rate in older literature) — the proportion of zero-effort impostor attempt samples falsely declared to match the compared non-self template (NIST SP 800-76-2 via NIST glossary). A high FMR means impostors can get in.
  • FNMR — the rate at which legitimate users are denied. A high FNMR means authorized users are locked out.

Watch for questions that ask which error rate represents a security risk versus a usability risk. A misconfigured threshold that favors security (low FMR) raises FNMR and creates availability problems for legitimate users.
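The tradeoff above, as an added example written for this page (not code from NIST or any vendor): a small Python model that sweeps a match threshold over constructed genuine and impostor similarity scores and reports FMR and FNMR at each setting. The scores, the threshold values and the "score at or above threshold is a match" rule are assumptions made for illustration.

```python
"""Added example (not from this page or NIST): FMR vs FNMR over a threshold.

The similarity scores are constructed sample data (0.0 = no resemblance,
1.0 = identical), not real biometric measurements. The match rule is the
one the page describes: a score at or above the threshold is a match.
"""

# Constructed genuine-attempt scores: the enrolled user presenting again.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.58, 0.52]
# Constructed zero-effort impostor scores: other people, no spoofing effort.
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.55, 0.60, 0.63, 0.69]


def is_match(score: float, threshold: float) -> bool:
    """Probabilistic decision: declare a match when the score crosses the threshold."""
    return score >= threshold


def fmr(impostor_scores: list[float], threshold: float) -> float:
    """False Match Rate: fraction of impostor attempts wrongly accepted (security risk)."""
    return sum(is_match(s, threshold) for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores: list[float], threshold: float) -> float:
    """False Non-Match Rate: fraction of genuine attempts wrongly rejected (usability risk)."""
    return sum(not is_match(s, threshold) for s in genuine_scores) / len(genuine_scores)


def tradeoff_table(genuine_scores, impostor_scores, thresholds):
    """Rows of (threshold, FMR, FNMR). Tightening (raising) the threshold
    drives FMR down and FNMR up; with overlapping score distributions no
    threshold gets both to zero."""
    return [(t, fmr(impostor_scores, t), fnmr(genuine_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold where FMR and FNMR are closest: the equal error rate (EER) operating point."""
    return min(thresholds,
               key=lambda t: abs(fmr(impostor_scores, t) - fnmr(genuine_scores, t)))


if __name__ == "__main__":
    thresholds = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75]
    for t, fm, fn in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        lean = "favors security" if fm < fn else "favors usability"
        print(f"threshold={t:.2f}  FMR={fm:.2f}  FNMR={fn:.2f}  ({lean})")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds))
```

Running it shows FMR falling and FNMR rising as the threshold is raised, with the 0.70 setting reaching FMR 0 only at the cost of rejecting 40% of genuine attempts.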

Also watch for questions about presentation attacks — NIST SP 800-63-4 defines a presentation attack as a "presentation to the biometric data capture subsystem with the goal of interfering with the operation of the biometric system." NIST SP 800-63B recommends that systems implement presentation attack detection (PAD), described as an automated determination of a presentation attack that may involve measuring anatomical characteristics or detecting involuntary reactions to verify that a biometric sample originates from a living subject physically present at capture (NIST SP 800-63-4 via NIST glossary).

Signal phrases to recognize: "something you are," "false acceptance," "false rejection," "liveness detection," "presentation attack," "probabilistic," "PAD," "spoof."


Related concepts

  • Identity Lifecycle — biometric enrollment is a step in establishing and managing a digital identity over time.
  • Federation and SSO — federated identity systems may carry assurance levels derived from the authenticator types (including biometrics) used at the originating identity provider.
  • Access Control Models — the authentication factor type (including biometrics) informs the assurance level that access control policies may require before granting access to resources.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
