The Hidden Number That Decides if Your Biometric Door Opens

Here's a question that should stop you cold: A facial recognition system scans someone at the door and returns a match score of 87 out of 100. Should the door open?

The honest answer is: it depends on a number someone typed into a configuration panel. Not the quality of the camera. Not the sophistication of the algorithm. A threshold. A single number, set by a human being during installation, that determines whether 87 means "welcome" or "denied." Move that number to 85, and the door swings open. Set it at 90, and the person stands there in the rain, badge-slapping the intercom.

That's the thing most buyers of biometric access control systems never find out until they're already locked in — figuratively and sometimes literally.

The Threshold Nobody Talks About

Every biometric access control system works the same way at its core. A sensor captures a face. An algorithm converts that face into a mathematical template — a set of numerical relationships between key points. That template gets compared to a stored version from enrollment. The comparison produces a score. Then the system asks: is this score high enough?

"High enough" is the threshold. And here's the paradox baked into every biometric system on earth: the moment you move the threshold in one direction to reduce one type of error, you automatically increase the other.

Set the bar very high — require a near-perfect match before granting access — and impostors almost never get through. That's good. But legitimate users who aged a few years, grew a beard, or showed up under flickering parking garage lights? Rejected. Over and over. CDVI explains this tradeoff precisely: tighten the threshold to eliminate false acceptances, and you create a high false rejection rate. Relax it to stop rejecting authorized people, and impostors gain a foothold.

These two error types have formal names. The False Accept Rate (FAR) measures how often the system lets in the wrong person. The False Reject Rate (FRR) measures how often it turns away the right one. They move in opposite directions. Always. There is no threshold setting that eliminates both simultaneously — which means every deployed biometric system is a compromise someone chose. This article is part of a series — start with Deepfakes Outpacing Governance Authenticity Triage Crisis.

There's a concept called the Equal Error Rate (EER) — the operating point where FAR and FRR happen to be equal. It's the most commonly cited benchmark in biometric evaluations, and it's genuinely useful as a neutral comparison point. A lower EER means a system handles the tradeoff more gracefully overall. But here's the thing: nobody actually runs a system at its EER. They set a threshold based on what they're protecting, who's walking through, and which failure mode they'd rather explain to their security director.

The Nightclub Security Guard Analogy

Think of a biometric system like a security guard at a nightclub who has been told to check IDs — but also told to set his own standard for what counts as a match. If he requires the photo to perfectly match the person standing in front of him — same lighting, same expression, same exact angle — almost nobody gets in. He'd turn away regulars whose hair changed. He'd reject people who aged two years since their photo was taken.

So he loosens his standard. He lets people in if they roughly look like their ID. Now things flow better. But someone shows up with their older sibling's ID. The photo's close enough. In they go. The security guard didn't fail because he has bad eyesight. He failed because of where he drew his line.

This is exactly what happens in a miscalibrated biometric access system. The camera sees fine. The algorithm computes fine. The threshold is just set for the wrong environment.

Liveness Detection: The Gate Before the Gate

Here's where it gets genuinely interesting. Most people think the matching score is the final decision. It isn't. Before that score even matters, a well-designed system runs a completely separate check: is this a real human face, or a representation of one?

This is called Presentation Attack Detection (PAD) — or liveness detection — and it is its own independent technical problem, entirely separate from face matching. According to CyberLink's technical analysis, the most common presentation attacks include printed photographs, electronic displays showing someone's photo, video replays on a screen, and sophisticated 3D masks. Each of these can fool a matching algorithm — even a very good one — because the algorithm is measuring geometry and texture, not aliveness.

NIST ran a formal evaluation of 82 passive liveness detection algorithms — passive meaning they don't require the user to blink, nod, or perform any challenge action. At a True Acceptance Rate fixed at 99%, the top-ranked algorithm achieved a 100% True Rejection Rate across three different video presentation attack tests. Every spoofing attempt blocked. Every legitimate user passed through. That's the benchmark. The gap between that result and typical commercial deployments is... significant. Previously in this series: Deepfake Mrbeast Ad Just Cost This Woman 14k And Your Verifi.

The critical point: a system can have excellent liveness detection and mediocre matching, or excellent matching and weak liveness detection. These are separate subsystems. A buyer who only evaluates matching accuracy is leaving half the door unlocked.

Why "98% Accuracy" Is Almost Meaningless

This is the misconception that costs organizations the most — not in breach incidents, but in misplaced confidence. When a vendor says their system achieves 98% accuracy, the number sounds decisive. It isn't.

The reason people get this wrong isn't lack of intelligence — it's that "accuracy" is a perfectly sensible concept in most contexts. If a thermometer is 98% accurate, you have a pretty good idea what it means. Biometric accuracy doesn't work that way, because the number only holds at a specific threshold, under specific conditions, against a specific test population.

As Bayometric's technical breakdown makes clear, FAR and FRR values are threshold-dependent. A system that achieves 98% accuracy at one operating point might accept impostors 1 in every 50 attempts at that setting — or it might reject legitimate employees 20 times per day. Without knowing both FAR and FRR simultaneously, the accuracy figure is decorative.

Add environmental variables and the number degrades further. Innovatrics notes that poor capture quality from dirt, moisture, inconsistent lighting, or temperature shifts can cause legitimate users to be rejected regardless of threshold setting — the captured biometric simply doesn't match the clean enrollment template. A 98%-accurate system tested in a bright, controlled lab may perform very differently in a dimly lit underground parking facility in January.

At CaraComp, we spend a lot of time thinking about exactly this gap — the distance between benchmark performance and deployed performance. It's one of the more humbling aspects of facial recognition work: the algorithm isn't the hard part. Making it work reliably in the actual physical environment, at the actual threshold the security policy demands, is where most of the real engineering lives.

"The number of false acceptances and false rejections are directly related — as one goes up, the other goes down." — Biometric Update, 2026 physical access control analysis

The Multimodal Escape Hatch

There is one way to break out of the threshold tradeoff — and it doesn't involve a better camera or a more powerful algorithm. It involves combining modalities. Up next: Deepfakes Just Cost One Firm 25m Your Investigation Could Be.

A multimodal system that uses face recognition alongside fingerprint scanning, for example, can achieve a False Reject Rate of 4.4% compared to 42.2% for face recognition alone — at the same False Accept Rate of 0.1%. That's not a minor improvement. That's the difference between turning away nearly half your authorized users and turning away roughly 1 in 22. Same security level. Dramatically better experience.

The reason this works is mathematically elegant: each modality has its own distribution of match scores, its own failure cases, its own environmental sensitivities. Fingerprints fail in cold weather. Faces fail under sunglasses. Combined, the failure modes rarely overlap — so the system can hold firm on security while dramatically reducing the odds of rejecting a legitimate user.

This is why serious high-security deployments almost never rely on a single biometric factor. Not because any individual technology is insufficient, but because the threshold problem has no clean solution within a single modality.

The global biometric physical access control market is forecast to surpass $9.84 billion by 2028. A lot of that money is going to be spent on systems that work beautifully in a showroom demonstration and perform inconsistently in a real building with real lighting and real people who look slightly different on a Tuesday morning than they did on enrollment day.

So here's the question worth sitting with: if you were evaluating biometric access for a high-security site, which failure would worry you more — letting in the wrong person once, or rejecting the right person 20 times a day? Your answer to that question is your threshold setting. And knowing that the question exists puts you ahead of most buyers before they've even asked for a demo.

Accuracy is a threshold decision, not a camera feature. Everything else follows from that.