Identity & Access Control
False Acceptance Rate
The false acceptance rate is a biometric performance metric measuring how often a system incorrectly accepts an unauthorized person as a legitimate match, expressed as the proportion of impostor attempts that are wrongly granted.
In plain terms
The false acceptance rate is how often a biometric system lets in the wrong person. A fingerprint or face scanner that mistakes an impostor for the real user has produced a false acceptance. Lower is more secure, but pushing it down usually makes the system reject more genuine users too.
The false acceptance rate, abbreviated FAR, is a core performance metric for biometric authentication systems. It measures the frequency with which the system incorrectly accepts an impostor, meaning it declares a match between a presented biometric sample and a stored template that belong to different people. Expressed as a probability or percentage, the FAR captures the security-relevant failure mode of biometrics: granting access to someone who should not have it. From a security standpoint it is the metric that most directly reflects how easily an unauthorized person might be admitted by chance or by similarity.
Biometric matching is probabilistic rather than exact. Unlike a password, which either matches or does not, a biometric comparison produces a similarity score reflecting how closely a presented sample resembles the enrolled template. The system applies a decision threshold to that score: scores above the threshold are accepted as matches, and scores below are rejected. The false acceptance rate is determined by how many impostor comparisons happen to score above the threshold. Because no two captures of the same trait are ever identical and different people can produce similar-looking samples, some impostor acceptances are statistically inevitable unless the threshold is set very high.
The FAR cannot be understood in isolation, because it trades off directly against the false rejection rate, or FRR, which measures how often the system wrongly rejects a legitimate user. Raising the decision threshold makes the system stricter: fewer impostors are accepted, lowering the FAR, but more genuine users are also turned away, raising the FRR. Lowering the threshold has the opposite effect. This tension is fundamental to all biometric systems, and choosing a threshold is therefore a security-versus-usability decision rather than a purely technical one. The point at which the two rates are equal is called the equal error rate, or EER, and it is often used as a single summary figure to compare the overall accuracy of different biometric systems.
The appropriate operating point depends on the context and the consequences of each error. A high-security application, such as access to a sensitive facility or a critical system, will favor a low false acceptance rate even at the cost of more false rejections, because wrongly admitting an impostor is far more damaging than inconveniencing a legitimate user who must try again. A high-convenience application, such as unlocking a personal device, may tolerate a somewhat higher FAR to keep the experience smooth, often combining the biometric with other factors so that a single false acceptance does not by itself grant meaningful access. The right balance is a risk decision tied to what a wrongful acceptance would actually allow.
The false acceptance rate is also distinct from, though related to, the broader concept of false positives in detection systems. In both cases the system wrongly says yes, but the FAR specifically describes biometric matching of impostor attempts under normal conditions. It does not by itself account for deliberate spoofing or presentation attacks, where an adversary uses a fake fingerprint, a photograph, a mask, or a recording to defeat the sensor. Resistance to such attacks is measured separately, often through presentation attack detection metrics, and a system can have an excellent FAR against casual impostors while still being vulnerable to a determined spoofing attempt. Evaluating biometric security requires looking at both the statistical match rates and the system’s resistance to active deception.
In practice, the false acceptance rate is a key figure for anyone selecting, configuring, or assessing biometric authentication. It quantifies the chance of admitting the wrong person, it must be weighed against the false rejection rate and the equal error rate to understand the usability cost, and it should be considered alongside anti-spoofing capabilities rather than treated as a complete measure of security. Understanding the FAR makes clear why biometrics are usually deployed as one factor among several, and why the threshold behind a fingerprint or face unlock is a deliberate security decision rather than a fixed property of the technology.