Skip to main content

Confidential Biometrics

Confidential Biometrics is enabled by TACEO:Match, TACEO's service for biometric feature matching in MPC. No plaintext biometric data leaves the user's device or passes through a single party. TACEO's threshold MPC stack evaluates biometric comparisons directly on secret shares, so the underlying templates are never reconstructed by any node, any server, or TACEO itself.

Proven at global scale

TACEO co-architected the MPC protocol now running World's iris-code uniqueness system in production at global scale. The same threshold computation model - secret-share the sensitive data, compute on shares, verify the result - is the foundation Confidential Biometrics is built on.

Why biometrics are different

Biometric data is unlike a password or a private key. You can rotate a key; you cannot rotate your iris or your palm.

  • Irrevocable. A leaked biometric template exposes a user forever. There is no recovery path equivalent to "change your password."
  • Population-scale damage. Centralized biometric databases are prime target for attacks.
  • Device-only matching is limiting. Keeping templates on device protects privacy but blocks the cross-organization checks that matter most: uniqueness across a system, sybil detection, sanctions screening.
  • Central servers break the trust model. Sending raw templates to a verification server requires trusting that server completely - with data that can never be changed if trust is violated.

Any architecture that solves these problems needs to run the comparison without ever centralizing the template in plaintext. That is exactly what MPC enables.

How MPC solves it

The core mechanic: a biometric template is split into cryptographic secret shares and distributed across independent MPC nodes on the TACEO Network. No single node holds a meaningful fragment of the template. Comparison, matching, and uniqueness checks are then computed on the shares directly.

Step by step:

  1. Template enrollment. The biometric template (e.g. an iris code) is secret-shared on the user's device or dedicated hardware before it leaves. The shares are distributed to the MPC network. No complete template exists outside the device.

  2. Matching in MPC. When verification is requested, the MPC nodes cooperate to evaluate the comparison function (e.g. Hamming distance for iris codes) on their respective shares. Each node only ever sees its own share; the comparison result is the only output.

  3. Threshold security. Templates are protected by the threshold assumption we know from MPC protocols.

What this enables

Use caseWhy MPC makes it possible
Population-scale uniqueness / sybil resistanceCompare against an enrolled set without centralizing templates or revealing which record matched
Cross-org deduplicationOrganizations contribute to a joint check without sharing their underlying biometric data with each other
Anonymous identity verificationProve a biometric matches an enrolled identity without revealing which identity

Underlying service

The low-level concepts and service documentation live under TACEO:Match in the TACEO Services section.

For adjacent reading: