Privacy-Preserving Biometric Authentication in Resource-Constrained Environments: A PRISMA Systematic Review of Multimodal and Fuzzy-Vault Methods

Abstract

As micro, small and medium-sized enterprises (MSMEs) compete with limited resources, lightweight systems are needed to secure their digital assets. Fuzzy vaults (FVs) are useful for protecting secrets and, when applied to biometric systems, provide error-tolerance and privacy to enrolled biometric features. Combining multiple biometric traits also improves performance against attacks like spoofing in multimodal (MM) authentication systems. However, the design of the FV and the biometric-fusion method applied can limit the system’s effectiveness. This study systematically evaluates recent studies on FVs and MM systems and presents an up-to-date review to identify gaps, give directions for future studies, and, ultimately, improve the design of these systems. The research targeting MSMEs was carried out in two parts, with the first search focused on MM systems and the second on FVs, following the PRISMA guidelines. The main findings include the need to optimise the resource intensity of FV systems for the authentication of large numbers of individuals. It also found the need to make the model compatible with other biometric modalities as greater focus is on minutiae features. By reviewing these systems, we aim to foster the development of lightweight MM FV models to provide privacy and security in MSMEs.

1. Introduction

Data volume, value and velocity have rapidly increased over the years. This increase in data has been greatly motivated by business organisations that have taken the course to digitise more aspects of their businesses [1]. These organisations have also found the need to manage their data using digital technologies, which enhances the smooth operation of their businesses and ensures that they stay competitive [2]. The move towards digitising their data assets is a significant leap for them; however, this move brings a corresponding increase in the surface area for cyberattacks, emphasising the need for enhanced resilience in authentication systems [3]. Among business organisations, a highly significant group is the MSMEs as they constitute 90% of all businesses globally, and 99% of businesses in the US, UK and EU combined [4,5]. MSMEs are defined by the UK government as having a maximum turnover of less than 50 million euros or a balance sheet total of less than 40 million euros and a staff strength of less than 250 [6]. This limited turnover causes such organisations to focus less on security and more on the day-to-day cost of running the business, putting them and their customers at a great security risk. Also, although small, such organisations are vital for many economies as, although individually their turnover may be small, overall, such organisations are numerous and hold many customers’ details. Thus, MSMEs need cost- and resource-efficient, yet highly robust biometric-authentication systems [7]. Limited resources are a vivid challenge faced by these organisations and this is evident in the nature and complexity of the many security systems they typically adopt compared to larger organisations, as seen in Figure 1.

According to the literature, about 86% of MSMEs have no effective cyber-attack-mitigation means. Moreover, many of these depend solely on antivirus software [8]. Security systems like firewalls are adopted to secure networks by checking each incoming and outgoing packet to decide which to accept or reject based on a defined policy [9]. As seen in Figure 1, firewalls and antivirus software are used in both large organisations and MSMEs. However, the limited computational power of the systems used causes MSMEs to employ basic firewalls, which may not permit features like the dynamic creation of additional tasks and can limit the effectiveness of their control action [10].

Authentication systems traditionally used knowledge- or object-based systems like passwords and key cards. However, using passwords and other knowledge-based or object-based methods provided limited data protection to data assets [11,12]. These methods are limited because passwords can be guessed—either manually or by guessing algorithms to generate a match that provides access. Although strong passwords are considered secure, users find it easier to remember weaker passwords and often depend on this [13,14]. Aside from having passwords guessed, genuine users can forget their passwords, temporarily or permanently denying them access to critical content [15]. It is also easy to lose key cards or have them fall into the wrong hands. The limitations of knowledge- and object-based approaches increased the focus on biometrics as a substitute or an extra level of protection for digital assets. Biometrics are unique traits that may be morphological, biomolecular or behavioural and are used to recognise an individual’s identity or verify a claimed identity, as seen in Figure 2. The use of biometrics in authentication goes a long way in terms of securing digital assets, but it brings about the need to ensure the privacy and security of biometric templates. This need occurs because, if the template is stolen, imposters can easily prepare a presentation attack and, if the biometric system allows, they can gain access to the genuine user’s digital assets. Recently, with advances in the development of artificial intelligence (AI), another concern for biometric-authentication systems is synthetic identity fraud. With this form of attack, the attackers do not necessarily need to steal the actual biometric template, but can simply synthetically compile fabricated personal information and use it to create an individual who digitally exists [16]. The synthetic identity can be used in creating a presentation attack that, without proper defence in the system, may then be used in carrying out fraud, leading to major financial losses. A form of attack like spoofing was one of the threats facing earlier biometric systems. These systems used a single trait for authentication. However, the introduction of more than one trait in authentication was a core solution to the pending limitation [17]. Biometric systems that combine more than one biometric trait for their operation are called multimodal (MM) biometric systems. The application of these systems to cater to the needs of MSMEs forms a major area of this review.

As mentioned earlier, MSMEs’ biometric systems need to protect biometric templates as they are processed to achieve authentication. Fuzzy vaults (FVs) [18] are, thus, a helpful tool that provides privacy for biometric data as they provide secret protection in biometric systems. This technology is valuable because it does not store the actual templates; instead, it utilises the template’s features to lock and unlock the protected secret. These systems, as applied to the needs of MSMEs, are another major area to be reviewed.

Considering biometric data privacy and security in MSMEs, this review focuses on the various designs of biometric systems that prevent unauthorised access, leakage, or misuse of biometric data while simultaneously protecting valuable assets. Figure 2 shows the taxonomy of biometric data privacy and security in MSMEs, as considered by this study. The study is a high-level study; however, to systematically review the topic, it starts by assessing the various biometric data sources and highlights some use cases in MSMEs. Biometric data sources capture the features of the biometric trait for processing. The choice of biometric trait adopted for authentication depends on various factors, such as the type of security required in the system, the level of accuracy obtainable from the modality, the ease of data acquisition from the modality, and more [19]. However, these traits must have a general characteristic that matches the description below [20]:

1. 

Universality: The feature must be present in all or most individuals using the system.

2. 

Distinctiveness: No two individuals should have the same characteristics or traits.

3. 

Permanence: A specific trait must be fixed in its representation and not change over time.

4. 

Collectability: The trait must be easy to acquire for authentication.

5. 

Acceptability: The use of the trait for authentication must be generally accepted by most people.

6. 

Performance: This measures the efficiency achieved by adopting a biometric trait for authentication.

After the capture, biometric processing technologies refer to the methods, algorithms, and systems used to process, analyse, and interpret biometric data to identify or verify individuals based on their unique physiological or behavioural traits. As seen in the taxonomy, after the initial biometric processing, another area of interest is biometric template security and privacy. This area examines the various methods that prevent a biometric template, which may be stored in a database, from being lost, misused, or stolen.

1.1. Distinctions from Existing Studies

There are quite a number of existing studies that are related to this research. This study distinguishes itself through its unique focus on MSMEs and resource-constrained environments, whereas other reviews, while comprehensive in their own right, are limited by their narrow scopes [21,22] or lack of practical business-contextualisation [23,24,25,26,27]:

Modality-Specific Limitations: Many sources focus exclusively on a single trait, such as finger-vein recognition [23], hand-based biometrics [24,25], fingerprint systems [26], or 3D biometrics [27]. They lack the broad multi-trait perspective applied to MSME needs.

Hardware/Platform-Specific Limitations: Ref. [28] is limited to smartphone-based behavioral biometrics. While relevant, it does not address the broader infrastructure needs of a small business enterprise.

Domain-Specific Niche Focus: Ref. [21] focuses narrowly on young children in learning analytics, and [22] focuses on distance learning. These may not offer generalisable security frameworks for the global business sector.

Generic Architectural Focus: Some studies [29,30,31] provide high-level surveys of biometric recognition, audio-visual systems, or continuous authentication. However, none of these cover the specific integration of FV-template protection for resource-constrained environments that this study considers.

Lack of Practical “Lightweight” Roadmaps: While several related studies discuss “future directions,”—as seen in later chapters, only this study explicitly aims to foster the development of lightweight MM FV models specifically tailored for businesses with limited turnover and staff.

1.2. Novelty of the Study

While recent surveys have reviewed biometric recognition, multimodal fusion, behavioural biometrics, hand-based biometrics, continuous authentication, template protection, or presentation attacks, these studies generally treat recognition performance, template protection, and deployment feasibility as separate concerns, as will be seen in Section 2.7. The present review differs by examining MM biometrics and FVs together through the specific lens of MSME deployment, where privacy, security, recognition accuracy, computational affordability, and operational risk must be considered simultaneously. The value of this approach is summarised in

Table 1. Insights from a combined review perspective in this study.

Combined Perspective	Unique Insight Produced
MM biometrics + FV	Accuracy gains from MM systems do not automatically translate into template security unless linked to protection mechanisms such as FVs.
FV + MSMEs	Stronger vault parameters may improve protection but may increase computational overhead, latency, and deployment cost.
MM biometrics + MSMEs	Multimodal systems may improve robustness, but they also increase sensor cost, processing complexity, and usability burden.
MM + FV + MSMEs	The best future direction is not just higher accuracy, but lightweight, attack-aware, template-protected multimodal designs suitable for constrained environments.

below.

To the best of the researchers’ knowledge, this is the first study that reviews both MM biometric systems and FV systems to identify gaps that, if focused on, will significantly advance biometric data privacy and security in MSMEs. The study also offers an up-to-date (from 2019 to 2024) systematic review carried out transparently and following the PRISMA 2020 guidelines. This study also highlights some of the latest and best datasets used in experimentation in the most recent studies, providing a basis for further design and evaluation of MM and FV-related systems. The review also explores the most recent and best feature extraction, classification, and fusion methodologies with the potential to improve privacy and security in biometric systems in MSMEs. The study finally summarises and evaluates past findings, with many pending issues and future directions highlighted.

1.3. Research Questions

Research questions form a fundamental base for a project or a review. These also set the study direction in any discipline based on the stated methodology.

Table 2. Table showing the research questions and the motivations.

Research Questions
Q1: How are multimodal biometric systems defined and structured in the literature, including their architectures and fusion strategies?
Q2: What are the fundamental design principles and operational mechanisms of fuzzy-vault schemes for biometric template protection?
Q3: Which biometric modalities are used in multimodal biometric systems, and how do they affect system performance?
Q4: How are multimodal biometric systems designed to enhance privacy and security?
Q5: Which datasets are used to develop and evaluate multimodal biometric systems?
Q6: How are fuzzy-vault schemes applied in biometric systems to improve privacy and security?

highlights the various questions guiding this review.

The main contributions of this paper can be summarised as follows:

• Analysing recent and best methods and applications of MM biometric and FV systems. This also shows the effectiveness of such studies.
• Highlighting the best databases available for use in recent studies, which may apply to novel studies.
• Identifying gaps in MM biometric and FV system studies that, if addressed, could enhance the performance of such systems in MSMEs.
• Recommending facial and iris traits as an efficient MM combination for quick authentication and to ensure reduced overheads when applying these MM biometrics to meet the needs of MSMEs.

The rest of the paper is organised as follows: In Section 2, an overview of the main areas related to MM and FV systems, including their structure and classification, is given. Section 3 gives the methodology applied in carrying out this study. Section 4 discusses in detail the findings from the study. Section 5 points to specific research gaps from the review. Finally, Section 6 concludes and gives directions for future research.

2. Biometric Privacy and Security in MSMEs

Over the years, biometric authentication has evolved from the early development of biometric systems to the present-day integrations of AI and blockchains, as highlighted in Figure 3.

Biometric privacy and security, as highlighted in earlier sections, is an important subject to focus on in any organisation that uses biometrics in some capacity. Although it is important to both large organisations and MSMEs, MSMEs are of particular interest in this review due to their limited resource capabilities, as established earlier. This section of the review provides a closer examination of the various techniques that serve as building blocks for MSME biometric security systems, including their functions, adopted traits, and an evaluation of their performance, among other aspects.

2.1. Multimodal and Fuzzy-Vault Systems in MSMEs

Due to the nature and complexity of the cybersecurity systems adopted by MSMEs, these organisations typically require affordable tools as they have a limited budget for cybersecurity [8,32]. They also prefer easy-to-use and comprehensible tools as they do not always have a dedicated cybersecurity team [32]. Finally, less time-consuming tools are selected as time is very valuable to these organisations [32].

The ISO/IEC 24745:2022 standard sets the requirements for biometric information protection, secure management and processing, threat analysis and countermeasures, binding biometric and identity references, and privacy protection [33].

The security requirements for biometric systems for protecting biometric information according to the standard [33] include:

-

Confidentiality: This ensures the system protects biometric data against unauthorised access or disclosure of its content.

-

Integrity: This property ensures that biometric data stays accurate and complete throughout the processing stages in biometric systems.

-

Renewability and revocability: A biometric system should ideally provide absolute resistance to attacks. However, this may not always be the case, so in the case of a compromised system leading to the loss of integrity of a biometric record, this property requires such a record to be revocable to prevent future unauthorised access.

-

Availability: This property requires that biometric information is accessible to authorised parties when needed.

In the MSME context, the security requirements are prioritised based on the organisation’s key valuable asset: the one on which their existence depends. Figure 4 shows an example that considers three types of MSMEs. In this scenario, MSMEs must prioritise based on the ranks shown to satisfy the nature of their business. If such organisations do not pay adequate attention to these areas, a cyberattack could cause serious damage to their business [34].

The adoption of biometrics in authentication systems in MSMEs comes with its challenges, including the issue of privacy. Biometric modalities are unique to individuals and do not change considerably throughout one’s lifetime. If the raw biometric data is stolen, the individual’s privacy may be compromised. Hence, there is a need to ensure the security and privacy of biometric data.

The privacy requirements according to the standard [33] include:

-

Irreversibility: Biometric data must be processed by irreversible algorithms before they may be stored to prevent alternative use of the captured data.

-

Unlinkability: This requires that biometric records cannot be recollected by linking stored templates across databases or applications.

-

Confidentiality: This property requires that biometric records are kept confidential and protected against access by unauthorised individuals.

The design of authentication systems in earlier times, thus, used a single biometric modality. However, such systems were later prone to attacks like spoofing, and such attacks caused major organisational losses due to record multiplicity (using multiple compromised helper data to reconstruct the original biometric data), among others. Biometric traits may be combined to form MM authentication systems, which overcome these limitations in unimodal systems [14,17,35]. MM biometric systems are, thus, setups that adopt more than one biometric modality to achieve identification or verification of a person’s identity. Following the first research question in Table 2, this definition will guide our understanding of the compositions of and variations in MM systems.

Some MM systems use separate multiple biometric traits; however, many combine them in various ways, usually through fusion. Fusion occurs at different levels depending on the position in the system, as seen in Figure 5. This includes:

• Sensor-level fusion (SLF) [36]
• Feature-level fusion (FLF) [37]
• Score/rank-level fusion (RLF) [38]
• Decision-level fusion (DLF) [39]
• Hybrid fusion-based approach (HFA) [40]

According to the ISO/IEC19795-1:2021 standard [41], the various biometric technologies typically have stages of biometric image acquisition and of biometric feature extraction, matching and creating a biometric data template that is securely stored in a database [42]. Biometric templates stored in databases make such databases a target for attacks, leading to the theft of biometric data if it is not stored securely enough.

FVs [18] are one of the effective secret protection methods that can provide privacy when used in biometric-authentication systems, as they do not store the actual templates in a database; rather, features of the template are used to form a set A that is cryptographically bound to the secret being protected [43]. Chaff points (random noise points, represented as pairs (x, y) that are added to the “pool” of points) are introduced to hide the actual points formed by set A and provide additional protection by making it difficult to distinguish one from the other. To unlock the vault, another set B, extracted from a biometric template, is compared with set A, having the chaff points and unlocking the vault if it significantly overlaps set A above a predefined threshold. The traditional FV can be mathematically represented as follows:

Given that ${\mathbb{F}}_q$ is a finite field, let the locking set be

$$A=\{a_1,a_2,\dots ,a_t\}\subset {\mathbb{F}}_q.$$

(1)

Let the secret $\kappa$ be encoded as a polynomial

$$p\left(x\right)=c_0+c_{1}x+\cdots +c_{k-1}{x}^{k-1},deg\left(p\right)\le k-1,$$

(2)

where the coefficients $(c_0,\dots ,c_{k-1})$ represent the secret $\kappa$.

Vault Construction:

The genuine point set is defined as

$$G=\{(a_i,p\left(a_i\right)):a_i\in A\}.$$

(3)

A set of chaff points is generated as

$$C={\left\{(x_j,y_j)\right\}}_{j=1}^{r-t}$$

(4)

such that $x_j\notin A,y_j\ne p\left(x_j\right).$

The fuzzy vault is then formed as $V=G\cup C.$

Equivalently,

$$V={\left\{(x_i,y_i)\right\}}_{i=1}^r,$$

(5)

where exactly t points lie on the polynomial $p\left(x\right)$ and $r-t$ are randomly generated chaff points.

Unlocking:

Given an unlocking set

$$B=\{b_1,b_2,\dots ,b_t\}\subset {\mathbb{F}}_q,$$

(6)

the subset of vault points corresponding to B is

$$Q=\left\{\right(x,y)\in V:x\in B\}.$$

(7)

A Reed–Solomon decoding algorithm is applied to Q to reconstruct a polynomial $\widehat{p}\left(x\right)$ of degree of at most $k-1$.

If successful, the secret is recovered as $\widehat{\kappa }\leftarrow \widehat{p}\left(x\right).$

This cryptographic construction provides error tolerance since sets A and B do not have to be exact. The traditional model was applied to fingerprint templates and based on comparing preregistered features with newly presented ones, known as minutia points [18]. The model may cause noise effects; however, its error-tolerant feature provides the reliable person identification suitable for MSMEs [44]. This study looks at the FV model to understand how it has been previously designed to enhance biometric privacy and security, and to answer the second research question highlighted in Table 2.

2.2. Functionalities of MSME Biometric Systems

Biometric systems used by MSMEs have three basic modes of operation. These modes are highlighted in Figure 6 and described as follows:

1. 

Enrolment mode: This mode involves capturing an individual’s specific unique biometric reference identifiers using a biometric reader for storage in the organisation’s database on a template. The individual’s related information is also mapped to the biometric data during enrolment [45].

2. 

Identification mode: This is the process where a biometric reader captures an unknown individual’s biometric data and searches the organisation’s biometric database with many stored templates to match it with the most similar template to confirm the individual’s identity. This mode involves a one-to-N mapping, where N is the number of biometric templates stored [46]. The outcome of this mode is either a positive or a negative identification if the biometric data presented matches or does not match any of the stored ones, respectively. In MSMEs, this mode may be applied to security systems for digital surveillance.

3. 

Verification mode: The verification mode, on the other hand, is a process where a biometric reader captures an individual’s biometric data for confirmation of their identity, which must have been previously provided [45]. However, this stage involves comparing the newly received biometric details and those previously stored in the organisation’s database to confirm the biometric claim. This mode involves a one-to-one mapping [46]. The outcome of this mode is either a positive or a negative verification if the presented biometric data matches or does not match the one stored, respectively [47]. The verification mode is used by MSMEs for biometric login and during financial transactions, as seen in Figure 6.

2.3. Biometric Traits for Authentication in MSMEs

The choice of a biometric trait for authentication in a biometric system depends on various factors. However, it is primarily dependent on the specific application, environmental conditions and the inherent characteristics of the biometric modality itself [48]. Biometric capture acts as the first stage in any of the functional modes of a biometric system, as seen in Figure 6. Biometric features can be broadly divided into morphological, bio-molecular and behavioural features, as seen in the taxonomy highlighted in Figure 2. The different groups are itemised below as background to their application and in preparation for answering the third research question highlighted in Table 2.

2.3.1. Morphological Biometrics

Morphological biometrics is a group of traits characterising the physical structure of an individual. These features include a person’s face, fingerprint, iris, and retina.

1. 

Face: Facial recognition technologies have been an area of interest for years. As far back as the 1960s, Woodrow Wilson Bledsoe, the father of facial recognition, created a system capable of manually organising facial images using a RAND tablet. The metrics collected and recorded were later entered into a database. The tablet captured the vertical and horizontal coordinates of the eyes, mouth, nose, etc. When a new image of the individual was entered, it could select the closest match of images within its database with an accuracy of up to 90% [49,50]. Facial recognition technologies have evolved over the years. In recent years, many facial recognition applications have been seen in MSMEs, like employee attendance monitoring, access control, theft prevention, and more.

2. 

Fingerprint: The use of fingerprints for authentication is the most widely adopted biometric trait. Traditionally, fingerprint authentication was used by governments for immigration control, forensics, and more. However, more recently, it has been applied to mobile phones for unlocking and verification during mobile payment [51] and for inventory protection [52] by MSMEs. The use of fingerprints is most successful because, among all the biometric traits, it is the most persistent—it does not change during a person’s lifetime, and it is the most unique, as no two people have the same fingerprint [53]. The trait is not without limitations. Fingerprints can be used in presentation attacks on smartphones while a person is asleep against their will [54]. This trait, which was traditionally captured using contact-based fingerprint sensors, underwent a dynamic change due to hygiene requirements that required contactless acquisition due to the COVID-19 pandemic [55]. Although there are contactless fingerprint sensors [55], contact-based fingerprint sensors are more typically used in systems. On the other hand, considering hygiene and the possibility of presentation attacks, face-recognition systems are touchless and can detect when eyes are closed. Fingerprint patterns vary over a wide range. However, in comparison to facial recognition, fingerprints are distinct even between identical twins. The average facial recognition system has a significantly higher error rate when applied between a population of identical versus non-identical twins, making fingerprint verification vital to applications needing high security levels and when dealing with populations that may include identical twins [56].

3. 

Iris: The iris is the circular region between the lens and the cornea within the eye. As far back as 1953, F. H. Adler stated that the physical appearance of the iris is so unique from one person to another and proposed using photographs for identification instead of fingerprints [57]. The effectiveness of using the iris as a biometric trait for MSMEs depends on the success achieved in extracting the features of various segments within the iris. Extracting accurate features from the iris has recently become a key focus of research [58]. The iris is often used in law enforcement, physical access control, and more.

4. 

Retina: The retina is the unique arrangement of blood vessels behind the human eye. Retina identification systems have been commercially used since the 1970s. The eye is placed before a near-infrared irradiation scanner at about 8 cm to 1 m. The person is then to focus on some markers while the scanner captures the retina’s pattern for further processing [59]. The retina is a biometric trait currently widely used by MSMEs for identification. However, research shows that about 1 in 10,000 people will suffer from retinal detachment, causing a curtain-like cover to prevent proper vision and adversely affecting the use of this modality for recognition [60].

2.3.2. Bio-Molecular Biometrics

Bio-molecular biometric traits are more internal and may be tied to an individual’s genetic or molecular features. These features are less easily visually distinguished but are very unique from one person to the other.

DNA: Deoxyribonucleic acid (DNA) is a bio-molecular ladder-like double helix paired structure that contains millions of units within the human body. Each molecular unit is known as a nucleotide and has four pairs to complete the helix as follows: Adenine, Thymine, Cytosine, and Guanine [61]. DNA contains the biological genetic information of an individual and reproduces this information into ribonucleic acid (RNA). Scientific research revealed that RNA contains 64 genetic codons, each of which is a unique code. The analysis of the 64 codons of RNA enables the interpretation of the proteins [62]. Due to the uniqueness of DNA samples from one person to the other, the unchanging details they contain, and their ease of collection, DNA is widely used in forensic investigations, with DNA profiling techniques being used for the identification of individuals [63].

2.3.3. Behavioural Biometrics

Behavioural biometrics is a group of traits which define a person based on unique natural behavioural patterns and actions a person inherently carries out, rather than their physical characteristics. Some of these traits include how a person speaks, walks, and operates a phone or computer.

1. 

Keystroke: Keystrokes while using a computer or phone are not easily impersonated. Keystroke recognition takes into account details such as dwelling time and flight time. Thus, it is a promising biometric-authentication method for both employees and customers of MSMEs. Research has looked into cost effectiveness [64], and identifying human behaviour in a cross-scenario setting [65] among others.

2. 

Gait: Gait is a behavioural biometric that refers to an individual’s walking pattern. This pattern is unique enough to be used as a biometric trait for identification. A camera is used to capture the pattern and combine it with a neural network, which improves efficiency [66]. For the identification of individuals using gait, the technology focuses on the movement of the entire body. This includes the specific movement pattern of certain parts and other similar physical features, without necessarily capturing facial details. This biometric modality is applied in security systems to identify suspects, observe conditions affecting an employee’s ability to work, and generally improve lifestyle [67]. Delgado-Santos et al. [46] focused on ensuring privacy using gait identification technology. The study proposes GaitPrivacyON for mobile gait verification to provide accurate authentication without privacy loss. This method achieves a 96.6% area under the curve (AUC) over MotionSense (having 24 subjects), MobiAct (having 56 subjects), and OU-ISIR datasets (having 744 subjects) and provides privacy without supervision [46].

3. 

Handwriting: Handwriting biometrics has a valuable application in MSMEs for e-security and e-health. Kurowski et al. [68] studied the authentication of handwritten signatures using neural networks in an automated analysis. Using an electronic pen, the signatures were obtained, and the neural network was trained using the triplet loss method. The network then enumerates a fixed-length space representation and is qualified with a dataset of 10,622 signatures from 2264 participants. When applied to a neural network trained to detect forgery attempts exclusively, the trained network achieved an average of 11.114% EER for skilled forgery attempts and 5.77% EER when tested on random forgery attempts. Alonso-Martinez and Faundez-Zanuy [69] proposed that a logarithmic transformation should normalise signature scores before combining them. This method improved the identification rate from 86.11% when capital letters were used to 96.95% using signatures and 99.72% when both modalities were combined using the BIOSECUR-ID database. It had 400 subjects.

4. 

Voice: Voice recognition is yet another behavioural biometric that has been used recently with the advancement of the Internet of Things. In research, Salahaldeen et al. [45] showcase this modality’s suitability for authentication. A voice recognition system with two phases is proposed therein. The first phase is the enrolment phase, which involves pre-processing to remove noise from a raw digitised voice, feature extraction to capture the unique vocal features, training a model, and then stores these as a template in a database. The second phase is the verification phase to confirm the similarities between the presented voice sample and the stored template. Xinman et al. [70] proposed an Android-based MM biometric-authentication system that requires face and voice biometrics. An enhanced local binary pattern (LBP) coding-based feature-extraction method was applied to reduce the complexity of space and time. A Voice Activity Detection (VAD) method was also used to reduce the level of inaccurate judgments of voice, eliminate the invalid voice segment, and increase algorithm efficiency in low SNR scenarios. This method achieved an excellent accuracy, with a TAR of 100%, FRR of 0%, and FAR of 0%, using the XJTU MM database, which contains face images and voice samples from 102 volunteers, and shows a high level of effectiveness and the potential for implementation in MSMEs.

Table 3. Included studies adopting various biometric modalities.

Modality (Abbreviation)	Number	%	Modality (Abbreviation)	Number	%
EEG	5	1.99	Palm electrodermal activity (PED)	1	0.40
ECG	8	3.19	Wrist electrodermal activity (WED)	1	0.40
Face (F)	38	15.14	Perinasal perspitation (PPED)	1	0.40
Fingerprint (FP)	45	17.93	Vocal cord vibration (VCV)	1	0.40
Iris (I)	31	12.35	Periocular (P)	2	0.80
Palmprint (PP)	17	6.77	Lip motion (LM)	2	0.80
Palmvein (PV)	9	3.59	Blood volume pressure (BVP)	1	0.40
Thermal face (TF)	2	0.80	Skin temperature (ST)	1	0.40
Fingervein (FGV)	11	4.38	3D accelerometer signals (3AS)	1	0.40
Dorsal hand (DH)	3	1.20	Breath sound (BS)	1	0.40
Photoplethysmography (PPM)	1	0.40	Chest movement (CM)	1	0.40
Hand geometry (HG)	3	1.20	Finger dorsal texture (FDT)	1	0.40
Keystroke (KS)	3	1.20	Step counts (SC)	1	0.40
Ear (E)	10	3.98	Calorie burn (CB)	1	0.40
Retina (R)	1	0.40	Sclera (S)	1	0.40
Voice (V)	10	3.98	Pupil (P1)	1	0.40
Gait (G)	2	0.80	Signatures (S1)	5	1.99
DNA	2	0.80	Arm gesture (AG)	1	0.40
Finger-knuckle print (FKP)	8	3.19	Lip features (LF)	1	0.40
Fingernail (FN)	2	0.80	Mobile behavioural biometric sources (MB)	2	0.80
3D hand geometry (3H)	1	0.40	Eye movements (EM)	1	0.40
3D palmprint features (3P)	1	0.40	Touch dynamics (TD)	1	0.40
Dorsal vein (DV)	1	0.40	FMCW radar signal (FMC)	1	0.40
Wrist vein (WV)	1	0.40	UWB radar signal (UWB)	1	0.40
Heart rate (HR)	2	0.80	Mouth skeleton (MS)	1	0.40
Breathing rate (BR)	1	0.40	Laser signal (LS)	1	0.40

shows the distribution of all the traits in the included studies of this review.

2.4. Biometric Processing Systems

There are six basic blocks found within biometric systems. These blocks are highlighted in Figure 7.

1. 

Data Acquisition

A biometric sensor carries out the data acquisition in biometric systems. The type of sensor varies depending on the type of biometric trait being captured and could be a digital camera, digital scanner, CCD-based scanner, video camera, keypad, and more [71].

2. 

Pre-processing

Not every biometric trait and biometric system requires pre-processing. However, this stage takes the raw data captured by the sensor and removes noise, and is something which may also be needed to trim off any unnecessary parts. This stage may also be required to adjust the orientation and dimensions. The steps in pre-processing include: (1) binarisation, (2) boundary tracing, (3) keypoint detection, (4) establishment of coordinates, and (5) region-of-interest extraction [71,72].

3. 

Feature Extraction

After the pre-processing of the biometric data, further processing is carried out using feature-extraction algorithms to extract the desired details [73].

4. 

Database Template

The extracted biometric data is then stored on a template, which is securely stored in a database. The biometric template is a binary mapping of selected points of the extracted feature [73].

5. 

Matching

During identification or verification, the biometric system matches a received template with existing templates to establish a matching score. For identification, this template is mapped to all stored templates, while for verification, the received template is matched to a single proposed template and a matching score is obtained [73].

6. 

Decision-Making

The decision-making module makes logical decisions to accept or reject a received template due to its matching score [73].

2.5. Biometric Cryptosystems

Numerous recent studies of biometric systems have focused on ensuring their security. Privacy, however, is another area that is just as important, especially when applying biometrics within organisations. Biometric cryptosystems are methods that generate cryptographic keys from biometric measurements [74,75]. As seen in Figure 2, the technique can be further classified into key generation and key binding. Despite the availability of alternatives like homomorphic encryption and cancellable biometrics, as seen in the taxonomy in Figure 2, this review narrows its focus to biometric cryptosystems as these are generally less computationally intensive than homomorphic encryption [76], which may not be best suited for environments with low resource capabilities like MSMEs. Also, biometric cryptosystems like FVs adequately handle inherent biometric variability due to their inherent error-tolerance [77]. MSMEs, due to their resource limitation may use lower-cost sensors that can introduce noise [74]. It is, therefore, important to have error tolerance without trading off the security of the system. FVs also do not store raw biometric templates but rather store a secured cryptographic construct [77], thus reducing the risk of template leakage or misuse and increasing the MSMEs’ compliance with data protection regulations, as such organisations often lack dedicated data governance teams.

The phases involved in this method typically start with biometric capturing with a sensor, encrypting the biometric details into a template, and then using this template to match during authentication. These systems have a single node for storing all users’ biometric data [78,79]. Recent cryptographic systems are steadily improving and developing. The variants of the method are highlighted below.

1. Key Binding: Biometric-key-binding cryptosystems cryptographically link a secret key to a user’s biometric reference using an algorithm during enrollment. This cryptographically hashed encryption key is then stored along with helper data, preventing anyone but the owner of the biometric details from accessing it. Authentication is only successful when the same key is released in the authentication phase [80,81,82]. However, while using this method, if an attacker can locate the address of the hidden key, the attacker may then be able to retrieve the key from templates belonging to other users.

Various studies have adopted different key binding schemes. Two popular ones are FV and Fuzzy Commitment. A FV scheme allows for some error; an indivisible vault can be created by an unordered set’s encryption or decryption of a secret key. This method protects both the key and the set and is very applicable to MSMEs. In a study [83], FV was applied to generate and distribute a group secret key between items of wearable technology with a smartphone as a hub placed on the user’s waist. The study used the accelerometer of the smartphone as a sensor to obtain gait biometric data and applied FV to ensure secure transmission of sensitive healthcare data. By applying FV, the study enables multiple devices owned by a single user to obtain an identical key, while preventing other users from doing so even if they can mimic the individual’s gait [83]. The fuzzy commitment scheme, on the other hand, was applied in a gait-based biometric system for security enhancement in a study by Elrefaei and Al-Mohammadi [84]. Here, the CMU MoBo database was used, and for a 50-bit key, the lowest error rate was obtained with a quick walk during enrolment and verification, with a 0% FAR and FRR. The best error rate obtained with the CASIA A dataset was 0% FAR and FRR for a 45-bit key when the orientation to the image plane was 45 degrees [84].

2. Key Generation: Key generation methods generate cryptographic keys directly from individual biometric templates used in user verification. The system can generate the same key for an individual who provides the same biometric data. Thus, there is no need to be worried about the security of the cryptographic key; instead, the concern here is its discriminability. It could be quite testing to develop a system that maintains high entropy with a stable key [85]. Key generation methods include secure sketch, fuzzy extractor and quantisation schemes.

2.6. Performance Metrics for Biometric Systems

As highlighted earlier, the design of a biometric system significantly impacts its effectiveness in achieving security, privacy, cost-effectiveness, computational efficiency, and other objectives tailored to meet the needs of MSMEs. Asides from the design of biometric systems, the performance is also affected by environmental factors (like temperature, illumination conditions, and humidity) and the inherent nature of the biometric modality. The following are some of the important metrics used to assess the performance of a biometric system:

1. 

False Acceptance Rate (FAR): This metric is a type-II error that determines the rate of acceptance a system gives to an unauthorised person following multiple attempts [84]. FAR is given by Equation (8).

$$FAR={\displaystyle \frac{Fals{e}_{Positive}}{Fals{e}_{Positive}+Tru{e}_{Negative}}}$$

(8)

It is important to keep this rate as low as possible in a biometric system [38,64,70,84]. The FAR of a biometric system can be increased due to various factors, such as attacks on the system components. These attacks may occur at the hardware (such as sensors), or during data transmission or storage, among others. Also, specific limitations in security systems and design flaws may play a major role in affecting the FAR of a system.

2. 

False Rejection Rate (FRR): This metric is a type-I error, which determines the rate of failure a system has in granting access to an authorised person during multiple attempts [84]. FRR is given by Equation (9).

$$FRR={\displaystyle \frac{Fals{e}_{Negative}}{Fals{e}_{Negative}+Tru{e}_{Positive}}}$$

(9)

As with FAR, it is also important to keep this metric as low as possible [38,64,70,84]. However, in addition to the causes of increased FAR discussed, factors like low-quality biometric data and template quality due to low image quality, noise, low contrast and more can be responsible for an increase in this metric. Environmental factors (like different illumination or varying finger orientation/face pose) and inherent variability of the biometric modality (related to change in age or the occurrence of an accident) may affect the FRR of a system.

3. 

True Positive Rate (TPR): This may also be called Sensitivity, Recall or Genuine Acceptance Rate (GAR). This metric indicates the probability of a system authorising a genuinely registered user. TPR is given by Equation (10) [38,86].

$$TPR={\displaystyle \frac{Tru{e}_{Positive}}{Fals{e}_{Negative}+Tru{e}_{Positive}}}$$

(10)

TPR may also be calculated as

$$TPR=1-FRR$$

(11)

Thus, it is important to have this metric high in a biometric system to ensure better usability and fewer legitimate users being denied access.

4. 

True Negative Rate (TNR): This may also be called Specificity. This metric indicates the proportion of imposters correctly rejected by the system. TNR is given by Equation (12).

$$TNR={\displaystyle \frac{Tru{e}_{Negative}}{Fals{e}_{Negative}+Tru{e}_{Positive}}}$$

(12)

This metric may also be expressed as

$$TNR=1-FAR$$

(13)

For the good performance of a biometric system, it is, therefore, important to have this metric high.

5. 

Equal Error Rate (EER): In assessing the various performance metrics of a biometric system, it is important to note that there is an inherent trade-off between the FAR and the FRR. This trade-off is often visualised using an ROC curve, and the EER is the point where the FAR and FRR are equal, providing a single measure of system accuracy [38]. Thus, a lower EER indicates the better verification performance of a biometric system.

6. 

Accuracy: This is a measure of the proportionality of the rate at which registered users are permitted to make a number of attempts. Accuracy is mathematically represented in Equation (14) [87].

$$Accuracy={\displaystyle \frac{Tru{e}_{Positive}+Tru{e}_{Negative}}{Tru{e}_{Positive}+Tru{e}_{Negative}+Fals{e}_{Negative}+Fals{e}_{Positive}}}$$

(14)

Accuracy is a broader term that reflects the overall correctness of the system’s operation. EER, on the other hand, is a direct indicator of accuracy at a specific operating point (where the FAR equals the FRR). The accuracy of a biometric system is impacted by two errors, namely, sample acquisition error and performance error. Sample acquisition error is caused by the environment surrounding the system and is of two forms: failure to enrol (FTE) and fail to capture (FTC). FTE is a measure of the rate of actual users who are unsuccessfully registered and of samples rejected by the system, usually as a result of low quality or noisy images. Failure to Acquire (FTA) denotes the proportion of identification and verification attempts for which the method fails to obtain a sample.

7. 

F1 Score: This metric provides a balance between the sensitivity (usability) and precision (security) of a biometric system [88]. Thus, it is useful in measuring the trade-off between false acceptances and false rejections. F1 score is represented by Equation (15).

$$F1Score=2\ast {\displaystyle \frac{Sensitivity\ast Precision}{Sensitivity+Precision}}$$

(15)

A high level of precision but low sensitivity would make the system rarely accept an impostor, but may wrongly reject many genuine users. On the other hand, high sensitivity and low precision would mean that the system would accept most genuine users but also wrongly accept many impostors. Thus, the F1 score reflects the balance between both metrics.

Having highlighted the various performance metrics applied in evaluating biometric systems, it is important to note that the different evaluation settings of each study, including whether testing was same-dataset or cross-dataset, controlled or unconstrained, cross-session or intra-session, and whether presentation-attack or other adversarial evaluations were included, greatly affect the way results are interpreted and generalised to real-world MSME settings.

Table 4. Categorisation of studies by evaluation setting.

Evaluation Category	Description	Interpretation of Reported Results	Representative Studies
Same-dataset, controlled testing	Training and testing are conducted on the same dataset or under similar acquisition conditions	Results are useful for laboratory recognition performance but may overestimate real-world performance	[86,87,89,90,91,92,93]
Cross-dataset testing	Training and testing use different datasets or acquisition conditions	More indicative of generalisation across sensors, populations, or environments	[54,55,65,94,95]
Intra-session testing	Enrolment and testing samples are collected in the same session or under similar conditions	May produce optimistic performance estimates	[14,66,67,68]
Cross-session testing	Enrolment and testing occur across different sessions, time periods, or conditions	More realistic because it captures ageing, environmental variation, and acquisition differences	[12,96,97,98]
No attack evaluation	The system is evaluated only using genuine and zero-effort impostor comparisons	Shows recognition performance but not attack resilience	[19,38,48,57,58,72,99]
Presentation-attack evaluation	The system is tested against spoofing, replay, morphing, synthetic identities, or related attacks	More indicative of security-validated performance	[35,54,100,101,102,103]
Closed-set evaluation	Test identities are known or represented in the enrolled population	Useful for controlled identification scenarios	[40,104,105]
Open-set evaluation or unseen-condition evaluation	The system must handle unknown or unenrolled users	More realistic for operational deployment	[54,65,96,103,106,107,108,109]
Single-sensor testing	Samples are captured using the same device or sensor type	May not reflect device interoperability issues	[19,45,68,72]
Cross-sensor testing	Samples are captured using different devices, sensors, or acquisition platforms	More indicative of real-world deployment challenges	[51,54,55,94,109,110,111]

categorises the different evaluation settings to show what may be indicative of real-world applications.

2.7. State-of-the-Art Reviews on MM and FV Systems

A good number of studies have looked at MM biometric systems or FVs with different aims for their review. A study [29] conducted a comprehensive review of biometric recognition systems based on physiological and behavioural traits. This study highlighted both unimodal and MM biometric systems and presented a diagrammatic summary of all biometric modalities. It also identified various methods adopted and datasets used in experimental analyses.

Crescenzi-Lanna [21] conducted a systematic review to understand the application of MM-learning analytics on young children. The paper highlighted the performance analytics of the various MM systems, like face and speech recognition systems and pointed out issues hindering the improvement of such systems. One such point includes limited collaboration between computer science experts and other stakeholders due to ethical issues regarding young children.

In 2023, another review [22] focused on the need for continuous user identification technology. This was triggered by questions surrounding the issue of the credibility of online academic activities in higher education institutions during and after the COVID-19 global pandemic. The study highlighted that existing biometric systems lacked features to combine multiple inputs like voice, face and behavioural data in a realistic manner. Such systems also had numerous barriers, such as data protection issues during implementation. A study by Ryu et al. in 2021 [31] focused, similarly, on continuous MM authentication schemes in a systematic review. The study compared continuous MM authentication design based on the different combinations of biometric types (behavioural only, physiological only, or both), machine learning algorithms (unsupervised learning and semi-supervised learning), and fusion models. Rayani and Changder in 2023 [28] conducted a similar review. However, this study was primarily focused on behavioural biometrics on smartphones. Li et al. in 2024 [24] comprehensively reviewed hand-based MM biometric fusion. In the study, the researcher introduced the features of the levels of hand-based biometrics using four levels and highlighted six levels of fusion in MM systems. In conclusion, the study pointed out challenges regarding such systems and directions for future studies. Aftab et al. [25] undertook a similar review focused on hand-based MM biometrics, while Shaheed et al. [23] focused on finger-vein technology and were also able to highlight the methodology, challenges and directions for future studies.

Sumalatha et al. [26] conducted a comprehensive review of unimodal and MM biometric-authentication systems, emphasising the fusion methods, template-protection methods and attacks on such systems. The review highlighted research gaps, limitations and some possible solutions. The study [30] reviewed the existing literature on audio-visual recognition techniques, datasets from public databases and presentation attack algorithms. The study then highlighted the challenges identified in such literature. Mandalapu et al. [27] explored 3D biometrics with a focus on the hardware used and the datasets applied in the related literature. The review concluded with recommendations for future works, including the need for MM biometrics, generalisation of 3D reconstruction algorithms, and anti-spoofing metrics.

3. Review Methodology

The Preferred Reporting Items for Systematic Reviews and Meta-Analyses 2020 (PRISMA 2020) guidelines [112] are followed in this systematic review, and details are highlighted in this section.

3.1. Protocol and Registration

The review protocol gives a detailed method and layout for the review. This protocol encompasses the guidelines to be followed throughout the search for existing literature, all the way to the final selection, analyses and presentation of findings, which would benefit a researcher in this field. The key focus of this systematic review is to assess the different implementations of MM biometrics and FVs in the existing literature. The study will showcase limitations and possible future research directions, improving applicability to MSMEs. A systematic review is vital to ensure a thorough analysis is conducted and transparently reported. The PRISMA 2020 protocol is adopted because it concisely sets out the step-by-step methodology for a systematic review [112]. This systematic review was preregistered with the Open Science Framework (OSF) under the registration DOI https://doi.org/10.17605/OSF.IO/DXH7M (accessed on 2 June 2026), in accordance with PRISMA 2020 guidelines to ensure methodological transparency and reproducibility.

3.2. Eligibility Criteria

Enhancing the privacy and security of biometric systems in MSMEs is an extensive task. MM and FV systems have many applications, but go a long way towards achieving this aim. Although exploring both concepts together may achieve the stated aims, a closer look at each individually would be more effective. The research is, therefore, divided into MM and FV studies in order to have a detailed study of these areas. The outcomes are combined and analysed in this review at the end of the individual studies. This study focused on peer-reviewed journal papers from high-quality databases to ensure reliable findings. The documents must be recent and within the last 5 years of publication to ensure the conclusions address the latest issues regarding the various technologies. The impact factor is also an excellent metric to highlight the quality of a paper. Papers with impact factors of less than 3.0 were not included. The subject of biometric data is interdisciplinary and cuts across fields like medicine, computer science and engineering. This makes the number of possible papers to be considered for this review very large if there is no filter on the desired field. This study focuses on the computer science field, and studies with very little focus on this area are excluded. The resulting metrics need to be reported to evaluate the findings of different studies properly. Insufficient result metrics are, thus, a criterion applied for exclusion. Finally, papers with a limited focus on biometric data privacy and security are also excluded, as this is the overall focus of this review.

3.3. Search Strategy

The first step of the systematic literature review is the literature search. In this study, six databases were searched. The search included Scopus, IEEE Explore, Science Direct, Springer, Wiley, and Mendeley for two search terms.

The first search shown in

Table 5. Search protocol for MM studies.

Database	Search Term
Scopus	TITLE-ABS-KEY ((“multimodal”) AND (“biometric”) AND (“authentication” OR “verification” OR “identification”)) AND PUBYEAR > 2018 AND PUBYEAR < 2025
IEEE Explore	((“multimodal”) AND (“biometric”) AND (“authentication” OR “verification” OR “identification”))
Science Direct	(“multimodal”) AND (“biometric”) AND (“authentication” OR “verification” OR “identification”)
Springer	(“multimodal”) AND (“biometric”) AND (“authentication” OR “verification” OR “identification”)
Wiley	multimodal AND biometric AND (authentication OR verification OR identification) in Title
	multimodal AND biometric AND (authentication OR verification OR identification) in Abstract
	multimodal AND biometric AND (authentication OR verification OR identification) in Keywords
Mendeley	(“multimodal”) AND (“biometric”) AND (“authentication” OR “verification” OR “identification”)

was conducted on 6 June 2024. It included studies between 1 January 2019 and that date, while the second search shown in

Table 6. Search protocol for FV studies.

Database	Search Term
Scopus	TITLE-ABS-KEY (“fuzzy vault”) AND PUBYEAR > 2018 AND PUBYEAR < 2025
IEEE Explore	(“fuzzy”) AND (“vault”)
Science Direct	(“fuzzy”) AND (“vault”)
Springer	(“fuzzy”) AND (“vault”)
Wiley	fuzzy AND vault in Title; fuzzy AND vault in Abstract; fuzzy AND vault in Keywords
Mendeley	(“fuzzy”) AND (“vault”)

was conducted on 22 July 2024 and also included studies from 1 January 2019 to that date.

This search strategy yielded 708 results in Scopus, 286 in IEEE Xplore, 48 in Science Direct, 5274 in Springer, 47 in Wiley and 43 in Mendeley. This gave a total of 4261 results, as seen in Figure 8a.

This search strategy yielded 93 results in Scopus, 24 in IEEE Xplore, 9 in Science Direct, 2697 in Springer, 1 in Wiley and 96 in Mendeley. These individual searches gave 2920 results, as seen in Figure 8b.

3.4. Study Selection

The search outcomes from Scopus and IEEE were exported to a CSV file, while those from Science Direct and Wiley were exported to BibTeX files. The exported files were all then imported into Mendeley for further sorting. This part of the study was also carried out separately for the MM and FV studies. In Mendeley, the MM study contained 149 duplicates, and 5216 records could not be accessed. This study also had 36 records that were not in the English language. All of these studies were first removed from the collection of papers.

On the other hand, the FV study had 68 duplicates, 2315 unavailable records and 7 non-English papers, which were removed before the screening stage. The MM study had 1005 papers to be screened, while the FV study had 476 papers for screening. The screening was carried out using ASReview to ensure efficient sorting of the documents [113]. ASReview is AI-based and rearranges documents according to the order of perceived relevance based on the training model input by the researcher, while still giving the researcher the freedom of decision-making. During the screening process, the titles and abstracts were reviewed to exclude papers that were unrelated to this review’s aim. In the MM study, 399 papers were excluded, while 368 were excluded from the FV study. The details of papers retained after exclusion were downloaded to a spreadsheet for further screening. The following criteria for screening were based on the impact factors, and papers with impact factors of less than three were excluded. The final exclusions were based on documents with limited information and those retracted. After removing these, the remaining papers sought for retrieval were 122 and 49 for the MM and FV studies, respectively. Among those sought for retrieval, 20 full texts from the MM research were unable to be retrieved, leaving 102 papers to be accessed for eligibility. Based on the eligibility criteria in Figure 8a,b, more papers were excluded, leaving 97 and 35 papers in the MM and FV studies, respectively.

3.5. Inclusion

After the screening process, 132 papers were included by combining both study subsets. The distribution of the publications over the years is seen in Figure 9a,b, with the highest number being found in 2021 for both. Figure 9a,b show a peak in the included papers in 2021, as this year followed the global pandemic, which caused a surge in the number of cyber-attacks globally, causing researchers to carry out more studies in the field of cybersecurity [114]. The reduced in-person contact, which was enforced during the period, caused more organisations to opt for a remote mode of working to ensure that their businesses survived the pandemic. On a larger scale, governments and industries also invested more in cybersecurity to secure their investments. The Figures also show that the fewest inclusions were from 2024 because the search was conducted mid-year. The MM biometric search yielded 6406 records, as multimodality is widely applied in various areas besides computer science. However, many records that we had initially sought out were only indexed on other selected databases and were not directly available for retrieval. This unavailability caused a significant reduction in the number of papers that could be screened. This reduction in documents to be screened was similar for the FV search; however, the difference was that FV is a more specific method, which initially yielded fewer results, many of which mentioned the technique without a particular focus.

3.6. Data Extraction

After the papers selected for inclusion have been finalised by one researcher and vetted by the other three authors, the data extraction stage is the final stage. At this stage, each retrieved paper was carefully read through by one author, who filled out a spreadsheet with vital information, in line with the aims of this review. Based on this data extraction technique, only essential information was recorded to give a concise summary of the data needing evaluation, after which the extracted summary was reviewed by all the authors.

The following data were some of the content extracted from each paper: 1. title, 2. digital object identifier (DOI), 3. year of publication, 4. author, 5. publication source name, 6. study aim(s), 7. biometric traits adopted, 8. key method(s) adopted (feature extraction, fusion, classification, and more), 9. datasets adopted in the study for particular biometric traits, 10. metrics used in the evaluation of the study, 11. significant limitations suggested by the study, 12. suggested future works, and 13. attacks tested (if any). Any missing field that could not be identified was left blank.

3.7. Threats to Validity

Although an in-depth study was carried out with a clearly defined methodology, some threats to validity can affect the interpretation of generalisation of its findings. Some threats considered in this study are highlighted below.

1. 

General Selection Validity: This threat is caused by issues regarding search strings and limited academic databases. By focusing on studies from the last five years, those in English and other criteria listed in the search strategy, this may introduce a bias. To ensure that this threat was mitigated, the authors ensured that six well-known academic databases commonly used in the literature were searched, thereby introducing diversity in terms of perspectives. Search strings, if not properly selected, may affect the number of papers found. The authors, thus, carefully selected the keywords and the associated Boolean operators. Also, the same syntax was not applied to different databases; rather, syntaxes were applied based on each database’s guidelines.

2. 

Selection Bias from Impact-Factor-Based Inclusion Criteria: Another likely bias can be due to the impact factor being set to at least 3 as this may exclude the contribution of relevant studies from newer, specialised, or emerging journals. However, this criterion was applied as a quality-control measure to ensure that the review prioritised studies published in established, peer-reviewed venues with recognised scholarly influence. This was necessary as the field of biometric data privacy and security is broad and includes studies of varying methodological quality. The threshold also keeps the review manageable and focused on the literature with stronger academic visibility. Nevertheless, the authors recognise that the impact factor alone does not fully represent the quality or relevance of individual studies. As a result, the findings are interpreted with this limitation in mind, particularly for recent areas such as AI-enabled synthetic identity creation, deepfake-based biometric attacks, and lightweight biometric protection for MSMEs.

3. 

Reproducibility Issues: Reproducibility is a major issue with literature reviews, as not every aspect is sometimes clearly and transparently reported. This study, however, rigorously followed the PRISMA 2020 guidelines and documented all steps of the review, starting with the database selection to the final selection and reporting, aiding reproducibility.

4. 

Metric heterogeneity: In the survey, various metrics have been referenced. However, due to the use of a diverse range of datasets, the findings may be biased. This review takes this bias into account and analyses studies to clearly highlight the dataset used to arrive at their results.

4. Biometric System Privacy and Security in the Literature

The primary aim of this systematic literature review is to identify and analyse the best designs from recent studies related to MM biometric systems and FV systems, which have the potential to improve biometric data privacy and security in MSMEs. By examining these, we seek to discover some trends and directions for future studies.

4.1. Improvement of Biometric Identification

MM biometric systems combine two or more traits to improve privacy and security. Many studies have sought to enhance human identification by the fusion of traits. These studies are highlighted as we seek to answer the fourth research question seen in Table 2.

This review distinguishes between recognition performance and security-validated performance to avoid overstating security and privacy claims. Recognition performance refers to the ability of a multimodal biometric system to correctly identify or verify users under standard experimental conditions, typically using metrics such as accuracy, FAR, FRR, GAR, AUC, and EER. Security-validated performance, in contrast, refers to the demonstrated robustness of the system under adversarial conditions, including spoofing, replay, morphing, synthetic identity attacks, template compromise, and adversarial AI-based manipulation. Therefore, while many reviewed systems report low EER or high accuracy, these results are interpreted in this review as evidence of recognition effectiveness rather than conclusive evidence of security resilience, unless the original study explicitly conducted attack-based evaluation. This distinction is particularly important for MSMEs, where reliance on conventional accuracy metrics alone may underestimate operational security risks and lead to premature deployment of systems that have not been tested against realistic threats.

The facial trait, combined with other modalities, has been applied extensively and with good results in recent studies. Table 3 shows that over 15% of the papers included were based on this trait, which came second to fingerprint recognition, which is most applied and extensively studied.

Aside from fingerprint and facial traits, iris traits have gained much attention recently. Table 3 shows that over 12% of the included papers considered the iris. A combination of the top modalities—face, iris and fingerprint—was applied in several studies [37,87,99,115,116,117,118,119], and is summarised in

Table 7. Studies focused on the most common traits.

Ref.	Study Aim(s)	Traits	Method(s)	Dataset
[115]	Prevent adversary attacks & ensure template protection using an MM cancellable biometric system	FP, F, I	FLF|△	SDUMLA-HMT MM (DB1)|MCYT, CAS-PEAL R1, IITD PolyU (DB2)|CASIA-FP-V5, CASIA-F-V5, CASIA-I-V3 (DB3)|FVC2006, CAS-PEAL R1, CASIA-I-0V3 (DB4)
[116]	Provide secure digital platform for users to work with a biometric-authentication system for cloud storage	I, F, FP	△	CASIA Fingerprint, CASIA Iris & CASIA Face
[99]	Secure single-user data using biometric security in distributed applications	I, F, FP	□
[87]	Secure & authenticate MM biometric data using visual cryptography when transmitted as images via the internet	F, FP, I	□	I, FP, & F images of 106 individuals
[117]	Enhance application of MM systems to security-critical applications by adaptively combining scores from individual classifiers & to distinguish between spoofing attacks & noisy inputs	F, FP, I	△	CAS-PEAL, CASIA-F-V5, MCYT, FVC2006 DB1-A, CASIA-I-V1, IITD PolyU, MMU2
[37]	Provide biometric template security using MM biometric-authentication framework based on IoM hashing, AFH, & feature-level fusion	FP, F, I, FGV	FLF|△	FVC2002 for fingerprint, LFW for face, CASIA-v3-Interval for I, & UTFVP for FV
[118]	Enhance accuracy & generalisation of MM fusion using artificial intelligence	F, FP, I	SLF|FLF|RLF	CASIA-FingerprintV5, CASIA-IrisV4-Interval, WebFace 260 M
[119]	Analyse user awareness of MM biometrics & its acceptability for online transactions in the current dynamic world	FP, I, F, V	□

Legend: △ = Machine learning. □ = Deep learning.

.

MM biometric systems have demonstrated consistent superiority over unimodal counterparts in identification accuracy and security, though the evidence base is heterogeneous in terms of methodology, scale, and rigour. Studies can be meaningfully grouped into two thematic clusters: fusion strategy and performance and template-protection relevance.

Fusion Strategy and Performance. Across the reviewed studies, score-level fusion consistently yields competitive or superior error rates relative to feature-level alternatives. Su et al. [38] demonstrated this directly, with score-level sum-rule fusion achieving an EER of 1.27% compared to the feature-level DCA result of 0.1443%—a counterintuitive reversal that underscores the sensitivity of fusion performance to dataset size and modality pairing. Byeon et al. [118] similarly reported that score-level fusion achieved the highest retrieval accuracy of 99.6% across pixel-, feature-, and score-level configurations on large-scale datasets (WebFace 260 M, CASIA-Fingerprint-V5, CASIA-Iris-V4). However, high accuracy figures reported by Zhang et al. [70] (TAR = 100%, FAR = 0%) and Gayathri and Malathy [87] (95% accuracy, FAR = 0.45%) must be interpreted cautiously given the small, controlled datasets employed—102 subjects and 106 individuals, respectively—which structurally inflate performance relative to open-set benchmarks. By contrast, Wu et al. [95] report a more conservative accuracy of 79.33% on the ecologically richer TALKIN dataset (1012 individuals), providing a more credible lower-bound estimate of real-world performance. Heidari and Chalechale [86] contribute a less common modality pairing (fingernail and finger knuckle), achieving 94.75% identification accuracy with rank-level deep learning fusion, reinforcing the generalisability of MM fusion beyond conventional iris–face–fingerprint triplets.

Attack Resilience and Template Protection. A narrower subset of studies addresses security robustness explicitly. Walia et al. [115] provide the most comprehensive adversarial evaluation, testing false-accept, brute-force, ARM, and substitution attacks on a cancellable MM system across seven datasets, achieving an EER of $1.00\pm 0.1\%$. Goh et al. [37] extend template protection to a four-modality framework using IoM hashing and alignment-free hashing, reporting 0% EER for several bimodal combinations—though the near-perfect figures are likely an artefact of the same-database evaluation under constrained matching conditions. Critically, studies such as those conducted by Gayathri and Malathy [87] and the distributed-system work of [99] report strong accuracy outcomes without adversarial testing, a methodological gap that limits confidence in their security claims. Gupta et al. [117] partially address this by targeting the specific challenge of distinguishing spoofing from noise, achieving 99.5% accuracy and an EER of 0.5%, though evaluation remains confined to clean academic datasets.

The most consistently reported metric across the reviewed studies was the Equal Error Rate (EER). Across the reported EER values from Su et al. [38], Qian et al. [120], Walia et al. [115], Gupta et al. [117], and Goh et al. [37], the EER ranged from 0.00% to 1.8263%, with an unweighted mean of approximately 0.77% and a median of 0.75%, as shown in

Table 8. Descriptive quantitative synthesis of reported biometric performance metrics.

Metric	Number	Range	Mean	Median
EER (all reported values)	8	0.00–1.8263%	0.77%	0.75%
EER (best value per study)	5	0.00–1.413%	0.61%	0.50%
FAR	4	0.00–1.00%	0.36%	0.23%
FRR	4	0.00–16.93%	5.76%	3.06%
GAR/TAR/Sensitivity	4	83.07–100%	94.48%	97.43%
Accuracy	6	79.33–99.60%	93.03%	94.88%

. When only the best-performing EER value from each study was considered, to avoid over-representing studies that reported multiple fusion configurations, the mean EER decreased to approximately 0.61%, with a median of 0.50%. This suggests that the reviewed MM biometric systems generally achieved low verification error rates, although the results are not directly comparable because of dataset and protocol differences.

4.2. Databases for Biometric Traits in the Literature

Various databases have been applied across the literature to train or evaluate different modules. These databases are highlighted in

Table 9. Databases and modality applied.

Modality	Dataset(s)	Subjects/Samples	Format	N
EEG	Own			4
	Physionet			1
ECG	ECG-ID [121]	90 (310 recordings)	500 Hz/12-bit	2
	PTB ECG [122]	294 (549 samples)	15 lead	2
	CapnoBase [123]	94 (50 simulated, 190 in vivo)	.csv/.mat	1
	BIDMC [124]	53 (53 samples)	125 Hz	1
	TROIKA [125]	12	125 Hz	1
	PTB-XL [126]	18,885 (21,837 recordings)	12 lead	1
	Own			2
Face	Face95 [127]	72 (1440 samples)	180 × 200 px	1
	CAS-PEAL [128]	1040 (99,594 samples)	360 × 480, TIFF	2
	SUDFace [129]	227	1920 × 1080/60 Hz video	1
	AT&T (ORL database) [130]	40 (400 samples)	92 × 112 px	3
	Yale face database [131]	15 (165 images)	GIF	3
	FASSEG dataset [132]	500+ samples	RGB and JPG	1
	GT [133]	50 (15 samples each)	JPEG/640 × 480 px	2
	AR face [134]	116 (26 samples each)	RAW/768 × 576 px	4
	CASIA-WebFace [135]	10,575 (494,414 images)		9
	LFW [136]	5749 (13,233 samples)	JPEG/250 × 250 px	4
	VGGFace [137]	2622 (2.6 million samples)		1
	Pubfig [138]	200 (60,000 images)		1
	FaceScrub (FS) [139]	695 (141,130 images)	96 × 96 px	1
	IMDb Wiki (IMDb) [140]	523,051 samples	256 × 256 px	2
	FERET [141]	1199 (14,126 images)		3
	PICStirling [142]			1
	WVU-Multimodal [143]	111 + 205 (557 + 1170 images)	BMP	1
	ImageNet [144]	2832 people (14,197,122 total images)		2
	Voxceleb [145]	1251 (153,516 videos)		1
	Voxceleb2 [146]	6112 (1,128,246 videos)		1
	UMIST [147]	20 (564 images)		1
	Web Face 260 M [148]	4 M people (260 M faces)		1
	CVL face [149]	114 (7 images each)	JPEG/640 × 480 px	1
	CMU-PIE [150]	68 (41,368 samples)		1
	REPLAY-ATTACK [100]	50	various	1
	XM2VTSDB (CDS001) [151]	295 (8 videos each)		1
	FRGCv2 [152]	200 (50,000 images)	JPEG/1704 × 2272 or 1200 × 1600 px	1
	CelebA [153]	10,000 (20 images each)		1
	Extended Yale B [154]	10 (5760 samples)		1
	Own			4

,

Table 10. Databases and modality applied (continued).

Modality	Dataset(s)	Subjects/Samples	Format	N
Fingerprint	FVC2006 [155]	150 fingers (12 samples each)	140 × 12/10 × 12 px	7
	CASIA [156]	500 people (20,000 images:5 images per 8 fingers)	BMP/328 × 356 px	6
	FVC2002 [157]	110 fingers (8 images each)	100 × 8/10 × 8	13
	FVC2004 [158]	120 fingers (12 images each)	100 × 8/10 × 8	9
	LivDet2015 [159]	4500 images		1
	SOCOFing [160]	600 (6000 images)	BMP/96 × 103	1
	MCYT [161]	100		2
	PolyU [110]	156 (1466 images)	BMP	1
	SDUMLA-HMT [162]	106 (3816 images)	BMP/320 × 240	1
	LivDet 2011 [163]	16,056 images	Various	2
	FCJ2020 [164]	50 (1200 images: 4 fingers each)	BMP	1
	ATVS [165]	3000+ images		2
	LivDet 2013 [166]	16,853 images	Various	1
	FVC2000 [167]	110 fingers (8 images each)	100 × 8/10 × 8	1
	Own			4
Iris	CASIA-Iris [168]	2800+ (54,601 images)	JPEG	19
	IITD PolyU iris [169]	218 (2180)	BMP	8
	MMU2 iris [170]	100 (995 images)	BMP/320 × 238 px	2
	UBIRIS [104]	261 (11,102 images)	TTIF/400 × 300 px	1
	SDUMLA-HMT [162]	106 (1060 images)	BMP/768 × 576 px	1
	ATVS [171]	200 (3200 images)		1
	Own			3

and

Table 11. Databases for multimodality.

Modality	Dataset(s)	Subjects/Samples	Traits	Number
Multimodal	MCYT Bimodal [161]	330 (12 samples each)	FP	1
	CMBD [172]	100	I, FP, F	2
	FYO Database [105]		PV, FGV, DH	1
	SDUMLA-HMT [162]	106	F, FGV, G, I, FP	3
	XJTU multimodal [173]	102	FP, F, I, V	1
	BIOMEX-DB [174]	51	EEG, V, F	1
	Own			3

to answer the fifth research question highlighted in Table 2.

Based on the included papers, researchers depend more on their personally collected datasets as sources of EEG and ECG signals. However, a good number of publicly available datasets for ECG found in the literature include TROIKA [125], ECG-ID [121], BIDMC [124] and more, as seen in Table 9. While the PTB-XL [126] dataset provides one of the largest ECG datasets (with freely accessible clinical 12-lead ECG waveforms, comprising 21,837 records from 18,885 patients) that can be adapted for biometric research, the ECG-ID [121] dataset was explicitly designed and evaluated for biometric authentication using ECG signals. The TROIKA [125], BIDMC [124], and CapnoBase [123] datasets are focused on other physiological monitoring aspects (heart rate or respiratory rate); however, they may also be adapted to identity verification.

As previously mentioned, facial traits are one of the most applied modalities in the included studies. This modality also has one of the widest ranges of publicly available databases, and very few studies used personally collected datasets that are not publicly available. Some of the most used datasets for facial data include the Chinese Academy of Sciences Institute of Automation (CASIA) Face dataset, which contains 494,414 face images of 10,575 real identities [135]. This dataset is large; however, due to its size, some faces may not be correctly detected and may be misclassified. The misclassification is not, however, expected to affect training models adversely, but rather to improve the model’s robustness.

The AR face dataset is another common public source for facial data found in the literature. Though smaller than CASIA-Webface, the database has 3000 RGB images with an average size of 768 × 576 pixels for 126 subjects [134] and provides a variation of emotions, illuminations, and subjects with/without glasses and scarves. Labelled Faces in the Wild (LFW) is the next most applied database for facial data. The dataset contains over 13,000 facial images collected from the web of 1680 subjects and applied in various studies on unconstrained face recognition [136]. LFW also has a mixture of both coloured and some greyscale images. ORL database (Our Database of Faces) contains 400 images from 40 distinct subjects and is widely used in the literature. The database has images of various facial expressions and light settings at different times. Each image is 92 × 112 pixels, with 256 grey levels per pixel [130]. Yale Face Database also contains face images with 11 different facial expressions per subject. The database is one of the few that has greyscale images and includes 165 images of 15 individuals in GIF format [131], which is available for public use. The Face-Recognition Technology (FERET) database is another well-used public dataset containing 14,126 images from 1199 individuals and 365 duplicate images. The duplicate images are images of the same individual taken at a different time, with some having a time-lapse of up to two years [141]. Databases like Yale [131], CAS-PEAL [128], and Pubfig [138] provide a variation in facial expressions and orientations, which help improve the robustness of a recognition model; however, SUDFace [129] provides a constant facial orientation and neutral facial expressions. It is also important for datasets to have racial diversity to help improve recognition in real-world situations. CAS-PEAL is, however, limited in this aspect as it largely represents the Mongolian race. As regards gender, most datasets try to have a reasonable balance, like VoxCeleb [145], which is 55% male and VoxCeleb2 [146], which is 61% male; however, the CVL face dataset has 90% male subjects, which deviates from the desirable gender distribution.

Fingerprint is another trait with many publicly available datasets, as highlighted in Table 10. One of the most used datasets is the Fingerprint Verification Competition (FCV) database, which was first implemented in 2000 and has other versions like 2002, 2004, and 2006. The database was put together to improve the evaluation of methods based on the fingerprint modality and was collected using various sensors. The Chinese Academy of Sciences Institute of Automation (CASIA)’s fingerprint database is also widely applied in studies. The 5th version of this dataset contains 20,000 fingerprint images of 500 subjects with five images per finger, comprising left and right thumb, second, third and fourth finger images.

The variety of iris databases is fewer in the included literature. However, a large number of studies have employed the CASIA-Iris dataset as a source of the iris trait. The most recent version of the dataset—the CASIA-IrisV4 [168], has 8-bit grey-level JPEG files and contains 54,601 iris images from over 1800 real subjects and 1000 virtual subjects. The database has six variants—CASIA-Iris-Interval, CASIA-Iris-Lamp, CASIA-Iris-Twins, CASIA-Iris-Distance, CASIA-Iris-Thousand, and CASIA-Iris-Syn [168]. The last three were only included in the database’s fourth version and not in previous versions. The IIT Delhi PolyU Iris database is also highly recurrent and was collected from 224 staff and students of IIT Delhi, New Delhi, India. As seen in the iris datasets, CASIA is also very common in palmprint studies. The dataset contains 5502 palmprint images from 312 different individuals.

Some less-featured modalities in the included studies and how frequently they occur has been highlighted in the Supplementary Materials.

MM datasets like SDUMLA-HTM, which combine multiple traits, are very useful. These datasets allow researchers to develop and thoroughly test MM biometric systems, which are consistently identified as significantly more effective in enhancing privacy and security compared to unimodal systems. Some MM datasets have also been highlighted in Table 11. These subsets of these datasets are also applicable for evaluating unimodal setups. Among these, the SDUMLA-HTM database is the most applied. This database includes five biometric traits—face, finger vein, gait, iris, and fingerprint—collected for each of the 106 subjects, comprising 61 males and 17 females between 17 and 31 years of age. This dataset was used in several MM studies [90,115,175] to evaluate systems based on different modalities.

4.3. Presentation-Attack Detection and Face Anti-Spoofing in Biometric Systems

Face recognition is widely adopted by MSMEs for remote onboarding, access control, and identity verification, but its security extends beyond the protection of stored templates. A second class of threat targets the sensor itself: an adversary presents fabricated or manipulated facial evidence at the point of capture to deceive the recognition pipeline before any cryptographic protection takes effect. Such threats are termed presentation attacks (PAs), and the countermeasures that detect them are known as Presentation-Attack Detection (PAD [35,89,176]. Face anti-spoofing (FAS) is the face-specific instantiation of PAD and is treated by recent studies as the dominant subproblem within biometrics [35,107,108]. The attack taxonomy spans printed photographs, screen-replay attacks (often betrayed by moiré patterns), video injection through virtual cameras, 3D masks that defeat depth-based liveness, and deepfake-assisted impersonation that composites the target’s identity onto an attacker’s live capture in real time. Liveness detection ranges from passive analysis of texture, frequency, depth, and reflectance cues to active user challenges; passive techniques are preferred in MSME contexts because they impose no friction on legitimate users. Two recent state-of-the-art contributions are particularly relevant to MSME deployment. Huang et al. [107] extended the Learnable Descriptive Convolutional Vision Transformer (LDCformer), which integrates a Learnable Descriptive Convolution into a Vision Transformer to model long-range dependencies of locally descriptive features for FAS. The work introduces three complementary training strategies: dual-attention supervision learns fine-grained liveness features under regional live and spoof attention maps; self-challenging supervision synthesises difficult training samples on the fly to sharpen feature discriminability; and a transitional triplet-mining strategy narrows the cross-domain gap while preserving the live–spoof transitional relationship, enlarging domain-generalisation capability. Reported results show that LDCformer trained under joint supervision of these strategies outperforms previous FAS baselines, which matters directly for MSMEs operating across heterogeneous deployment conditions and lacking the resources to collect domain-specific labelled spoof data. Where Huang et al. [107] target single-modality robustness, Chong et al. [108] address the MM setting. Their Cross-modal Transition-guided Network (CTNet) tackles two limitations: distribution discrepancies between training and testing domains are larger in MM FAS than in single-modal FAS because RGB, infrared, and depth streams are captured by heterogeneous sensors; and, at inference time one or more, modalities may be unavailable. The key insight is that cross-modal feature transitions are highly consistent for live samples but inconsistent across live–spoof pairs. CTNet exploits this asymmetry by first learning consistent cross-modal transitions among live samples to construct a generalised feature space, then learning the inconsistent transitions between live and spoof samples to identify out-of-distribution attacks. For MSMEs that increasingly purchase consumer smartphones and webcams with embedded RGB–IR or RGB–depth sensing, CTNet offers a feasible path to MM FAS without bespoke enterprise hardware. Together, refs. [107,108] indicate that FAS should be treated as a first-class component of any MSME-grade face-recognition pipeline rather than as an optional add-on.

4.4. AI-Generated Synthetic Identities and Emerging Biometric Threats

The maturation of generative artificial intelligence has fundamentally altered the biometric-threat landscape. Earlier presentation attacks relied on physical artefacts that left detectable cues such as moiré patterns or material reflectance signatures; AI-generated synthetic identities remove many of these signals because the attack medium is itself a learned distribution that imitates the statistical properties on which liveness detectors rely [177]. Two converging streams of generative attack are particularly consequential for MSMEs. The first is synthesis: Generative Adversarial Networks, Variational Autoencoders, and diffusion models can produce wholly novel faces that pass general-purpose quality checks and underpin synthetic identity fraud, in which a plausible but non-existent persona is enrolled into Know Your Customer (KYC) pipelines [16,178]. The second is manipulation: deepfake techniques that alter the face of a real target across four canonical categories—identity swap, face reenactment, attribute manipulation, and entire face synthesis—each deployable against face verification at enrolment or authentication [178,179]. Empirical evidence indicates that human inspectors and naive recognition pipelines are poorly equipped to flag high-quality deepfakes; in one frequently cited study, observers correctly identified deepfake videos only 24.5% of the time [180]. Closely related is the morphing attack, in which two or more facial identities are fused into a single image verifiable as either contributor. GAN-based morph generators, including MorGAN, MIPGAN-II, ReGenMorph, and Composite Face Image Attacks have been shown to defeat FaceNet, VGG-Face, and ArcFace under realistic conditions, threatening the integrity of document-based remote onboarding even when supporting documents appear authentic [101,102]. Defensive research has responded along three complementary lines. The first is dedicated deepfake and morphing detectors, whose principal weakness is poor cross-generator generalisation: detectors trained on one generative architecture frequently fail on samples from another. The second is multi-channel verification, combining facial evidence with behavioural biometrics, device fingerprinting, and AI-driven risk scoring so that no single channel can be unilaterally spoofed. The third is the design of more robust intrinsic features within the biometric pipeline itself, exemplified by the FAS work of Huang et al. [107] and Chong et al. [108], where domain-generalised and cross-modal liveness features provide a measure of defence against synthetic inputs even when dedicated detectors are out of date. For MSMEs, three operational consequences follow: face-only verification at onboarding is insufficient for high-trust decisions; layered defences combining detection with cryptographic template protection are required; and shared-infrastructure approaches under standards such as ISO/IEC 30107 [181] are particularly valuable for organisations that cannot independently maintain a generative-AI threat-monitoring capability.

4.5. Review of FVs in the Literature

The FV, originally proposed by Juels and Sudan [18], to provide error tolerance in biometric key binding, has since been extended across multiple modalities and cryptographic strategies. The reviewed studies cluster around three primary biometric modalities—fingerprint, face, and iris—each presenting distinct design challenges.

Fingerprint-based FV schemes seen in Table 12 constitute the largest group, reflecting the modality’s dominance in the broader biometric literature. Lai et al. [182] addressed the symmetric encryption problem inherent in conventional FV implementations by introducing vectorial secret binding with Shamir’s secret-sharing for error correction. Rahman et al. [183] took a minutiae-protection approach, augmenting genuine points with chaff to generate secure templates, validated against correlation attacks, achieving a GAR of 96.67% and FAR of 0.06%. Chitra and Sujitha [184] and Baghel et al. [185] each improved robustness against brute-force and correlation attacks through minutiae pre-alignment and PCA-based filtering, respectively. Dimensionality reduction received dedicated attention from Divyabharathi et al. [186], whose discrete cosine-transform approach reduced feature vector dimensionality by a factor of approximately 48. Li et al. [187] extended template protection to a one-factor scheme combining Minimum Hash Signature with a Secure Extended Feature Vector, achieving a security validated EER of 0.32% on FVC2002 DB2—one of the more competitive reported values across the fingerprint FV literature. Lai et al. [75] addressed the broader performance-versus-privacy trade-off using Index-of-Maximum (IoM) hashing on vectorial biometrics, though the authors acknowledged that extensions to variable-length representations such as IrisCode remained an open challenge.

Facial FV schemes seen in Table 13 address the complementary problems of feature representation and key derivation. Rathgeb et al. [188] constructed an unlinkable deep-face FV by mapping deep-convolutional-feature vectors to integer-valued sets, achieving an FNMR below 1% and FMR below 0.01%—security validated strong results, though obtained under same-database conditions. Kuznetsov et al. [189] introduced code-based cryptographic extractors to confer quantum resistance during key generation from facial data, albeit with comparatively high error rates (FRR of 6.7–8.3%), exposing a persistent accuracy–security tension not resolved by either deep learning or extractor testing. Juneja [190] approached the related problem of illumination and contrast variation through hybrid face rectification, achieving up to 99.09% accuracy on the CMU-PIE dataset, though without security validation or direct integration into an FV or template-protection pipeline.

Iris-based and MM FV schemes remain comparatively sparse. De Oliveira Nunes et al. [191] addressed the practical but under-studied problem of helper data loss by proposing a secure non-interactive re-enrolment protocol (SNUSE), reporting average re-enrolment times of only 13.2 ms against enrolment and authentication times of 945.9 ms and 848.7 ms, respectively—a latency profile that warrants further optimisation for MSME access-control scenarios. Asthana et al. [192] demonstrated the cross-modal applicability of a key-binding mechanism across iris and fingerprint datasets, achieving security validated FAR values of 0.0509% and 0.0475%, respectively, at 256-bit key lengths. Collectively, the reviewed FV studies show consistent progress in security robustness and feature-level efficiency, yet share a common limitation: evaluations are conducted on controlled unimodal datasets, and MM FV fusion—which would directly address non-universality and improve resilience—remains largely unexplored.

Other less-featured biometric combinations among the included studies are also highlighted in Table 14.

Table 12. Included studies on FV with fingerprint as a unimodal trait.

Ref.	Study Aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[186]	To locate an effective finger impression acknowledgement procedure	FP	Arrangement free FV-based unique mark cryptosystem	1140 right finger pictures (2-D) gained from 114 subjects.
[75]	Balance performance & privacy/security protection in feature vector-based biometrics.	FP	b-band Mini Vaults	FVC2002DB1&2, FVC2004DB1&2	Extend method to unordered variable-sized representation & key generation schemes
[183]	Develop parameterised minutiae-based approach to generate secure biometric templates	FP	FV	FVC2002, FVC2004, FCJ2020	Extend method to cancellable template approach with machine learning to provide alerts for cyberattacks on template
[184]	Enhance template protection	FP	Prealigned Minutiae Based FV	FVC2002 DB2	Inconsistent feature representations, feature order, & need for localisation||Resolve inconsistent feature representations & others|Implement Multibiometric FV
[185]	Prevent identity theft & secure FP information in a database	FP	FV	FVC2002DB1&2, FVC2004DB1
[187]	Solve privacy issues & provide template protection	FP	Minimum Hash Signature|Secure Extended Feature Vector|FV	FVC2002DB1-3, FVC2004DB1-3	Secure & efficient cancellable indexing in a large-scale biometric identification|Biometric based cryptosystems

Table 12. Included studies on FV with fingerprint as a unimodal trait.

Ref.	Study Aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[186]	To locate an effective finger impression acknowledgement procedure	FP	Arrangement free FV-based unique mark cryptosystem	1140 right finger pictures (2-D) gained from 114 subjects.
[75]	Balance performance & privacy/security protection in feature vector-based biometrics.	FP	b-band Mini Vaults	FVC2002DB1&2, FVC2004DB1&2	Extend method to unordered variable-sized representation & key generation schemes
[183]	Develop parameterised minutiae-based approach to generate secure biometric templates	FP	FV	FVC2002, FVC2004, FCJ2020	Extend method to cancellable template approach with machine learning to provide alerts for cyberattacks on template
[184]	Enhance template protection	FP	Prealigned Minutiae Based FV	FVC2002 DB2	Inconsistent feature representations, feature order, & need for localisation||Resolve inconsistent feature representations & others|Implement Multibiometric FV
[185]	Prevent identity theft & secure FP information in a database	FP	FV	FVC2002DB1&2, FVC2004DB1
[187]	Solve privacy issues & provide template protection	FP	Minimum Hash Signature|Secure Extended Feature Vector|FV	FVC2002DB1-3, FVC2004DB1-3	Secure & efficient cancellable indexing in a large-scale biometric identification|Biometric based cryptosystems

Table 13. Included studies on FV with facial trait.

Ref.	Study Aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[182]	Solve symmetric encryption-decryption issue by improving exact secret retrieval for genuine input.	FP, F	Symmetric keyring encryption	FVC2002, FVC2004 & FVC2006 & an LFW dataset
[188]	Improve privacy of FV scheme, & suit facial feature vectors	F	FV-based|□	FERET, FRGCv2 (529/533 subjects)	A password or a multi-biometric FV scheme to improve security|Improve polynomial reconstruction method’s runtime
[193]	Address privacy issues & attacks & collusion attacks	F, DV	Improved FV & Blockchain network	CASIA-FaceV5, 11k Hands dataset	Issues when large number of users demand high transactions/second|Limited biometric trait compatibility|Data dependency||Implement Hyperledger based blockchain|Extend method to other traits|Explore data augmentation, transfer learning, or domain adaptation techniques|Integrate method into Self-Sovereign Identity systems, & digital wallets
[189]	Simplify storage & distribution processes of cryptographic keys	F	□|Code-based crypto. extractors	lfw, CelebA	Apply other modalities|Improve method’s performance & security
[194]	Secure original biometrics in databases	F, FP	3D jigsaw transform & optical encryption	9 facial image sample images|9 fingerprint sample images	Implement multi-level cancellable biometric security system & deep learning for biometric storage & transmission
[190]	Solve recognition issues in F recognition systems	F	Rule-based Hybrid F Rectification & Content Region Extraction Model	Yale, Extended-Yale, & CMU-PIE	Implement facial recognition of individuals in a group image|Facial recognition of masked faces

Legend: □: deep learning.

Table 13. Included studies on FV with facial trait.

Ref.	Study Aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[182]	Solve symmetric encryption-decryption issue by improving exact secret retrieval for genuine input.	FP, F	Symmetric keyring encryption	FVC2002, FVC2004 & FVC2006 & an LFW dataset
[188]	Improve privacy of FV scheme, & suit facial feature vectors	F	FV-based|□	FERET, FRGCv2 (529/533 subjects)	A password or a multi-biometric FV scheme to improve security|Improve polynomial reconstruction method’s runtime
[193]	Address privacy issues & attacks & collusion attacks	F, DV	Improved FV & Blockchain network	CASIA-FaceV5, 11k Hands dataset	Issues when large number of users demand high transactions/second|Limited biometric trait compatibility|Data dependency||Implement Hyperledger based blockchain|Extend method to other traits|Explore data augmentation, transfer learning, or domain adaptation techniques|Integrate method into Self-Sovereign Identity systems, & digital wallets
[189]	Simplify storage & distribution processes of cryptographic keys	F	□|Code-based crypto. extractors	lfw, CelebA	Apply other modalities|Improve method’s performance & security
[194]	Secure original biometrics in databases	F, FP	3D jigsaw transform & optical encryption	9 facial image sample images|9 fingerprint sample images	Implement multi-level cancellable biometric security system & deep learning for biometric storage & transmission
[190]	Solve recognition issues in F recognition systems	F	Rule-based Hybrid F Rectification & Content Region Extraction Model	Yale, Extended-Yale, & CMU-PIE	Implement facial recognition of individuals in a group image|Facial recognition of masked faces

Legend: □: deep learning.

Table 14. Included studies on FV with other traits.

Ref.	Study aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[195]	Generating M-bit key with high randomness & bit generation rate for wearable IoT devices	G	FV-based group key distribution	ZJU-GaitAcc, RealWorld (HAR)	Perform online tests with realistic scenarios|Imitation attack consideration|Apply MM biometric-fusion-based secure methods
[196]	Access control using simultaneous multi-biometric inputs	I, FP	Fuzzy Commitment & FV	FVC2002, IITD-DB1, CASIA-Iris-Interval, XM2VTSDB	Error-correcting codes for I & F databases to increase performance
[191]	Creating a non-interactive user re-enrollment of thousands of users in seconds when helper data is lost.	FP, I	Secure Non-interactive User at Scale re-Enrollment & Authentication systems	FVC2000-DB1&2, IITD Iris v1	Expansion to support: Computational & reusable FE/FV schemes|Other biometrics & devices like smartphones|Handle adversaries, without significant overheads
[197]	Creating secure access to cloud & autonomous vehicles		FV, Fuzzy Commitment, & Fuzzy Extractor	None	Extend method to provide a one-time ticket for pick-up services in autonomous driving|Implementation/evaluation of prototype of proposed method.
[198]	Secure patient details from Body Sensor Network using biometric key authentication	ECG	Fuzzy Extractor & FV		Develop effective communication protocol & physical layer for improved security|An effective routing protocol for enhanced overall efficiency.
[199]	Create functional verification of complex computation blocks & their integration into a system	ECG	CoDeCoVe & FV		Testbench generates constrained random test vectors|Design & production of test vectors is limited to designer’s expertise||Design & implementation of RTL model|Integrate design & verification tools into single platform
[200]	Highlight the pros & cons of fuzzy commitment & FV		FV & Fuzzy Commitment	NSRDB (18 subjects, sampling rate: 128 Hz)|EDB (79 subjects, 250 Hz)	Enhance ECG signal processing precision|Improve binary sequence generation process efficacy|Highlight ways to reduce polynomial computations
[201]	Develop efficient MM biometrics human authentication system & E to improve recognition.	PP, E	Hybrid FV-Cuckoo Search algorithm
[202]	Develop a secure authentication service for Body Area Network sensors & others		Rotational Assisted FVs		Reduce communication overhead by reducing the number of chaff points without affecting security level
[203]	Provide enhanced authentication system for low memory devices	E	FV	AMI, CP, IITD-v1, IITD-v2 & USTB-v2	Improvement of FRR|Simulation of attacks
[192]	Develop cryptographic key security method	I, FP	Key binding	IITD Iris, CASIA-FP-V5	Poor quality input images|Improper sensor interaction||Introduce MM scenarios under dynamic environment|Adapt method to other traits|Study image quality effects on method
[204]	Enhance multi-biometric template security	FP, PP	FV		Wavelet transform for performance improvement Introduce other biometric traits
[205]	Develop FV scheme based on fixed-length templates for dynamic signature verification	S1	FV	Real signatures of 48 users, with 20 genuine signatures/user, MCYT, DS2 BioSecure	Unlinkability & renewability properties not satisfied||Skilled forgery system analysis|Achieve renewability & unlinkability using XOR logic function combining original template with password before vault creation & apply encryption technique
[44]	Store/protect key data by fuzzy Physical Unclonable Function template	None	FV
[206]	Fulfil ISO/IEC 24745 requirement|Protect biometric data against offline attacks	Any	Modified FV schemes	Auxiliary alignment data required for pre-alignment is not highlighted	Addressing pre-alignment processes of minutiae-based fingerprint representations
[207]	Provide secure operation of smart manufacturing IIoT|Provide secure automated secret key recovery for IIoT devices	DNA	DNA-based FV.		Scalability
[208]	Achieve hiding several separate secrets using a single FV	Any	Multi-secret FV	None
[209]	Improve accuracy & reliability of authentication	E	SIFTBCS based on FV	AMI, USTB-v2, IITD-v1&v2, CP	Noisy/low-quality biometric data sensitivity||Improve FRR at lowest possible FAR|Test method with attack vectors|Implement pre-processing|Apply other modalities & MM biometrics
[210]	Enhance security using MM biometric	FP, E	Modified region growing algorithm|Local Gabor XOR pattern|ONN
[211]	Generate deep & cancellable biometric feature as template protection	PP, PV	Deep learning		Introduce techniques like CNN & ICANet|Apply method to IoTand in cloud-based mobile applications

Table 14. Included studies on FV with other traits.

Ref.	Study aim(s)	Traits	Method(s)	Dataset	Limitation(s)||Future Work(s)
[195]	Generating M-bit key with high randomness & bit generation rate for wearable IoT devices	G	FV-based group key distribution	ZJU-GaitAcc, RealWorld (HAR)	Perform online tests with realistic scenarios|Imitation attack consideration|Apply MM biometric-fusion-based secure methods
[196]	Access control using simultaneous multi-biometric inputs	I, FP	Fuzzy Commitment & FV	FVC2002, IITD-DB1, CASIA-Iris-Interval, XM2VTSDB	Error-correcting codes for I & F databases to increase performance
[191]	Creating a non-interactive user re-enrollment of thousands of users in seconds when helper data is lost.	FP, I	Secure Non-interactive User at Scale re-Enrollment & Authentication systems	FVC2000-DB1&2, IITD Iris v1	Expansion to support: Computational & reusable FE/FV schemes|Other biometrics & devices like smartphones|Handle adversaries, without significant overheads
[197]	Creating secure access to cloud & autonomous vehicles		FV, Fuzzy Commitment, & Fuzzy Extractor	None	Extend method to provide a one-time ticket for pick-up services in autonomous driving|Implementation/evaluation of prototype of proposed method.
[198]	Secure patient details from Body Sensor Network using biometric key authentication	ECG	Fuzzy Extractor & FV		Develop effective communication protocol & physical layer for improved security|An effective routing protocol for enhanced overall efficiency.
[199]	Create functional verification of complex computation blocks & their integration into a system	ECG	CoDeCoVe & FV		Testbench generates constrained random test vectors|Design & production of test vectors is limited to designer’s expertise||Design & implementation of RTL model|Integrate design & verification tools into single platform
[200]	Highlight the pros & cons of fuzzy commitment & FV		FV & Fuzzy Commitment	NSRDB (18 subjects, sampling rate: 128 Hz)|EDB (79 subjects, 250 Hz)	Enhance ECG signal processing precision|Improve binary sequence generation process efficacy|Highlight ways to reduce polynomial computations
[201]	Develop efficient MM biometrics human authentication system & E to improve recognition.	PP, E	Hybrid FV-Cuckoo Search algorithm
[202]	Develop a secure authentication service for Body Area Network sensors & others		Rotational Assisted FVs		Reduce communication overhead by reducing the number of chaff points without affecting security level
[203]	Provide enhanced authentication system for low memory devices	E	FV	AMI, CP, IITD-v1, IITD-v2 & USTB-v2	Improvement of FRR|Simulation of attacks
[192]	Develop cryptographic key security method	I, FP	Key binding	IITD Iris, CASIA-FP-V5	Poor quality input images|Improper sensor interaction||Introduce MM scenarios under dynamic environment|Adapt method to other traits|Study image quality effects on method
[204]	Enhance multi-biometric template security	FP, PP	FV		Wavelet transform for performance improvement Introduce other biometric traits
[205]	Develop FV scheme based on fixed-length templates for dynamic signature verification	S1	FV	Real signatures of 48 users, with 20 genuine signatures/user, MCYT, DS2 BioSecure	Unlinkability & renewability properties not satisfied||Skilled forgery system analysis|Achieve renewability & unlinkability using XOR logic function combining original template with password before vault creation & apply encryption technique
[44]	Store/protect key data by fuzzy Physical Unclonable Function template	None	FV
[206]	Fulfil ISO/IEC 24745 requirement|Protect biometric data against offline attacks	Any	Modified FV schemes	Auxiliary alignment data required for pre-alignment is not highlighted	Addressing pre-alignment processes of minutiae-based fingerprint representations
[207]	Provide secure operation of smart manufacturing IIoT|Provide secure automated secret key recovery for IIoT devices	DNA	DNA-based FV.		Scalability
[208]	Achieve hiding several separate secrets using a single FV	Any	Multi-secret FV	None
[209]	Improve accuracy & reliability of authentication	E	SIFTBCS based on FV	AMI, USTB-v2, IITD-v1&v2, CP	Noisy/low-quality biometric data sensitivity||Improve FRR at lowest possible FAR|Test method with attack vectors|Implement pre-processing|Apply other modalities & MM biometrics
[210]	Enhance security using MM biometric	FP, E	Modified region growing algorithm|Local Gabor XOR pattern|ONN
[211]	Generate deep & cancellable biometric feature as template protection	PP, PV	Deep learning		Introduce techniques like CNN & ICANet|Apply method to IoTand in cloud-based mobile applications

5. Open Research Issues in MSME Biometric Systems

Although considerable progress has been made in developing FV and MM biometric systems suitable for MSME deployment, the included studies collectively expose a series of unresolved technical, operational, and security challenges. The section not only enumerates the limitations of individual works, but it also synthesises them across coherent technical paradigms such that recurring research gaps and emerging priorities can be easily identified. The discussion concludes by drawing out four cross-cutting challenges that recur across paradigms and represent the highest-priority directions for future research aimed at MSMEs.

5.1. FV Schemes for Resource-Constrained IoT and Wearable Environments

Several studies have applied FV constructions to low-power, embedded, and wearable platforms that are highly relevant to MSMEs operating in manufacturing, logistics, and connected healthcare contexts. Sun et al. [195] proposed an FV-based group-key-distribution method for wearable IoT devices using gait, generating an M-bit key with high randomness across devices on the same body. Bauspies et al. [206] demonstrated a two-factor DNA-based FV implemented on both a laptop and a Raspberry Pi 3B+ for Industrial IoT (IIoT) smart manufacturing, using a 13th-order polynomial and showing that the laptop required roughly 25% fewer clock cycles than the embedded device. Hodgkiss and Djahel [202] developed a rotational-assisted FV for Body Area Network (BAN) sensors, achieving an average execution time of 0.191 ms for 100 points and testing the design against brute-force attacks. Three recurrent limitations emerge across this group. First, evaluations are typically conducted under controlled or simulated conditions; in particular [195], lacks realistic online testing and does not assess resilience to attacks such as walking-posture imitation or machine-vision-based gait synthesis. Second, the schemes are constructed around unimodal data, leaving MM fusion—a known route to stronger device-level security—largely unexplored. Third, scalability and overheads persist as the central engineering tension. Scalability analysis grounded in the reported figures reveals a compounding overhead problem: the 25% clock-cycle penalty incurred on the Raspberry Pi 3B+ relative to a laptop [206] is measured at a fixed 13th-order polynomial; because FV polynomial degree must grow with the size of the genuine point set to maintain security, migrating from unimodal to MM feature fusion—which typically doubles or triples the feature dimensionality—would proportionally increase both the degree and the chaff-point density required to obscure the genuine set, amplifying the embedded-device penalty multiplicatively rather than additively. Concretely, if the 0.191 ms execution time reported at 100 points [202] scales linearly with chaff-point count, achieving the chaff densities of 500–1000 points routinely recommended in the biometric cryptosystem literature to attain adequate brute-force resistance would project execution times of approximately 0.96–1.91 ms per authentication transaction on equivalent hardware—a range that remains individually tolerable but becomes untenable under the concurrent multi-user or MM load typical of MSME deployments. The embedded-device penalty quantified by [206] illustrates the computational headroom problem on low-power hardware, while [202] continues to incur communication overhead linked to chaff-point density. Future work in this paradigm should, therefore, prioritise attack-resilient testing under realistic deployment, MM fusion strategies appropriate for embedded devices, and lightweight optimisations that reduce chaff-point load and computational footprint without weakening security.

5.2. Cloud-Centric and Distributed Biometric Authentication

Cloud connectivity, blockchain ledgers, and autonomous services enlarge the attack surface that MSMEs must defend, motivating two notable contributions. Jiang et al. [197] combined FVs, fuzzy commitment, and fuzzy extractor primitives into a three-factor cloud-assisted authentication scheme integrating biometrics, passwords, and smart cards for autonomous vehicles, achieving a computational time of 8 s for 1000 authentication messages and a total communication cost of 5152 bits. Sharma et al. [193] addressed record-multiplicity, brute-force, and collision attacks through a decentralised FV implemented on an Ethereum-based blockchain using face and dorsal-hand-vein traits, reporting 99.8% accuracy on CASIA-Face V5 and 11k Hands with a 1 MB block size and 516 transactions per block. Despite their methodological diversity, both works share three common limitations. They are restricted to a narrow set of biometric modalities—only face and dorsal hand vein in [193]—and are likely to encounter data-dependency issues when scaled. They have not been validated through prototype deployment under realistic transactional load: [197] still requires implementation and prototype evaluation. Finally, they face scalability ceilings, with Ethereum throughput becoming a bottleneck under high user volumes in [193]. Promising directions include implementing one-time-ticket protocols for autonomous pickup services [197], migrating decentralised FV designs to Hyperledger-style permissioned blockchains, broadening biometric trait compatibility through transfer learning, data augmentation, and domain adaptation [193], and exploring deployment in emerging contexts such as Self-Sovereign Identity (SSI), the metaverse, and digital wallets.

5.3. Biosignal-Based Cryptosystems for Healthcare

Healthcare-oriented MSMEs increasingly require biometric protection for sensitive physiological data exchanged over Body Sensor Networks (BSNs) and similar platforms. Mahendran and Velusamy [198] proposed an electrocardiogram (ECG)-driven biometric key authentication scheme that achieved 99.9% sensitivity and 99.9% positive predictability, with 40% higher data-transmission efficiency than a Bayesian baseline and 20% lower energy consumption than fuzzy commitment. Zheng et al. [200] performed a critical comparison of fuzzy commitment and FV in ECG-based key distribution, reporting an FRR of 3.37% on NSRDB and 1.57% on EDB for fuzzy commitment, and an EER of 4.51% on EDB and 3.24% on NSRDB for FV (with FRR of 5%). The study also confirmed that FV’s FAR decreases as the polynomial order increases. Together, these works show that while ECG-based cryptosystems achieve attractive baseline performance, they remain hampered by the absence of effective communication and physical-layer security mechanisms, the lack of efficient routing protocols suited to constrained healthcare networks, and computational inefficiencies in polynomial reconstruction. Improving the precision of ECG signal processing, optimising the binary-sequence generation pipeline, and reducing polynomial computation cost are, therefore, high-priority directions, complemented by purpose-built routing and physical-layer designs that deliver enhanced overall efficiency for MSME-grade medical IoT deployments.

5.4. Fingerprint-Template Protection and Minutiae-Based FV Schemes

Fingerprint-based template protection is the most heavily represented theme in the included literature, reflecting the modality’s prevalence in MSME-grade access control. Rahman et al. [183] proposed a parameterised minutiae-based approach achieving 96.67% GAR and 0.06% FAR on FVC2002, FVC2004, and FCJ2020. Chitra and Sujitha [184] developed a pre-aligned minutia-based FV that reached 89% GAR at 0.72% FAR for degree 8 and 75% GAR at 0.01% FAR for degree 12. Li and Wang [187] introduced the Novel Minimum Hash Signature (NMHS) and Secure Extended Feature Vector (SEFV) constructions, recording a best EER of 0.32% on FVC2002DB2, an enrolment time of 0.0034 s on FVC2002DB1, and an average authentication time of 0.00457 s. Asthana et al. [192] proposed a cryptographic key-binding scheme for iris and fingerprint evaluated on IIT Delhi Iris and CASIA-FingerprintV5, with FAR values of 0.0475% and 0.0509%, respectively, at 256 bits per key. Sujitha and Chitra [204] extended FV protection to a fingerprint-and-palmprint multi-biometric template, achieving 95% GAR and an FRR of 0.05. Abou elazm et al. [194] secured face and fingerprint imagery via a 3D jigsaw transform combined with Fractional Fourier Transform (FRFT) optical encryption, reporting EER, FAR, and FRR values of $9.3997\ast {10}^{-15}$, $2.6288\ast {10}^{-17}$, and $1.8969\ast {10}^{-13}$ on average. A consistent set of limitations runs through these contributions. Most schemes are evaluated only on fingerprint or fingerprint-plus-one-other-modality data, leaving broader MM compatibility unaddressed [184,192,204]. Performance is sensitive to input image quality, sensor interaction, feature ordering, and the need for accurate localisation [184,192], all of which constrain real-world deployment. Several schemes also exhibit security gaps: cancellable indexing for large-scale identification is not supported in [187], and rigorous attack-vector evaluation is missing in [183,192,204]. Future work should prioritise extending these schemes to genuine MM operation; integrating cancellable template approaches with machine-learning-based intrusion detection to flag attacks on template databases [204]; improving robustness to image quality variation and dynamic environments [192]; exploring multi-level cancellable architectures and deep-learning-based storage and transmission [194]; and applying the wavelet transform or related signal-processing techniques to enhance discriminative performance [204].

5.5. Face-Based Biometric Cryptosystems

Three studies illustrate the trajectory of face-based cryptosystems for MSME applications. Rathgeb et al. [188] adapted the FV scheme to facial feature vectors extracted by deep convolutional neural networks, achieving FNMR < 1% and FMR < 0.01%. Kuznetsov et al. [189] applied Keras FaceNet and Face-Recognition deep models combined with code-based cryptographic extractors targeting post-quantum resilience, reporting FRR/FAR pairs of 8.3%/7.4% and 6.7%/9.7% for the two embedding networks. Juneja [190] addressed environmental robustness via a multi-stage hybrid model with rule-based face rectification, content-region extraction, and an Adaptive Weber and Speeded Up Robust Features (AWSURF) component, achieving 92.88%, 91.77%, and 99.09% accuracy on Yale, Extended-Yale, and CMU-PIE, respectively. The shared limitation is the unimodal focus: none of these systems integrate complementary traits, and the polynomial-reconstruction runtime in [188] requires further optimisation. Practical extensions include MM fusion to harden face-based vaults [188], joint performance and security optimisation of the cryptographic extractor [189], and broader real-world facial scenarios such as recognition of individuals within group images and recognition of masked faces [190].

5.6. Multi-Biometric Fusion with FV

A small but important subset of works targets MM fusion at the FV layer. Chang et al. [196] enforced simultaneous presentation of all genuine biometric samples by combining iris and fingerprint within a fuzzy commitment and FV framework. Kandasamy [201] proposed a Hybrid FV-Cuckoo Search algorithm operating on palmprint and ear, reporting FNMR of 0.45, FMR of 0.12, a Jaccard coefficient of 0.54, a Dice coefficient of 0.35, and a GAR of 0.62. While these designs improve security beyond unimodal baselines, they share two limitations: their performance margin can be widened through the use of error-correcting codes, particularly for iris and face databases [196], and they have not been subjected to rigorous attack simulations to verify robustness [201]. Strengthening these schemes through error correction, principled adversarial modelling, and integration with cancellable template approaches is the clear next step.

5.7. Specialised FV Schemes for Ear and Signature Modalities

Beyond the dominant traits, several studies adapt FV to less-explored modalities suitable for niche MSME contexts. Kaur and Kumar [203] proposed the Binary Robust Independent Elementary Features-based Biometric Cryptosystem (BRIEFBCS) for fast, compact ear-based authentication on low-memory devices, achieving 0.9499 maximum accuracy on the CP dataset and a best FRR of 0.1758 on IITD-v2. In another paper [209], also describes a Scale Invariant Feature Transform-based Biometric Cryptosystem (SIFTBCS) for ear data that exhibits sensitivity to noisy inputs. Ponce-Hernandez et al. [205] developed an FV scheme based on fixed-length templates for dynamic signature verification with a verification and key-recovery time of 40 ms; the design satisfies irreversibility but fails the unlinkability and renewability conditions. Across this group, common research priorities are lowering FRR at the smallest achievable FAR; evaluating the schemes against diverse attack vectors; applying preprocessing pipelines to mitigate sensor noise; extending support to additional modalities and full MM fusion [203]; and, in the signature case, achieving unlinkability and renewability through XOR-based combination of the template with a password followed by an encryption layer before vault formation, alongside skilled-forgery analysis [205].

5.8. Scalability, Re-Enrolment, and Vectorial Biometric Privacy

Another paradigm concerns the operational scalability of biometric cryptosystems. The Secure Non-Interactive User at Scale Re-Enrolment (SNUSE) scheme [191] supports secure, non-interactive re-enrolment of large user populations, achieving an average enrolment time of 945.9 ms, an average authentication time of 848.7 ms, and an average re-enrolment time of 13.2 ms on fingerprint and iris data. Lai et al. [75] addressed the trade-off between performance and privacy in vectorial biometrics through Index-of-Maximum (IoM) hashing tuned to preserve discriminative biometric vectors. The principal limitation in both is restricted modality coverage and scheme generality. SNUSE [191] requires more secure computational circuits to handle the varied matching-distance representations of biometrics beyond fingerprint and iris, and could be extended to additional reusable cryptographic binding schemes and broader device classes such as smartphones. The IoM hashing approach in [75] could be expanded to binary representations such as IrisCode and unordered, variable-sized representations like fingerprint minutiae, and could be migrated from a key-binding to a key-generation scheme. In both cases, the central engineering tension is extending the model to handle more attacks and a wider range of traits without a considerable increase in overheads—a constraint that is especially acute for MSMEs.

5.9. Deep Learning-Based Cancellable Biometrics

Deep learning is being increasingly applied to template protection. The security-oriented biometric feature-extraction technique (S-DCTNet) [211] generates deep, cancellable biometric features and currently relies on KNN and SVM for classification. The principal opportunity is to broaden the model family by incorporating architectures such as CNN and ICANet, and to evaluate deployment in cloud-based and IoT-enabled mobile applications—both directions that align naturally with the distributed, resource-constrained operating contexts typical of MSMEs.

5.10. Cross-Cutting Research Priorities

Across the paradigms above, four challenges recur and constitute the highest-priority directions for MSME-focused biometric privacy and security research. First, MM extension is almost universally identified as a route to stronger protection: the unimodal schemes in [183,184,187,188,189,192,195,203,204,211] each note the integration of complementary traits as a primary future direction. Second, systematic-attack evaluation is conspicuously absent or incomplete in many works [183,192,195,201,203,204,205], so rigorous testing against realistic adversarial scenarios—including imitation, brute-force, presentation, and skilled-forgery attacks—is essential before MSME deployment. Third, scalability and overhead control remain pivotal: schemes targeting IoT, blockchain, and large user populations [191,192,193,202,206] face overheads that grow with stronger security, motivating lightweight cryptographic constructions and efficient fusion strategies tailored to MSMEs’ resource constraints. Fourth, sensor and quality robustness limits real-world performance, since input image quality, sensor variability, and environmental conditions undermine field deployment [190,192,203]; preprocessing pipelines, quality-aware enrolment, and quality-adaptive matching are all needed to translate laboratory results into MSME-grade systems. Taken together, these synthesised directions provide a structured agenda for advancing FV and MM biometric systems beyond their current state of research, with explicit attention being paid to the real-world operational realities of constrained budgets, heterogeneous devices, and limited security expertise that distinguish MSMEs from larger enterprises.

5.11. Real-World Deployment Constraints in MSME Environments

Despite the cryptographic and accuracy advantages of MM FV systems, their translation into MSME deployments introduces a cluster of practical constraints that are not adequately addressed by laboratory benchmarks alone.

Computational Latency. MM systems that combine deep-convolutional-feature extractors with cryptographic template-protection pipelines impose substantial inference overhead. Shuvo et al. (2023) [212] observed that deep learning models are “computationally expensive, power-hungry, and require large memory,” with inference ordinarily offloaded to high-performance cloud infrastructure, a model that introduces unacceptable round-trip latency in access-control scenarios requiring sub-second response times. On the template-protection side, the polynomial reconstruction step intrinsic to the FV scheme adds further latency; Geißner et al. (2025) [213] identified decoder acceleration as an open priority specifically because existing reconstruction algorithms remain a bottleneck in practical deployments. Collaborative edge–cloud partitioning has been proposed as a mitigation: Oroceo et al. (2022) [214] demonstrated that offloading face-recognition inference across an edge–cloud hierarchy reduces per-query latency, though this architecture itself presupposes reliable network connectivity—a condition that cannot be assumed in MSME settings operating in bandwidth-limited or intermittent-connectivity environments.

Hardware Cost. Near-infrared (NIR) iris cameras and high-resolution face sensors represent non-trivial capital expenditures that may be prohibitive for cost-sensitive organisations. As noted in comparative sensor assessments, iris and face modalities rely on “relatively expensive image sensors for large-scale deployment” compared with lower-cost physiological alternatives [111]. For MSMEs deploying authentication at multiple entry points or workstations, hardware procurement costs scale linearly, making the total cost of ownership a significant barrier to adoption.

Usability and Failure-to-Enrol. User acceptance of biometric authentication is strongly mediated by perceived convenience and speed, where systems impose lengthy or multi-step acquisition procedures—common in MM pipelines requiring sequential capture—abandonment rates and failure-to-enrol (FTE) incidents increase [26,30]. Illumination variation, occlusion, and sensor placement inconsistencies compound FTE rates in uncontrolled MSME environments that lack the controlled lighting of enterprise installations. The multi-step enrolment process of a FV system, which includes feature quantisation, chaff generation, and vault locking, further extends session duration beyond the tolerance of operationally time-pressed users [188].

Privacy and Regulatory Compliance. MSME operators must navigate biometric data governance obligations—including ISO/IEC 24745:2022 [33] template irreversibility and unlinkability requirements and regional data protection frameworks—without the dedicated compliance infrastructure of large enterprises. Template protection via the FV scheme is specifically designed to address irreversibility and cancellability [188,213], yet the operational burden of audit logging, consent management, and incident response remains substantial for organisations with limited IT capacity. Collectively, these constraints argue for lightweight, edge-native architectures with streamlined enrolment workflows as preconditions for viable MSME deployment.

Interoperability. When enrolled templates are acquired using one vendor’s sensor but subsequently matched against probes from a different device (a routine occurrence as organisations upgrade hardware incrementally), recognition performance degrades significantly since biometric systems are typically designed under the implicit assumption of sensor homogeneity [109]. This cross-device matching problem is more acute in MM systems, where each modality may carry its own proprietary feature-extraction algorithm whose internal score distributions are vendor-opaque and, therefore, non-trivially combinable with outputs from a different supplier’s pipeline [215]. Score-level fusion is widely adopted as the pragmatic workaround precisely because it requires only the final matching scores rather than access to raw feature representations, thereby preserving a degree of cross-vendor compatibility [109]; however, this approach introduces its own challenge, as scores from heterogeneous sources occupy different numerical ranges and require normalisation before fusion, adding an additional processing stage that increases both latency and system complexity. Abdul Cader et al. [216] further note that current biometric deployments predominantly rely on proprietary algorithms, and that standardised cross-device interoperability testing protocols remain insufficiently adopted, limiting the ability of MSME operators to benchmark or validate mixed-vendor configurations before deployment. While ISO/IEC 19784-1 (BioAPI 2.0) provides a standardised API framework intended to enable multi-vendor component integration, compliance with this standard does not eliminate the underlying score-distribution mismatch problem and imposes an integration overhead that resource-limited organisations are ill-equipped to absorb [217]. A summary of each study reviewed is provided in the Supplementary Materials.

5.12. Integration of MM Biometrics and FV as a Unified Protection Pipeline for MSMEs, Along with Their Indicative Complexity and Cost Trade-Offs

Table 15. Indicative summary of computational overhead trends.

Component	Main Operations	Indicative Complexity Trend	Latency/Cost Implication for MSMEs	Trade-Off
Feature extraction	Pre-processing, segmentation, embedding extraction	Increases with image size, model depth, and number of modalities	Lightweight handcrafted or compact CNN models may run locally; large deep models may require GPU/cloud support	Higher feature quality may improve recognition but increases compute and memory demand
FV construction	Polynomial evaluation, genuine/chaff point generation, vault storage	Increases with number of genuine points, chaff points, and polynomial degree	Usually acceptable during enrolment, since enrolment is less frequent than verification	More chaff and higher degree improve security but increase storage and decoding cost
FV unlocking/polynomial reconstruction	Matching query points, selecting candidate genuine points, polynomial interpolation/reconstruction	Cost grows with vault size, chaff density, tolerance, and degree	Can become a verification bottleneck on low-resource devices if parameters are too large	Stronger protection may increase authentication latency
Score-level MM fusion	Normalisation, weighting, score combination	Usually linear in number of modalities	Generally lightweight and suitable for MSMEs	Simple and efficient, but may not capture complex modality relationships
Feature-level MM fusion	Concatenation or transformation of feature vectors	Increases with combined feature dimension	May increase memory use and matching cost	Can improve discriminative power but may increase computational burden
Deep/learned fusion	Neural fusion, attention, joint representation learning	Increases with model depth and feature dimensionality	May require GPU or cloud resources for real-time use	Potentially strong performance but higher deployment cost
Template protection/encryption	Hashing, encryption, key binding, secure storage	Depends on cryptographic method and template size	Lightweight symmetric encryption is usually feasible; complex protocols may add delay	Improves privacy/security but adds processing and implementation complexity

provides an indicative summary of computational overhead trends rather than exact benchmarking values, since the reviewed studies use different datasets, hardware platforms, feature extractors, and implementation settings. The aim is to make the resource implications more interpretable for MSME deployment.

In a unified MM–FV system, MM biometrics and FV should not be treated as separate components. The MM subsystem provides complementary biometric evidence from two or more traits, while the FV subsystem provides protected binding or storage of the biometric-derived features. A typical pipeline involves biometric acquisition, quality assessment, preprocessing, feature extraction, feature or score fusion, FV locking during enrolment, and FV unlocking during verification. The effectiveness of the whole system depends on the interaction between these stages with each contributing to the overall effect on MSMEs, as seen in Table 15. Poor-quality biometric samples can reduce feature reliability, which may weaken fusion accuracy and increase FV unlocking failure. Similarly, stronger FV parameters such as higher chaff density or polynomial degree may improve template protection but increase verification latency. Therefore, MM recognition performance and FV template protection must be jointly optimised rather than evaluated independently. To analytically synthesise the unified protection pipeline for MSMEs,

Table 16. Comparison of the effect of the discussed approaches on MSMEs.

Approach Category	Main Contribution	Main Limitation	Reason for Performance Variation	MSME Implication	Representative Studies
Unimodal biometrics	Simpler implementation; lower acquisition cost	Vulnerable to single-trait failure and spoofing	Depends heavily on modality quality and dataset conditions	Suitable for low-cost systems but weaker resilience	[45,57,66,67,71]
MM biometrics without FV	Improved recognition reliability and robustness	May still expose templates if protection is weak	Fusion method and modality complementarity affect results	Useful if lightweight fusion is used	[12,14,15,70,120,218,219]
FV-based unimodal systems	Protects biometric templates using cryptographic binding	May suffer from reconstruction errors and attack exposure	Chaff density, polynomial degree and tolerance affect performance	Good privacy potential but must be computationally tuned	[43,184,185,188,203,205,209]
MM–FV systems	Combines recognition robustness with template protection	More complex integration and higher overheads	Feature quality, fusion level and FV parameters jointly affect results	Most promising, but requires lightweight design	[193,196,201,204]
Deep learning-based MM systems	High recognition performance	Requires more computation, data and hardware	Model size, training data and protocol strongly affect results	Feasible only with compression, edge optimisation or hybrid deployment	[118,220,221,222,223,224]
Attack-aware systems	Better evidence of real-world security	Less frequently evaluated and harder to compare	Threat model and attack dataset affect results	Essential before deployment in risk-sensitive MSMEs	[35,101,102,103,176,225]

compares the reviewed approaches based on their contributions, limitations, sources of performance variation, and implications for MSME deployment.

5.13. MSME-Oriented Implementation Recommendations

Having highlighted the effects of various design approaches in Section 5.12, it is obvious that for MSME deployment, the most practical direction is not necessarily the most complex MM or FV design, but the design that offers an acceptable balance between recognition accuracy, template protection, attack resilience, latency, memory usage, and implementation cost, among others.

Table 17. Practical design decision recommendations for MSMEs.

Design Decision	Recommended MSME-Oriented Option	Reason
Modalities	Face + iris or face + fingerprint	Balances distinctiveness, availability and acquisition practicality
Fusion level	Score-level or decision-level fusion	Lower computational cost than feature-level/deep fusion
Feature extraction	Lightweight CNNs or compact handcrafted/deep hybrid methods	Reduces hardware dependence
FV parameters	Moderate polynomial degree and chaff density selected through latency-security tuning	Avoids excessive verification delay
Evaluation protocol	Same-dataset plus cross-dataset or cross-session testing	Gives stronger evidence of generalisation
Security testing	Include spoofing, replay, morphing and template compromise scenarios	Avoids relying only on recognition accuracy
Deployment metrics	Report verification time, memory, model size and hardware used	Makes results actionable for MSMEs
Quality control	Include sample-quality assessment before fusion and FV unlocking	Reduces operational failure

gives practical recommendations for the choice of various components for the implementation of lightweight MM–FV systems in MSMEs.

6. Conclusions and Future Works

This study systematically reviewed recent advances in MM biometric systems and FV-based biometric template protection, paying particular attention to their relevance for MSMEs. The review shows that contemporary MM biometric systems frequently report strong recognition performance, particularly through the use of face, iris and fingerprint traits, which together accounted for a substantial proportion of the modalities identified in the reviewed literature. Face and iris are especially promising for rapid MM authentication because both traits can be captured from the facial region, potentially reducing acquisition burden and improving user convenience. However, the findings also show that high recognition accuracy alone is insufficient for MSME deployment unless it is accompanied by template protection, adversarial validation and computational feasibility.

The central conclusion of this review is that future research should move beyond treating MM recognition performance, FV template protection and MSME deployment constraints as separate issues. Instead, these concerns should be addressed together. From this combined perspective, three priority research challenges emerge. First, there is a need for lightweight MM–FV integration, where multiple biometric traits are fused with FV-based protection without imposing excessive computational, storage or hardware overheads. This is particularly important for MSMEs, where limited infrastructure may restrict the use of large deep learning models, complex fusion architectures or computationally expensive FV-parameter settings.

Second, future systems require standardised adversarial evaluation. Many reviewed studies report accuracy, FAR, FRR, GAR or EER under controlled conditions, but fewer evaluate performance under realistic threats such as spoofing, replay, morphing, synthetic identity attacks, template compromise or adversarial manipulation. As a result, reported recognition performance should not be interpreted as security-validated performance unless attack-aware testing is explicitly conducted. For MSME environments, this distinction is critical because over-reliance on laboratory-optimised accuracy may underestimate operational risk.

Third, there is a need for quality-aware deployment pipelines. Practical MM–FV systems should include mechanisms for assessing sample quality, sensor reliability, feature quality, fusion confidence and vault unlocking reliability before making authentication decisions. Such pipelines would help reduce failure rates caused by poor image quality, noisy acquisition conditions, sensor variation or unstable biometric samples. They would also support more realistic deployment by linking recognition performance, template protection and operational decision-making.

Overall, this review indicates that MM biometrics and FV-based template protection remain promising directions for improving biometric privacy and security in MSMEs. However, their practical value depends on the development of systems that are not only accurate, but also lightweight, attack-aware, quality-sensitive and transparently evaluated. A rigorously tested MM–FV framework that balances recognition performance, security-validated robustness, computational affordability and deployment practicality represents a strong direction for future biometric-authentication systems in MSME contexts.