Encoded Biometric Template

Detects encoded biometric template artifacts rather than the word "fingerprint". Matches the ISO/IEC 19794 family modality magic markers (FMR\0 finger minutiae, FIR\0 finger image, FAC\0 face, IIR\0 iris — also the ANSI/INCITS 378 FMR header) and base64 blobs explicitly labelled as a biometric / fingerprint / iris / face template. Real biometric exfiltration moves as encoded templates, not plaintext.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence. The FMR/FIR/FAC/IIR + NUL signature is a standards-defined biometric record header that does not occur in ordinary text, and the labelled-base64 branch requires an explicit biometric-template label adjacent to a long base64 blob. False positives are unlikely outside documentation that deliberately quotes these markers.

Jurisdictions

global, eu

Regulations

GDPR, CCPA/CPRA

Frameworks

ISO 27001, NIST CSF, SOC 2

Data categories

biometric, pii

Scope

narrow

Risk rating

9

Platform compatibility

Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9])(?:(?:FMR|FIR|FAC|IIR)\x00|(?:biometric|fingerprint|finger minutiae|iris|face|facial|palm)[\s_-]?template[\s\S]{0,40}?[A-Za-z0-9+/]{40,}={0,2})

Corroborative evidence keywords

biometric, template, minutiae, enrollment, fingerprint, iris, facial recognition, ISO 19794

Proximity: 300 characters

Should match

• FMR
minutiae record exported from the enrollment device — ISO 19794-2 / ANSI 378 finger minutiae magic marker FMR\0
• Header bytes FAC begin the ISO 19794-5 face record. — ISO 19794-5 face record magic marker FAC\0
• fingerprint template: TUZSAGVuY29kZWRiaW9tZXRyaWN0ZW1wbGF0ZWJsb2JkYXRh1234== — Labelled-base64 fingerprint template blob
• biometric_template QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJj — Labelled-base64 biometric template blob (underscore separator)

Should not match

• Please collect the visitor fingerprint at the front desk on arrival. — Prose mention of fingerprint without an encoded template blob or marker
• The FMRI scanner is scheduled for maintenance next Tuesday. — Near-miss ("FMRI" word) with no NUL byte and no template blob
• The design template was approved by the marketing team yesterday. — Generic "template" with no biometric label and no base64 blob

Known false positives

• Documentation that quotes the FMR/FIR/FAC/IIR magic markers, or a biometric-template label that happens to sit near an unrelated long base64 string. Mitigation: Require corroborative keywords (minutiae, enrollment, ISO 19794) within the proximity window and treat hits inside obvious documentation/spec text as informational.

References

• ISO/IEC 19794-2 — Biometric data interchange formats, Part 2 finger minutiae data (FMR)
• ANSI INCITS 378-2009 fingerprint template format (FMR magic header)