EN 301 549 5.3 -- Biometrics

For reference only -- not part of a11ybot's automated checks.

What It Is

ETSI EN 301 549 v3.2.1 clause 5.3 states that where ICT uses biological characteristics, it shall not rely on a particular biological characteristic as the only means of user identification or for control of the ICT[1]. The clause's own notes clarify two things: the required alternative may itself be biometric (a different modality) or non-biometric, and the standard expects dissimilar modalities -- fingerprint, retina, voice, face -- because no single biological characteristic is present and usable across the whole population.

The Mechanism Failure

Biometric matchers are classifiers trained on a reference population. Every modality has an enrollment floor below which the signal does not exist: a fingerprint reader cannot capture a ridge pattern from a user who has no fingers, from worn prints (trades work, chemotherapy, epidermolysis bullosa), or from fingers the capacitive sensor reads as "dry." An iris scanner cannot resolve a usable template through certain cataracts, corneal scarring, nystagmus, or prosthetic eyes. A face-recognition login cannot land a match when the camera frames the user from a head-pointer mount, an eye-tracker rig, or a wheelchair headrest that holds the head off-axis, and the published false-non-match rates on faces with facial differences, heavy makeup, or partial paralysis are materially worse than the baseline. Voice biometrics cannot enroll users with dysarthria, laryngectomy, or a trach tube.

A banking app that accepts fingerprint and nothing else -- no PIN, no password, no hardware key -- is not "mostly accessible with an edge case." It is a door with one key shape and a population of users whose hands do not fit that shape. Clause 5.3 closes that door by forbidding the single-modality design, not by demanding the biometric itself be fixed.

The Fix

Pair every biometric gate with at least one alternative path that does not depend on the same biological characteristic. A PIN, password, passkey, hardware security key, or recovery code satisfies the clause; so does a second, dissimilar biometric modality, because 5.3's objection is to exclusivity, not to biometrics as a category. The alternative must be reachable without first passing the biometric check -- a "fingerprint failed, try again" loop that only exposes the PIN after three retries is still single-modal from the perspective of a user who cannot produce a print at all. Enrollment has to be accessible on the same terms: a system that lets a user log in with a PIN but forces fingerprint capture during account setup has moved the barrier, not removed it.

Physical-access ICT -- door entry, time clocks, secure-area turnstiles -- falls under the same rule. A badge reader paired with a fingerprint sensor satisfies 5.3; a fingerprint-only turnstile does not, regardless of whether a supervisor can override it during business hours.
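
An added example, not part of the standard and not a11ybot code: one way to audit a login or enrollment flow for the reachability rule described above, by checking whether the goal can still be reached when every step that needs a given biological characteristic is removed. The edge-list model, state names, sample flows and function names are assumptions made for this illustration.

```python
from collections import deque

# Constructed sample flows. Each edge is (from_state, to_state, characteristic):
# the biological characteristic the user must present to take that edge, or
# None for a PIN, password, passkey, badge or similar. A failed capture still
# needs the characteristic, because the user has to present it to fail.
RETRY_LOOP_LOGIN = [
    ("start", "retry_1", "fingerprint"),
    ("retry_1", "retry_2", "fingerprint"),
    ("retry_2", "pin_prompt", "fingerprint"),  # PIN appears after 3 failures
    ("start", "done", "fingerprint"),          # successful match
    ("pin_prompt", "done", None),
]
PIN_UPFRONT_LOGIN = [
    ("start", "done", "fingerprint"),
    ("start", "pin_prompt", None),             # PIN offered on the first screen
    ("pin_prompt", "done", None),
]
FORCED_CAPTURE_ENROLLMENT = [
    ("start", "pin_setup", "fingerprint"),     # setup stops without a capture
    ("pin_setup", "done", None),
]
TWO_FINGERPRINT_SENSORS = [
    ("start", "done", "fingerprint"),          # sensor A
    ("start", "done", "fingerprint"),          # sensor B, same characteristic
]
FINGERPRINT_OR_FACE = [
    ("start", "done", "fingerprint"),
    ("start", "done", "face"),                 # dissimilar modality
]

def reachable(edges, start, goal, excluded):
    """Breadth-first search that skips every edge needing `excluded`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for src, dst, needs in edges:
            if src == node and needs != excluded and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return False

def sole_means(edges, start="start", goal="done"):
    """Return the characteristics a user cannot avoid on the way to `goal`."""
    used = {needs for _, _, needs in edges if needs is not None}
    return sorted(c for c in used if not reachable(edges, start, goal, c))
```

A non-empty result names the characteristic the flow relies on exclusively; the enrollment flow needs the same check as the login flow.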

How It Relates to WCAG

WCAG 2.2 added 3.3.8 Accessible Authentication (Minimum) and 3.3.9 Accessible Authentication (Enhanced), which forbid cognitive function tests (memorising, transcribing, puzzle-solving) as the sole authentication step unless an alternative is offered. EN 301 549 5.3 is broader in two directions: it covers identification and control of any ICT, not just web authentication, and it targets biological characteristics specifically rather than cognitive load. An authentication flow that passes 3.3.8 by offering a password can still fail 5.3 if the password path is only reachable after a fingerprint retry loop, and a door-entry biometric sits outside 3.3.8 entirely but is squarely in 5.3's scope.

Practical Implications

  • Every biometric login ships with a discoverable non-biometric path -- PIN, password, passkey, or hardware key -- surfaced before the biometric retry loop, not after it.
  • Physical-access biometrics pair with a badge, key, or equivalent credential available at the same entry point.
  • The alternative is available at the same time and location as the biometric. "Call IT on Monday" is not an alternative mode of operation.
  • Enrollment is accessible, not just matching. A system that requires a biometric capture to create the account has moved the failure from login to onboarding.
  • If two biometric modalities are used as the alternative pair, they must be genuinely dissimilar (fingerprint and face, not two fingerprint sensors) so that a user excluded by one is not excluded by the other.

Related Clauses

Sources