Defining Security Limits in Biometrics

27/05/2025 - Kevin ATIGHEHCHI, Associate Professor (Maître de conférences)

Biometric systems are widely used for authentication and identification. The False Match Rate (FMR) quantifies the probability of incorrectly matching a biometric template with a different user's template and serves as an indicator of system robustness against security threats.

We analyze biometric systems through two main contributions. First, we study untargeted attacks, where an adversary attempts to impersonate any user in the database. We compute the number of trials necessary for successful impersonation and derive both the critical population size (the maximum database size) and the critical FMR needed to ensure security against untargeted attacks as the database size grows.

Second, we address the biometric birthday problem, which quantifies the probability that two distinct users have matching biometric templates (meaning they can impersonate each other). We calculate approximate and exact collision probabilities and identify the corresponding critical population size and critical FMR thresholds required to limit biometric collision risks, especially in large-scale databases.

These thresholds provide actionable insights for designing biometric systems that mitigate impersonation and collision risks, particularly in large databases. However, our results show that current systems fail to achieve the necessary security level against untargeted attacks, even in relatively small databases, and they face significant challenges related to the biometric birthday problem as database sizes grow.
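
To make the two kinds of threshold concrete, here is an added example (not the speaker's derivation or code) that computes untargeted-attack and birthday-collision figures under a simplifying assumption: every comparison between two different people is an independent false match with probability equal to the FMR. The function names and the sample operating point are hypothetical.

```python
import math

# Assumption (not from the talk): every comparison between two different
# people is an independent false match with probability `fmr`.

def untargeted_success(fmr, n):
    """P(one random probe matches at least one of n enrolled templates)."""
    return -math.expm1(n * math.log1p(-fmr))

def expected_trials(fmr, n):
    """Mean number of probes before the first false match (geometric law)."""
    return 1.0 / untargeted_success(fmr, n)

def critical_population_untargeted(fmr, risk):
    """Largest n keeping the per-probe success probability <= risk."""
    return math.floor(math.log1p(-risk) / math.log1p(-fmr))

def critical_fmr_untargeted(n, risk):
    """Largest FMR keeping the per-probe success probability <= risk."""
    return -math.expm1(math.log1p(-risk) / n)

def birthday_collision(fmr, n):
    """P(at least one of the n(n-1)/2 user pairs falsely matches)."""
    return -math.expm1(n * (n - 1) / 2 * math.log1p(-fmr))

def birthday_collision_approx(fmr, n):
    """Small-FMR approximation 1 - exp(-fmr * n^2 / 2)."""
    return -math.expm1(-fmr * n * n / 2)

def critical_population_birthday(fmr, risk):
    """Largest n keeping the collision probability <= risk."""
    max_pairs = math.log1p(-risk) / math.log1p(-fmr)
    return math.floor((1 + math.sqrt(1 + 8 * max_pairs)) / 2)

if __name__ == "__main__":
    fmr = 1e-6  # constructed operating point, not a figure from the talk
    for n in (10_000, 1_000_000):
        print(n, untargeted_success(fmr, n), expected_trials(fmr, n))
    print("untargeted, risk 1%:", critical_population_untargeted(fmr, 0.01))
    print("birthday, risk 50%:", critical_population_birthday(fmr, 0.5))
```

Under this model the birthday threshold grows only with the square root of 1/FMR, which is why collisions appear at far smaller database sizes than the per-probe figures suggest.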