Biometric systems – those that identify individuals based on unique biological characteristics like fingerprints, retinal patterns, voice, or facial features – have long been considered the future of security protocols. Technological advances over the past decade in particular have made them much more widespread in practical application, but a new report form the National Research Council says that could be a mistake, as the systems are “inherently fallible.”

The report – commissioned by security-inclined bodies including DARPA, the CIA, and the Department of Homeland Security – found that while biometric systems are effective at certain specific tasks, the promise of biometrics has surpassed the actual technological delivery, and that could lead to serious problems as the systems are rolled out more and more widely.

The systems, the report argues, rely on probabilistic results, which by definition are imbued with a certain degree of uncertainty. Further, biometrics aren’t static; the characteristics largely perceived as positive identifiers actually can change over a person’s lifetime due to age, disease, or other factors. This can lead to false-positives or an inability for a system to make an ID at all. Further, the systems’ effectiveness is as reliant on human competence as it is on the technology itself.

This kind of inconsistency is obviously not ideal in situations where making a positive ID is critical to security of both information and personnel. But, the report says, that doesn’t mean biometric systems should be scrapped. What it does mean is that careful systems-level considerations need to be made when integrating biometrics into a security portfolio – and that security schemes need to be exactly that: portfolios.

Biometrics, uncertain though they may be, are still effective if employed in the proper ways, but there need to be secondary measures in place to back them up, and operators should employ them with the expectation that they will make errors, in some cases frequently. Because nobody is perfect, not even security tech’s next big thing.