Overview

Biometric processing—the use of facial recognition, fingerprint scans, and iris scans to verify passenger identity—has moved from pilot programs to operational deployment at U.S. commercial airports. Three federal agencies operate biometric programs in the airport environment: the Transportation Security Administration (TSA), U.S. Customs and Border Protection (CBP), and, through its enrollment infrastructure, the TSA's PreCheck program. Private companies, including CLEAR and the major U.S. airlines, operate additional biometric systems under federal oversight or in partnership with these agencies.

TSA Credential Authentication Technology (CAT-2)

The CAT-2 unit is a TSA checkpoint device that performs three functions: (1) authenticates the traveler's physical identification document, (2) confirms the traveler's boarding pass and Secure Flight pre-screening status, and (3) performs a 1:1 facial match—comparing a live photograph of the traveler to the photograph on the presented credential.

Key operational details:

• Deployment: TSA has deployed CAT-2 units and is scaling facial recognition technology across the checkpoint network. As of December 2024, TSA reported facial recognition technology at approximately 80 airports, with expansion planned through the FY 2026 appropriations period.
• Data retention: The CAT-2 system does not retain personal passenger information, per TSA system requirements.
• Opt-out: Travelers may opt out of the 1:1 facial match and instead be processed by TSA based on a valid ID and boarding pass.
• Manufacturer: IDEMIA, under contract with TSA.
• Cost: TSA funds CAT-2 procurement and deployment. The House FY 2026 DHS Appropriations bill includes $300 million for Computed Tomography and checkpoint screening technology.

CAT-2 replaces the earlier CAT-1 device, which authenticated documents but did not perform facial matching. The facial match capability addresses a longstanding vulnerability in manual document verification: human capability to match an unfamiliar face to a document photograph. According to the GAO's July 2022 assessment of CBP's facial recognition program (GAO-22-106154), biometric matching systems achieve higher accuracy rates on unfamiliar face-to-document comparisons than human reviewers relying on visual inspection alone.

TSA PreCheck Touchless ID

TSA PreCheck Touchless ID—also referred to as the Touchless Identity Solution (TIS)—is a next-generation identity verification system that allows eligible TSA PreCheck travelers to verify their identity at the checkpoint using facial matching, without presenting a physical ID or boarding pass.

How It Works

1. A TSA PreCheck traveler opts in through a participating airline (Delta, United, American, Southwest, or Alaska Airlines) by adding valid passport information to their airline profile.
2. The airline transmits a consent indicator on the traveler's mobile boarding pass.
3. At a dedicated Touchless ID lane, a TSA officer with a tablet and high-definition camera captures the traveler's image.
4. The system transmits the image to CBP's Traveler Verification Service (TVS) API, which matches it against the traveler's existing passport photo in the government database.
5. If matched, the traveler proceeds. Images are encrypted and deleted within approximately 24 hours.

Current and Planned Deployment

Current airports include Atlanta (ATL), Dallas Fort Worth (DFW), Chicago O'Hare (ORD), Denver (DEN), Detroit (DTW), Las Vegas (LAS), Los Angeles (LAX), Newark (EWR), New York JFK and LaGuardia (JFK/LGA), Phoenix (PHX), Salt Lake City (SLC), San Francisco (SFO), Seattle (SEA), and Reagan National (DCA). The Spring 2026 expansion is timed ahead of the 2026 FIFA World Cup, with priority given to host-city airports.

REAL ID Enforcement

The REAL ID Act of 2005 (Pub. L. 109-13, Title II) established minimum security standards for state-issued driver's licenses and identification cards. TSA began enforcement on May 7, 2025—the final deadline after multiple extensions since the Act's passage.

As of enforcement day, TSA spokesperson Daniel Velez stated that 81% of travelers already used a REAL ID or another approved form of identification. Beginning February 1, 2026, travelers 18 and older without a REAL ID-compliant credential may use TSA's ConfirmID process—an alternative identity verification procedure that carries a $45 fee and may result in additional screening and processing time.

REAL ID enforcement is relevant to biometric programs because it increases the value proposition of biometric identity verification: travelers with valid U.S. passports linked to TSA PreCheck Touchless ID bypass the credential presentation requirement entirely, reducing the checkpoint friction that REAL ID enforcement introduces for travelers with non-compliant state IDs.

CBP Biometric Entry-Exit Program

CBP operates the Biometric Entry-Exit Program under the authority of 8 U.S.C. § 1365b, which mandates a biometric entry-exit system for foreign nationals. The program uses facial recognition—via the Traveler Verification Service (TVS)—to match travelers against their passport photos stored in government databases.

Performance Data

Data Retention

CBP's data retention practices differ based on citizenship:

• U.S. citizens: Photographs are matched and deleted within 12 hours.
• Non-citizens: Photographs may be retained as a biometric entry or exit record. Press reporting indicates retention periods of up to 75 years for non-citizen records.

Biometric Exit Deployment

As of July 2022, CBP had deployed facial recognition for biometric exit at gate areas in at least 32 airports and for biometric entry processing at all airports with international arrivals. By late 2025, CBP reported piloting biometric exit at 57 airports.

On December 26, 2025, a final rule titled Collection of Biometric Data from Aliens Upon Entry to and Departure from the United States took effect, granting CBP legal authority to collect facial, fingerprint, and iris biometrics from non-citizens at all entry and exit points—airports, seaports, and land borders. This date is a regulatory authorization milestone; implementation at specific ports requires separate operational deployment.

CBP's biometric exit process at airports is conducted in partnership with airlines and airport authorities. Airlines may provide camera equipment at boarding gates, or CBP agents may use mobile devices with a specialized application at gates operated by smaller international carriers.

CLEAR+

CLEAR+ is a private identity verification service that uses biometrics (facial scans and fingerprints) to verify member identity at dedicated lanes in airport security areas. CLEAR+ does not replace TSA screening; it replaces the document-check step, allowing members to proceed directly to the physical screening lane—including the TSA PreCheck lane if the member holds both enrollments.

For airport operators, CLEAR's presence creates a commercial relationship: CLEAR typically leases space in the checkpoint queue area from the airport authority, generating non-aeronautical lease revenue. The pods and staffing are CLEAR's capital and operating expense; the airport provides the physical footprint.

Airline Biometric Programs

Major U.S. airlines have deployed biometric identity verification at airports, primarily through integration with TSA Touchless ID and CBP TVS:

Delta Air Lines Digital ID is the most publicly documented airline biometric program. It is available at 11 airports: ATL, DEN, DTW, LAS, LAX, LGA, JFK, PDX, SEA, SLC, and DCA. Travelers opt in through their SkyMiles profile by adding passport information and a Known Traveler Number. At equipped airports, Digital ID enables hands-free bag drop, TSA checkpoint verification, and boarding via facial recognition. Delta reported plans to expand Digital ID to all its hubs by the end of 2025, with the stated objective of a curb-to-gate biometric experience.

All five participating TSA Touchless ID airlines—Delta, United, American, Southwest, and Alaska—have enabled the Touchless ID consent indicator on their mobile boarding passes at equipped airports.

Industry Standards: IATA One ID and ICAO DTC

Two international frameworks are shaping the future trajectory of biometric processing at airports.

IATA One ID

IATA's One ID initiative defines a vision for a document-free passenger journey using digital identity and biometric recognition. The initiative has two components:

1. Digitalization of Admissibility: Passengers obtain government authorizations and demonstrate admissibility to travel digitally, before departure.
2. Contactless Travel: Passengers share biometric images and journey information in advance and move through airport touchpoints without presenting physical documents.

IATA's 2025 Global Passenger Survey, released November 5, 2025, surveyed international passenger preference regarding identity verification methods. The survey results are publicly available through IATA's publications. One ID standards are still under development. IATA has stated that it is "too early to determine One ID compliance" for current airport biometric implementations, but recommends that airports proceed with biometric solutions while ensuring systems are designed to accommodate future technology evolution.

ICAO Digital Travel Credential (DTC)

The International Civil Aviation Organization's Digital Travel Credential provides the technical basis for representing a passport in digital format. DTC Type 1 functions as a verifiable credential—a digital representation of the chip data on an ePassport, which can be shared with airlines and governments in advance of travel.

Biometric system deployment costs vary significantly based on scope, scale, and integration requirements. Implementation involves capital costs for checkpoint infrastructure modifications, kiosk and camera equipment, data connectivity, and software integration with federal systems. Airport operators should evaluate specific project scopes and consult with technology vendors and federal agencies regarding eligible funding sources.

Privacy and Legal Framework

Federal

Biometric programs operated by TSA and CBP are governed by the Privacy Act of 1974 (5 U.S.C. § 552a), and each agency publishes Privacy Impact Assessments (PIAs) and System of Records Notices (SORNs) for its biometric systems.

TSA's stated privacy safeguards for Touchless ID include: opt-in only (travelers may decline and use standard ID presentation), encryption of images, deletion of images within approximately 24 hours, and no sharing with law enforcement databases.

A bipartisan Traveler Privacy Protection Act has been introduced in Congress. The bill would prohibit TSA from making facial scans effectively compulsory and would require prompt deletion of biometric data. A 2024 subcontractor breach exposed approximately 190,000 biometric images collected through the TSA program.

State Biometric Privacy Laws

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the strictest U.S. state biometric privacy law. BIPA requires private entities to provide written notice and obtain written consent before collecting biometric identifiers—including facial geometry—and provides a private right of action with liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation.

In August 2024, Illinois amended BIPA to limit damages in the most common claim type: for violations of the notice-and-consent requirement, a defendant is now liable for only one violation per person, regardless of the number of biometric collection events.

BIPA has influenced biometric data practices beyond Illinois. Companies operating in other states have adjusted their biometric data handling to align with BIPA's standards, as data transfer across state boundaries makes jurisdiction-specific compliance complex. A growing number of states have enacted or proposed similar biometric privacy statutes. Airport operators and their concessionaires that deploy biometric systems at tenant-operated touchpoints (e.g., airline check-in kiosks, lounge access) may wish to evaluate compliance obligations under the applicable state's biometric privacy framework.

Financial and Operational Dimensions for Airport Operators

Biometric deployment at airports involves costs and revenue opportunities distributed across federal agencies, airlines, and airport operators:

• TSA-funded equipment: CAT-2 units and TIS kiosks are procured and deployed by TSA. Airport operators provide the physical checkpoint space but do not bear the equipment capital cost.
• Terminal modifications: Airports expanding or reconfiguring checkpoint areas to accommodate biometric lanes may incur capital costs for construction, electrical, and data connectivity work. These costs are eligible for AIP or BIL-era grant funding to the extent they qualify as airport development.
• CBP biometric exit: CBP's gate-area camera deployment involves coordination between CBP, airlines, and airport operators. Airlines provide cameras at their gates; CBP provides agents or the mobile application. Airport operators may be asked to facilitate data connectivity and physical installation.
• CLEAR+ lease revenue: CLEAR occupies space in the pre-screening queue area under lease agreements with airport operators, generating non-aeronautical revenue.
• Airline biometric gates: Airlines deploying biometric bag drops or boarding gates at their leased terminal space invest their own capital, though the airport may participate through common-use infrastructure decisions.
• Cybersecurity and data protection: TSA Security Directive SD 1580/82-2022-01 imposes cybersecurity requirements on airport and airline operators of TSA-regulated systems. Biometric data systems that interact with TSA or CBP systems are within the scope of these requirements.

Sources and Further Reading

• IDEMIA, "Credential Authentication Technology (CAT-2)," August 2024
• TSA PreCheck Touchless ID via ASRC Federal/Washington Exec, January 3, 2026
• TSA, REAL ID Enforcement Final Rule, May 6, 2025
• GAO-22-106154, "Facial Recognition Technology: CBP Traveler Identity Verification," July 2022
• Pangiam, "Assessing CBP's Use of Facial Recognition Technology," August 2022
• CBP Biometric Entry-Exit Final Rule, effective December 26, 2025
• IATA, "One ID"
• IATA, "Powering the Future of Contactless Travel," October 29, 2025
• Privacy Act of 1974 (5 U.S.C. § 552a)
• 740 ILCS 14, Illinois Biometric Information Privacy Act (BIPA)