PAK-002

NADRA Automated Biometric Identification System (ABIS) for CNIC Enrolment De-duplication

Download PDF
Pakistan Middle East, North Africa, Afghanistan & Pakistan Lower middle income Scaled & Institutionalised Confirmed

National Database and Registration Authority (NADRA)

At a Glance

What it does Perception and extraction from unstructured inputs — Identification, verification and record linkage
Who runs it National Database and Registration Authority (NADRA)
Programme NADRA Automated Biometric Identification System (ABIS) for CNIC Enrolment De-duplication
Confidence Confirmed
Deployment Status Scaled & Institutionalised
Key Risks Governance and institutional oversight risks
Key Outcomes NADIR AFIS engine achieved >99.
Source Quality 5 sources — News article / media, Government website / press release, Report (multilateral / development partner)

The National Database and Registration Authority (NADRA) of Pakistan operates an Automated Biometric Identification System (ABIS) to ensure the uniqueness of Computerized National Identity Cards (CNICs) by detecting and preventing duplicate identities at the point of enrolment. Established under the NADRA Ordinance of 2000 (No. VIII of 2000), NADRA is an autonomous agency under Pakistan's Ministry of Interior responsible for managing the national population database and issuing identity credentials to all citizens. The ABIS performs one-to-many (1:N) biometric matching across the entire registered population — reported as approximately 120 million adults, representing roughly 96 per cent of the eligible population — each time a new CNIC application is submitted, to verify that the applicant does not already hold a card under a different identity.

The system's biometric matching capabilities have evolved through three distinct modalities. The first component was the Automated Fingerprint Identification System (AFIS), which has been operational since approximately 2007 and performs 1:N fingerprint matching using all ten fingerprints captured during enrolment. In April 2023, NADRA unveiled 'NADIR', an indigenously developed AFIS engine that replaced reliance on foreign biometric identification technology providers. According to NADRA, NADIR achieved accuracy exceeding 99.5 per cent in benchmarking conducted through the Fingerprint Verification Competition (FVC) in Italy, making Pakistan one of a small number of countries with indigenous AFIS capability. The second modality is facial recognition, which performs facial-image matching against the database to complement fingerprint deduplication. The third modality, iris recognition — branded as 'IRIS' — was launched in June 2023 using Iris ID iCAM R100 series infrared scanners. Iris recognition registers distinctive patterns within the ring-shaped region surrounding the pupil, converting these patterns into mathematical templates for matching. NADRA describes the iris modality as offering low false match rates and being 'near impossible to fake or imitate', since no two irises are identical and iris patterns remain stable throughout a person's life. The combined use of fingerprint, facial, and iris matching is intended to provide what NADRA terms 'immutable identity provision'.

The iris recognition system was piloted at NADRA headquarters before user acceptance testing at mega-centres in Islamabad, PECO Road Lahore, and DHK Karachi. NADRA has announced plans to roll out iris capture to all 700 of its registration centres nationwide. A notable feature of the iris programme is the enrolment of children's iris data during registration, since iris characteristics are stable from early childhood, addressing a gap in biometric identification for younger populations who may not have sufficiently developed fingerprints for reliable matching.

The CNIC issued through this process is digitally encoded with biometric data including fingerprints and photographs, with modern cards incorporating embedded microchips that securely store biometric information including iris scans. Each CNIC carries a unique 13-digit identification number that serves as the primary legal identity credential for Pakistani citizens aged 18 and above. The CNIC is effectively mandatory for participation in civic and economic life: without it, individuals cannot vote, obtain passports or driving licences, access formal banking services, purchase train tickets, or access public services.

The downstream social protection implications of NADRA's ABIS are substantial. The CNIC and its associated biometric verification infrastructure underpin Pakistan's major social assistance programmes, including the Benazir Income Support Programme (BISP) and the Ehsaas Kafalat Programme. BISP, Pakistan's flagship cash transfer programme since 2008, requires a valid CNIC for eligibility determination and uses NADRA's biometric verification for payment authentication at disbursement points. Payments are linked to CNIC and fingerprint records to reduce fraud. NADRA also operates the Citizen Biometric Verification System (CBVS), which provides real-time fingerprint-based identity verification for SIM card registration, banking know-your-customer compliance, and other downstream applications.

NADRA maintains a centralised National Data Warehouse hosting data on over 96 million citizens, with the biometric deduplication system operating against this central database. NADRA's Islamabad data centre facility has received recognition from the Uptime Institute. The system complies with international standards including OAuth 2.0, OpenID Connect (OIDC), NIST 800-63, TLS 1.2/1.3, ISO/IEC 27001, and ISO/IEC 24760.

Human-in-the-loop adjudication is maintained for potential duplicate matches identified by the ABIS. As noted in biometric identification literature, AFIS and ABIS deduplication systems are 'rarely 100 per cent automated' and require manual review of ambiguous matches by trained operators before a final determination is made on whether to reject an application as a duplicate or proceed with issuance. This is particularly critical given the high-stakes nature of the decision — incorrectly flagging a legitimate applicant as a duplicate would deny them their national identity credential and, consequently, access to social protection benefits and public services.

Documented concerns include data security incidents, with 2.7 million individuals' data reportedly compromised between 2019 and 2023 according to the Statelessness Encyclopedia Asia Pacific. Systematic exclusion risks affect stateless persons, transgender individuals, and migrant populations, while mandatory paternal or spousal linkage requirements in CNIC applications create barriers for women, children without identified fathers, and foundlings. Legal immunity provisions for NADRA officials and judicial restraints on court challenges have been identified as accountability gaps.

Classifications follow the DCI AI Hub Taxonomy. Hover over field labels for definitions.

AI Capabilities

Perception and extraction from unstructured inputs primaryAnomaly and change detection Classification

Use Cases

Identification, verification and record linkage primaryCompliance and integrity

Social Protection Functions

Implementation/delivery chain
Registration primaryAssessment of needs/conditions + enrolment
SP Pillar (Primary) The social protection branch: social assistance, social insurance, or labour market programmes. Social assistance
SP Pillar (Secondary) The social protection branch: social assistance, social insurance, or labour market programmes. Social insurance
Programme Name NADRA Automated Biometric Identification System (ABIS) for CNIC Enrolment De-duplication
Programme Type The type of social protection programme, classified under social assistance, social insurance, or labour market programmes. View in glossary Other
System Level Where in the social protection system the AI is applied: policy level, programme design, or implementation/delivery chain. View in glossary Implementation/delivery chain
Programme Description NADRA's ABIS performs 1:N biometric deduplication using fingerprint (AFIS/NADIR), facial recognition, and iris recognition (launched June 2023) against a database of approximately 120 million registered adults to ensure uniqueness of Computerized National Identity Cards (CNICs). The CNIC serves as the foundational identity credential for access to social protection programmes including BISP and Ehsaas.
Implementation Type How the AI output is produced: Classical ML, Deep learning, Foundation model, or Hybrid. Affects validation, compute requirements, and governance profile. View in glossary Classical ML
Lifecycle Stage Current stage in the AI lifecycle, from problem identification through to monitoring, maintenance and decommissioning. View in glossary Monitoring, Maintenance and Decommissioning
Model Provenance Origin of the AI model: developed in-house, adapted from open-source, commercial/proprietary, or accessed via third-party API. View in glossary Not documented
Compute Environment Where the AI system runs: on-premise, government cloud, commercial cloud, or edge/device. View in glossary On-premise
Sovereignty Quadrant Classification of data and compute sovereignty: I (Sovereign), II (Federated/Hybrid), III (Cloud with safeguards), or IV (Shared Innovation Zone). View in glossary II — Federated/Hybrid Governance
Data Residency Where the data used by the AI system is stored: domestic, regional, or international. View in glossary Domestic
Cross-Border Transfer Whether data crosses national borders, and if so, whether documented safeguards are in place. View in glossary Not documented
Decision Criticality The rights impact of the decision the AI supports. High criticality requires HITL oversight; moderate requires HOTL; low may operate HOOTL. View in glossary High
Human Oversight Type Level of human involvement: Human-in-the-Loop (active review), Human-on-the-Loop (monitoring), or Human-out-of-the-Loop (periodic audit). View in glossary HITL
Development Process Whether the AI system was developed fully in-house, through a mix of in-house and third-party, or fully by an external provider. View in glossary Mix of in-house and third-party
Highest Risk Category The most significant structural risk source identified: data, model, operational, governance, or market/sovereignty risks. View in glossary Governance and institutional oversight risks
Risk Assessment Status Whether a formal risk assessment, informal assessment, or independent audit has been conducted for this system. Not assessed
Documented Risk Events 2.7 million individuals' data compromised between 2019 and 2023 (reported by Statelessness Encyclopedia Asia Pacific). Systematic exclusion of stateless, transgender, and migrant populations from CNIC issuance documented by multiple civil society sources.

Risk Dimensions

Data-related risks
Consent or lawful basis gapData quality failureRepresentation bias
Governance and institutional oversight risks
Inadequate grievance or redressInsufficient human oversightPurpose limitation failureRegulatory non-complianceUnclear accountabilityWeak documentation or auditability
Market, sovereignty and industry structure risks
Jurisdictional hosting riskOpaque supply chainVendor lock-in
Model-related risks
Opacity or limited explainabilitySubgroup bias

Impact Dimensions

Accountability, transparency and redress
No accessible or effective remedyNo identifiable decision owner
Autonomy, human dignity and due process
Inability to contest or appeal outcomeLoss of individual agency or autonomyOpaque or unexplained decision
Equality, non-discrimination, fairness and inclusion
Disparate error rates across groupsReinforcement of structural inequitySystematic exclusion from benefits or services
Privacy and data security
Disproportionate surveillance or profilingLoss of individual control over personal dataPrivacy violation or data breach
Systemic and societal
Deepened digital divide
  • Grievance mechanism
  • Human oversight protocol
CategorySensitivityCross-System LinkageAvailabilityKey Constraints
National ID and biometric databasesSpecial categoryLinks data across multiple systemsCurrently available and usedBiometric data (10 fingerprints, facial images, iris scans from 2023) for approximately 120 million adults; centrally stored in NADRA National Data Warehouse; linked to CNIC 13-digit unique identifier; downstream linkages to BISP, banking, SIM registration, electoral systems

Biometric Update (2023) 'NADRA adds iris to automated biometric identification platform with Iris ID', Biometric Update, 5 June. Available at: https://www.biometricupdate.com/202306/nadra-adds-iris-to-automated-biometric-identification-platform-with-iris-id (Accessed: 24 March 2026).

View source News article / media

Express Tribune (2023) 'NADRA launches cutting-edge AFIS technology for biometric identification', Express Tribune, 18 April. Available at: https://tribune.com.pk/story/2412599/nadra-launches-cutting-edge-afis-technology-for-biometric-identification (Accessed: 24 March 2026).

View source News article / media

Pakistan Observer (2023) 'NADRA upgrades biometric identification system by adding IRIS recognition', Pakistan Observer, June. Available at: https://pakobserver.net/nadra-upgrades-biometric-identification-system-by-adding-iris-recognition/ (Accessed: 24 March 2026).

View source News article / media

Radio Pakistan (2023) 'NADRA launches Iris Recognition System for identity verification, citizen de-duplication', Radio Pakistan, 4 June. Available at: https://www.radio.gov.pk/04-06-2023/nadra-launches-iris-recognition-system-for-identity-verification-citizen-de-duplication (Accessed: 31 October 2025).

View source Government website / press release

Statelessness Encyclopedia Asia Pacific (2025) 'Pakistan', SEAP. Available at: https://seap.nationalityforall.org/digital-id/regional-overview/south-asia/pakistan/ (Accessed: 24 March 2026).

View source Report (multilateral / development partner)
Deployment Status How far the system has progressed into real-world operational use, from concept/exploration through to scaled and institutionalised. View in glossary Scaled & Institutionalised
Year Initiated The year the AI system was first initiated or development began. 2000
Scale / Coverage The scale and geographic or population coverage of the deployment. Approximately 120 million adults (~96% of eligible population); 700 NADRA registration centres nationwide; iris recognition deployed at mega-centres in Islamabad, Lahore, and Karachi with nationwide rollout planned
Funding Source The source(s) of funding for the AI system development and deployment. Government of Pakistan (statutory funding under NADRA Ordinance 2000)
Technical Partners External technology vendors, academic partners, or development partners involved. Iris ID (iCAM R100 series scanners for iris capture); NADIR AFIS engine developed indigenously by NADRA
Outcomes / Results NADIR AFIS engine achieved >99.5% accuracy in Fingerprint Verification Competition (FVC) benchmarking. System underpins CNIC issuance for ~120 million adults. Downstream verification ecosystem includes BISP/Ehsaas cash transfer authentication, SIM registration, banking KYC, and electoral verification. Iris modality added in June 2023 with children's enrolment capability.
Challenges No comprehensive data protection legislation in Pakistan (reliance on NADRA Ordinance and PECA 2016); documented data breach affecting 2.7 million records (2019-2023); exclusion of stateless, transgender, and migrant populations; mandatory paternal/spousal linkage requirements create barriers for women and foundlings; legal immunity for NADRA officials limits accountability; vendor details for original AFIS (pre-NADIR) not publicly documented; hosting infrastructure details not publicly specified.

How to Cite

DCI AI Hub (2026). 'NADRA Automated Biometric Identification System (ABIS) for CNIC Enrolment De-duplication', AI Hub AI Tracker, case PAK-002. Digital Convergence Initiative. Available at: https://socialprotectionai.org/use-case/PAK-002 [Accessed: 1 April 2026].

Change History

Created 30 Mar 2026, 08:41
by v2-import (import)