In 2022, I received an award for something that few software developers get recognised for: nearly eliminating examination malpractice at an institution of over 6,000 students. The system that earned that award was a biometric-based Computer-Based Testing (CBT) platform that I designed and deployed (check my list of awards). The results were startling: a 98% decrease in examination malpractice.
This article is a detailed account of how we got there. Not the polished conference-paper version, the real one, with the decisions we agonised over, the failures we recovered from, and the architecture decisions that made the difference.
The Scale of the Problem
Examination malpractice in Nigerian universities is not a minor inconvenience; it is a systemic crisis. Before our biometric CBT was in place, examination halls were plagued with issues: impersonation (students paying others to sit exams on their behalf), mass cheating from printed materials hidden in clothing, and collusion between invigilators and students.
The traditional response was more vigilance, stricter rules, and stronger penalties. None of it worked at scale. What was needed was a technical solution that made impersonation and other vices structurally impossible, not just risky.
System Architecture Overview
The biometric CBT system is not simply a test-delivery platform with a fingerprint reader bolted on. It is an integrated pipeline that connects identity verification, examination delivery, real-time monitoring, and result computation into a single, auditable chain.
The Core Components
At its heart, the system consists of four tightly integrated modules:
- Biometric Enrolment Module — Students' fingerprints are captured and stored in encrypted form during first-year registration. Each print is linked to the student's matric number, course registration, payment and semester record.
- Exam Session Authentication Module — On exam day, students authenticate before receiving their one-time password to log in to the CBT app. No fingerprint match, no exam access — period.
- Exam Delivery Engine — A time-bound, browser-locked interface that disables copy-paste, screenshot functions, and background applications. Questions are randomised per student from a question bank.
- Result and Audit Pipeline — Answers are submitted server-side in real time. The result record is immutable once the session closes.
Biometric Data Handling
Biometric data is never stored as raw fingerprint images. We store a non-reversible template — a mathematical representation that can be matched against a new scan but cannot be reconstructed into an image. This is crucial for both privacy and regulatory compliance. All templates are encrypted at rest using AES-256 and accessed only through the authentication service, never directly from application code.
The Challenges Nobody Warns You About
The technical architecture is the part everyone asks about. The challenges nobody warns you about are operational.
Dry and worn fingerprints. For students whose fingers were affected by heat or manual work, false reject rates were our biggest early problem. We solved this by allowing up to five scan attempts before escalating to the administrator. We also capture up to four fingerprints (two fingers from both hands) during the enrolment phase to reduce this kind of issue to the barest minimum.
Network failures during live exams. The system had to remain functional during network drops. We implemented local session caching so that an in-progress exam would continue even if connectivity was lost, with answers syncing to the server on reconnection.
Hardware standardisation. Different labs had different network infrastructures and operating systems. Maintaining a standard across the board is critical to the success of this system.
Issues to Be Taken Care of During Deployment of the Biometric CBT System
- One-time password usage: Each generated password must be valid for only one login session. Once it has been used successfully to log in, it should expire immediately and become invalid for reuse.
- Password expiration time: Every generated password must have a short validity period, such as 5 minutes from the time of generation. If it is not used within that period, it should expire automatically.
- Cross-centre usability of login details: Login credentials generated for a candidate must not work in another examination centre.
- Biometric verification accuracy: The system should reliably verify candidates’ biometric data before granting access, with proper handling for failed or unreadable biometric captures.
- Duplicate login prevention: A candidate should not be allowed to log in on multiple devices or in multiple centres at the same time using the same credentials.
- Real-time synchronization across centres: All centres should be connected to a centralized server or synchronized database so that password status, login status, and biometric validation are updated in real time.
- Centre and candidate mapping validation:
The system should confirm that only registered candidates for a particular exam session can use generated credentials, even if they log in from another approved centre.
- Administrative override control: Any manual intervention, such as regenerating passwords or bypassing biometric verification, should be restricted to authorised personnel and properly logged.
Results and Impact
The numbers speak clearly. The deployment reduced documented examination malpractice by 92%. These are not percentage improvements in an abstract metric — they represent thousands of students assessed fairly, and the restored integrity of academic credentials.
The 2022 award I mentioned at the start was presented by the institution for "the singular role in the development of a special exam model introduced during the COVID lockdown." During COVID, we adapted the CBT system to also support online examination, a rapid pivot that kept exams running when physical campuses were closed.
What Nigerian Universities Should Know Before Investing
If your institution is considering a biometric CBT system, here is my honest advice based on years of deployment experience:
- Budget for enrolment infrastructure — the quality of your stored biometric templates determines the quality of every future verification. Rushed enrolment creates false rejects at exam time.
- Design for offline resilience from day one. Nigerian power and connectivity conditions mean your system must work gracefully without either.
- Invest in invigilator training. The technology is only as effective as the process around it. An untrained invigilator granting manual override to everyone who fails to scan undermines the whole system.
- Plan for the long tail of edge cases — amputees, students with skin conditions, hardware failures. Every exception is a potential malpractice vector if not handled by policy.
The technical problem of examination malpractice is solvable. The evidence from our deployments is clear. What it requires is not just hardware procurement, but thoughtful system design, operational discipline, and institutional commitment. If you are working on a similar problem or want to discuss a deployment at your institution, reach out — I am happy to consult.
This is exactly the kind of detailed breakdown we needed. We've been considering a biometric CBT rollout for two semesters now and the point about false reject rates from worn fingerprints is something our vendor completely glossed over. The three-attempt escalation protocol is a smart fix — we'll be borrowing that pattern. Thank you for sharing the operational realities, not just the architecture diagram.