What Is Biometrics: Detailed Guide with Examples
Biometrics are becoming commonly used as an advanced layer within enterprises and personal security systems. In this guide, we will break down every facet of biometrics.
Read on to find out:
- What biometrics are and how they were developed
- The different types of biometrics
- Why biometrics are useful
- Real life use-cases of biometrics
- Why biometrics are controversial
- Answers to biometric FAQs
What Are Biometrics?
Biometrics are used in cutting edge security technology — such systems use human features as identifiers for facial recognition. You can use biometrics to measure an individual’s unique physical characteristics and, thus, verify their identity. In order for biometric data to be useful, it needs to fulfill three things:
- It must be a high quality biometric template for further work.
- It must be enriched and updated.
- It must be strictly protected.
Biometrics Definition
To summarize, biometrics are unique physical identifiers that can be utilized in automated recognition technology. Some examples of biometric characteristics include facial patterns, fingerprints, irises, voice, and palm veins. From an etymological point of view, when you break down biometrics, you get two Greek words: bio (life) and metrics (to measure).
History of Biometrics
Biometrics have always been used as a method of facial recognition, even before it became incorporated into technology. Since the start of civilization, human beings have used facial features to identify both known and unknown people.
However, as populations increased and methods of travel became more convenient, recognizing faces based on looking at their features was much more difficult. Thus, biometrics evolved over time to meet the needs of an ever growing and evolving population. We have a few real examples of biometric usage throughout the history of civilization.
The Beginning of Biometrics
- Prehistoric cave paintings that are estimated to be 31,000 years old are surrounded by handprints. These prints are assumed to be a signature of sorts, done by the painter.
- There is evidence that ancient Babylonian business transactions were accompanied by fingerprint recordings.
- A Spanish explorer and writer from the 1500s, Joao de Barros, reported that Chinese merchants used fingerprints as part of their business transactions.
These are just a few examples — biometrics have been gathered and used in countless societies for centuries.
Biometric Evolution
As technology became more advanced, so did the methods of biometric acquisition and identification. In the mid-1800s, the industrial revolution was in full swing, and cities were growing rapidly. Because of this, there was a need to efficiently identify people. Authorities and merchants could no longer rely on local knowledge and their own experiences to identify these more mobile and larger populations.
Let’s take a look at two methods that justice systems used to identify criminals via biometrics. The first way was the Bertillon system, which was developed in France. With this system, body dimensions (such as height and arm length) were measured and recorded on cards. The other system was used in Asia, South America, and Europe and involved the formal use of indexing fingerprints.
Biometrics in the 20th Century
In the early 20th century, the Bertillon system was proven to be ineffective when two twin men in a Kansas penitentiary were found to have identical body measurements. It was obvious that a new method of biometric recording and recognition needed to be developed.
In the 1960s, the first semi-automatic facial recognition system was created. This system required the user to extract usable physical features, such as the eyes, ears, mouth, and nose in photographs. The system would then calculate ratios and compare them to reference data.
In 1969, the FBI began to develop a system that would automate fingerprint identification. At the time, the current process was manual, overwhelming, and time-consuming. The FBI and the NIST collaborated to study how to automate fingerprints.
The NIST found that there were two key challenges that needed to be addressed: identifying minutiae from scanned fingerprint cards and comparing/matching minutiae lists. The technology that would meet these challenges was developed in 1975, but it was very rudimentary. It continued to be developed over the next couple of decades.
In the 1990s, real-time facial recognition technology was pioneered; it was somewhat reliable, but moderately constrained by external factors. However, this development sparked a wildfire of interest in the facial recognition industry.
Modern Biometrics
Nowadays, biometrics are commonly used in security systems, phone unlocking features, and various other uses. Nearly every physical human characteristic can be measured — everything from DNA segment analysis and iris/retina recognition to finger geometry and walking style. We are in an age of biometrics, in which facial recognition and other kinds of recognition technologies are used in hospitals, schools, airports, prisons, and many more industries.
Types of Biometrics
Biometrics are divided into two main categories: biological and behavioral. Biological biometrics refer to the human body’s physiological features, whereas behavioral biometrics analyze characteristics like voice and signature.
Biological Biometrics
- Fingerprint: identifying an individual by identifying the ridges and valleys (minutiae) on the surface of their fingertips
- Hand: analyzing a hand’s geometric features, such as the width of the hand and the length of the fingers
- Iris: taking a high-contrast photo of somebody’s iris and mapping unique patterns
- Face: using eigenfaces or local feature analysis to authenticate or recognize an individual’s identity
- DNA: studying genetic sequences to identify a match
- Hand vein: this can be used to identify individuals by the vein patterns in their palm or finger
- Retina: accomplishing recognition by using the patterns of veins located in the back of the eye
- Ear shape: using a ray-producing algorithm that seeks out curved features on a photo of an ear
Behavioral Biometrics
- Keystroke: detailed timing information that measures when a person presses and releases each key on a keyboard
- Static signature: a signature on paper is digitized and then analyzed
- Dynamic signature: A digitizing tablet acquires a signature in real time
- Voice: a person’s unique voiceprint is compared to various templates
- Gait: using an individual’s walking style to determine their identity
How Do Biometrics Work?
You may need to get past a security system during an average day: airports, hotels, hospitals, and even theme parks use biometrics as a security measure. Biometrics are considered to be far more secure than passwords or keys, as an individual’s physical traits can be easily stored and analyzed and are difficult to fake.
There are many types of biometrics — so we can’t just give you one quick answer on how biometrics work. Instead, we’ll take a look at some of the most common methods and break them down. First, you need to know the main components of a biometric system.
Biometric System Overview
All biometric systems use three main steps:
- Enrollment: When you use a biometric system for the first time, it will record your basic information, such as your ID number or name. Next, the system captures a photo or a recording of a specific trait of yours.
- Storage: Most biometric systems do not store the full recording or image. Rather, they analyze the trait that was captured and transform it into a graph or code. Some biometric systems will put the data onto a smart card, which you can use for identification purposes.
- Comparison: When you use the system again, it will compare the trait you present to it to the information it has on file. Depending on whether the information matches, the system will either accept or reject your identity claim.
Biometric systems also use the same three physical components:
- Sensor: This detects the characteristic that is used for identification purposes.
- Computer: This will read and store the data.
- Software: This will analyze, translate, and compare the characteristics.
Authentication and Identification
So, how exactly does a biometric system know that you are you? For the purposes of illustration, we’ll focus on biometric facial authentication, since it is one of the most widely used and fastest growing methods today.
Step 1: Create ID and biometric profile
The new profile can be created by uploading a photo or by taking one with a webcam or smartphone. Then, the ID and biometric template are saved in the biometric database.
Step 2: Photo Capture
Next, a photo is captured from a video stream, webcam, or smartphone and is then compared to the ID and biometric template. This ensures that the person is not using a stolen photo or ID.
Step 3: Liveness Face Map
While the photo capture process is ongoing, great biometric solutions will incorporate a liveness check. This ensures that the user is actually present and not trying to spoof the process.
Step 4: Result of identification
If fraud is detected, the security service receives an alarm notification and blocks the operation; otherwise, the user receives the requested service or is admitted to the zone, for example. If all of the aforementioned checks are successful, the user will then be assigned account credentials, typically a username and a password.
Step 5: Continuing User Authentication
Whenever the user wants to login to the account, they will just need to take a photo. Since a face map was captured during the enrollment process, the photo is sufficient to verify the user’s identity. The authentication process will only take a few seconds to complete.
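The enrollment, storage, and comparison steps above, together with the difference between authentication (1:1) and identification (1:N), can be sketched as follows. This is an added example, not code from the original guide or from any vendor; the four-value feature vectors, the 0.90 threshold, and the `live` flag (the result of a hypothetical liveness detector) are assumptions made for illustration.

```python
import math

# Assumed cosine-similarity cut-off for this example; real systems tune it
# against measured false-accept and false-reject rates.
MATCH_THRESHOLD = 0.90


def normalize(vec):
    """Scale a feature vector to unit length so scores are comparable."""
    norm = math.sqrt(sum(x * x for x in vec))
    if norm == 0:
        raise ValueError("feature vector is all zeros")
    return tuple(x / norm for x in vec)


def similarity(a, b):
    """Cosine similarity of two unit-length templates (1.0 = identical)."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(x * y for x, y in zip(a, b))


class BiometricStore:
    """Holds one template per enrolled ID; raw captures are never kept."""

    def __init__(self):
        self._templates = {}

    def enroll(self, user_id, captures):
        """Enrollment and storage: average several captures into a template."""
        if user_id in self._templates:
            raise ValueError(f"{user_id} is already enrolled")
        if len(captures) < 2:
            raise ValueError("need at least two captures to enroll")
        units = [normalize(c) for c in captures]
        mean = [sum(col) / len(units) for col in zip(*units)]
        self._templates[user_id] = normalize(mean)

    def verify(self, user_id, probe, live):
        """Authentication (1:1): does the probe match the claimed ID?"""
        if not live:  # failed liveness check: reject before any comparison
            return False
        stored = self._templates.get(user_id)
        if stored is None:
            return False
        return similarity(stored, normalize(probe)) >= MATCH_THRESHOLD

    def identify(self, probe, live):
        """Identification (1:N): best-scoring enrolled ID, or None."""
        if not live or not self._templates:
            return None
        unit = normalize(probe)
        best_id, best_score = max(
            ((uid, similarity(t, unit)) for uid, t in self._templates.items()),
            key=lambda pair: pair[1],
        )
        return best_id if best_score >= MATCH_THRESHOLD else None


# Constructed feature vectors standing in for what a real extractor outputs.
ALICE_CAPTURES = [(0.90, 0.10, 0.30, 0.20), (0.88, 0.12, 0.33, 0.18)]
BOB_CAPTURES = [(0.10, 0.80, 0.20, 0.50), (0.12, 0.79, 0.22, 0.52)]
ALICE_PROBE = (0.91, 0.09, 0.31, 0.21)
STRANGER_PROBE = (0.40, 0.40, 0.60, 0.55)


def build_demo_store():
    store = BiometricStore()
    store.enroll("alice", ALICE_CAPTURES)
    store.enroll("bob", BOB_CAPTURES)
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    print("alice, live capture:", demo.verify("alice", ALICE_PROBE, live=True))
    print("alice, liveness failed:", demo.verify("alice", ALICE_PROBE, live=False))
    print("alice's face claiming bob:", demo.verify("bob", ALICE_PROBE, live=True))
    print("1:N search, alice:", demo.identify(ALICE_PROBE, live=True))
    print("1:N search, stranger:", demo.identify(STRANGER_PROBE, live=True))
```
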
Biometric Use Cases
Over the last few decades, biometrics were primarily used for law enforcement and military purposes; however, biometric applications are now expanding to a large number of industries. Banking, mobile commerce, retail, and other sectors all demonstrate a need for biometric identification. Furthermore, millions of smartphone users unlock their phones via facial or fingerprint recognition. To demonstrate the impact that biometric systems are having on the world market, we’ll take a look at a few real use cases.
Law Enforcement and Public Security (Criminal/Suspect Identification)
This category contains solutions to identify the identity of criminals, such as the Automated Fingerprint Identification System (AFIS). Such systems store, search for, and retrieve images of fingerprints and associated criminal records. There are also Automated Biometric Identification Systems (ABIS) that are used to create and store biometric data that match templates for fingerprints, irises, and faces.
Live face recognition is being used in many countries; these systems identify faces from a crowd in real-time. This is mainly applied to public security, and it is hotly contested. For instance, California has banned law enforcement from using such facial recognition systems.
Military (Enemy/Ally Identification)
This category is a little tricky to discuss, as countries keep most of their biometric information private. However, we do know that the U.S. military has been using a biometric identification system for irises, faces, DNA, and fingerprints since early 2009. The system is managed by the Defense Forensics and Biometrics Agency, and most of the identities contained in the database come from Iraq’s and Afghanistan’s military operations.
Border, Travel, and Migration Control (Traveler/Migrant/Passenger Identification)
E-Passports contain an electronic chip, along with at least one biometric identifier. Some e-passports contain two fingerprints along with a photo of the owner’s face. In 2020, over 1.2 billion e-passports were in circulation, meaning that a huge number of travelers keep a standardized digital photo inside of a secure document.
This is beneficial to border control systems and self-service kiosks alike. Border scanners use recognition to compare a person’s face or fingerprints to a person’s biometric identifiers in the passport — so this process is sped up drastically. Furthermore, bag-drop and check-in areas have increased in efficiency while also keeping up their high levels of security.
Cameras and fingerprint scanners that are used at border posts can obtain information that identify entering travelers in an accurate and dependable way. A few examples of biometric databases for travelers are the U.S. Department of Homeland Security’s Automated Biometric Identification System (IDENT), the EU’s European Dactyloscopy System (EURODAC), and the upcoming European Entry/Exit System (EES).
Civil Identification (Citizen/Resident/Voter Identification)
AFIS databases are often used to ensure a citizen’s identity and compare it to the rest of the population in an automated, dependable, and speedy manner. Typically, civil identification systems combine a photo with digital fingerprints and an iris scan. Such biometrics can be critical to ensure that each citizen has only one vote, but there are other applications besides this.
One example of biometric registration is India’s Aadhaar project. This is the most extensive biometric identification system in the world, and it’s the foundation of dependable authentication within India. Essentially, every Indian resident is issued a 12-digit unique identification number. The number is created from the citizen’s biometric and biographic data. As of September 10, 2020, over 99% of the Indian adult population has an Aadhaar number, approximately 1.2 billion people in total.
The project was initially linked to unemployment benefits and public subsidies, but it also has reduced the cost of public service delivery and made new services more accessible to the general population.
Healthcare and Subsidies (Patient/Beneficiary/Health Professional Identification)
Various European, Middle Eastern, and African countries use national identity cards that correspond with health insurance programs — let’s take a look at Gabon, for example. The country wanted to avoid citizens of neighboring countries fraudulently taking advantage of their health coverage benefits.
Therefore, healthcare beneficiaries are biometrically identified so that only Gabonese citizens receive care. Each citizen receives a unique health insurance number, and the card’s microprocessor contains digitized civil data, two fingerprints, and a photograph of the insurance holder.
Physical and Logical Access (Owner/User/Employee/Contractor/Partner Identification)
Access control systems that use biometric identifiers can prohibit unauthorized individuals from entering facilities and computer networks. The former falls under physical access control, whereas the latter is logical access control.
In the IT industry, biometric access control can be used as an authentication factor for complementary users — in turn, supporting a company’s Identity and Access Management policies. Unlike one-time passwords, static passwords, codes, and access cards that depend on data that can be lost or forgotten, biometric authentication relies on features that people do or do not have.
In the mobile industry, smartphones (which are a type of IT system) often incorporate facial and fingerprint recognition features. The first phone to introduce fingerprint recognition was the iPhone 5 in 2013, via TOUCH ID. In November 2017, the iPhone X introduced mobile phone facial recognition through FACE ID. Nowadays, many Android phones also incorporate this feature, alongside iris scanning.
Commercial Applications (Consumer/Customer Identification)
Know Your Customer (KYC) is a mandatory process of verifying a client’s identity when they first open an account and over time. KYC is used to prevent money laundering and financial crime. Banks, telecom operators, and fintech organizations can all use biometrics to make mandatory KYC checks faster and more efficient.
Looking back at India’s biometric program, the country has authorized the utilization of Aadhaar-based KYC for bank accounts and mobile connections.
Retailers can also use facial recognition to identify previous shoplifters (as well as premium customers) the moment they enter the store. If the biometric system recognizes one of these individuals, an alert is sent to the store’s manager. Such technology can be powerful when applied to policing and when used as a marketing enabler.
Some retailers in the U.S. are also using facial recognition or are investigating its potential. However, various states, such as Texas, California, Illinois, Washington, and New York have enacted privacy laws that will seriously challenge innovation in this industry.
Advantages and Disadvantages of Biometrics
Biometric solutions are growing in nearly every industry, and people tend to have more faith in modern biometric technologies as opposed to more traditional security systems. But why? We’ll show you the special advantages that biometrics have over other security measures.
Pros of Biometrics
- Security: Passwords that are based on letters, numbers, and symbols are becoming easier and easier to hack. Biometric technology enables solutions that are almost impossible to hack. While anybody can use a stolen password, it is much less easy to cheat a biometric algorithm and hack the mathematical model of its creation.
- Accuracy: When traditional security systems (PINs, passwords, and smart cards) are compromised, this can cost businesses a lot of money, time, and resources. However, biometric solutions use physical traits that will remain accurate at any time and at any place.
- Accountability: With other verification methods, anybody can access your account with your password or security number. With biometric security, however, your direct interactions are necessary to login to the system — therefore, you become 100% accountable for all of your account activities.
- Convenience: Your biometric credentials are unlikely to change, so you don’t have to worry about forgetting login information.
- Scalability: Biometrics are very scalable solutions for many kinds of projects — this is why they can be used in banking security systems, government projects, workforce management, and loads of other applications.
Cons of Biometrics
Of course, there are some downsides inherent to biometrics.
- Vulnerability: If your password or PIN is compromised, you can make a new one. However, if biometric data is stolen, it becomes the ultimate key in the hands of hackers; after all, we only have one set of fingerprints and one face. That's why this data should be stored in highly secured infrastructure.
- False Positives: Often, biometric authentication systems rely on partial information (like a finite amount of data points). In 2018, an NYU team trained AI to crack fingerprint authentication with a 20% success rate. This was because most fingerprint scanners will only scan a small portion of the finger. Therefore, common elements can be used to fool these systems.
- Physical Changes: If a biometric trait is stored and then changed, the system may no longer recognize the user. This could happen from retina transplants, a burnt finger, tattooed hands, or something else.
Biometric Security
After biometric data is received and mapped, it is stored for future usage. Usually, the information is encrypted and then stored either in the device or on a remote server. While biometric systems are not impenetrable, they are still more secure than traditional security systems.
Advanced biometrics are being used to safeguard valuables and sensitive documents. For instance, Citibank has incorporated voice recognition into their identification system, and Halifax Bank is testing out heartbeat verification sensors.
Biometrics are used in e-Passports — for instance, in the U.S., these passports contain a chip with a digitized fingerprint (or iris) and a photograph of the user’s face. Furthermore, technology is incorporated that prevents the data from being skimmed by fraudulent data readers.
Biometric scanners have become increasingly more sophisticated — for example, Apple’s iPhone X uses 30,000 data points to authenticate the user’s identity via data matching. According to Apple, the chance of mistaking one’s identity is only one in a million. The LG V30 phone combines voice and face recognition technology with fingerprint scanning — and this data is kept on the phone, rather than a server, for increased security.
Why Are Biometrics Controversial?
Biometric solutions certainly offer many advantages, but there is still plenty of controversy surrounding the industry — mainly revolving around privacy concerns. Two major risks are:
- The usage of biometric data for hidden means. As soon as a third party receives biometric data, a risk occurs that they may use that information for purposes to which the user has not consented.
- Data could be captured during transmission to the system’s database and re-used in another transaction.
Either way, the user is losing control over their own information, which poses a privacy risk.
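One common mitigation for the second risk, re-use of captured data in another transaction, is to bind every transmitted sample to a single-use server challenge. The sketch below is an added example, not part of the original guide; the class and function names, the device ID, the 30-second lifetime, and the pre-shared per-device key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


def sign_sample(device_key, nonce, sample):
    """Device side: bind the captured sample to the server's nonce."""
    return hmac.new(device_key, nonce + sample, hashlib.sha256).digest()


class MatchServer:
    """Server side: issues challenges and accepts each one at most once."""

    def __init__(self, device_keys):
        self._device_keys = device_keys  # device_id -> shared secret
        self._pending = {}               # nonce -> (device_id, expiry time)

    def issue_challenge(self, device_id, now):
        if device_id not in self._device_keys:
            raise KeyError("unknown device")
        nonce = secrets.token_bytes(16)  # fixed length, so nonce + sample is unambiguous
        self._pending[nonce] = (device_id, now + CHALLENGE_TTL)
        return nonce

    def accept_sample(self, device_id, nonce, sample, tag, now):
        # pop() consumes the nonce, so a second presentation always fails.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return "rejected: unknown or already used nonce"
        bound_device, expiry = entry
        if bound_device != device_id:
            return "rejected: nonce issued to another device"
        if now > expiry:
            return "rejected: challenge expired"
        expected = sign_sample(self._device_keys[device_id], nonce, sample)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "rejected: MAC mismatch"
        return "accepted"


def run_demo():
    """Walk through one genuine submission and three rejected ones."""
    device = "door-reader-1"                 # hypothetical device ID
    key = secrets.token_bytes(32)
    server = MatchServer({device: key})
    sample = b"constructed template bytes"   # constructed sample data

    n1 = server.issue_challenge(device, now=1000)
    tag1 = sign_sample(key, n1, sample)
    first = server.accept_sample(device, n1, sample, tag1, now=1002)
    # The identical message presented again: the nonce is already consumed.
    replay = server.accept_sample(device, n1, sample, tag1, now=1003)

    # Old tag against a fresh challenge: the MAC covers the old nonce.
    n2 = server.issue_challenge(device, now=1010)
    stale_tag = server.accept_sample(device, n2, sample, tag1, now=1011)

    # Valid tag, but presented after the challenge lifetime.
    n3 = server.issue_challenge(device, now=2000)
    tag3 = sign_sample(key, n3, sample)
    late = server.accept_sample(device, n3, sample, tag3, now=2031)
    return first, replay, stale_tag, late


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

This addresses re-use of a captured message only; keeping the sample confidential in transit still requires an encrypted channel such as TLS.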
Biometric Vulnerabilities
The challenge with biometric security is that it is possible for scanners to be tricked. Because biometric authentication is reliant on statistical algorithms, it cannot be totally reliable when used by itself. Take fingerprint cloning, for instance. At one Black Hat cybersecurity conference, it was demonstrated that you could use molding plastic or candle wax to make a fingerprint impression. Using the impression, you can reliably clone the fingerprint in under one hour.
Other areas of risk (and possible remedies) include:
- The physical robustness of users’ devices. The device, along with any other user equipment, should be designed in a way that renders it resistant to environmental deterioration or direct physical attack. If the device or any associated UI equipment is attacked, neither biometric data nor any associated transmission protocols should be acquired as a result. Furthermore, the device should be able to sense any suspected tampering activity and report it to the central system. A device’s degree of openness to attack, coupled with the possibility of data acquisition as a result, will suggest the amount of vulnerability. The consequences of device failure should be incorporated into risk assessment.
- The security of connections between the host system and authentication points. Such connections may simply be a direct link between the biometric device and the host controller (like a personal computer). However, it could also be a more sophisticated network, in which multiple devices are connected to the host controller. This could be complicated even further by repeater nodes.
- The security of 3rd party networks. If the overall biometric system utilizes a third party network (for instance, connecting to corporate networks remotely via the Internet), careful consideration must be given to the end to end connection between the back end application server and the host controller. Let’s say that authentication is done at the host controller — you must think about what data is passed back to the application server and what the chances are of capturing this data by monitoring the connection.
- Biometric Device Inherent Performance. The chances of a biometric device being hoodwinked by a fraud contribute to vulnerability; such attempts may be made by presenting live samples or by using “dummy” appendages.
Biometrics & Data Protection
The U.S. federal government does not have a concrete legal stance on biometric data protection; however, some states have passed their own biometric privacy laws. For instance, let’s look at New York’s SHIELD Act. It was signed into law in July 2018, and it requires every business or person that owns computerized, private data of New York residents to safeguard the confidentiality, security, and integrity of the data. If a business does not comply with the SHIELD Act, they could receive a civil penalty of $5,000 per transgression.
The EU’s General Data Protection Regulation (GDPR) addresses biometric data and prohibits the processing of “personal data relating to the physiological, physical, or behavioral characteristics of a person” — for instance, facial images and fingerprint data. This is protected alongside biographical data such as marital status, gender, date of birth, and address. Now, this doesn’t mean that the information may not be gathered. Rather, the data may not be shared with 3rd parties without the individual’s consent. Furthermore, residents of the EU have the right to withdraw their consent at any time. There are a couple of exceptions, namely if it must be shared with a 3rd party for legal claims or social security. The EU’s GDPR was also brought into U.K. law, despite Brexit.
So, how do companies that gather biometric data protect your security? There are four key ways that a company can keep sensitive information safe:
- Restriction: The fewer people who receive access to biometric data, the better. Companies should encrypt all biometric data, including facial geometry, fingerprints, voices, and other features. By doing so, these companies can restrict malicious hackers and insiders from using or replicating biometric information.
- Selection: Since there are certain vulnerabilities associated with biometrics, companies should carefully determine which information they would like to secure. Not every data set is in need of biometric protection. Companies can increase data security by prioritizing data groups that require biometric validation.
- Identification: Many companies are using biometrics as simply one part of a multi-factor authentication system, alongside passwords and other factors that limit access to sensitive information. And this authentication system, in turn, is a component of a broader identity and access management plan. By implementing a wider identity and access solution, admins can be notified if a suspicious user is trying to gain access to a company account.
- Integration: Instead of reworking an entire cybersecurity plan, companies often integrate biometrics into their existing systems. A planning committee takes the risks of biometric storage into account and facilitates well-planned integration and implementation to assuage risks.
Biometric Devices
Biometric devices are classified into two types: physiological and behavioral. Physiological ones validate facial features, hand geometry, irises, and more, whereas behavioral systems check signatures, voices, and keystrokes. We’ll give you a brief overview of some common biometric devices.
Fingerprint Recognition
To capture the minutiae of a fingerprint, a sensor captures a live image — which is then processed and used to create a digital template and extract features. There are several different kinds of fingerprint sensors, such as optical, capacitive, ultrasonic, thermal, and pressure-based ones.
Face Recognition
For face recognition, a person’s facial features are captured in an image by a facial biometric sensor. Then, the image is processed and biometrics are extracted using either a normal camera (for visible light capture) or an IR camera (for heat patterns). Some smartphones even combine an infrared light, a light projector, and an infrared camera to capture a facial image.
Iris Recognition
An iris scanner illuminates an iris with infrared light; this allows it to pick up on unique patterns that are invisible to the naked eye. Scanners will exclude eyelids, eyelashes, and specular reflections. The end result is a pixel set that only contains the iris. Next, the eye’s colors and lines are analyzed and a bit pattern is extracted, digitized, and compared to stored templates.
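The final comparison step for iris bit patterns is commonly done as a masked fractional Hamming distance: bits hidden by eyelids, eyelashes, or reflections are excluded on both sides before disagreeing bits are counted. The sketch below is an added example, not code from the original guide or from any scanner vendor; it goes slightly beyond the text by also trying small rotations of the probe to absorb head tilt. The 512-bit codes, the 0.32 threshold, and all sample data are constructed for illustration.

```python
import hashlib

N_BITS = 512                   # constructed code length for this example
ALL_BITS = (1 << N_BITS) - 1
MATCH_THRESHOLD = 0.32         # assumed decision threshold for this example
MIN_USABLE_BITS = N_BITS // 2  # refuse to decide on a mostly occluded iris


def popcount(x):
    return bin(x).count("1")


def rotate(bits, shift):
    """Circular left shift within N_BITS; a negative shift rotates right."""
    shift %= N_BITS
    return ((bits << shift) | (bits >> (N_BITS - shift))) & ALL_BITS


def masked_hamming(code_a, mask_a, code_b, mask_b):
    """Fraction of disagreeing bits, counted only where both masks are 1."""
    usable = mask_a & mask_b
    n = popcount(usable)
    if n < MIN_USABLE_BITS:
        raise ValueError("too few unoccluded bits for a reliable comparison")
    return popcount((code_a ^ code_b) & usable) / n


def iris_distance(enrolled, probe, max_shift=4):
    """Lowest masked distance over small rotations of the probe."""
    e_code, e_mask = enrolled
    p_code, p_mask = probe
    return min(
        masked_hamming(e_code, e_mask, rotate(p_code, s), rotate(p_mask, s))
        for s in range(-max_shift, max_shift + 1)
    )


def same_iris(enrolled, probe, max_shift=4):
    return iris_distance(enrolled, probe, max_shift) <= MATCH_THRESHOLD


def constructed_code(label):
    """Stand-in for a feature extractor: 512 pseudo-random bits from a label."""
    return int.from_bytes(hashlib.sha512(label).digest(), "big")


# Constructed sample data: each entry is a (code, mask) pair, mask bit 1 = usable.
ENROLLED = (constructed_code(b"enrolled eye"), ALL_BITS)
NOISE = sum(1 << i for i in range(0, N_BITS, 16))  # 32 bits flipped by sensor noise
EYELID = (1 << 64) - 1                             # 64 bits hidden by an eyelid
# Same eye, captured with noise, a 3-bit rotation, and partial eyelid occlusion.
SAME_EYE = (rotate(ENROLLED[0] ^ NOISE, 3), ALL_BITS & ~EYELID)
OTHER_EYE = (constructed_code(b"other eye"), ALL_BITS)
# Only 100 bits visible: too little evidence to accept or reject.
HEAVILY_OCCLUDED = (ENROLLED[0], (1 << 100) - 1)


if __name__ == "__main__":
    print("same eye:", round(iris_distance(ENROLLED, SAME_EYE), 3))
    print("other eye:", round(iris_distance(ENROLLED, OTHER_EYE), 3))
    print("same eye, no rotation search:",
          round(iris_distance(ENROLLED, SAME_EYE, max_shift=0), 3))
```
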
FAQ
Are Biometrics Reliable? How Accurate Are Biometrics?
Even though there is room for error with biometrics, they are still highly accurate under proper conditions. According to a study carried out by the National Institute of Standards and Technology, accuracy has improved significantly over the last several years — moving from a 4% failure rate in 2014 to a 0.2% failure rate in 2018. Accuracy will continue to increase as the industry develops further.
Biometrics’ risk of error relates to several factors:
- The age of the person and the tone of their skin
- Facial hair or dyed hair
- Low-quality camera model
- Busy environment
What Are the Privacy Risks of Biometric Authentication?
If a company shares biometric data with a third party, there is potential for misuse. This is why many countries have developed privacy laws prohibiting businesses from sharing your biometric details with third parties without an individual’s permission. However, there is also the risk of data breaches and compromised enrollment.
How Secure is Biometric Authentication Data?
The data that is stored in a biometric database can be more vulnerable than other kinds of data; after all, you can’t change your fingerprint like you can change a password. Some pieces of your physical identity could be duplicated, giving people access to hack into your account.
Furthermore, if you live in a country or a state where there is no conclusive biometric privacy law, you may be at risk of companies giving your information to a third party. That being said, there are still ways that you can protect your biometric data.
For instance, keep your software up to date. If your device notifies you that there is a new update or patch, install it immediately. This will reduce the chances of your device being vulnerable to any security issues. Also, use biometric authentication as part of a multi-factor authentication approach. Furthermore, make sure that your accounts that use biometrics are protected by a unique, strong password.