Biometrics refers to the measurement of biological characteristics to identify individuals. This school of statistical analysis includes both a person’s physical and behavioral characteristics, which may involve mapping a certain population’s hand geometry to their online shopping habits.
Most commonly, biometrics is used for identity authentication within the realm of security. To this point, the practice of biometric data collection relies on unique physical traits to act as keys, verifying one person from the next.
What Is Biometrics?
Biometrics is the measurement of physical and behavioral traits that can be added to a database to then authenticate an individual’s identity.
A person’s identity isn’t determined by the things a person has, like a license, or can recall, like passwords, but rather the things they are, spanning biomarkers like fingerprints or one’s face.
“Good authentication is about making sure you are who you say you are,” said Alan Lipton, senior vice president of engineering at identity and access management company SecureAuth. “Biometric systems use computer algorithms, or digital recipes, to reduce your biometric sample to a sort of digital signature that captures the essential essence of what it means to be you.”
How Do Biometrics Work?
Biometrics can be measured in different ways — from a person’s gait to the shape of one’s ears — but each device will always require four main components.
A biometric device will always need a type of reader, sensor or scanner, depending on its mode of authentication. Part two includes a software that digitizes the input data into a standardized format to be compared within the third component, a database. Finally, an output interface is then needed to communicate the findings.
Once a biometric device is set to track a specific body measurement, it is then programmed to extract this information either actively, featuring user participation, or passively, where intel is gathered covertly, unbeknownst to the user.
“In simple terms, your biometrics ‘image’ is converted into a mathematical representation and stored either locally or remotely.”
“Will the user be aware of the request for input, as in consumer devices, or will there be no consent nor knowledge, as in surveillance applications?” said Sebastien Taveau, a founding member of the FIDO Alliance, a non-profit organization seeking to standardize authentication, and the former CTO of Validity Sensors, a human-interface company that pioneered smartphone fingerprint identification, which has since been acquired by Synaptics.
The initial input is collected and saved per person. This sample forms an individual’s template, or a reference page, that gets logged into a system during a process known as enrollment. Later inputs are compared with the template to either approve or deny authorization.
“In simple terms, your biometrics ‘image’ is converted into a mathematical representation and stored either locally or remotely,” Taveau said. “Any subsequent request for biometrics input via a captor will be matched against this template.”
Meanwhile, software running behind the scenes operates as a match engine, mapping biometric data through a programmed scoring system.
Specific to biometrics, all inputs must include an element of “liveness.” This is where hardware and software solutions work together, Taveau said, using cameras to check for eye movement or sending radio signals through a finger to check for blood flow density.
Types of Biometrics
Biometrics can be split into two main categories: physiological and behavioral. Physiological biometrics identify an individual by their innate, physical characteristics. Behavioral biometrics, meanwhile, measure the unique way an individual performs a certain action.
A common type of physiological biometrics, fingerprint scans can be used to unlock smartphones or grant access to other secure systems and facilities. There are four main types of fingerprint scanners, including optical scanners, capacitive scanners, ultrasonic scanners and thermal scanners.
Facial recognition software is often implemented in newer smartphone models to unlock phones, verify mobile purchases and confirm the download of new apps. It can also be used for law enforcement purposes to identify persons of interest or used alongside eye-tracking software.
Voice recognition uses AI to identify specific, individual voices, which can be used to secure voice-activated systems or personalize user experiences on devices. Some virtual assistants like Amazon Alexa apply voice recognition to call users by name and customize app functions based on their unique voice.
One of the oldest types of biometrics, hand geometry identifies individuals based on the shape and structure of their hand. Hand geometry systems measure the length, width, depth and surface area size of a hand, and have historically been used for access control and to track attendance at events.
Iris or Retina Scanning
Both of these methods of biometrics scan parts of the eyes to identify individuals. Iris scanning views the patterns of a person’s iris (the colorful, circular part located at the front of the eye). Retina scanning captures an image of a person’s retina and its unique blood vessels (located at the back of the eye).
Also called vein pattern recognition, vascular pattern recognition or vein matching, this biometric looks for differences in vein patterns for identification. Vein pattern recognition applies infrared light to illuminate veins underneath the skin, and is often used on fingers, hands or arms.
DNA matching involves analyzing a sample of DNA to identify its human source, and is often used in healthcare and forensics. DNA can be extracted from biological materials like hair, saliva, skin or blood, and may be compared to existing DNA samples in a database for authentication purposes.
While walking is a very common movement, a gait and its patterns remain unique to every individual. Walking gait biometrics can be useful for identifying a person of interest who has their face covered, is a long distance away or is seen over a video recording.
Keystroke Rhythm and Speed
A keystroke describes the pressing of a key on a computer’s keyboard, and varies depending on the user. The speed, frequency and force of keystrokes can help identify who may be using the keyboard, as well as how long the computer session lasted.
Mouse and Finger Movements While Using a Computer
Computer movements, like where a mouse is tracking on-screen or where a finger is tracing on a touchscreen, can determine which individual is using these devices. Mouse dynamics collect data on a user’s fine motor movements and patterns, making even the tiniest jolts or pauses an indicator of the user’s identity.
Everyone’s handwriting is different, making signature recognition an effective biometric technique. Static signature recognition involves writing a signature on a sheet of paper, and having the signature scanned, digitized and analyzed based on its shape. Dynamic signature recognition involves signing on a digital tablet, so shape analysis can happen in real time.
Social Media and Online Shopping Activity
While surfing the web, many algorithms in the background keep note of it all, and curate user profiles to track people’s interests, most-visited websites, geographic location and likely demographics. These profiles of data are frequently leveraged by recommendation engines to personalize online experiences, but may also be used to help identify specific users.
Biometric devices may already be in your everyday routine, whether that’s unlocking your smartphone via facial recognition, making purchases with your fingerprint, interacting with a virtual assistant that uses speech recognition to access your personal reminders, or getting real-time health data from your smartwatch that’s equipped with biometrics sensors.
Before reaching the consumer market, biometric technologies were organically integrated into other fields, such as government and public services. So while banks have just begun swapping out their cards for facial and palm recognition, surveillance snapshots taken at public transit turnstiles and fingerprints at prisoner check-ins are applications long used to identify citizens by the transport and law enforcement sectors.
Another familiar setting that relies on biometric authentication are airports. Checkpoints, like those of the Transportation Security Administration or Customs and Border Protection, embed an assortment of biometric technologies throughout security measures. Contactless fingerprint scanners, biometric tablets and walk-through e-gates are several products developed by IDEMIA, which provides identity-related authentication services to these border-patrolling entities.
These biometric devices use a combination of advanced fingerprint, facial and iris recognition algorithms, said Lisa Shoemaker, the company’s vice president of corporate and government relations. Take for example, the MFACE, which monitors a continuous flow of people exiting and entering a designated area, or the CAT2, which validates document-credentialing at self-service kiosks.
“Your fingerprint, facial or iris recognition uniquely connects your physical identity with your digital identity,” Shoemaker said.
Pros of Using Biometrics
Biometrics Don’t Need Keys and Passwords
The foremost benefit of biometrics is replacing things — cards, keys and passwords — with innate identifiers already a part of you. In biometrics, identity authentication can no longer be lost, stolen or forgotten.
“Body measurements like your fingerprint, facial or iris recognition uniquely connect your physical and digital identities,” Shoemaker said.
Biometrics Are Difficult to Replicate
This systemic tie to an individual makes biometrics difficult — if not impossible — to replicate, carrying the potential to replace token-based identification systems. Biometric authentication is efficient, non-transferable and generally remains the same over a person’s lifetime, barring any major injuries that may morph one’s appearance.
“Using biometric authentication is more accessible than entering a complex password several times daily,” Shoemaker said. “It’s also a weapon against identity theft … and can be carried out as quickly and seamlessly with the wave of a hand or a glance.”
Cons of Using Biometrics
Biometrics May Be Used Without Consent or Knowledge
Some concerns involving biometrics are that they can be used without a person’s consent or knowledge — as in the case of surveillance — and that, in combination with artificial intelligence systems, these digital IDs are often embedded with racial bias.
“Along with positive social aspects … biometrics can also be used to limit personal freedoms,” said Sean Grimaldi, chief technology officer at VectorZero, a cybersecurity company that uses biometric multi-factor authentication.
Biometrics May Apply Biased Algorithms
Researchers at the National Institute of Standards and Technology found that the majority of the 189 facial recognition algorithms they studied exhibited bias, falsely identifying Black and Asian faces 10 to 100 times more than that of their white counterparts. Additionally, women were misidentified more than men, putting women of color in a particularly vulnerable position.
In the United States, facial recognition technology has been used to monitor people during the 2020 Black Lives Matter protests, as well as help Immigration and Customs Enforcement target and track people who enter the country.
“Many biometric techniques have severe implications for human rights, privacy and freedom of expression,” Grimaldi said.
Biometrics Aren’t Fully Tamper-Proof
Despite the heightened level of security bio-locking a device may provide, it’s not exactly tamper-proof.
“It’s surprisingly straightforward to hack many biometrics used in authentication,” Grimaldi said. “One low-effort technique is to print a digital image of a fingerprint, put it on the scanner and then press your finger into it.”
Or you can try lifting a fingerprint with a jelly-like substance, such as in the gummy bear hack of 2002, when Tsutomu Matsumoto, a cryptographer based in Japan, fooled 11 fingerprint scanners using gelatine molds.
Additionally, keystroke tracking software can reliably identify one or several individuals across several devices by recording their language patterns, speed, typos, grade-level of writing capability and vocabulary. In the hands of malicious actors, this software can be used to emulate all of the above typing characteristics.
As Grimaldi explained, “Biometrics can capture more data than you may realize.”
Frequently Asked Questions
What is biometrics?
Biometrics is the measurement of an individual's unique physical and behavioral characteristics, often used as a form of identification.
What is biometric data?
Biometric data is any data relating to human physiological or behavioral traits that can be used to identify a person. This kind of data can include fingerprints, facial structure, eye patterns, gait or keystrokes.
What is the purpose of biometrics?
Biometrics help automatically recognize or authenticate the identity of a specific person, and are utilized for security, surveillance or personalization purposes.