Biometrics refers to the measurement of biological characteristics to identify individuals. This school of statistical analysis includes both a person’s physical and behavioral characteristics, which may involve mapping a certain population’s hand geometry to their online shopping habits.
Most commonly, biometrics is used for identity authentication within the realm of security. To this end, biometric data collection relies on unique physical traits to act as keys, distinguishing one person from the next.
What Is Biometrics?
Biometrics is the measurement of physical and behavioral traits that can be added to a database to then authenticate an individual’s identity.
A person’s identity isn’t determined by the things a person has, like a license, or can recall, like passwords, but rather the things they are, spanning biomarkers like fingerprints or one’s face.
“Good authentication is about making sure you are who you say you are,” said Alan Lipton, senior vice president of engineering at identity and access management company SecureAuth. “Biometric systems use computer algorithms, or digital recipes, to reduce your biometric sample to a sort of digital signature that captures the essential essence of what it means to be you.”
How Do Biometrics Work?
Biometrics can be measured in different ways — from a person’s gait to the shape of one’s ears — but each device will always require four main components.
A biometric device will always need a type of reader, sensor or scanner, depending on its mode of authentication. The second component is software that digitizes the input data into a standardized format so it can be compared against the third component, a database. Finally, an output interface is needed to communicate the findings.
Once a biometric device is set to track a specific body measurement, it is then programmed to extract this information either actively, featuring user participation, or passively, where intel is gathered covertly, unbeknownst to the user.
“Will the user be aware of the request for input, as in consumer devices, or will there be no consent nor knowledge, as in surveillance applications?” said Sebastien Taveau, a founding member of the FIDO Alliance, a non-profit organization seeking to standardize authentication, and the former CTO of Validity Sensors, a human-interface company that pioneered smartphone fingerprint identification, which has since been acquired by Synaptics.
The initial input is collected and saved per person. This sample forms an individual’s template, or a reference page, that gets logged into a system during a process known as enrollment. Later inputs are compared with the template to either approve or deny authorization.
“In simple terms, your biometrics ‘image’ is converted into a mathematical representation and stored either locally or remotely,” Taveau said. “Any subsequent request for biometrics input via a captor will be matched against this template.”
Meanwhile, software running behind the scenes operates as a match engine, mapping biometric data through a programmed scoring system.
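The enrollment, template and match-engine steps described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it quotes; it assumes keystroke timing as the biometric, a scaled Manhattan distance as the scoring system, and constructed sample data, user id and thresholds.

```python
# Constructed data: inter-key intervals (ms) for one user typing a fixed phrase.
from statistics import mean, pstdev

ENROLLMENT = [
    [120, 95, 180, 140, 110],
    [125, 90, 175, 150, 105],
    [118, 100, 185, 145, 112],
    [122, 92, 178, 138, 108],
]

def enroll(samples):
    """Reduce raw enrollment samples to a template (per-feature mean and spread)."""
    columns = list(zip(*samples))
    return {
        "mean": [mean(c) for c in columns],
        # Floor the spread so an unusually consistent feature cannot dominate.
        "spread": [max(pstdev(c), 1.0) for c in columns],
    }

def score(template, sample):
    """Scaled Manhattan distance: 0.0 is a perfect match, larger is worse."""
    if len(sample) != len(template["mean"]):
        raise ValueError("sample does not match the template's feature count")
    terms = [abs(x - m) / s
             for x, m, s in zip(sample, template["mean"], template["spread"])]
    return mean(terms)

def authenticate(database, user_id, sample, threshold):
    """Match engine: look up the enrolled template and apply the threshold."""
    template = database.get(user_id)
    if template is None:
        return False  # unknown identity: deny, never fall back to accept
    return score(template, sample) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """Return (false reject rate, false accept rate) for labelled samples."""
    frr = sum(score(template, s) > threshold for s in genuine) / len(genuine)
    far = sum(score(template, s) <= threshold for s in impostor) / len(impostor)
    return frr, far

DATABASE = {"alice": enroll(ENROLLMENT)}  # hypothetical user id
GENUINE = [[121, 96, 177, 146, 109], [130, 88, 190, 155, 100]]   # constructed
IMPOSTOR = [[128, 99, 170, 150, 115], [200, 150, 120, 90, 160]]  # constructed

if __name__ == "__main__":
    for t in (1.5, 3.0):
        print(t, error_rates(DATABASE["alice"], GENUINE, IMPOSTOR, t))
```

Loosening the threshold from 1.5 to 3.0 stops rejecting the genuine user's off-rhythm attempt but starts accepting the close impostor, which is the tuning decision every match engine has to make.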
Specific to biometrics, all inputs must include an element of “liveness.” This is where hardware and software solutions work together, Taveau said, using cameras to check for eye movement or sending radio signals through a finger to check for blood flow density.
Types of Biometrics
Biometrics can be split into two main categories: physiological and behavioral.
Physiological biometrics identify an individual by their innate, physical characteristics, whereas behavioral biometrics measure the unique way an individual performs a certain action.
Examples of Physiological Biometrics
- Fingerprint scans
- Facial recognition
- Speech recognition
- Hand geometry
- Iris or retina scanning
- Vein patterns
- Smell recognition
- DNA matching
Examples of Behavioral Biometrics
- Writing a signature
- Keystroke rhythm and speed
- Mouse and finger movements while using a computer
- Social media activity
- Walking gait
- Online shopping patterns
There’s a chance that biometric devices are already included in your everyday routine. Unlocking your smartphone via facial recognition or making purchases with your fingerprint, for example, both rely on biometric keys. Virtual assistants, like Siri or Alexa, use speech recognition to access a particular user’s reminders, upcoming calendar events or digital wallet. Smartwatches use biometric sensors to relay real-time health data.
“A lot of medical devices used in a private or home environment also include a biometric element,” Taveau said. “Cars are also getting there, as we see with the development of sleep detection systems.”
But before reaching the consumer market, biometric technologies were organically integrated into other fields, such as government and public services. So while banks have just begun swapping out their cards for facial and palm recognition, surveillance snapshots taken at public transit turnstiles and fingerprints at prisoner check-ins are applications long used to identify citizens by the transport and law enforcement sectors.
Airports are another familiar setting that relies on biometric authentication. Checkpoints, like those of the Transportation Security Administration or Customs and Border Protection, embed an assortment of biometric technologies throughout security measures. Contactless fingerprint scanners, biometric tablets and walk-through e-gates are several products developed by IDEMIA, which provides identity-related authentication services to these border-patrolling entities.
These biometric devices use a combination of advanced fingerprint, facial and iris recognition algorithms, said Lisa Shoemaker, the company’s vice president of corporate and government relations. Take, for example, the MFACE, which monitors a continuous flow of people exiting and entering a designated area, or the CAT2, which validates document-credentialing at self-service kiosks.
“Your fingerprint, facial or iris recognition uniquely connects your physical identity with your digital identity,” Shoemaker said. “Biometrics can carry out authentication quickly and seamlessly at the wave of a hand or a glance.”
Pros of Using Biometrics
The foremost benefit of biometrics is replacing things — cards, keys and passwords — with innate identifiers already a part of you. In biometrics, identity authentication can no longer be lost, stolen or forgotten.
“Body measurements like your fingerprint, facial or iris recognition uniquely connect your physical and digital identities,” Shoemaker said.
This systemic tie to an individual makes biometrics difficult — if not impossible — to replicate, carrying the potential to replace token-based identification systems. Biometric authentication is efficient, nontransferable and generally remains the same over a person’s lifetime, barring any major injuries that may morph one’s appearance.
“Using biometric authentication is more accessible than entering a complex password several times daily,” she added. “It’s also a weapon against identity theft … and can be carried out as quickly and seamlessly with the wave of a hand or a glance.”
Cons of Using Biometrics
Some concerns involving biometrics are that they can be used without a person’s consent or knowledge — as in the case of surveillance — and that, in combination with artificial intelligence systems, these digital IDs are often embedded with racial bias.
“Along with positive social aspects … biometrics can also be used to limit personal freedoms,” said Sean Grimaldi, chief technology officer at VectorZero, a cybersecurity company that uses biometric multi-factor authentication.
Researchers at the National Institute of Standards and Technology found that the majority of the 189 facial recognition algorithms they studied exhibited bias, falsely identifying Black and Asian faces 10 to 100 times more often than white faces. Additionally, women were misidentified more than men, putting women of color in a particularly vulnerable position.
In the United States, facial recognition technology has been used to monitor people during the 2020 Black Lives Matter protests, as well as help Immigration and Customs Enforcement target and track people who enter the country.
“Many biometric techniques have severe implications for human rights, privacy and freedom of expression,” Grimaldi said.
And, despite the heightened level of security bio-locking a device may provide, it’s not exactly tamper-proof.
“It’s surprisingly straightforward to hack many biometrics used in authentication,” Grimaldi said. “One low-effort technique is to print a digital image of a fingerprint, put it on the scanner and then press your finger into it.”
Or you can try lifting a fingerprint with a jelly-like substance, such as in the gummy bear hack of 2002, when Tsutomu Matsumoto, a cryptographer based in Japan, fooled 11 fingerprint scanners using gelatine molds.
Additionally, keystroke tracking software can reliably identify one or several individuals across several devices by recording their language patterns, speed, typos, grade-level of writing capability and vocabulary. In the hands of malicious actors, this software can be used to emulate all of the above typing characteristics.
“Biometrics can capture more data than you may realize,” Grimaldi said.