Biometrics are physical (e.g., fingerprint or vein pattern) or behavioral (e.g., gait or handwriting) traits that are unique to an individual. Biometric technologies use these unique and measurable qualities to perform security actions in lieu of traditional security measures, specifically passwords.
First, a user is expected to provide documentation of their identity. This documentation can be specific to the trait or tied to the individual as well.
For example, the registration of your fingerprint on your phone allows you to access your phone with your fingerprint in the future, but it does not tie your fingerprint to your personal identity.
Conversely, in some high-security situations, such as immigration documentation, the biometric data can be tied to both the documentation and your personal identity at the same time. For example, you may have a fingerprint and facial recognition image attached to your passport so that an airport official can confirm both that you are the owner of the passport and that the passport is valid against the personal identification on file.
For this reason, even the best biometric identification system is only as effective as its ability to discern your biometrics and the veracity of the information stored in the system.
Note that, while we will differentiate briefly between biometric identification and biometric authentication below, for much of the discussion, they can be used interchangeably.
Biometrics can be very secure, but also cumbersome, expensive, and invasive. Within an organization, consider a password manager for your security needs.
Whenever you save a new password, the data is hashed, salted, and encrypted locally on your computer before being uploaded to TeamPassword via an encrypted connection. With this level of encryption, it is impossible for nefarious actors to intercept your passwords.
Sign up today for a free 14-day TeamPassword trial and protect your company's digital assets from cybercriminals.
What does biometric identification mean?
Throughout this article, we are going to explain exactly what biometrics means in different contexts. However, the simple answer is that biometric identification is the use of personal traits, physical or behavioral, for security purposes.
You probably use biometrics to open your smartphone. Depending on how old your smartphone is, that might be using your thumbprint to open the screen or the phone performing facial recognition.
Biometric identification is found across many different industries. For example, you’ve probably experienced some forms of biometric identification at airports and hospitals.
Biometric authentication vs. biometric identification
As mentioned above, biometric identification is really only half of what biometrics can accomplish. The other main task is called biometric authentication.
Biometric authentication is when a computer is tasked with determining the resemblance of a person to their template by measuring some trait. In essence, the computer is tasked with answering the question: “Are you person X?” This is accomplished according to the steps below:
- Before the authentication actions, the template must be stored. That is, the template is registered to the system.
- Then, when the person seeks authentication, their scanned information is compared to the stored data.
Biometric identification is slightly more complicated. In this case, the computer is tasked with determining the identity of an individual. Here, the question to be answered is: “Who are you?” This is accomplished by the following steps:
- Sensors record one or more traits of an individual whose identity is to be determined. These can be physical traits such as fingerprints or behavioral traits such as gait.
- The collected information is then compared to the stored biometric data of different people in a database.
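The two questions above, "Are you person X?" (a 1:1 comparison) and "Who are you?" (a 1:N search), are sketched below as an added example that is not from the original article. The feature vectors, the Euclidean distance measure, and the threshold are assumptions chosen for illustration; the last function shows why a 1:N search needs a stricter threshold than a 1:1 check, assuming independent comparisons.

```python
import math

# Constructed enrollment database: user id -> stored template.
# Real systems derive templates from sensor data; these values are made up.
TEMPLATES = {
    "alice": [0.12, 0.80, 0.33, 0.54],
    "bob":   [0.90, 0.15, 0.62, 0.20],
    "carol": [0.45, 0.47, 0.91, 0.08],
}
THRESHOLD = 0.15  # assumed maximum distance still counted as a match


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id, probe):
    """Authentication (1:1): compare the probe to one claimed template."""
    template = TEMPLATES.get(claimed_id)
    if template is None:
        return False  # nobody enrolled under that identity
    return distance(template, probe) <= THRESHOLD


def identify(probe):
    """Identification (1:N): search every template, return best id or None."""
    best_id, best_dist = None, float("inf")
    for user_id, template in TEMPLATES.items():
        d = distance(template, probe)
        if d < best_dist:
            best_id, best_dist = user_id, d
    # Reject the closest candidate too if it is not close enough.
    return best_id if best_dist <= THRESHOLD else None


def system_false_match_rate(fmr, gallery_size):
    """Chance a non-enrolled probe falsely matches at least one of
    gallery_size templates, given a per-comparison false match rate."""
    return 1 - (1 - fmr) ** gallery_size
```

With a per-comparison false match rate of 0.1%, a search against 1,000 enrolled templates falsely matches an unknown person about 63% of the time under this independence assumption.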
This part is quite technical and so I recommend interested people spend some time on Wikipedia as we are really only going to gloss over the basics. You can find more information here (biometrics) and here (entropy). Be warned though, as the rabbit hole on entropy is deep!
Essentially, the ability of a biometric technology to discriminate among different individuals is based on the amount of entropy it can encode and use when matching.
The entropy of a random variable in information theory (which is different from the entropy used in physics) is the average level of uncertainty inherent in the variable’s possible outcomes.
The following are used as performance metrics for biometric systems (their definitions can all be found on the Wikipedia pages linked above):
- False match rate (FMR, also called FAR (false accept rate))
- False non-match rate (FNMR, also called FRR (false reject rate))
- Receiver operating characteristic or relative operating characteristic (ROC)
- Equal error rate or crossover error rate (EER or CER)
- Failure to enroll rate (FTE or FER)
- Failure to capture rate (FTC)
- Template capacity
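As an added example (not from the original article), the first four metrics can be computed from a set of comparison scores: sweeping the decision threshold gives the FMR/FNMR trade-off that the ROC curve plots, and the EER is the point where the two rates meet. The similarity scores below are constructed sample data, and the "accept when score >= threshold" rule is an assumption.

```python
# Constructed similarity scores (higher = more similar).
# GENUINE: a person compared against their own template.
# IMPOSTOR: a person compared against someone else's template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.62, 0.93, 0.58, 0.90, 0.84]
IMPOSTOR = [0.12, 0.35, 0.28, 0.66, 0.41, 0.19, 0.72, 0.30, 0.25, 0.48]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FMR, FNMR) when scores >= threshold are accepted."""
    # False match: an impostor comparison that is accepted.
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    # False non-match: a genuine comparison that is rejected.
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def roc_points(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FMR, FNMR) using every observed score as a threshold."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Approximate the EER: the threshold where |FMR - FNMR| is smallest.

    Returns (threshold, error_rate). With finite samples the two rates
    may not cross exactly, so their mean at the closest point is used.
    """
    t, fmr, fnmr = min(
        roc_points(genuine, impostor),
        key=lambda p: abs(p[1] - p[2]),
    )
    return t, (fmr + fnmr) / 2
```

Raising the threshold lowers the FMR at the cost of a higher FNMR, which is the security-versus-convenience choice a deployment has to make.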
What are the types of biometrics?
As alluded to above, there are two types of biometrics: physical measurements and behavioral measurements. Let’s take a look at both below and then consider a list of specific types of biometrics used for identification and authentication.
Physiological measurements can be separated into morphological and biological types:
- Morphological identifiers: The main morphological identifiers are fingerprints, hand shape, vein pattern, face shape, and the eye (iris and retina).
- Biological identifiers: These are mainly used in medicine or by the police and include DNA, blood, saliva, or urine.
There are many behavioral measurements used for biometric identification. They include voice recognition, signature dynamics (the speed, acceleration, inclination, and pressure of pen strokes), keystroke dynamics (similar to signature dynamics but relating to how you type), the way we use objects, gait, the sound of steps, and gestures.
Specific types of biometrics
The following are some specific biometric identification examples.
- DNA matching: This is as straightforward as it is scary.
- Ear: Surprisingly, ear shapes are unique and can be used for identification.
- Eyes (iris recognition): Iris features have been the focus of biometric identification research for a long time.
- Eyes (retina recognition): The retina is also being used.
- Face recognition: Facial features including the overall shape and pattern are currently being used for identification.
- Fingerprint recognition: The fingerprint has been used to identify people for a couple thousand years!
- Finger geometry recognition: The next step in fingerprint identification is actually using the 3D geometry of the finger.
- Gait: Made famous in a Mission Impossible movie, people have unique gaits and they can be measured using cameras.
- Hand geometry recognition: Similar to recognizing the geometry of a finger, the whole hand can be measured.
- Odor: Every individual produces unique odors from their mouth, etc., and it is totally not disgusting to identify people using this.
- Typing recognition: The force and speed, not to mention finger choice, when typing can be used to identify a person.
- Vein recognition: The vein pattern of a finger or hand can be used for biometric identification.
- Voice: A speaker’s voice can be used for biometric identification and authentication.
- Signature recognition: While signatures of different sorts have been used with varying success for thousands of years, the way a person signs (from the pressure on the pen to the speed and acceleration of pen strokes) can now be used for more accurate identity verification.
Advantages of biometric identification
The following are only some of the advantages of biometric identification. Biometrics are:
- Universal: We all have them.
- Unique: We all have different ones.
- Permanent: The ones we have (usually *) don’t change.
- Recordable: You can record them (but hopefully you ask us first).
- Measurable: You can turn them into numbers for future comparison.
- Forgery-proof: We keep them with us and you can’t take them (usually **).
* There is the possibility that, e.g., your face is damaged in an accident and then you cannot use it for facial recognition. This is an example of one of the ongoing controversies with biometric identification.
** There was a Malaysian car thief who cut off a victim’s finger to steal their Mercedes. This is an example of another of the ongoing controversies with biometrics.
Why is biometric identification controversial?
Biometrics have many advantages, but no technology is without disadvantages and those of biometrics are particularly unsettling.
Surveillance humanitarianism in times of crisis: While humanitarian efforts are noble in their motivations, i.e., helping those in times of need, different groups may have different specific goals and segmenting people through biometrics could lead to questionable distributions of aid.
Human dignity: The use of biometrics has been a boon to authoritarian regimes and led to the dehumanizing processing of individuals as they can become a set of values.
Privacy and discrimination: Any data obtained during biometric enrollment could be used nefariously without consent. Many of the traits measured could disclose physical or neurological disorders that could lead to discrimination.
Danger to owners of secured items: As mentioned above, if a finger or iris is needed as part of a larger crime, it could put someone at risk of bodily harm.
What are some effective attacks on biometric identification?
The two main types of attacks that can be performed against biometrics are presentation attacks and cancelable attacks.
Biometrics are useful security tools, but like all tools they are not immune to their own threats or controversies. In the never-ending hunt for stronger and simpler security—and, indeed, simpler often means stronger—biometrics will almost certainly continue playing a role.
From iris, face, or thumbprint recognition on your smartphone, to the futuristic biometric identification showcased in the latest spy thrillers, biometrics are here to stay as part of the security ecosystem.
Whether you use SSO, a passwordless login, biometric identification, or any other futuristic password solution, a strong password manager should be part of your security protocol. TeamPassword makes it safe and easy to share passwords throughout your organization.
If you’re unsure where to begin, sign up for a TeamPassword free trial to secure your shared passwords once and for all.