In the second century B.C., the Chinese emperor Ts'In She was already authenticating specific seals with a fingerprint.
Fingerprints were first used in a commercial setting in 1858 by William James Herschel, a British administrator in India.
Having been put in charge of building roads in Bengal, he had his subcontractors sign contracts with their fingers.
That was an early form of biometric authentication and a sure way of finding them quickly if they defaulted.
At the end of the 19th century, Bertillon, a French police officer, took the first steps in scientific policing.
He used physical measurements of specific anatomical characteristics to identify reoffending criminals, which often proved successful.
French police in Paris (préfecture de police) initiated this process in 1888 with its Forensic Identification Unit (mug shot and anthropometry). Four prints were instituted in 1894, and tenprints were added in 1904.
In the U.K., the Metropolitan Police started using biometrics for identification in 1901.
In the U.S., it was initiated by the New York police in 1902 and by the FBI in 1924.
The measurement of unique patterns (behavioral biometrics)is not new either.
It goes back to the 1860s.
Telegraph operators using Morse code recognized each other by the way they would send dash and dot signals.
During World War II, allied forces used the same method to identify senders and authentication messages they received.
This process is the basic principle of biometric systems: identifying a person based on specific characteristics.
Biometrics is growing fast, particularly in the field of identity documents.
It generally combines other security technologies, such as smart I.D. cards and chips (for electronic passports).
Identity and biometrics
There are three possible ways of proving one's identity:
Using something you have. This method is relatively easy to do, whether by using the key to one's vehicle, a document, a card, or a badge.
Utilizing something you know, a name, a secret, or a password.
Through what you are, your fingerprint, your hand, your face.
The use of biometrics has many benefits.
The leading one is the level of security and accuracy* that it guarantees. In contrast to passwords, badges, or documents, biometric data cannot be forgotten, exchanged, stolen, or forged.
*According to Sir Francis Galton's (Darwin's cousin) calculations, the probability of finding two similar fingerprints is one in 64 billion, even with identical twins (homozygotes).
In this sense, biometrics is inextricably linked to the question of identity.
Where is biometrics used? Use cases
Historically, applications using biometrics have been initiated by authorities for military access control and criminal or civil identification under a tightly regulated legal and technical framework.
Today, sectors, including banking, retail, and mobile commerce, demonstrate a real appetite for the benefits of biometrics.
Most importantly, awareness and acceptance have been boosted in the past seven years, as millions of smartphone users are unlocking their phones with a fingerprint or a face.
But what's so special about biometrics?
Again, biometric systems are great wherever identification and authentication are critical.
Let’s quickly review the most typical use cases of biometric technologies:
Law enforcement and public security (criminal/suspect identification)
, Military (enemy/ally identification)
, Border, travel, and migration control(traveller/migrant/passenger identification)
Law enforcement biometrics refers to applications of biometric systems that support law enforcement agencies.
This category can include criminal I.D. solutions such as Automated Fingerprint (and palm print) Identification Systems (AFIS). They store, search and retrieve fingerprint images and subject records.
Today Automated Biometric Identification Systems (ABIS) can create and store biometric information that matches biometric templates for the face (using the so-called mugshot systems), finger, and iris.
Live face recognition - the ability to perform face identification in a crowd in real-time or post-event - is also gaining interest for public security - in cities, airports, borders, or other sensitives such as stadiums or places of worship.
Much is unknown about how defense agencies around the world use biometric data.
The fact is that information is difficult to come by and share as it is not public.
The United States military has collected faces, irises, fingerprints, and DNA data in a biometric identification system since January 2009.
The biometric program started as early as 2004 and initially collected fingerprints.
Who's in charge?
The Defense Forensics and Biometrics Agency (DFBA) manages the system, known as the DoD Automated Biometric Information System.
According to OneZero (6 November 2019), the 7.4 million identities in the database are, for the vast majority, coming from military operations in Iraq and Afghanistan.
For 2008-2017, the DoD arrested or killed 1,700 individuals based on biometric and forensic matches (U.S. Government Accountability Office website - see page 2/59).
In the first half of 2019, biometric identification was used thousands of times to identify non-U.S. citizens on the battlefield.
#3 Border control, travel, and migration
The electronic passport (e-passport) is a familiar biometric travel document. The second generation of such documents, also known as biometric passports, includes two fingerprints stored and a passport photo.
But think about it for one minute.
Over 1.2 billion e-passports were in circulation in 2021.
That means over 1.2 billion travelers have a standardized digital portrait in a secure document. It's a windfall for automatic border control systems (aka e-gates) and self-service kiosks.
The photo speeds border crossing through scanners, which use the recognition principle by comparing the face or fingerprints.
Check-ins and bag-drop solutions also increase speed and efficiency while maintaining high levels of security.
Needless to say, for airports and airlines, providing passengers with a unique and enjoyable travel experience is a business priority.
Biometrics provides here irrefutable evidence of the link between the passport and its holder.
Biometric authentication is done by comparing the face/fingerprint(s) seen/read at the border with the face/fingerprints in the passport microcontroller. If both biometric data match, authentication is confirmed.
Identification, if necessary, is done with the biographic data in the chip and printed.
Besides, many countries have built biometric infrastructures to control migration flows to and from their territories.
Fingerprint scanners and cameras at border posts capture information that helps identify travelers entering the country more precisely and accurately.
The same applies to consulates for visa applications and renewals in some states.
The U.S. Department of Homeland Security's Customs and Border Protection (CBP) declared that more than 43.7m individuals had been scanned at border crossings, outbound cruise ships, and elsewhere so far. This process helped stop 252 people from attempting to use another person's passport to cross the border. (V.B., 6 February 2020.)
We describe in detail three examples of biometric databases:
The U.S. Department of Homeland Security's IDENT biometric systemis the largest of its kind (over 200m people in the base and about 260m by 2022.)
The ambitious European Entry/Exit System (EES) will be implemented by the end of 2023.
#4 Healthcare and subsidies
Other applications, chiefly national identity cards, are widespread in European and Middle East countries or Africa for I.D. and health insurance programs, such as in Gabon.
With these biometric I.D. cards, fingerprints confirm the bearer's identity before accessing governmental services or healthcare.
Why is it so?
In Gabon, for example, even before the program started, it was clear to everyone that authorities had to implement all resources to avoid the health coverage program becoming a center of attention for neighboring countries' citizens.
This feature was crucial to ensure that the program's generosity would not collapse through the fraudulent use of rights.
Hence beneficiaries are individually identified so that access to care can be reserved for them. The authorities decided that the insured parties' identification would be nominative in implementing a Gabonese individual health insurance number.
Civil data, a photograph of the holder, and two fingerprints are digitized within the microprocessor, ensuring this data's encryption and protection.
Hospitals, pharmacies, and clinics use health insurance cards to check social security rights while protecting personal data confidentiality.
Terminals are performing checks with fingerprint sensors.
#5 Civil Identity, population registration, and voter registration
AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database, ensure citizens' identity and uniqueness to the rest of the population in a reliable, fast, and automated way.
They can combine digital fingerprints, photos, and iris scans for higher reliability.
India's Aadhaar project is emblematic of biometric registration. It is the world's most extensive biometric identification system and the cornerstone of reliable identification and authentication in India.
The Aadhaar number is a 12-digit unique identity number issued to all Indian residents. This number is based on their biographic and biometric data (a photograph, ten fingerprints, and two iris scans).
1,370,020,912 Aadhaar IDs have been issued as of 20 May 2023, covering more than 99,9% of the Indian adult population.
Yes, you read that right: it's over 1.37 billion people. India's population was estimated at 1.42B in January 2023.
Initially, the project has been linked to public subsidy and unemployment benefit schemes, but it now includes a payment scheme.
According to Finance Minister Arun Jaitley in his speech of 1 February 2018, Aadhaar provides an identity to every Indian that has made many services more accessible to the people.
It has reduced the following:
Cost of delivery of public services,
Biometric voter verification at work: identification is made with a bar code and verification with a fingerprint.
Biometrics can also be critical for the "one person, one vote" principle.
Biometric access control systems help to prevent unauthorized individuals from accessing:
facilities (physical access control)
computer systems and networks (logical access control) based on biometric authentication.
In I.T., biometric access control can complement user authentication and supports organizations'Identity and Access Management (IAM) policies.
Unlike codes, static passwords, one-time passwords, or access cards that rely on data that can be forgotten or lost, biometric authentication is based on who people are (and not what they have).
In the mobile world, smartphones (a form of I.T. system) now usually include fingerprint and facial recognition features.
The iPhone 5 was the first to introduce fingerprint recognition in 2013 (with TOUCH ID), and facial recognition became trendy with the iPhone X introduced in November 2017 (with FACE ID).
Many Android phones have this feature (combined with iris scanning).
#7 Commercial applications
KYC (Know Your Customer) or KYC check is the mandatory process of identifying and verifying the client's identity when opening an account and periodically over time. (source: what is KYC? – Thales).
Today, it is a significant element in the fight against financial crime and money laundering.
With biometrics, banks, fintech organizations, or even telecom operators can make customer mandatory KYC checks (Know Your Customer) faster and more efficiently using biometrics.
For example, call centers can use biometric voice matching to detect impersonators and slash account takeover fraud (ATO).
The pandemic has accelerated online digital onboarding and bank account opening as many branches were temporarily closed. Businesses have been developing mobile user-friendly onboarding processes, including facial recognition as a critical feature for identity verification.
In India, Aadhaar-based KYC for mobile connections and bank accounts is authorized (Aadhaar amendment act July 2019).
The UIDAI (Unique Identification Authority of India), in charge of the program, initially kept all authentication services free to lower the entry barrier.
It has only begun charging relying parties in 2019.
Since 2019, private organizations have been charged US$0.007 for Aadhaar authentication (for a yes/ no challenge) and US$0.3 for e-KYC transactions.
Retailers can leverage facial recognition to identify a premium customer or a former shoplifter as soon as they enter the store. If the system recognizes one, it alerts the store manager.
The technology is a powerful marketing enabler or can be applied to policing.
That's what U.K.'s The Guardianclaims (04 August 2019) as it states that it has become pointless to report shoplifting to the police in the country. Retailers must find solutions to tackle an estimated £700m ($900m)loss. They turn to facial recognition solutions.
According to the NYmag website (October 2018), U.S. retailers also use facial recognition. Most top U.S. companies have facial recognition in their plan or have investigated its potential. Walmart dropped it, Target is not communicating, Lowe's uses the technology, and Saks Fifth Avenue uses it in Canada.
However, privacy laws in Illinois, Texas, Washington, and California (as of January 2020) and New York state's SHIELD ( as of March 2020) will seriously challenge these efforts.
Civil liberties groups want an embargo on this technology and a precise democratic debate about the place facial biometrics should take in our lives.
According to Global Markets Insights, the global biometric market is expected to top USD 50 billion by 2024.
Non-AFIS will account for the highest biometrics market share, exceeding USD 18 billion by 2024.
Biometric applications in North America's security and government sectors drive regional market trends. With the U.S. at the helm, the study claims North America will represent more than 30% of the overall biometrics industry share by 2024.
The Asia Pacific region will also be witnessing robust growth.
Governmental initiatives like CRIC (China Resident Identity Card) and the push for facial recognition or India's Aadhaar have genuinely favored the commercialization of APAC's biometrics industry.
Multimodal biometrics combines several biometric sources to increase security and accuracy.
Multimodal biometric systems usually require two biometric credentials for identification, such as face and fingerprints, instead of one.
They can overcome limitations commonly encountered in unimodal systems.
For years, using several biometric features, such as the face and the iris or the iris and fingerprints, has considerably reduced error rates.
Biometrics can also enhance multi-factor authentication (MFA).
Geolocation, I.P. addresses, and keying patterns can create a powerful combination to authenticate users securely.
Advantages of biometric data
Whatever the method, what all these biometric techniques have in common is that they all collect human characteristics:
Universal, as they can be found in all individuals.
Unique, as they make it possible to differentiate one individual from another
Permanent, as they don't change over time
Recordable (with or without consent)
Measurable, allowing for future comparison
Forgery-proof (a face, a fingerprint)
Who needs biometrics?
A better question would be: what for?
The simple truth is that solutions are related to meeting the challenges.
For example, the justice system must take the time to identify a criminal and not accept the slightest error. It will not be worried about a lengthy and costly process.
An everyday individual will seek to protect their personal property and have access to it quickly, at a reasonable price.
Governments and public administrations are, in their case, confronted with multiple issues at once.
Think about it.
They have to make it easier to cross borders while controlling illegal immigration and fighting terrorism, cybercrime, or electoral fraud.
They need to issue documents compliant with new international standards and regulations, guarantee the security of production systems, and check such materials and data interoperability.
And all this should be done within the limits of their budgets.
Is biometrics reliable?
Biometric authentication relies on statistical algorithms. It, therefore, cannot be 100 %-reliable when used alone.
"false rejections" or "false acceptances."
What's the story here?
In one case, the machine fails to recognize an item of biometric data that does correspond to the person. It's a false rejection.
The reverse case assimilates two biometric data items that are not from the same person. It's a false acceptance.
"False rejection" or "false acceptance" are symptoms that occur with all biometric techniques.
How secure are biometric authentication technology and biometric data?
How accurate is biometrics in 2023?
What's the problem?
Why would biometrics not be accurate?
Think about this one minute again.
The technical challenges of automated recognition of individuals based on their biological and behavioral characteristics are inherent in transforming analog (facial image, fingerprint, voice pattern) to digital information (patterns, minutiae) that can then be processed, compared and matched with effective algorithms.
There are about 30 minutiae (specific points) in a fingerprint scan obtained by a live fingerprint reader.
The U.S. Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than eight minutiae in common.
Recognition decisions in biometric systems must be taken in real-time. Therefore, computing efficiency is critical in biometric apps.
It is not the case in biometric forensics, where real-time recognition is not a requirement.
Facial recognition is the most natural means of biometric identification. The face recognition system does not require any contact with the person.
And the algorithms are getting extremely accurate with Artificial Intelligence.
According to a 2018 NIST study, the system developers have made massive gains in facial recognition accuracy in the last five years (2013- 2018).
NIST found that 0.2% of searches in a database of 26.6 photos failed to match the correct image, compared with a 4% failure rate in 2014.
In NIST'S 2020 tests, the best algorithm had a failure rate of 0,08%.
It's a 50x improvement over six years.
The risks of error are related to very different factors.
We have noted that particular biometric techniques were more or less well-suited to specific categories of persons. A typical system may work for women, but less well for men or young people, but not for older people, for people with lighter skin, but less for darker skin.
Other difficulties arise, particularly facial recognition when the person dyes or cuts their hair, changes the line of their eyebrows or grows a beard.
A verification photo taken with a low-quality camera model can increase the risk of error. The identification accuracy relies on the reliability of the equipment used to capture data.
The risk of error also varies depending on the environment and the conditions of the application. The lightmay differ from one place to another. The same goes for the intensity or nature of background noise. The person's position may have changed.
Also, in a biometric control application, the rejection or acceptance rates are intertwined and tuned according to acceptable risk levels.
It is not possible to modify one without impacting the other one.
Why is it so?
In the case of a nuclear plant access control application, the false acceptance rate will be hugely reduced. You don't want ANYONE to enter by chance.
This demand will also impact the rate of false rejections because you will tune the system to be highly accurate.
You will probably use several authentication factors, including a valid I.D. and biometrics (single mode or multimodal).
According to the Keesing Journal of Documents & Identity (March 2017), two complementary topics have been identified by standardization groups.
Ensure the captured image is from a person and not from a mask, a photograph, or a video screen (liveliness check or liveness detection)
Ensure that facial images (morphed portraits) or two or more individuals have not been joined into a reference document, such as a passport.
Biometrics suffers because the matching algorithms cannot be compared to the hashes of passwords, as we said.
This means that two biometric measures cannot be compared with each other without them, at some point, being "in plaintext" in the memory of the device doing the matching.
Therefore, biometric checks must be carried out on a trusted secure device, which means the alternatives are to have a centralized and supervised server, a trusted biometric device, or a personal security component.
Smart ID cards
This security need is why tokens and smart cards (I.D.s or banking cards now) are the ideal companions for a biometric system.
The South African electronic I.D. card uses biometrics.
Numerous national identity cards (Portugal, Ecuador, South Africa, Mongolia, Algeria, etc.) now incorporate digital security features based on the "Match-on-Card" fingerprint matching algorithm.
Unlike conventional biometric processes, the "Match-on-Card" algorithm allows fingerprints to be matched locally with a reference frame thanks to a microprocessor built into the biometric I.D. card without connecting to a central biometric database (1:1 matching).
Biometric sensor cards
A biometric payment card with a sensor (where the thumb is)
Integrating a fingerprint scanner into smart cards is another form of delivering a safe and convenient way to authenticate people.
These biometric sensor cards open up a new dimension in identification with an easy-to-use, portable, and secure device.
They were launched in 2018 for the first time by the Bank of Cyprus and Thales for EMV cards (contactless and contact payment). They use fingerprint recognition instead of a PIN code to authenticate the cardholder.
The cards support access and physical or online identity verification services.
ACustomer details are highly protected if the bank suffers a cyber-attack because the user's biometric data is stored on the card, not on a central database; likewise, if the card was to become lost or stolen, the holder's fingerprint could not be replicated.
Put in another way: the biometric identifiers are checked locally and protected, as they are stored solely on the card. They never leave the card.
Biometrics can fulfil two distinct functions, authentication, and identification, as we said.
Identification answers the question, "Who are you?". In this case, the person is identified as one, among others (1: N matching). The person's data to be identified are compared with those stored in the same or possibly other linked databases.
Authentication answers the question: "Are you really who you say you are?". In this case, biometrics allows the person's identity to be certified by comparing the data they provide with pre-recorded data for the person they claim to be (1:1 matching).
These two solutions call upon different techniques.
In general, identification requires a centralized biometric database that compares several persons' biometric data.
Authentication can do without such a centralized database. The data can be stored on a decentralized device, like one of our smart cards.
For data protection, a process of authentication with a decentralized device is preferred. Such an approach involves less risk.
The token (I.D. card, military card, health card) is kept in the user's possession, and their data does not have to be stored in any database.
Conversely, if an identification process requiring an external database is used, the user does not have physical control over their data, with all the risks involved.
Why are biometrics controversial?
Biometric security offers many advantages (authenticating and identifying strongly) but is not without controversy. This challenge is linked to privacy and citizens' ability to control information about themselves.
Two types of risks can be identified:
The use of biometric data to other ends (aka function creep) than those agreed by the citizen either by service providers or fraudsters. As soon as biometric data is in the hands of a third party, there is a risk that such data may be used for purposes different from those to which the person concerned has given their consent.
Thus, there may be cases of unwanted end use if such data is interconnected with other files or used for types of processing other than those initially intended. for
The risk of re-use of data presented for biometric checks. The data can be captured during transmission to the central database and fraudulently replicated in another transaction.
A result is a person losing control over their data, which poses privacy risks.
In practice, data protection authorities seem to prefer solutions that feature decentralized data devices.
Do you want to see how biometric data are protected around the world?
Biometrics and data protection
The "United Nations Resolution" of 14 December 1990, which sets out guidelines for computerized personal data files regulation, does not have any binding force.
On a more global basis, legal deliberations rely primarily on personal data provisions in the broad sense.
But such provisions sometimes prove to be poorly adapted to biometrics.
On the contrary, the new E.U. regulation replaces the existing national laws as of May 2018.
The Thales TrUE Technology approach aims to deliver responsible products and services that build trust for both users and service providers, which is the key to building a safer, greener and more inclusive society.
Fully adapted to the current Covid context, Thales provides highly accurate biometric authentication and identification methods for smooth and secure user experiences. Thales solutions offer full compliance with GDPR and support ‘touch less’ use cases such as access man...
For more information regarding our services and solutions contact one of our sales representatives. We have agents worldwide that are available to help with your digital security needs. Fill out our contact form and one of our representatives will be in touch to discuss how we can assist you.
Please note we do not sell any products nor offer support directly to end users. If you have questions regarding one of our products provided by e.g. your bank or government, then please contact them for advice first.