In the second century B.C., the Chinese emperor Ts'In She was already authenticating specific seals with a fingerprint.
Fingerprints were first used in a commercial setting in 1858 by William James Herschel, a British administrator in India.
Having been put in charge of building roads in Bengal, he had his subcontractors sign contracts with their fingers.
That was an early form of biometric authentication and a sure way of finding them more quickly if they defaulted.
At the end of the 19th century, Bertillon, a French police officer, took the first steps in scientific policing.
He used body measurements taken of specific anatomical characteristics to identify reoffending criminals, which often proved successful.
French police in Paris (préfecture de police) started to initiate this process in 1888 with its Forensic Identification Unit (mug shot and anthropometry). Four prints were instituted in 1894, and tenprints were added in 1904.
In the U.K., the Metropolitan Police started the use of biometrics for identification in 1901.
In the U.S., it was initiated by the New York police in 1902 and by the FBI in 1924.
The measurement of unique patterns (aka behavioral biometrics)is not new either.
It goes back to the 1860s.
Telegraph operators using Morse code recognized each other by the way they would send dash and dot signals.
During World War II, allied forces used the same method to identify senders and authentication messages they received.
This process is the basic principle of biometric systems: to identify a person based on specific characteristics.
Biometrics is growing fast, particularly in the field of identity documents.
It generally combines other security technologies such as smart ID cards and chips (for electronic passports).
Identity and biometrics
There are three possible ways of proving one's identity:
Using something you have. This method is relatively easy to do, whether by using the key to one's vehicle, a document, a card, or a badge.
Utilizing something you know, a name, a secret, or a password.
Through what you are, your fingerprint, your hand, your face.
The use of biometrics has many benefits.
The leading one is the level of security and accuracy* that it guarantees. In contrast to passwords, badges, or documents, biometric data cannot be forgotten, exchanged, stolen, or forged.
*According to calculations made by Sir Francis Galton (Darwin's cousin), the probability of finding two similar fingerprints is one in 64 billion, even with identical twins (homozygotes).
It is in this sense that biometrics is inextricably linked to the question of identity.
Where is biometrics used? Use cases
Historically, applications using biometrics have been initiated by authorities for military access control, criminal or civil identification under a tightly regulated legal and technical framework.
Today, sectors, including banking, retail, and mobile commerce, demonstrate a real appetite for the benefits of biometrics.
Most importantly, awareness and acceptance have been boosted in the past seven years, as millions of smartphone users are unlocking their phones with a fingerprint or a face.
But what’s so special about biometrics?
Again, biometric systems are great wherever identification and authentication are critical.
Let’s quickly review the most typical use cases of biometric technologies:
Law enforcement and public security (criminal/suspect identification)
Military (enemy/ally identification)
Border,travel, and migration control(traveller/migrant/passenger identification)
Law enforcement biometrics are referring to applications of biometric systems that support law enforcement agencies.
This category can include criminal ID solutions such as Automated Fingerprint (and palm print) Identification Systems (AFIS). They store, search and retrieve, fingerprint images, and subject records.
Today Automated Biometric Identification Systems (ABIS) can create and store biometric information that matches biometric templates for the face (using the so-called mugshot systems), finger, and iris.
Live face recognition - the ability to perform face identification in a crowd in real-time or post-event - is also gaining interest for public security - in cities, airports, at borders, or other sensitives such as stadiums or places of worship.
Much is unknown about how defense agencies around the world use biometric data.
The fact is that information is difficult to come by and share as it is not public.
The United States military has been collecting faces, irises, fingerprints, and DNA data in a biometric identification system since January 2009.
The biometric program started as early as 2004 and initially collected fingerprints.
Who's in charge?
The Defense Forensics and Biometrics Agency (DFBA) manages the system, known as the DoD Automated Biometric Information System.
According to OneZero (6 November 2019), the 7.4 million identities in the database are, for the vast majority, coming from military operations in Iraq and Afghanistan.
For the period 2008-2017, the DoD arrested or killed 1,700 individuals based on biometric and forensic matches (U.S. Government Accountability Office web site - see page 2/59).
In the first half of 2019, biometric identification has been used thousands of times to identify non-U.S. citizens on the battlefield.
#3 Border control, travel, and migration
The electronic passport (e-passport) is a familiar biometric travel document. The second generation of such documents, also known as biometric passports, includes two fingerprints stored and a passport photo.
But think about it for one minute.
Over 1.2 billion e-passports are in circulation in 2020.
That means over 1.2 billion travelers have a standardized digital portrait in a secure document. It's a windfall for automatic border control systems (aka e-gates) but also for self-service kiosks.
The photo speeds up border crossing through scanners, which use the recognition principle by comparing the face or fingerprints.
Check-ins and bag-drop solutions also increase speed and efficiency while maintaining high levels of security.
Needless to say, that for airports and airlines, providing passengers with a unique and enjoyable travel experience is a business priority.
Biometrics provides here irrefutable evidence of the link between the passport and its holder.
Biometric authentication is done by comparing the face/fingerprint(s) seen/read at the border with the face/fingerprints in the passport micro-controller. If both biometric data match, authentication is confirmed.
Identification, if necessary, is done with the biographic data in the chip and printed.
Besides, many countries have set up biometric infrastructures to control migration flows to and from their territories.
Fingerprint scanners and cameras at border posts capture information that helps identify travelers entering the country in a more precise and reliable way. In some states, the same applies to consulates to visa applications and renewals.
The U.S. Department of Homeland Security’s Customs and Border Protection (CBP) declared that more than 43.7m individuals have been scanned at border crossings, outbound cruise ships, and elsewhere so far. This process helped stop 252 people from attempting to use another person's passport to cross the border. (VB, 6 February 2020.)
We describe in details three examples of biometric databases:
The U.S. Department of Homeland Security's IDENT biometric system, the largest of its kind (over 200m people in the base and about 260m by 2022.)
The ambitious European Entry/Exit System (EES)to be put in place in 2022.
#4 Healthcare and subsidies
Other applications exist, chiefly national identity cards, widespread in European and the Middle East countries or Africa for ID and health insurance programs, such as in Gabon.
With these biometric ID cards, fingerprints are used to confirm the bearer's identity of the card before he or she may access governmental services or healthcare.
Why is it so?
In Gabon, for example, even before the program started, it was clear to everyone that all resources should be implemented to avoid the health cover program turning into a center of attention for the citizens of neighboring countries.
This feature was crucial to ensure that the program's generosity would not lead to its collapse through the fraudulent use of rights.
Hence beneficiaries are individually identified so that access to care can be reserved for them. The authorities decided that the identification of insured parties will be nominative with the implementation of a Gabonese individual health insurance number.
Civil data, a photograph of the holder, and two fingerprints are digitized within the microprocessor, ensuring the encryption and protection of this data.
Hospitals, pharmacies, and clinics use the health insurance card to check social security rights while protecting personal data confidentiality.
Terminals are performing checks with fingerprint sensors.
#5 Civil Identity, population registration, and voter registration
AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database, ensure citizen's identity and uniqueness to the rest of the population in a reliable, fast, and automated way.
They can combine digital fingerprints, a photo, and an iris scan for higher reliability.
India’s Aadhaar project is emblematic of biometric registration. It is by far the world's most extensive biometric identification system and the cornerstone of reliable identification and authentication in India.
The Aadhaar number is a 12-digit unique identity number issued to all Indian residents. This number is based on their biographic and biometric data (a photograph, ten fingerprints, two iris scans).
1,278,721,364 people have an Aadhaar number as of 19 January 2021, covering more than 99% of the Indian adult population.
Yes, you read that right: it's over 1.27 billion people. India's population is estimated at 1.38B in 2020.
Initially, the project has been linked to public subsidy and unemployment benefit schemes, but it now includes a payment scheme.
According to Finance minister Arun Jaitley in his speech of 1 February 2018, Aahaar provides an identity to every Indian that has made many services more accessible to the people.
It has reduced:
Cost of delivery of public services,
Biometric voter verification at work: identification is made with bar code, verification with a fingerprint.
Biometrics can also be critical for the "one person, one vote" principle.
Biometric access control systems help to prevent unauthorized individuals from accessing:
facilities (physical access control)
computer systems and networks (logical access control) based on biometric authentication.
In IT, biometric access control can be a complementary user’s authentication factor and supports organizations’ Identity and Access Management (IAM) policies.
Unlike codes, static passwords, one-time passwords, or access cards that rely on data that can be forgotten or lost, biometric authentication is based on who people are (and not what they have).
In the mobile world, smartphones (a form of IT system) now usually include fingerprint and facial recognition features.
The iPhone 5 was the first to introduce fingerprint recognition in 2013 (with TOUCH ID), and facial recognition became trendy with the iPhone X introduced in November 2017 (with FACE ID).
Today many Android phones have this feature (combined with iris scanning) too.
According to Counterpoint, more than 1B smartphones with fingerprint sensors were shipped in 2018, and 1B smartphones will come with some form of face unlock solution in 2020.
#7 Commercial applications
KYC (Know Your Customer) or KYC check is the mandatory process of identifying and verifying the client's identity when opening an account and periodically over time. (source: what is KYC? – Thales).
It is today a significant element in the fight against financial crime and money laundering.
With biometrics, banks, fintech organizations, or even telecom operators can make customer mandatory KYC checks (Know Your Customer) faster and more efficiently using biometrics.
In India, the use of Aadhaar-based KYC for mobile connections and bank accounts is authorized (Aadhaar amendment act July 2019).
Retailers can leverage facial recognition to identify a premium customer or a former shoplifter as soon as they come into the store. If the system recognizes one, it sends an alert to the store manager.
The technology is a powerful marketing enabler or can be applied to policing.
That’s what U.K.’s The Guardianclaims (04 August 2019) as it states that it has become pointless to report shoplifting to the police in the country. Retailers have to find solutions to tackle an estimated £700m ($900m) loss. They turn to facial recognition solutions.
According to the NYmag website (October 2018), U.S. retailers are using facial recognition too. Almost all the top U.S. companies have facial recognition in their plan or have investigated its potential. Walmart dropped it, Target is not communicating on it, Lowe’s uses the technology, and Saks Fifth Avenue is using it in Canada.
However, privacy laws in Illinois, Texas, Washington, and California (as of January 2020) and New York state's SHIELD ( as of March 2020) will pose a serious challenge to these efforts.
Civil liberties groups want an embargo on the technology and a precise democratic debate about the place that facial biometrics should take in our lives.
Non-AFIS will account for the highest biometrics market share, exceeding USD 18 billion by 2024.
Biometric applications in the security and government sectors of North America are driving the regional market trends. The study claims, North America, with the U.S. at the helm, will represent more than 30% of the overall biometrics industry share by 2024.
The Asia Pacific region will also be witnessing robust growth.
Governmental initiatives like CRIC (China Resident Identity Card) and the push for facial recognition or India's Aadhaar have genuinely favored the commercialization of APAC's biometrics industry.
Multimodal biometrics combines several biometric sources to increase security and accuracy.
Multimodal biometric systems usually require two biometric credentials for identification, such as face and fingerprints, instead of one.
They can overcome limitations commonly encountered in unimodal systems.
For several years now, the use of several biometric features in combination, for example, the face and the iris or the iris and fingerprints, has made it possible to considerably reduce error rates.
Biometrics can also enhance multi-factor authentication (MFA).
Geolocation, IP addresses, and keying patterns can create a powerful combination to authenticate users securely.
Advantages of biometrics
Whatever the method, what all these biometric techniques have in common is that they all collect human characteristics:
Universal, as they can be found in all individuals.
Unique, as they make it possible to differentiate one individual from another
Permanent, as they don't change over time
Recordable (with or without consent)
Measurable, allowing for future comparison
Forgery-proof (a face, a fingerprint)
Who needs biometrics?
A better question would be: what for?
The simple truth is that solutions are related to the challenges to be met.
For example, the justice system must take the necessary time to identify a criminal and not accept the slightest error. It will not be worried about a lengthy and costly process.
An everyday individual will seek to protect their personal property and have access to it quickly, at a reasonable price.
Governments and public administrations are, in their case, confronted with multiple issues at once.
Think about it.
They have to make it easier to cross borders while controlling illegal immigration, fight terrorism, cybercrime, or electoral fraud.
They need to issue documents compliant with new international standards and regulations, guarantee the security of systems for the production, check of such materials, and data interoperability.
And all this should be done within the limits of their budgets.
Is biometrics reliable?
Biometric authentication relies on statistical algorithms. It, therefore, cannot be 100 %-reliable when used alone.
"false rejections" or "false acceptances."
What's the story here?
In one case, the machine fails to recognize an item of biometric data that does correspond to the person. It's a false rejection.
The reverse case assimilates two items of biometric data that are not from the same person. It's a false acceptance.
"False rejection" or "false acceptance" are symptoms that occur with all biometric techniques.
How secure are biometric authentication technology and biometric data?
How accurate is biometrics?
What's the problem?
Why would biometrics not be accurate?
Think about this one minute again.
The technical challenges of automated recognition of individuals based on their biological and behavioral characteristics are inherent to the transformation of analog (facial image, fingerprint, voice pattern) to digital information (patterns, minutiae) that can then be processed, compared, and matched with effective algorithms.
There are about 30 minutiae (specific points) in a fingerprint scan obtained by a live fingerprint reader.
The U.S. Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than eight minutiae in common.
Recognition decisions in biometric systems have to be taken in real-time and, therefore, computing efficiency is critical in biometric apps.
It is not the case in biometric forensics, where real-time recognition is not a requirement.
Facial recognition is the most natural means of biometric identification. The face recognition system does not require any contact with the person.
And the algorithms are getting extremely accurate with Artificial Intelligence.
According to a 2018 NIST study, the system developers have made massive gains in facial recognition accuracy in the last five years (2013- 2018).
NIST found that 0.2% of searches in a database of 26.6 photos failed to match the correct image, compared with a 4% failure rate in 2014.
It's a 20x improvement over four years.
The risks of error are related to very different factors.
We have noted that particular biometric techniques were more or less well suited to specific categories of persons. A specific system may work for women, but less well for men, or young people, but not for older people, for people with lighter skin, but less well for those with darker skin.
Other difficulties arise in particular with facial recognition, when the person dyes or cuts their hair, change the line of their eyebrows or grows a beard.
A verification photo taken with a low-quality model of camera can increase the risk of error. The accuracy of the identification relies on the reliability of the equipment used to capture data.
The risk of error also varies depending on the environment and the conditions of application. The lightmay differ from one place to another. The same goes for the intensity or nature of background noise. The person's position may have changed.
Also, in a biometric control application, the rejection or acceptance rates are intertwined and can be tuned according to acceptable risk levels.
It is not possible to modify one without impact the other one.
Why is it so?
In the case of a nuclear plant access control application, the rate of false acceptance will be hugely reduced. You don't want ANYONE to enter by chance.
This demand will also impact the rate of false rejections because you will tune the system to be extremely accurate.
You will probably use several authentication factors, including a valid ID in addition to biometrics (single mode or multimodal).
According to the Keesing Journal of Documents & Identity (March 2017), two complementary topics have been identified by standardization groups.
Ensure the captured image is from a person and not from a mask, a photograph, or a video screen (liveliness check or liveness detection)
Ensure that facial images (morphed portraits) or two or more individuals have not been joined into a reference document, such as a passport.
Biometrics suffers from the fact that the matching algorithms cannot be compared to the hashes of passwords, as we said.
This means that two biometric measures cannot be compared with each other without them, at some point, being "in plaintext" in the memory of the device doing the matching.
Therefore, biometric checks must be carried out on a trusted secure device, which means the alternatives are to have a centralized and supervised server, a trusted biometric device, or a personal security component.
Smart ID cards
This security need is why tokens and smart cards (IDs or banking cards now) are the ideal companions for a biometric system.
The South African electronic ID card uses biometrics.
Numerous national identity cards (Portugal, Ecuador, South Africa, Mongolia, Algeria, etc.) now incorporate digital security features based on the "Match-on-Card" fingerprint matching algorithm.
Unlike conventional biometric processes, the "Match-on-Card" algorithm allows fingerprints to be matched locally with a reference frame thanks to a microprocessor built into the biometric ID card without having to connect to a central biometric database (1:1 matching).
Biometric sensor cards
A biometric payment card with a sensor (where the thumb is)
Integrating a fingerprint scanner into smart cards is another form of delivering a safe and convenient way to authenticate people.
These biometric sensor cards open up a new dimension in identification with an easy-to-use, portable, and secure device.
They were launched in 2018 for the first time by the Bank of Cyprus and Thales for EMV cards (contactless and contact payment). They use fingerprint recognition instead of a PIN code to authenticate the cardholder.
The cards support access, physical or online identity verification services.
As the user's biometric data is stored on the card, not on a central database, customer details are highly protected if the bank suffers a cyber-attack. Likewise, if the card was to become lost or stolen, the holder's fingerprint could not be replicated.
Put it in another way: the biometric identifiers are checked locally and protected, as they are stored solely on the card. They never leave the card.
Biometrics can fulfill two distinct functions, authentication, and identification, as we said.
Identification answers the question, "Who are you?". In this case, the person is identified as one, among others (1: N matching). The person's personal data to be identified are compared with other persons stored in the same database or possibly other linked databases.
Authentication answers the question: "Are you really who you say you are?". In this case, biometrics allows the person's identity to be certified by comparing the data they provide with pre-recorded data for the person they claim to be (1:1 matching).
These two solutions call upon different techniques.
In general, identification requires a centralized biometric database that allows the biometric data of several persons to be compared.
Authentication can do without such a centralized database. The data can simply be stored on a decentralized device, such as one of our smart cards.
For data protection, a process of authentication with a decentralized device is to be preferred. Such an approach involves less risk.
The token (ID card, military card, health card) is kept in the user's possession, and their data does not have to be stored in any database.
Conversely, if an identification process requiring an external database is used, the user does not have physical control over their data, with all the risks involved.
Why are biometrics controversial?
Biometric security offers many advantages (to authenticate and identify strongly) but is not without controversy. This challenge is linked to privacy and citizen's ability to control information about themselves.
Two types of risks can be identified:
The use of biometric data to other ends (aka function creep) than those agreed by the citizen either by service providers or fraudsters. As soon as biometric data is in the hands of a third party, there is a risk that such data may be used for purposes different from those to which the person concerned has given their consent.
There may thus be cases of unwanted end use if such data is interconnected with other files or used for types of processing other than those for which it was initially intended.
The risk of re-use of data presented for biometric checks. The data can be captured during their transmission to the central database and fraudulently replicated in another transaction.
A result is a person losing control over their data, which poses privacy risks.
In practice, data protection authorities seem to give preference to solutions that feature decentralized data devices.
Do you want to see how biometric data are protected around the world?
Biometrics and data protection
The "United Nations Resolution" of 14 December 1990, which sets out guidelines for the regulation of computerized personal data files, does not have any binding force.
On a more global basis, legal deliberations thus rely mostly on provisions relating to personal data in the broad sense. But such provisions sometimes prove to be poorly adapted to biometrics.
On the contrary, the new E.U. regulation replaces the existing national laws as of May 2018.
And biometric data are clearly defined and protected.
Can this be true? Yes.
In a nutshell, it establishes:
A harmonized framework within the E.U.,
The right to be forgotten,
"Clear" and "affirmative" consent,
Severe penalties for failure to comply with these rules.
Note that outside the European Union, the level of protection differs depending on the legislation in force. Assuming – that is – that there is any such legislation.
An example is the United States, where three states (Illinois, Washington, and Texas)protected biometric data, and.. 47 did not in 2019.
But things may move faster in 2021.
The California Consumer Privacy Act is a significant step forward for the country. It enhances privacy rights and consumer protection for California residents and is applicable as of 1 January 2020.
Why is it important?
The CCPA may serve as a model for a future federal legal framework.
To know more about biometric data protection in the E.U. and U.K. (GDPR), in the United States (CCPA), and recent changes in India, discover our dossier dedicated to privacy regulations and biometric data.
Putting biometric systems to work for digital security
Thales has its technology which, combined with its impartial stance on the source of biometric data, allows it to help everyone put their trust in the digital world.
Thales is an expert in strong identification solutions with more than 200 civil ID, population registration, and law enforcement projects that incorporate biometric security.
As an independent force, the company can propose and recommend the most suitable solution in each case.
Thales attaches a great deal of importance to assessing risks, which may not always be visible to the general public, and to private operators' capacity to manage such risks.
The company remains convinced that biometrics offers significant benefits for guaranteeing identity.
For more information regarding our services and solutions contact one of our sales representatives. We have agents worldwide that are available to help with your digital security needs. Fill out our contact form and one of our representatives will be in touch to discuss how we can assist you.
Please note we do not sell any products nor offer support directly to end users. If you have questions regarding one of our products provided by e.g. your bank or government, then please contact them for advice first.