Again, biometric systems are great wherever identification and authentication are critical.
#1 Law enforcement and public security
Law enforcement biometrics are referring to applications of biometric systems that support law enforcement agencies.
This category can include criminal ID solutions such as Automated Fingerprint (and palm print) Identification Systems (AFIS). They store, search and retrieve, fingerprint images, and subject records.
Today Automated Biometric Identification Systems (ABIS) can create and store biometric information that matches biometric templates for face, finger, and iris.
Discover the work of forensic analysts in our video.
Live face recognition - the ability to perform face identification in a crowd in real-time or post-event - is also gaining interest for public security - in cities, airports, at borders, or other sensitives such as stadiums or places of worship.
These surveillance systems are being tested or used in many countries. They are, however, challenged and sometimes put on hold. Read California bans law enforcement from using facial recognition.
#2 Military - Know your enemy
Much is unknown about how defense agencies around the world use biometric data.
The fact is that information is difficult to come by and share as it is not public.
The United States military has been collecting faces, irises, fingerprints, and DNA data in a biometric identification system since January 2009. The biometric program started as early as 2004 and initially collected fingerprints.
The Defense Forensics and Biometrics Agency (DFBA) is managing the system, known as the DoD Automated Biometric Information System.
According to OneZero (6 Nov 2019), the 7.4 million identities in the database are, for the vast majority, coming from military operations in Iraq and Afghanistan.
For the period 2008-2017, the DoD arrested or killed 1,700 individuals based on biometric and forensic matches (U.S. Government Accountability Office web site - see page 2/59).
In the first half of 2019, biometric identification has been used thousands of times to identify non-U.S. citizens on the battlefield.
#3 Border control, travel, and migration
The electronic passport (e-passport) is a familiar biometric travel document. The second generation of such documents, also known as biometric passports, includes two fingerprints stored in addition to a passport photo.
But think about it for one minute.
Over 1.2 billion e-passports are in circulation in 2020.
That means over 1.2 billion travellers have a standardized digital portrait in a secure document. It's a windfall for automatic border control systems (aka e-gates) but also for self-service kiosks.
- The photo speeds up border crossing through the use of scanners, which use the principle of recognition by comparison of the face or fingerprints.
- Check-ins and bag-drop solutions also increase speed and efficiency while maintaining high levels of security.
Needless to say, that for airports and airlines, providing passengers with a unique and enjoyable travel experience is a business priority.
Biometrics provides here irrefutable evidence of the link between the passport and its holder.
- Biometric authentication is done by comparing the face/fingerprint(s) seen/read at the border with the face/fingerprints in the passport micro-controller. If both biometric data match, authentication is confirmed.
- Identification, if necessary, is done with the biographic data in the chip and printed.
Besides, many countries have set up biometric infrastructures to control migration flows to and from their territories.
Fingerprint scanners and cameras at border posts capture information that helps identify travellers entering the country in a more precise and reliable way. In some states, the same applies to consulates to visa applications and renewals.
We describe in details three examples of such application:
- The U.S. Department of Homeland Security's IDENT biometric system, the largest of its kind
- The European Union's EURODAC, serving 32 nations in Europe (biometrics for asylum seekers)
- The ambitious European Entry/Exit System (EES) to be put in place in 2020.
#4 Healthcare and subsidies
Other applications exist, chiefly national identity cards, widespread in European and the Middle East countries or Africa for ID and health insurance programs, such as in Gabon.
With these biometric ID cards, fingerprints are used to confirm the identity of the bearer of the card before he or she may access governmental services or healthcare.
Why is it so?
In Gabon, for example, even before the program started, it was clear to everyone that all resources should be implemented to avoid the health cover program turning into a center of attention for the citizens of neighbouring countries.
This feature was crucial to ensure that the generosity of the program would not lead to its collapse through the fraudulent use of rights.
Hence beneficiaries are individually identified so that access to care can be reserved for them. It has been decided that the identification of insured parties will be nominative with the implementation of a Gabonese individual health insurance number.
Civil data, a photograph of the holder, and two fingerprints are digitized within the microprocessor, ensuring the encryption and protection of this data.
Hospitals, pharmacies, and clinics are using the health insurance card to check social security rights while protecting the confidentiality of personal data. Terminals are performing checks with fingerprint sensors.
#5 Civil Identity, population registration, and voter registration
AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database, ensure the identity and uniqueness of the citizen to the rest of the population in a reliable, fast, and automated way.
They can combine digital fingerprints, a photo, and an iris scan for higher reliability.
India’s Aadhaar project is emblematic of biometric registration. It is by far the world's largest biometric identification system and the cornerstone of reliable identification and authentication in India.
Aadhaar number is a 12-digit unique identity number issued to all Indian residents. This number is based on their biographic and biometric data (a photograph, ten fingerprints, two iris scans).
1,258,270,690 people have an Aadhaar number as of 24 June 2020, covering more than 99% of the Indian adult population.
Yes, you read that right: it's over 1.25 billion people.
Initially, the project has been linked to public subsidy and unemployment benefit schemes, but it now includes a payment scheme.
According to Finance minister Arun Jaitley in his speech of 1 February 2018, Aahaar is providing an identity to every Indian that has made many services more accessible to the people.
It has reduced:
- Cost of delivery of public services,
Biometric voter verification at work: identification is done with bar code, verification with a fingerprint.
Biometrics can also be critical for the "one person, one vote" principle.
To know more about this aspect, please visit our web dossier on biometric voter registration.
#6 Physical and logical access control
Biometric access control systems help to prevent unauthorized individuals from accessing:
- facilities (physical access control)
- computer systems and networks (logical access control) based on biometric authentication.
In IT, biometric access control can be a complementary user’s authentication factor and supports organizations’ Identity and Access Management (IAM) policies.
Unlike codes, static passwords, one-time passwords, or access cards that rely on data that can be forgotten or lost, biometric authentication is based on who people are (and not what they have).
In the mobile world, smartphones (a form of IT system) now usually include fingerprint and facial recognition features.
The iPhone 5 was first to introduce fingerprint recognition in 2013 (with TOUCH ID), and facial recognition became trendy with the iPhone X introduced in November 2017 (with FACE ID).
Today many Android phones have this feature (combined with iris scanning) too.
According to Counterpoint, more than 1B smartphones with fingerprint sensors were shipped in 2018, and those 1B smartphones will come with some form of face unlock solution in 2020.
#7 Commercial applications
KYC (Know Your Customer) or KYC check is the mandatory process of identifying and verifying the identity of the client when opening an account and periodically over time. (source: what is KYC? – Thales).
It is today a significant element in the fight against financial crime and money laundering.
With the use of biometrics, banks, fintech organizations, or even telecom operators can make customer mandatory KYC checks (Know Your Customer) faster and more efficiently using biometrics.
In India, the use of Aadhaar-based KYC for mobile connections and bank accounts is authorized (Aadhaar amendment act July 2019).
Retailers can leverage facial recognition to identify a premium customer or a former shoplifter as soon as they come into the store. If the system recognizes one, it sends an alert to the store manager.
The technology is a powerful marketing enabler or can be applied to policing.
- That’s what U.K.’s The Guardian claims (04 August 2019) as it states that it has become pointless to report shoplifting to the police in the country. Retailers have to find solutions to tackle an estimated £700m ($900m) loss. They turn to facial recognition solutions.
- According to the NYmag web site (October 2018), U.S. retailers are using facial recognition too. Almost all the top U.S. companies have facial recognition in their agenda or have at least investigated its potential. Wallmart dropped it, Target is not communicating on it, Lowe’s is using the technology, and Saks Fifth Avenue is using it in Canada.
However, privacy laws in Illinois, Texas, Washington, and California (as of January 2020) and New York state's SHIELD (( as of March 2020) will pose a serious challenge to these efforts.
Civil liberties groups want an embargo on the technology and a precise democratic debate about the place that facial biometrics should take in our lives."We should decide as a society" summarizes WIRED (August 2019 video).
The debate is not over. Stay tuned.
Visit our web dossiers to learn more about current trends in biometrics and privacy, consent, and function creep.
The biometrics market
The global biometric market is expected to top USD 50 billion by 2024, according to Global Markets Insights.
Non-AFIS will account for the highest biometrics market share, exceeding USD 18 billion till 2024.
Biometric applications in security and government sectors of North America are driving the regional market trends. The study claims, North America, with the U.S. at the helm, will represent more than 30% of the overall biometrics industry share by 2024.
The Asia Pacific region will also be witnessing robust growth. Governmental initiatives like CRIC (China Resident Identity Card) and the push for facial recognition or India's Aadhaar have genuinely favoured the commercialization of the biometrics industry in APAC.
Why multimodal biometrics?
The most well-known techniques include fingerprints, face recognition, iris, palm , and DNA-based recognition.
Multimodal biometrics combines several biometric sources to increase security and accuracy.
Multimodal biometric systems usually require two biometric credentials for identification, such as face and fingerprints instead of one. They can overcome limitations commonly encountered in unimodal systems.
For several years now, the use of several biometric features in combination, for example, the face and the iris or the iris and fingerprints, has made it possible to reduce error rates considerably.
Biometrics can also enhance multi-factor authentication (MFA).
Geolocation, IP addresses, and keying patterns can create a powerful combination to authenticate users securely.
Advantages of biometrics
Whatever the method, what all these biometric techniques have in common is that they all collect human characteristics which are:
- Universal, as they can be found in all individuals
- Unique, as they make it possible to differentiate one individual from another
- Permanent, allowing for change over time
- Recordable (with or without consent)
- Measurable, allowing for future comparison
- Forgery-proof (a face, a fingerprint)
Who needs biometrics?
A better question would be: what for?
The simple truth is that solutions are related to the challenges to be met.
The justice system, for example, must take the necessary time to identify a criminal and cannot accept the slightest error. It will not be worried about a lengthy and costly process.
An everyday individual will seek to protect their personal property and have access to it quickly, at a reasonable price.
Governments and public administrations are, in their case, confronted with multiple issues at once.
Just think about it.
- They have to make it easier to cross borders while controlling illegal immigration, fight terrorism, cybercrime, or electoral fraud.
- They need to issue documents compliant with new international standards and regulations, guarantee the security of systems for the production, check of such materials, and data interoperability.
- And all this should be done within the limits of their budgets.
On this scale, only an innovative approach to global security which makes use of technological solutions and process which are adapted to the challenges can enable States to effectively address the issues they face and provide them with the means of building trust.
Is biometrics reliable?
Biometric authentication relies on statistical algorithms. It, therefore, cannot be 100 %-reliable when used alone.
"false rejections" or "false acceptances."
What's the story here?
- In one case, the machine fails to recognize an item of biometric data that does, however, correspond to the person.
- In the reverse case, it assimilates two items of biometric data that are not from the same person.
"False rejection" or "false acceptance" are symptoms that occur with all techniques used in biometrics.
How accurate is biometrics?
What's the problem?
Why would biometrics not be accurate?
Think about this one minute again.
The technical challenges of automated recognition of individuals based on their biological and behavioural characteristics are inherent to the transformation of analogue (facial image, fingerprint, voice pattern) to digital information (patterns, minutiae) that can then be processed, compared, and matched with effective algorithms.
There are about 30 minutiae (specific points) in a fingerprint scan obtained by a live fingerprint reader.
The U.S. Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than eight minutiae in common.
Recognition decisions in biometric systems have to be taken in real-time and, therefore, computing efficiency is critical in biometric apps.
It is not the case in biometric forensics, where real-time recognition is not a requirement.
Facial recognition is the most natural means of biometric identification. The face recognition system does not require any contact with the person.
The 1200 million electronic passports in circulation in mid-2019 provide a huge opportunity to implement face recognition at international borders.
And the algorithms are getting extremely accurate with Artificial Intelligence.
According to a 2018 NIST study, the system developers have made massive gains in facial recognition accuracy in the last five years (2013- 2018).
NIST found that 0.2% of searches, in a database of 26.6 m photos, failed to match the correct image, compared with a 4% failure rate in 2014.
It's a 20x improvement over four years.
The risks of error are related to very different factors.
- We have noted that particular biometric techniques were more or less well suited to specific categories of persons. A particular system may work for women, but less well for men, or young people, but not for older people, for people with lighter skin, but less well for those with darker skin.
- Other difficulties arise in particular with facial recognition, when the person dyes or cuts their hair, change the line of their eyebrows or grows a beard. We can imagine cases of "false acceptance" when the photo taken modifies distinctive character traits in such a way that they match another item of biometric data stored in the database.
- A verification photo, taken with a low-quality model of camera, can noticeably increase the risk of error. The accuracy of the identification relies entirely on the reliability of the equipment used to capture data.
- The risk of error also varies depending on the environment and the conditions of application. The light may differ from one place to another, and the same goes for the intensity or nature of background noise. The person's position may have changed.
Also, in a biometric control application, the rejection or acceptance rate are intertwined and can be tuned according to an acceptable level of risk. It is not possible to modify one without impact the other one.
Why is it so?
In the case of a nuclear plant access control application, the rate of false acceptance will be hugely reduced. You don't want ANYONE to enter by chance.
This demand will also impact the rate of false rejections because you will tune the system to be extremely accurate.
You will probably use several authentication factors, including a valid ID in addition to biometrics (single mode or multimodal).
According to the Keesing Journal of Documents & Identity (March 2017), two complementary topics have been identified by standardization groups.
- Make sure the captured image has been done from a person and not from a mask, a photograph or a video screen, (liveliness check or liveness detection)
- Make sure that facial images (morphed portraits) or two or more individuals have not been joined into a reference document, such as a passport.
Can facial recognition systems be fooled in 2020?
If you want to know more, read our January 2020 web review on top facial recognition trends.
Other biometric devices: Tokens & biometric cards
Biometrics suffers from the fact that the matching algorithms cannot be compared to the hashes of passwords, as we said.
This means that two biometric measures cannot be compared with each other without them, at some point, being "in plaintext" in the memory of the device doing the matching.
Biometric checks must, therefore, be carried out on a trusted secure device, which means the alternatives are to have a centralized and supervised server, a trusted biometric device, or a personal security component.
Smart ID cards
This security requirement is why tokens and smart cards (IDs or banking cards now) are the ideal companions for a biometric system.
The South African electronic ID card uses biometrics.
Numerous national identity cards (Portugal, Ecuador, South Africa, Mongolia, Algeria, etc.) now incorporate digital security features, which are based on the "Match-on-Card" fingerprint matching algorithm.
Unlike conventional biometric processes, the "Match-on-Card" algorithm allows fingerprints to be matched locally with a reference frame thanks to a microprocessor built into the biometric ID card without having to connect to a central biometric database (1:1 matching).
Biometric sensor cards
A biometric payment card with a sensor (where the thumb is)
The integration of a fingerprint scanner into smart cards is another form of delivering a safe and convenient way to authenticate people.
These biometric sensor cards open up a new dimension in identification with an easy-to-use, portable, and secure device.
They were launched in 2018 for the first time by the Bank of Cyprus and Thales for EMV cards (contactless and contact payment). They use fingerprint recognition instead of a PIN code to authenticate the cardholder.
The cards support access, physical or online identity verification services.
As the user's biometric data is stored on the card, not on a central database, customer details are highly protected if the bank was to suffer a cyber-attack. Likewise, if the card was to become lost or stolen, the holder's fingerprint could not be replicated.
Put it in another way: the biometric identifiers are checked locally and protected, as they are stored solely on the card. They never leave the card.
Biometrics can fulfil two distinct functions, authentication and identification, as we said.
Identification answers the question, "Who are you?". In this case, the person is identified as one among a group of others (1: N matching). The personal data of the person to be identified are compared with the data of other persons stored in the same database or possibly other linked databases.
Authentication answers the question: "Are you really who you say you are?". In this case, biometrics allows the identity of a person to be certified by comparing the data that they provide with pre-recorded data for the person they claim to be (1:1 matching).
These two solutions call upon different techniques.
Identification, in general, requires a centralized database that allows the biometric data of several persons to be compared.
Authentication can do without such a centralized database. The data can simply be stored on a decentralized device, such as one of our smart cards.
For data protection, a process of authentication with a decentralized device is to be preferred. Such a process involves less risk.
The token (ID card, military card, health card) is kept in the user's possession, and their data does not have to be stored in any database.
Conversely, if an identification process requiring an external database is used, the user does not have physical control over their data, with all the risks which that involves.
Why are biometrics controversial?
Biometric security offers many advantages (to authenticate and identify strongly) but is not without controversy. This challenge is linked to privacy and citizen's ability to control information about themselves.
Two types of risks can be identified:
- The use of biometric data to other ends (aka function creep) than those agreed by the citizen either by service providers or fraudsters. As soon as biometric data is in the hands of a third party, there is a risk that such data may be used for purposes different from those to which the person concerned has given their consent.
There may thus be cases of unwanted end use if such data is interconnected with other files, or if it is used for types of processing other than those for which it was initially intended.
- The risk of re-use of data presented for biometric checks. The data can be captured during their transmission to the central database and fraudulently replicated in another transaction.
A result is a person losing control over their data, which poses risks in terms of privacy.
In practice, data protection authorities seem to give preference to solutions that feature decentralized data devices.
Do you want to see how biometric data are protected around the world?
Biometrics and data protection
The "United Nations Resolution" of 14 December 1990, which sets out guidelines for the regulation of computerized personal data files, does not have any binding force.
On a more global basis, legal deliberations thus rely to a vast extent on provisions relating to personal data in the broad sense. But such provisions sometimes prove to be poorly adapted to biometrics.
On the contrary, the new E.U. regulation replaces the existing national laws as of May 2018.
The General Data Protection Regulation is directly applicable in all 27 Member States of the European Union and the U.K. as of May 2018.
And biometric data are clearly defined and protected.
Can this be true? Yes.
In a nutshell, it establishes:
- A harmonized framework within the E.U.,
- The right to be forgotten,
- "Clear" and "affirmative" consent,
- Severe penalties for failure to comply with these rules.
Note that outside the European Union, the level of protection differs depending on the legislation in force. Assuming – that is – that there is any such legislation.
An example is the United States, where three states (Illinois, Washington, and Texas) protected biometric data, and.. 47 did not in 2019.
But things may move faster in 2020.
The California Consumer Privacy Act is a significant step forward for the country. It enhances privacy rights and consumer protection for residents of California and is applicable as of 1 January 2020.
Why is it important?
The CCPA may serve as a model for a future federal legal framework.
To know more about biometric data protection in the E.U. and U.K. (GDPR), in the United States (CCPA) and recent changes in India, discover our dossier dedicated to privacy regulations and biometric data.
Putting biometric systems to work for digital security
Thales possesses its technology, recognized worldwide, which, combined with its impartial stance on the source of biometric data, allows it to help everyone put their trust in the digital world.
An expert in strong identification solutions with more than 200 civil ID, population registration, and law enforcement projects that incorporate biometric security, Thales can act as an independent force in proposing and recommending the most suitable solution in each case.
Thales attaches a great deal of importance to the assessment of risks, which may not always be visible to the general public, and to the capacity of private operators to manage such risks.
Similarly, legal and social implications are also very significant.
Though Thales keeps an open mind about biometric techniques, it remains no less convinced that, whatever the choice of biometric, this technology offers significant benefits for guaranteeing identity.