Identity Primer: What Are Biometrics?
The word "Biometric" is a combination of "bio" (human) and "metric" (measurement). In simple terms it is all about measuring things about humans that make them different from other humans. The biometric that most people are familiar with is the fingerprint, but as we will find out in this post there are lots of other biometrics with their own strengths and weaknesses. This is a complex, diverse field of science. This post will just cover the highlights, but later posts will go into more detail.
A biometric modality describes a type of measurement. The most common modality is the fingerprint, which has actually been used for identification since ancient Babylon. Other common biometrics are the iris (colored part of the eye), and face. These three probably constitute 95+% of biometrics used in practice. However, other biometrics include voice, how a person walks, retina, hand geometry, ear shape, heartbeat, typing style and even smell. It turns out that humans are full of unique things if you look hard enough. This is the result of random variations in genetics and the womb. Identical twins even have unique biometrics!
Prior to computers, fingerprints were matched by humans using something called the Henry Classification System. Fingerprints on cards were organized into categories based on the pattern type and stored in filing cabinets. To make a match, a person identified the category of the print and started manually comparing the print to the cards in the filing cabinet. It was a tedious and lengthy process and finding a match normally took months. Luckily, matching in modern biometrics systems is 100% automated, with humans sometimes called in to make a final determination. Contrary to what you might see in Hollywood, computers don't match images, they match a mathematical representation of the image called a template. There are many reasons for this, but most importantly templates are much smaller than images and much easier for computers to match. For example, a fingerprint image is typically around 500,000 bytes, while a fingerprint template can be as small as 200 bytes.
The process of converting a biometric image to a template is called extraction, and it is a very CPU intensive process. For example, to convert a medium sized face image to a template will typically take around half a second, an eternity in computer terms. Since matching only happens with templates, this process has to happen any time you present a biometric image to a system. When you put your finger on your phone to unlock it, most of the time it takes to unlock your phone is taken up by the extraction process. Matching is almost instantaneous in a phone application.
Automated Fingerprint Identification System (AFIS)
In a biometric system we are usually matching a sample against a database called a gallery. If you get a background check from the FBI, they are checking your fingerprints against their gallery of 70 million criminals. When you unlock you phone you are searching a gallery of a few examples (3-5) of your finger. Although both of these processes involve biometric matching, they are considered to be fundamentally different. When you unlock your phone, your phone is checking to see if you are who you claim to be (the phone owner), a process called verification. This is also called 1:1 matching because you are matching a sample against one person in your gallery. With a background check or a crime scene you don't know whether the sample is in your gallery or not so you compare it against all of the records to see if there is a match, a process called identification. This process is also called 1:N matching because you have to compare it to every person in your gallery. As you might expect, identification is a lot harder than verification because of the size of the gallery.
Whenever we talk about biometrics, one of the first questions that comes up is about accuracy. It seems people really want to have one number for accuracy so they can say something like "my biometric safe is 99% accurate!" Sadly, the real situation is a bit more complex than that. And if you dig deeper it is way, way more complex. But I will stick for one level of complexity for now. It turns out there are two types of errors a biometric system can make, and no amount of pressure from marketing can make us compress that to one because, well, math. A system can erroneously match someone it shouldn't, like when people mistake me for Hugh Grant. That type of error is called a false match. The second type of error is when the system does not match someone who should match, called a false non-match. To understand the accuracy of a biometric system, you have to understand both of these probabilities. Consider a typical biometric system used to control access to a facility. A false match means you allow someone in who shouldn't be allowed. A false non-match means you block someone who should be allowed. False non-matches are annoying; false matches are dangerous. Biometric systems can be tuned to optimize one factor over another, but it is a trade-off. If you decrease false matches, you increase false non-matches and vice-versa. There is no free lunch.
In most security applications, the system is tuned to minimize false matches to a very, very low number because letting an unauthorized person into your facility is very bad, but annoying your employees is less bad. An interesting counterpoint to this is a place like Disneyland who uses biometrics to prevent re-use of season passes. In their application, if they happen to let in a few people trying to cheat the system it isn't as bad as annoying their paying customers so they likely optimize the other way. In modern biometrics, false matches are extremely rare unless the system is biased to minimize non-matches to an absurd degree. If you have ever used a biometric system I am sure you have been a victim of a false non-match. However, most of these are caused by poor sensors or user error (sorry, blaming the victim here) and not by problems in the matchers themselves. One exception to this is the US Visit system, used to check foreigners entering the US against a biometric watch list. This system originally used only two index fingers but as the database grew past 100 million records they started to get false matches because two fingers weren't unique enough so they had to switch to checking eight fingers, which is expected to be completely unique across the world population for the foreseeable future. It is important to note, however, that these false matches were because the fingerprint templates were close, not the actual fingerprints. It is still believed that fingerprints are "effectively" unique. There is no way to prove this, however.
As someone who is deeply concerned about privacy, and often conflicted about my chosen industry, I do want to close this post with a discussion of how biometrics can harm privacy. Biometrics can absolutely be used to create a totalitarian state, a panopticon, 1984, or any other nightmare scenario you can imagine because they can provide automated tracking of individuals to a high degree of accuracy. Camera technology has advanced so much that tiny cameras you won't even notice can easily capture your face, and somewhat less easily capture your iris or fingerprints without your knowledge. These biometrics can be searched against databases without your consent or knowledge. Stores can track how often you visit and who accompanies you. That evidence can be subpoenaed and used against you. If you have ever had an FBI background check the FBI can retain your fingerprints and search them whenever a crime is committed. All the bad stuff is there. However, your phone does pretty much the same thing, but in a way that is much easier to process.
I wish the answer were as easy as "outlaw biometrics" or "don't let them capture your biometrics" or wear funny makeup. But those options are gone and the genie is out of the bottle. Like most technology, biometrics can used for good or evil, and for security, forensics, fraud prevention, and a host of other applications biometrics are an invaluable tool. If you are concerned about your privacy, the best option is to continue to push for transparency and accountability. Organizations should be held accountable in court or in the marketplace if they are misusing your biometrics.