Biometric ID is an increasingly popular security measure across the world today, but what is it, and does it make sense for your company? Let’s take a closer look at the latest trend in security and whether it’s likely to stay around.
What Is Biometric ID?
Biometric ID is the process of using unique personal characteristics to identify a person. This is usually for security purposes, like restricting access to particular areas in companies, but law enforcement also uses a type of biometric ID when investigating crime scenes and trying to identify suspects in criminal investigations.
Most biometrics are not perfect, and therefore biometric security is not quite perfect, either. For example, if someone gets a cut on their fingertip, the biometric data for their fingerprint changes and no longer matches the information a company has on file. This is why most biometric verification systems look for matches that are close enough rather than precisely accurate.
What Is Biometric Verification?
Biometric verification is the part of biometric ID where the provided information is matched to a database to assess its accuracy. Many security systems have multiple-stage verification to ensure errors with one step don’t throw the whole system off.
History of Biometric ID
Biometric ID has a long history, with some evidence indicating the existence of basic systems as early as 500 BC. The earliest modern form that most people will recognize is using signatures for legal documents, which allows comparing one to another to see how well they match.
It is possible to forge signatures, so this is far from a perfect security measure, but it does work for most people in most situations. Electronic signature verification forms may track the exact writing technique, including pressure, to provide more accurate information, but these don’t always qualify as biometric ID.
The use of biometric data has become far more common since computers and scanning technology became widespread, with new systems entering the market. Biometric systems are often an excellent way to prevent identity theft because faking certain types of biometrics is nearly impossible, but errors still occur.
While signatures have been in use for a long time, fingerprints are a more recent biometric ID system. It came to the forefront in 1903 when a man named Will West arrived at a prison in Leavenworth.
The prison staff used biometric identifiers, including photographs and anthropometric measurements, to identify Will West as William West, with a known conviction for murder. This probably would have been the end of it if the real William West, who looked startlingly similar to Will, hadn’t already been a prisoner there.
The two were compared by several measures until, finally, someone took their fingerprints and realized the two men were quite different there. This demonstration of the failings of specific identification systems remains relevant today, with even modern facial recognition algorithms struggling to identify various groups. Thus, multi-stage identification is strongly preferred.
Types of Biometric ID
Here are the most common forms of accurate biometrics and identification systems currently in use.\
DNA matching uses an individual’s unique DNA to identify them, separate from most other people on the planet. DNA ID is a mostly-reliable technique, although analysis can be a little slow and is prone to contamination if not conducted properly. The likelihood of contamination is the main argument against using this as a primary form of ID.
DNA matching is also ineffective in rare cases, such as identical twins who share the same DNA.
This form of identification can be used without the individual present as long as you have some source of their DNA, such as spit, so it remains relatively common for law enforcement and medical purposes.
Ear biometrics use the shape of a person’s ear to identify them. This is relatively easy to spoof if people are looking for it and have sufficient references to create a fake ear, but it’s also not very well-known, and people may not plan for it. Ear-based biometrics are relatively rare, and most people probably won’t experience it for themselves.
Eyes – Iris
Iris recognition uses the unique patterns found in a person’s iris, which is the colored part on the front of their eye. Irises are relatively challenging to spoof, although too much expansion or contraction of the iris can throw the system off.
Irises also change slowly over time, so this is not a practical long-term biometric identifier unless updated regularly. It’s much more reliable in the short term and sees some use in secure facilities.
Eyes – Retina
Retina scanning is another way to identify people. This involves scanning blood veins in the back of the eye to create a unique pattern. This is relatively difficult to spoof, but as people who have sat for scans at the optometrist know, it can be hard to get a clear reading of the eye without several attempts.
Accordingly, retina scans are a slow but reliable technique. They’re too slow for many people, though, and the inconvenience of sitting for half a dozen scans or more means most people prefer types of biometric ID that are less of a hassle to use.
Retina scans remain relatively rare but may see more use as scanning technology gets more reliable.
Facial recognition is one of the most common types of biometric identification in use today. These systems use algorithms to identify multiple features on a person’s face and match those to a database.
However, the algorithms best identify Caucasian faces and struggle with Asian and African faces. Part of this may be due to the way algorithms are taught, but facial recognition software is fundamentally impractical in certain areas. Most companies who use this allow at least one alternate form of identification for security
Fingerprint analysis is one of the most classic forms of biometric ID, based on the assumption that two people are unlikely to have the same pattern. This is widely assumed correct, although nobody’s conclusively proven it.
The primary issue with fingerprint recognition is that there are few standards or agreements on how much something needs to match before it’s declared valid. Some places might accept only three or four points of identification, while other regions could require upwards of twenty. This means courts occasionally throw out fingerprint evidence.
Nevertheless, digital scanners mean fingerprints are making more of a comeback and even serving as an unlocking key for many household electronics. Computers can measure fingerprints with relatively high precision and will likely remain the preferred way to check them in the future.
Finger Geometry Recognition
Finger geometry recognition, also known as hand geometry recognition, is a modern verification technique that examines the specific geometry of the fingers and hand to produce points of reference. This includes factors like the height of parts of the hand, the thickness of the fingers, and the distance between the knuckles.
Geometry-based recognition is less precise than many other biometric identification systems, so it’s not a good choice for security-conscious areas. However, it works well for casual identification processes, so theme parks and similar businesses occasionally add it for smaller groups.
The main issue with finger geometry recognition is that it’s prone to failure if someone has a problem with their hands. Issues like allergies or illness can change the details of someone’s hand as things get inflamed. Such errors happen often enough that such recognition is usually just one of several options for people.
Gait is a relatively rarer style of biometric ID, and it doesn’t see much use in most areas. The idea is that people have different walking styles, so walking in a certain way can authenticate them. However, like many behavior-based systems, it’s prone to failure from environmental circumstances.
Issues like injuries or wearing different shoes can change someone’s gait. People may also get nervous and stride in different ways when they know someone is analyzing them, which can throw off the results. Gait-based testing systems also require more space than many others.
Together, the inefficiency and comparatively low accuracy of gait analysis make this a poor option in most areas. It’s more likely to see implementation as a backup verification system rather than a primary one.
Odor-based detection involves analyzing the specific combination of pheromones that a person gives off. Computers mostly do this because human-based sensing is both inaccurate and inconvenient.
Some places may use trained dogs or other animals to conduct odor-based identification. It’s possible to fool such systems if you plan for them, but it’s certainly an option for areas that only have everyday security needs.
Typing recognition is similar to gait verification in that it looks for specific physical behaviors. In this context, the exact timing of how someone types certain words can be used to distinguish them from others. This gets more accurate if there are many samples to compare a person’s typing to.
However, this is also a skill-based identification system, which can pose a problem in many environments. Some people only have minimal experience typing, and others do so mainly through touchscreens instead of a mechanical keyboard. Issues like using a different keyboard can also throw off someone’s typing.
Together, these issues mainly relegate typing recognition to the realm of interesting but impractical. If people are going to type something, most organizations would rather just use a password instead.
Vein recognition involves analyzing the pattern of blood vessels in either the palm or the fingertip. These are highly difficult to spoof, although blood vessels are much easier to see on some people than on others. However, blood vessels can change due to injury, so this isn’t a good long-term recognition system.
Vocal – Speaker Identification
Speaker identification systems aim to use vocal information and compare those to existing templates to find similarities. This is less about matching a specific word or sound and more about examining the general attributes of a voice.
Most places use this as a first-level check. This is particularly true in law enforcement, where identifying sounds can help find suspects. This process isn’t suitable for matching people exactly, but it can remove most obviously-wrong suspects and give a much smaller number of people to choose from.
To a lesser degree, speaker identification is useful for smart home assistants and similar technology. In these cases, a biometric ID can be used to match a user profile and any associated preferences. For example, if someone asks a smart assistant to play music, it can consult the person’s known preferences to find a match.
This is important because it shows the use and the value of having biometric identification outside of security or safety-focused areas. Useful technology sees more development, which encourages people to find more ways to use it until it finally hits maturity.
It’s also crucial to distinguish between speaker and speech recognition. Speaker recognition identifies who is speaking, while speech recognition determines what they say. Some systems use only one of these, while other systems use both.
Vocal – Speaker Authentication
Speaker authentication is similar to identification, but it focuses on repeating the same sound and matching it to a voiceprint or model. Verification is significantly more advanced than identification, so it sees use in secure facilities.
The main drawback of authentication is that it requires a specific saved model to compare things to. That can be hard to get if you don’t ask for it. This is why police often use speaker identification to find subjects but can’t run audio through a database to try and authenticate an exact match.
Identification vs. Verification
The difference between identification and verification is an essential component of biometric systems, including those used to prevent cybercrime like a ransomware attack.
Identification systems focus on determining who a person is from a series of results. This usually involves checking a database to find a match or at least something that’s close enough to the information provided.
Verification systems instead focus on determining if someone is who they claim. This means they’re comparing the data to a specific user already in the system. Both systems rely on having existing knowledge of a person, so biometric identification doesn’t work for anyone who isn’t already in the system.
Most security systems include both of these categories to cut down on errors. Identification usually comes first to see if there’s anyone in the database that matches, and then verification follows to prove that a physical person is who they claim. Multi-step identification is significantly more reliable, so the more secure something is, the more levels it will have.
Which Biometric Identification Systems Are the Best?
There are no universally perfect biometric identification systems. Iris and retina examinations, for example, have extremely high security and accuracy but low usability. Keystroke dynamics and voice recognition are easy to use but not viable for long-term identification.
This flaw is why companies that want to implement biometric ID must consider their needs and how practical it is to collect and use this information. Biometric ID plans can also be affected by local laws and regulations that affect details like the data you can gather and share with your company.
The issue here is that some forms of biometric identification are essentially medical information, and that’s often protected. Furthermore, saving the information somewhere makes it possible for someone else to access it and find ways to get around it.
A viable identification system has several components. Retina scans alone are a poor security measure, but a fingerprint scan, vocal authentication, a facial recognition scan, and entering a password on a number pad are much more challenging for someone to break through without extensive preparation.
Some places go further by embedding biometric information into chips inserted below the skin. Chips provide something to scan as an extra level of proof, although this also makes it easier to steal information unless it’s securely encrypted.
Spoofing Biometric ID
In the 1997 movie sci-fi Gattaca, a man considered genetically inferior impersonates someone else, considered more desirable, going as far as collecting urine and DNA samples to spoof tests as he tries to realize his dream of traveling into space.
While the movie is fictional, most of the biometric systems they use are not. It’s easier to spoof some forms of biometric ID than others, especially if it’s something that you can prepare ahead of time. For example, blood and urine samples are comparatively easy to fake, especially if you have a willing partner in the process.
Things like retina scans are much harder to fake and harder to implement. Someone could realistically try to fail such scans on purpose and then ask for an alternate identification that’s easier to fake. This even applies to DNA testing, which is outstanding in identification but not as good for verification.
Biometric identification systems will see continued use and growth in the years to come. They’re not necessary for every situation, but can be used to protect some of your most important assets.
One way or another, biometric ID is here to stay. The only real question is how you’re going to apply it.