Biometric scanning devices are used to scan employee identification cards

Most importantly, awareness and acceptance have been boosted in the past seven years, as millions of smartphone users are unlocking their phones with a fingerprint or a face.

Again, biometric systems are great wherever identification and authentication are critical.

#1 Law enforcement and public security  

Law enforcement biometrics refers to applications of biometric systems that support law enforcement agencies.

This ​category can include criminal I.D. solutions such as Automated Fingerprint (and palm print) Identification Systems (AFIS). They store, search and retrieve fingerprint images and subject records.​

Today Automated Biometric Identification Systems (ABIS) can create and store biometric information that matches biometric templates for the face (using the so-called mugshot systems), finger, and iris.

Discover the work of forensic analysts​ in our video.

Live face recognition - the ability to perform face identification in a crowd in real-time or post-event - is also gaining interest for public security - in cities, airports, at borders, or other sensitives such as stadiums or places of worship. 

These surveillance systems are being tested or used in many countries. They are challenged and sometimes put on hold. Read California bans law enforcement from using facial recognition.

#2 Military - Know your enemy  

Much is unknown about how defense agencies around the world use biometric data.

The fact is that information is difficult to come by and share as it is not public.

The United States military has been collecting faces, irises, fingerprints, and DNA data in a biometric identification system since January 2009.

The biometric program started as early as 2004 and initially collected fingerprints.

Who's in charge?

The Defense Forensics and Biometrics Agency (DFBA) manages the system, known as the DoD Automated Biometric Information System.

According to OneZero (6 November 2019), the 7.4 million identities in the database are, for the vast majority, coming from military operations in Iraq and Afghanistan.

For 2008-2017, the DoD arrested or killed 1,700 individuals based on biometric and forensic matches (U.S. Government Accountability Office website - see page 2/59). 

In the first half of 2019, biometric identification has been used thousands of times to identify non-U.S. citizens on the battlefield.

#3 Border control, travel, and migration

The electronic passport (e-passport) is a familiar biometric travel document. The second generation of such documents, also known as biometric passports, includes two fingerprints stored and a passport photo.

But think about it for one minute.

Over 1.2 billion e-passports were in circulation in 2021.

That means over 1.2 billion travelers have a standardized digital portrait in a secure document. It's a windfall for automatic border control systems (aka e-gates) but also for self-service kiosks. 

• The photo speeds up border crossing through scanners, which use the recognition principle by comparing the face or fingerprints. 
• Check-ins and bag-drop solutions also increase speed and efficiency while maintaining high levels of security. 

Needless to say, for airports and airlines, providing passengers with a unique and enjoyable travel experience is a business priority.

Biometrics provides here irrefutable evidence of the link between the passport and its holder. 

• Biometric authentication is done by comparing the face/fingerprint(s) seen/read at the border with the face/fingerprints in the passport micro-controller. If both biometric data match, authentication is confirmed. ​​​​
• ​Identification, if necessary, is done with the biographic data in the chip and printed.
   

Besides, many countries have set up biometric infrastructures to control migration flows to and from their territories. 

Fingerprint scanners and cameras at border posts capture information that helps identify travelers entering the country more precisely and accurately.

The same applies to consulates for visa applications and renewals in some states.

The U.S. Department of Homeland Security's Customs and Border Protection (CBP) declared that more than 43.7m individuals had been scanned at border crossings, outbound cruise ships, and elsewhere so far. This process helped stop 252 people from attempting to use another person's passport to cross the border. (V.B., 6 February 2020.)

We describe in detail three examples of biometric databases:

• The U.S. Department of Homeland Security's IDENT biometric system​is the largest of its kind (over 200m people in the base and about 260m by 2022.)
• The European Union's EURODAC, ​​serving 32 nations in Europe (biometrics for asylum​ seekers)
• The ambitious European Entry/Exit System (EES) is to be put in place in 2022.

​#4 Healthcare and subsidies

Other applications, chiefly national identity cards, are widespread in European and Middle East countries or Africa for I.D. and health insurance programs, such as in Gabon. 

With these biometric I.D. cards, fingerprints are used to confirm the bearer's identity before accessing governmental services or healthcare. 

Why is it so?

In Gabon, for example, even before the program started, it was clear to everyone that authorities had to implement all resources to avoid the health cover program turning into a center of attention for neighboring countries' citizens.

This feature was crucial to ensure that the program's generosity would not collapse through the fraudulent use of rights. 

Hence beneficiaries are individually identified so that access to care can be reserved for them. The authorities decided that insured parties' identification will be nominative with implementing a Gabonese individual health insurance number. 

Civil data, a photograph of the holder, and two fingerprints are digitized within the microprocessor, ensuring this data's encryption and protection. 

Hospitals, pharmacies, and clinics use health insurance cards to check social security rights while protecting personal data confidentiality.

Terminals are performing checks with fingerprint sensors.

#5 Civil Identity, population registration, and voter registration  

AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database, ensure citizens' identity and uniqueness to the rest of the population in a reliable, fast, and automated way. 

They can combine digital fingerprints, photos, and iris scans for higher reliability.

Civil identity and population registration

India's Aadhaar project is emblematic of biometric registration. It is the world's most extensive biometric identification system and the cornerstone of reliable identification and authentication in India.

The Aadhaar number is a 12-digit unique identity number issued to all Indian residents. This number is based on their biographic and biometric data (a photograph, ten fingerprints, two iris scans).

1,322,356,588 Aadhaar IDs have been issued as of 27 January 2022, covering more than 99% of the Indian adult population.

Yes, you read that right: it's over 1.3 billion people. India's population was estimated at 1.4B in January 2022.

Initially, the project has been linked to public subsidy and unemployment benefit schemes, but it now includes a payment scheme.

According to Finance minister Arun Jaitley in his speech of 1 February 2018, Aadhaar provides an identity to every Indian that has made many services more accessible to the people. 

It has reduced:

• Corruption, 
• Cost of delivery of public services,
• Go-betweens.

Biometric voter verification at work: identification is made with bar code, verification with a fingerprint.

Voter registration

​Biometrics can also be critical for the "one person, one vote" principle.

Please visit our web dossier on biometric voter registration ​to know more about this aspect.​

#6 Physical and logical access control

Biometric access control systems help to prevent unauthorized individuals from accessing:

• facilities (physical access control)
• computer systems and networks (logical access control) based on biometric authentication.

In I.T., biometric access control can complement user authentication and supports organizations'Identity and Access Management (IAM) policies.

Unlike codes, static passwords, one-time passwords, or access cards that rely on data that can be forgotten or lost, biometric authentication is based on who people are (and not what they have).

In the mobile world, smartphones (a form of I.T. system) now usually include fingerprint and facial recognition features.

The iPhone 5 was the first to introduce fingerprint recognition in 2013 (with TOUCH ID), and facial recognition became trendy with the iPhone X introduced in November 2017 (with FACE ID).

Many Android phones have this feature (combined with iris scanning).

#7 Commercial applications

KYC (Know Your Customer) or KYC check is the mandatory process of identifying and verifying the client's identity when opening an account and periodically over time. (source: what is KYC? – Thales).

Today, it is a significant element in the fight against financial crime and money laundering.

With biometrics, banks, fintech organizations, or even telecom operators can make customer mandatory KYC checks (Know Your Customer) faster and more efficiently using biometrics.

The pandemic has accelerated online digital onboarding, and bank account opening as many branches were temporarily closed. Businesses have been developing mobile user-friendly onboarding processes, including facial recognition as a critical feature for identity verification.

In India, Aadhaar-based KYC for mobile connections and bank accounts is authorized (Aadhaar amendment act July 2019).

The UIDAI (Unique Identification Authority of India), in charge of the program, initially kept all authentication services free for all to lower the barrier to entry.

It has only begun charging relying parties in 2019.

Since 2019, private organizations are charged US$0.007 for Aadhaar authentication (for a yes/ no challenge) and US$0.3 for e-KYC transactions. 

Retailers can leverage facial recognition to identify a premium customer or a former shoplifter as soon as they come into the store. If the system recognizes one, it alerts the store manager.

The technology is a powerful marketing enabler or can be applied to policing.

• That's what U.K.'s The Guardian claims (04 August 2019) as it states that it has become pointless to report shoplifting to the police in the country. Retailers have to find solutions to tackle an estimated £700m ($900m)loss. They turn to facial recognition solutions.
• According to the NYmag website (October 2018), U.S. retailers also use facial recognition. Almost all the top U.S. companies have facial recognition in their plan or have investigated its potential. Walmart dropped it, Target is not communicating on it, Lowe's uses the technology, and Saks Fifth Avenue uses it in Canada.

However, privacy laws in Illinois, Texas, Washington, and California (as of January 2020) and New York state's SHIELD ( as of March 2020) will pose a serious challenge to these efforts.

Civil liberties groups want an embargo on this technology and a precise democratic debate about the place that facial biometrics should take in our lives.

The debate is not over. Stay tuned.

Visit our web dossiers to learn more about current trends in biometrics and privacy, consent, and function creep. 

The biometrics market 

According to Global Markets Insights, the global biometric market is expected to top USD 50 billion by 2024.

Non-AFIS will account for the highest biometrics market share, exceeding USD 18 billion by 2024. 

Biometric applications in the security and government sectors of North America are driving the regional market trends. With the U.S. at the helm, the study claims North America will represent more than 30% of the overall biometrics industry share by 2024. 

The Asia Pacific region will also be witnessing robust growth.

Governmental initiatives like CRIC (China Resident Identity Card) and the push for facial recognition or India's Aadhaar have genuinely favored the commercialization of APAC's biometrics industry.

Why multimodal biometrics?

The most well-known techniques include fingerprints, face recognition, iris, palm​, and DNA-based recognition. 

Multimodal biometrics combines several biometric sources to increase security and accuracy.

Multimodal biometric systems usually require two biometric credentials for identification, such as face and fingerprints, instead of one​.

They can overcome limitations commonly encountered in unimodal systems. 

For several years now, using several biometric features in combination, such as the face and the iris or the iris and fingerprints, has considerably reduced error rates.

Geolocation, I.P. addresses, and keying patterns can create a powerful combination to authenticate users securely.

Advantages of biometric data

Whatever the method, what all these biometric techniques have in common is that they all collect human characteristics:

• Universal, as they can be found in all individuals.
• Unique, as they make it possible to differentiate one individual from another
• Permanent, as they don't change over time
• Recordable (with or without consent)
• Measurable, allowing for future comparison
• Forgery-proof (a face, a fingerprint)

Who needs biometrics?

A better question would be: what for?

The simple truth is​ that solutions are related to the challenges to be met.​ 

For example, the justice system must take the necessary time to identify a criminal and not accept the slightest error. It will not be worried about a lengthy and costly process. 

An everyday individual will seek to protect their personal property and have access to it quickly, at a reasonable price. 

Governments and public administrations are, in their case, confronted with multiple issues at once. 

Think about it.

• They have to make it easier to cross borders while controlling illegal immigration, fight terrorism, cybercrime, or electoral fraud.
• They need to issue documents compliant with new international standards and regulations, guarantee the security of production systems, check such materials, and data interoperability.
• And all this should be done within the limits of their budgets.  

Is biometrics reliable?

Biometric authentication relies on statistical algorithms. It, therefore, cannot be 100 %-reliable when used alone. 

"false rejections" or "false acceptances."

​What's the story here?

• In one case, the machine fails to recognize an item of biometric data that does correspond to the person. It's a false rejection.
• The reverse case assimilates two biometric data items that are not from the same person. It's a false acceptance.

"False rejection" or "false acceptance" are symptoms that occur with all biometric techniques. 

How secure are biometric authentication technology and biometric data?

How accurate is biometrics in 2022?

​What's the problem? 

Why would biometrics not be accurate?

Think about this one minute again.

The technical challenges of automated recognition of individuals based on their biological and behavioral characteristics are inherent in transforming analog (facial image, fingerprint, voice pattern) to digital information (patterns, minutiae) that can then be processed, compared and matched with effective algorithms.

Fingerprints

There are about 30 minutiae (specific points) in a fingerprint scan obtained by a live fingerprint reader. 

The U.S. Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than eight minutiae in common.

Recognition decisions in biometric systems have to be taken in real-time, and, therefore, computing efficiency is critical in biometric apps.

It is not the case in biometric forensics, where real-time recognition is not a requirement. 

Facial recognition

Facial recognition is the most natural means of biometric identification. The face recognition system does not require any contact with the person. 

The 1200 million electronic passports​ in circulation in 2021 provide a huge opportunity to implement face recognition at international borders. 

And the algorithms are getting extremely accurate with Artificial Intelligence. 

According to a 2018 NIST study, the system developers have made massive gains in facial recognition accuracy in the last five years (2013- 2018).

NIST found that 0.2% of searches in a database of 26.6 photos failed to match the correct image, compared with a 4% failure rate in 2014.

There's more.

In NIST'S 2020 tests, the best algorithm had a failure rate of 0,08%.

It's a 50x improvement over six years.

The risks of error are related to very different factors. 

• We have noted that particular biometric techniques were more or less well suited to specific categories of persons. A specific system may work for women, but less well for men or young people, but not for older people, for people with lighter skin, but less well for darker skin. 
• Other difficulties arise, particularly facial recognition, when the person dyes or cuts their hair, changes the line of their eyebrows or grows a beard. 
• A verification photo taken with a low-quality camera model can increase the risk of error. The identification accuracy relies on the reliability of the equipment used to capture data. 
• The risk of error also varies depending on the environment and the conditions of the application. The light may differ from one place to another. The same goes for the intensity or nature of background noise. The person's position may have changed. 

Also, in a biometric control application, the rejection or acceptance rates are intertwined and tuned according to acceptable risk levels.

It is not possible to modify one without impact the other one. 

Why is it so?

In the case of a nuclear plant access control application, the rate of false acceptance will be hugely reduced. You don't want ANYONE to enter by chance.

This demand will also impact the rate of false rejections because you will tune the system to be highly accurate. 

You will probably use several authentication factors, including a valid I.D. in addition to biometrics (single mode or multimodal).

According to the Keesing Journal of Documents & Identity (March 2017), two complementary topics have been identified by standardization groups.

• Ensure the captured image is from a person and not from a mask, a photograph, or a video screen (liveliness check or liveness detection) ​
• Ensure that facial images (morphed portraits) or two or more individuals have not been joined into a reference document, such as a passport.

Can facial recognition systems be fooled in 2021? 

Read our web review on top facial recognition trends​if you want to know more.

​Other biometric devices: Tokens & biometric cards 

 Biometrics suffers from the fact that the matching algorithms cannot be compared to the hashes of passwords, as we said.

This means that two biometric measures cannot be compared with each other without them, at some point, being "in plaintext" in the memory of the device doing the matching. 

Therefore, biometric checks must be carried out on a trusted secure device, which means the alternatives are to have a centralized and supervised server, a trusted biometric device, or a personal security component.

Smart ID cards

This security need is why tokens and smart cards (I.D.s or banking cards now) are the ideal companions for a biometric system. 

Numerous national identity cards (Portugal, Ecuador, South Africa, Mongolia, Algeria, etc.) now incorporate digital security features based on the "Match-on-Card" fingerprint matching algorithm. 

Unlike conventional biometric processes, the "Match-on-Card" algorithm allows fingerprints to be matched locally with a reference frame thanks to a microprocessor built into the biometric I.D. card without having to connect to a central biometric database (1:1 matching). 

Biometric sensor cards

A biometric payment card with a sensor (where the thumb is)
 

Integrating a fingerprint scanner into smart cards is another form of delivering a safe and convenient way to authenticate people.

These biometric sensor cards open up a new dimension in identification with an easy-to-use, portable, and secure device.

They were launched in 2018 for the first time by the Bank of Cyprus and Thales for EMV cards (contactless and contact payment). They use fingerprint recognition instead of a PIN code to authenticate the cardholder.

There's more.

The cards support access, physical or online identity verification services.

As the user's biometric data is stored on the card, not on a central database, customer details are highly protected if the bank suffers a cyber-attack. Likewise, if the card was to become lost or stolen,  the holder's fingerprint could not be replicated.

Put it in another way: the biometric identifiers are checked locally and protected, as they are stored solely on the card. They never leave the card.

Biometric security

Biometrics can fulfil two distinct functions, authentication, and identification, as we said. 

Identification answers the question, "Who are you?". In this case, the person is identified as one, among others (1: N matching). The person's personal data to be identified are compared with other persons stored in the same database or possibly other linked databases. 

Authentication answers the question: "Are you really who you say you are?". In this case, biometrics allows the person's identity to be certified by comparing the data they provide with pre-recorded data for the person they claim to be (1:1 matching). 

These two solutions call upon different techniques. 

In general, identification requires a centralized biometric database that allows several persons' biometric data to be compared. 

Authentication can do without such a centralized database. The data can simply be stored on a decentralized device, such as one of our smart cards. 

For data protection, a process of authentication with a decentralized device is to be preferred. Such an approach involves less risk. 

The token (I.D. card, military card, health card​) is kept in the user's possession, and their data does not have to be stored in any database. 

Conversely, if an identification process requiring an external database is used, the user does not have physical control over their data, with all the risks involved. 

Why are biometrics controversial?

Biometric security offers many advantages (authenticating and identifying strongly) but is not without controversy.​ This challenge is linked to privacy and citizens' ability to control information about themselves.​​

Two types of risks can be identified: 

1. The use of biometric data to other ends (aka function creep) than those agreed by the citizen either by service providers or fraudsters. As soon as biometric data is in the hands of a third party, there is a risk that such data may be used for purposes different from those to which the person concerned has given their consent.
   Thus, there may be cases of unwanted end use if such data is interconnected with other files or used for types of processing other than those for which it was initially intended. 
2. The risk of re-use of data presented for biometric checks. The data can be captured during their transmission to the central database and fraudulently replicated in another transaction. 

A result is a person losing control over their data, which poses privacy risks. 

In practice, data protection authorities seem to prefer solutions that feature decentralized data devices. 

Do you want to see how biometric data are protected around the world?

​

Biometrics and data protection

 The "United Nations Resolution" of 14 December 1990, which sets out guidelines for computerized personal data files regulation, does not have any binding force. 

​On a more global basis, legal deliberations rely primarily on personal data provisions in the broad sense.

But such provisions sometimes prove to be poorly adapted to biometrics. ​

On the contrary, the new E.U. regulation replaces the existing national laws as of May 2018.

The General Data Protection Regulation is directly applicable in all 27 Member States of the European Union and the U.K. as of May 2018.  

And biometric data are clearly defined and protected.

Can this be true?​ Yes.

In a nutshell, it establishes:

1. A harmonized framework within the E.U., 
2. The right to be forgotten, 
3. "Clear" and "affirmative" consent, 
4. Severe penalties for failure to comply with these rules. 

Note that outside the European Union, the level of protection differs depending on the legislation in force. Assuming – that is – that there is any such legislation.

An example is the United States, where three states (Illinois, Washington, and Texas) protected biometric data, and.. 47 did not in 2019.

But things may move faster in 2022.

The California Consumer Privacy Act is a significant step forward for the country. It enhances privacy rights and consumer protections for California residents and is applicable as of 1 January 2020.

Why is it important?

The CCPA may serve as a model for a future federal legal framework.

To know more about biometric data protection in the E.U. and U.K. (GDPR), in the United States (CCPA), and recent changes in India, discover our dossier dedicated to privacy regulations biometric data​.

Putting biometric systems to work for digital security

Thales has its technology which, combined with its impartial stance on the source of biometric data, allows it to help everyone put their trust in the digital world.

Thales is an expert in strong identification solutions with more than 200 civil I.D., population registration, and law enforcement projects incorporating biometric security.

As an independent force, the company can recommend the most suitable solution in each case.

Thales attaches great importance to assessing risks, which may not always be visible to the general public and private operators' capacity to manage such risks.

We remain convinced that biometrics offers significant benefits for guaranteeing identity.​​

​

Which of the following is the most widely used wireless network encryption?

What is the most common protocol for website encryption?

Is the use of the Internet smartphones or other devices to send or post content intended to hurt or embarrass another person?

Is it against the law for keyloggers to be deposited on your hard drive by the company you work for?