Biometric Authentication

Biometrics allows individuals to be identified and authenticated based on unique biological characteristics like fingerprints, iris scans, or facial features. Biometric authentication involves comparing a live scan to a biometric template stored in a database. Identification determines a person's identity by comparing their biometrics to multiple templates. Biometrics has a long history dating back to ancient China and 19th century scientific policing, and is now widely used for applications like border control, law enforcement, and identity documents due to its high level of security and accuracy in verifying identities.

Biometrics: authentication and identification (2019)

Biometrics allows a person to be identified and authenticated based on a set of recognizable and verifiable
data, which are unique and specific to them. 

Biometric authentication is the process of comparing data for the person's characteristics to that person's
biometric "template" in order to determine resemblance. The reference model is first stored in a database or
a secure portable element like a smart card. The data stored is then compared to the person's biometric data
to be authenticated. Here it is the person's identity which is being verified. 

In this mode, the question being asked is: "Are you indeed Mr or Mrs X?"

Biometric identification consists of determining the identity of a person. The aim is to capture an item of
biometric data from this person. It can be a photo of their face, a record of their voice, or an image of their
fingerprint. This data is then compared to the biometric data of several other persons kept in a database. 

In this mode, the question is a simple one: "Who are you?"

To know more about our biometric technology and solutions, visit our product pages.

Biometrics: trends
Faced with document fraud and identity theft, with new threats such as terrorism or cybercrime, and faced
with the understandable changes in international regulations, new technological solutions are gradually
being implemented. One of these technologies, biometrics, has quickly established itself as the most
pertinent means of identifying and authenticating individuals in a reliable and fast way, through the use
of unique biological characteristics. 

Today, many applications make use of this technology. 


That which in the past was reserved for sensitive applications such as the security of military sites is now
developing rapidly through applications in the public domain.

What is biometrics? Definition 


Biometrics is the science of analyzing physical or behavioral characteristics specific to each individual in
order to be able to authenticate their identity.

If we were to define biometry or biometrics in the most simple sense,  we would say the "measurement
of the human body". 

There are two categories of biometric technologies: 

Physiological measurements 
They can be either morphological or biological. These mainly consist of fingerprints, the shape of the
hand, of the finger, vein pattern, the eye (iris and retina), and the shape of the face, for morphological
analyses.

For biological analyses, DNA, blood, saliva or urine may be used by medical teams and police forensics.

Gemalto celebrates a decade of support for  West Virginia University's growing Department of Forensic
and Investigative Science. 

In 2007,  Cogent Systems – recently acquired by Gemalto – began donating biometric software, hardware,
and support services to the university, leading to the creation of Cogent Systems Laboratory located in
Oglebay Hall.  The lab is equipped with a professional  Automated Finger Identification System  (AFIS), 24
workstations for finger/palm analysis, 3 Livescans for enrolling prints, an Integrated Ballistics
Identification System (IBIS), and a teaching station. 

Behavioral measurements
The most common are voice recognition, signature dynamics (speed of movement of pen, accelerations,
pressure exerted, inclination), keystroke dynamics, the way objects are used, gait, the sound of steps,
gestures, etc. 

The different techniques used are the subject of ongoing research and development, and, of course, are
being constantly improved. 
To see how behavioral biometrics is gaining momentum in Banking, visit our October 2017 web dossier.

However, the different sorts of measurements do not all have the same level of reliability. Physiological
measurements are usually considered to offer the benefit of remaining more stable throughout the life of an
individual. For example, they are not as subject to the effects of stress, in contrast to identification by
behavioral measurement. 

When was biometrics first invented?


Biometrics addresses a longstanding concern to be able to prove one's identity, irrefutably, by making use
of what makes one different.

Going as far back as prehistoric times, man already had a feeling that certain characteristics such as the
trace of his finger were sufficient to identify him, and he "signed" with his finger.

History of biometrics
In the second century B.C., the Chinese emperor Ts'In She was already authenticating certain seals with a
fingerprint.

In the 19th century, Bertillon took the first steps in scientific policing. He used measurements taken of
certain anatomical characteristics to identify reoffending criminals, a technique which often proved
successful, though without offering any real guarantee of reliability. 

This budding use of biometrics was then somewhat forgotten, only to be rediscovered by William James
Herschel, a British officer, to be used for an entirely different purpose. Having been put in charge of
building roads in Bengal, he had his subcontractors sign contracts with their fingerprints. An early form of
biometric authentication and a sure way of being able to find them more easily if they defaulted… 
• In the UK, the Metropolitan Police started the use of biometrics for identification in 1901. 
• In the US, it was initiated by the New York police in 1902 and by the FBI in 1924. 
• The French police started to initiate the same process in late 1902.

The measurement of unique patterns (aka behavioral biometrics) is not new either. It goes back to the
1860s. Telegraph operators using Morse code recognized each other by the way they would send dash and
dot signals. 

During World War II, Allied forces used the same method to identify senders and authenticate the messages
they received.

This is the basic principle of biometrics: to identify a person based on certain unique characteristics.

Biometrics is growing fast, particularly in the field of identity documents. It is generally combined with
other security technologies such as smart cards.

Identity and biometrics


There are three possible ways of proving one's identity: 

1. by means of something that you possess. Until now, this was something that was relatively easy to
do, whether it was by using the key to one's vehicle, a document, a card, or a badge.
2. by means of something that you know, a name, a secret or a password.
3. by means of what you are, your fingerprint, your hand, your face.

The use of biometrics has a number of benefits. 

The leading one is the level of security and accuracy* that it guarantees. In contrast to passwords, badges,
or documents, biometric data cannot be forgotten, exchanged, or stolen, and cannot be forged. 

*According to calculations made by Sir Francis Galton (Darwin's cousin), the probability of finding two
similar fingerprints is one in 64 billion even with identical twins (homozygotes). 

It is in this sense that biometrics is inextricably linked to the question of identity.

Where is biometrics used?


These applications are predominantly introduced by national authorities, as the biometric enrollment and
management of a population's biometric data call for a tightly regulated legal and technical framework. 

Law enforcement and biometrics


Law enforcement biometrics refers to applications of biometric systems which support law
enforcement agencies. This category can include criminal ID solutions such as Automated Fingerprint
(and palm print) Identification Systems (AFIS). They process, store, search and retrieve fingerprint images
and subject records. 

Today Automated Biometric Identification Systems (ABIS) can create and store biometric information that
matches biometric templates for face, finger, and iris.

Discover the work of forensic analysts in our video.

Live face recognition - the ability to do face identification in a crowd in real-time or post-event - is also
gaining interest for homeland security – in cities, airports and at borders.

Biometrics and border control

The application which has been most widely deployed to date is the electronic passport (epassport),
particularly with the second generation of such documents also known as biometric passports, on which
two fingerprints are stored in addition to a passport photo. 

Biometrics provides irrefutable evidence of the link between the document and its holder. 

• Biometric authentication is done by comparing the fingerprint(s) read with the fingerprints in the
passport micro-controller. If both biometric data match, authentication is confirmed.
• Identification, if necessary, is done with the biographic data in the chip and printed.

Another advantage of this solution is that it speeds up border crossing through the use of scanners, which
use the principle of recognition by comparison of the face and/or fingerprints. 

In addition, many countries have set up biometric infrastructures to control migration flows to and from
their territories. 

Fingerprint scanners and cameras at border posts capture information that helps identify travelers entering
the country in a more precise and reliable way. In some countries, the same applies in consulates to visa
applications and renewals.

Data acquisition requires reliable equipment to ensure optimum capture of photos and fingerprints,
essential for precision during comparison and verification.

We describe in detail two well-known examples of such applications:

• The U.S. Department of Homeland Security's IDENT biometric system, the largest of its kind in
the world
• The European Union's EURODAC, serving 32 nations in Europe (biometrics for asylum seekers)

Healthcare and subsidies


Other applications exist, chiefly national identity cards, widespread in European and Middle East countries
or in Africa for ID and health insurance programs, such as in Gabon. 
With these biometric ID cards, fingerprints are used to confirm the identity of the bearer of the card before
he or she is given access to governmental services or healthcare. 

Why is it so?

In Gabon for example, even before the program started, it was clear to everyone that all resources should
be implemented to avoid the health cover program turning into a center of attention for the citizens of
neighboring countries and to ensure that the generosity of the program would not lead to its collapse
through the fraudulent use of rights. 

Hence beneficiaries are individually identified so that access to care can be reserved for them. It has been
decided that the identification of insured parties will be nominative with the implementation of a Gabonese
individual health insurance number. Civil data, a photograph of the holder and two fingerprints are
digitized within the microprocessor ensuring encryption and protection of this data. 

The health insurance card is used in hospitals, pharmacies and clinics, to check social security rights whilst
protecting the confidentiality of personal data. Checks are performed using terminals with fingerprint
sensors.

Civil Identity, population registration and voter registration


AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database,
ensure the identity and uniqueness of the citizen in relation to the rest of the population in a reliable, fast
and automated way. They can combine digital fingerprints, a photo and an iris scan for greater reliability.

Civil identity and population registration

India’s Aadhaar project is emblematic of biometric registration. It is by far the world's largest biometric
identification system and the cornerstone of strong identification and authentication in India.

The Aadhaar number is a 12-digit unique identity number issued to all Indian residents. This number is based
on their biographic and biometric data (a photograph, ten fingerprints and two iris scans).

1.23 billion people have an Aadhaar number as of February 2019, covering more than 99% of the Indian
adult population. Initially the project was linked to public subsidy and unemployment benefit
schemes, but it now includes a payment scheme.

According to Finance minister Arun Jaitley in his speech of 1 February 2018, Aadhaar, by providing an
identity to every Indian, has made many services more accessible to the people. It has reduced corruption,
cost of delivery of public services and middlemen.

Financial inclusion is expected to be a key application of Aadhaar authentication with Aadhaar Pay, a
new payment scheme announced in 2017.

Voter registration

Biometrics can also be key for the "one person, one vote" principle. To know more on this aspect please
visit our web dossier on biometric voter registration.
Visit our April 2018 web dossier to learn more on current trends in biometrics.

The biometrics market 


The global biometrics market is expected to top USD 50 billion by 2024 according to Global Markets Insights.

Non-AFIS will account for the highest biometrics market share, exceeding USD 18 billion by 2024. 

Biometric applications in security and government sectors of North America are driving the regional
market trends. In fact, the study claims, North America with the U.S. at the helm will represent more than 30%
of the overall biometrics industry share by 2024. 

Asia Pacific will also be witnessing solid growth. Governmental initiatives like CRIC (China Resident
Identity Card) and the push for facial recognition or India's Aadhaar have deeply favored the
commercialization of biometrics industry in APAC.

Biometric technologies: combining security and comfort
Biometrics offers a broad range of techniques and can be used in a wide variety of different domains,
ranging from State security to the comfort of individuals. 

These technologies are mainly used in the sectors of forensic identification, identity management, as well
as for  biometric access control both in private and public institutions. The effectiveness of this technology
is closely linked to the use of data processing. Data is stored in files to enable rapid and reliable
identification, which in turn guarantees both comfort and security. 

The most well-known techniques include fingerprints, face recognition, iris, palm and DNA-based
recognition. Research is currently opening the way for new types of biometrics, such as ear shape or facial
thermography. 

Whatever the method, what all these biometric techniques have in common is that they all collect
characteristics which are:

• universal, as they can be found in all individuals
• unique, as they make it possible to differentiate one individual from another
• permanent, allowing for change over time
• recordable, as the characteristics of an individual cannot be collected without their consent
• measurable, allowing for future comparison
• and forgery-proof.

To increase security and accuracy, multimodal biometrics combines several biometric sources. 


Multimodal biometric systems usually require two biometric credentials for positive identification such as
face and fingerprints instead of one. They are able to overcome limitations  commonly encountered in
unimodal systems. 

Biometrics for all?

Not exactly.

The simple truth is that solutions are totally related to the challenges to be met. 

The justice system, for example, which must take the necessary time to identify a criminal and cannot
accept the slightest error, will not be worried by a long and costly process. 

An everyday individual will seek to protect their own personal property and have access to it easily, at a
reasonable price. 

Governments and public administrations are in their case confronted with multiple issues at once:
making it easier to cross borders while controlling illegal immigration, fighting terrorism, cybercrime or
electoral fraud, issuing documents compliant with new international standards and regulations,
guaranteeing the security of systems for the production, issuing and checking of such documents, and data
interoperability within the limits of their budgets.  

On this scale, only an innovative approach to global security which makes use of technological solutions
and processes which are adapted to the challenges to be met can enable States to effectively address the
issues they face and provide them with the means of building trust.

The reliability of biometrics


Biometric authentication relies on statistical algorithms. It therefore cannot be 100 %-reliable when used
alone. 

"False rejections" or "false acceptances"

What's the story here?

• In one case, the machine fails to recognize an item of biometric data that does however correspond
to the person. 
• In the reverse case, it assimilates two items of biometric data that are not in fact from the same
person. 

"False rejection" or "false acceptance" are symptoms which occur with all techniques used in biometrics. 

Why multi-modal biometrics?


For a number of years now, the use of several biometrics in combination, for example the face and the iris
or the iris and fingerprints, has made it possible to reduce error rates considerably.

But this reliability depends on the acquisition tools and algorithms used being of good quality. Though this
solution may appear attractive in principle, identification requires the implementation of a centralized
server, with a particularly secure architecture.

How accurate is biometrics?


What's the problem? 

Why would biometrics not be accurate?

Think about this one minute again.

The technical challenges of automated recognition of individuals based on their biological and behavioral
characteristics are inherent in the transformation of analog information (facial image, fingerprint, voice
pattern...) to digital information (patterns, minutiae) that can then be processed and compared/matched
with effective algorithms.

Fingerprints
There are about 30 minutiae (specific points) in a fingerprint scan obtained by a live fingerprint reader.
The US Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than 8
common minutiae.

Recognition decisions in biometric systems have to be taken in real time and, therefore, computing
efficiency is key in biometric apps.

It is not the case in biometric forensics where real-time recognition is not a requirement. 

Facial recognition
Facial recognition is the most natural means of biometric identification. The face recognition system does
not require any contact with the person. The 1000 million electronic passports in circulation in mid 2017
provide a huge opportunity to implement face recognition at international borders. Guidelines to improve
the quality of the reference picture embedded in the epassport micro-chip are provided by the ISO/IEC
19794-5 standard and used by the International Civil Aviation Organization 9303 standard for passport
photographs.

According to the Keesing Journal of Documents & Identity (March 2017), two complementary topics have
been identified by standardization groups.

• Make sure the captured image has been taken from a person and not from a mask, a photograph or
a video screen (liveliness check or liveness detection) 
• Make sure that facial images (morphed portraits) of two or more individuals have not been joined
into a reference document such as a passport.

The risks of error are related to very different factors. 

• Take the example of a person with their biometric characteristics. We have noted that particular
biometric techniques were more or less well suited to certain categories of persons. The difficulties are
related to ergonomic factors of which we do not yet have a firm grasp or understanding. A certain system
may work for women, but less well for men, or for young people but not for older people, for people with
lighter skin, but less well for those with darker skin. 
• Other difficulties arise in particular with facial recognition, when the person dyes or cuts their
hair, changes the line of their eyebrows or grows a beard. We can imagine cases of "false acceptance"
when the photo taken modifies distinctive character traits in such a way that they match another item of
biometric data stored in the database. 
• Other errors are also possible depending on the technologies used during the biometric enrollment
phase. A verification photo taken with a low-quality model of camera can noticeably increase the risk of
error. The accuracy of the identification relies entirely on the reliability of the equipment used to capture
data. 
• The risk of error also varies depending on the environment and the conditions of application. The
light may differ from one place to another, and the same goes for the intensity or nature of background
noise. The person's position may have changed. 

In the laboratory, under perfect conditions, in a controlled environment and using adapted technologies, the
rate of error in detection of a face varies between 5 and 10 %. 

In addition, in a biometric control application, the rejection and acceptance rates are intertwined and can be
tuned according to an acceptable level of risk. It is not possible to modify one without impacting the other
one. 

Think about it.

In the case of a nuclear plant access control application, the rate of false acceptance will be extremely
reduced. You don't want ANYONE to enter by chance.

This will also impact the rate of false rejections because you will tune the system to be extremely accurate.
You will probably use several authentication factors including a valid ID in addition to biometrics (single
mode or multimodal).
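
The trade-off between false acceptance and false rejection described above can be made concrete with a short added example (not part of the original article). The similarity scores, the 0-100 scale and the three deployment profiles are constructed assumptions; the point is that picking a stricter false acceptance rate (FAR) forces a higher false rejection rate (FRR).

```python
"""Threshold tuning for a biometric matcher (added illustration).

All scores are constructed sample values, not measurements from a real system.
"""

# Similarity scores on a 0-100 scale; higher means "more alike".
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 71, 67, 62, 54]    # person vs. own template
IMPOSTOR_SCORES = [8, 12, 15, 19, 23, 26, 28, 30, 33, 34,
                   37, 41, 45, 48, 52, 57, 60, 64, 69, 72]   # person vs. someone else's


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: share of impostor comparisons reaching the threshold."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: share of genuine comparisons below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)


def threshold_for_far(max_far, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR stays within max_far.

    Taking the lowest such threshold keeps false rejections as rare as the
    accepted risk allows. A threshold of 101 rejects every score, so the
    search ends with FAR = 0 at the latest.
    """
    for threshold in range(0, 102):
        if far(threshold, impostor) <= max_far:
            return threshold
    raise ValueError("max_far must be >= 0")


def operating_point(max_far):
    """Threshold and both error rates for a given accepted FAR."""
    threshold = threshold_for_far(max_far)
    return {"threshold": threshold, "far": far(threshold), "frr": frr(threshold)}


if __name__ == "__main__":
    # Hypothetical profiles, from convenience-first to security-first.
    profiles = [("convenience", 0.30), ("balanced", 0.10), ("high security", 0.0)]
    for name, max_far in profiles:
        point = operating_point(max_far)
        print(f"{name:>13}: threshold={point['threshold']:3d} "
              f"FAR={point['far']:.2f} FRR={point['frr']:.2f}")
```

With these constructed scores, driving FAR to zero (the nuclear-plant style setting) rejects 4 out of 10 legitimate attempts, which is why such deployments pair biometrics with other factors.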

If you want to know more, read our May 2018 web review on top facial recognition trends.

Tokens and smart biometric ID cards

Biometrics suffers from the fact that its matching algorithms cannot work on hashed data the way
password checks do, as we said.

This means that two biometric measures cannot be compared with each other without them, at some point,
being "in plaintext" in the memory of the device doing the matching. 

Biometric checks must therefore be carried out on a trusted device, which means the alternatives are to
have a centralized and supervised server, a trusted terminal, or a personal security component.
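
An added example (not from the original article) of why a template cannot be protected like a password: two scans of the same finger never produce identical values, so their hashes differ, while a distance comparison needs both vectors in the clear. The 8-value feature vectors, the distance threshold and the salt are constructed for illustration.

```python
"""Why a biometric template cannot be checked like a password hash (added illustration)."""
import hashlib
import hmac
import math
import struct

# Constructed feature vectors standing in for extracted biometric features.
ENROLLED_TEMPLATE = [412, 87, 233, 150, 698, 301, 45, 520]
SAME_FINGER_NEW_SCAN = [410, 89, 231, 153, 700, 299, 46, 518]   # same person, sensor noise
OTHER_PERSON_SCAN = [120, 400, 90, 610, 75, 480, 330, 210]
MAX_DISTANCE = 20.0           # hypothetical decision threshold
SALT = b"constructed-salt"    # fixed only to keep the example reproducible


def password_hash(password):
    """Passwords are exact strings, so a one-way hash can be stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def password_ok(stored_hash, attempt):
    return hmac.compare_digest(stored_hash, password_hash(attempt))


def template_digest(features):
    """Hash of the serialized feature vector (big-endian 16-bit integers)."""
    packed = struct.pack(f">{len(features)}h", *features)
    return hashlib.sha256(packed).digest()


def hashed_match(stored_digest, scan):
    """Password-style check: succeeds only if the scan is bit-identical."""
    return hmac.compare_digest(stored_digest, template_digest(scan))


def fuzzy_match(template, scan, max_distance=MAX_DISTANCE):
    """Real matching tolerates noise, which requires both vectors in plaintext."""
    return math.dist(template, scan) <= max_distance


def compare_all():
    stored = template_digest(ENROLLED_TEMPLATE)
    return {
        "hash, same finger": hashed_match(stored, SAME_FINGER_NEW_SCAN),
        "distance, same finger": fuzzy_match(ENROLLED_TEMPLATE, SAME_FINGER_NEW_SCAN),
        "distance, other person": fuzzy_match(ENROLLED_TEMPLATE, OTHER_PERSON_SCAN),
    }


if __name__ == "__main__":
    for check, accepted in compare_all().items():
        print(f"{check:>24}: {'accepted' if accepted else 'rejected'}")
```

A hashed comparison only ever accepts a bit-identical copy of the enrolled data, which a live sensor does not produce; this is why the comparison has to run inside a trusted component.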

Smart ID cards
This is why tokens and smart cards (IDs or banking cards now) are increasingly used as the ideal
companions for a biometric system. 
 

Numerous national identity cards (Portugal, Ecuador, South Africa, Mongolia, Algeria, etc.) now
incorporate digital security features, which are based on the "Match-on-Card" fingerprint matching
algorithm. Unlike conventional biometric processes, the "Match-on-Card" algorithm allows fingerprints to
be matched locally with a reference frame thanks to a microprocessor built into the biometric ID card and
without having to connect to a central biometric database (1:1 matching). 

Biometric sensor cards


Another way of delivering safe and convenient authentication has been enabled by the
integration of a fingerprint scanner into smart cards.
These biometric sensor cards open up a new dimension in identification with an easy-to-use, portable and
secure device.
They are being launched in 2018 for the first time by Bank of Cyprus and Gemalto for EMV
contactless and contact payment. They use fingerprint recognition instead of a PIN code to authenticate the
cardholder.

There's more.

The cards can also be tailored to support access, physical or online identity verification services.

As the user's biometric data is stored on the card, not in a central database, customer details are highly
protected if the bank were to suffer a cyber-attack. Likewise, if the card were to become lost or stolen, the
holder's fingerprint could not be replicated.
Put another way: the biometric identifiers are checked locally and protected, as they are stored
solely on the card. They never leave the card.

Biometrics and information security


Biometrics can fulfill two distinct functions, authentication and identification as we said. 

Identification answers the question "Who are you?". In this case, the person is identified as one among a
group of others (1:N matching). The personal data of the person to be identified are compared with the data
of other persons stored in the same database or possibly other linked databases. 

Authentication answers the question: "Are you really who you say you are?". In this case, biometrics
allows the identity of a person to be certified by comparing the data that they provide with pre-recorded
data for the person they claim to be (1:1 matching). 

These two solutions call upon different techniques. 

Identification in general requires a centralized database which allows the biometric data of several
persons to be compared. 

Authentication can do without such a centralized database. The data can simply be stored on a
decentralized device, such as one of our smart cards. 

For the purposes of data protection, a process of authentication with a decentralized device is to be
preferred. Such a process involves less risk. 

The token (ID card, military card, health card) is kept in the user's personal possession and their data does
not have to be stored in any database. 

Conversely, if an identification process requiring an external database is used, the user does not have
physical control over their data, with all the risks which that involves. 
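
The difference between 1:1 and 1:N matching, as an added example that is not part of the original article. The feature vectors, names and threshold are constructed; the last function goes beyond the text and uses the standard approximation that, if each comparison has an independent false match rate, the chance of at least one false match grows with the size of the database searched.

```python
"""1:1 verification versus 1:N identification (added illustration)."""
import math

MATCH_DISTANCE = 10.0   # hypothetical decision threshold

# Constructed templates. A central database holds everyone;
# a card holds only its owner's template.
CENTRAL_DATABASE = {
    "alice": [10, 40, 25, 70],
    "bob": [55, 12, 80, 33],
    "carol": [90, 65, 5, 48],
}
ALICE_CARD = {"alice": CENTRAL_DATABASE["alice"]}

ALICE_LIVE_SCAN = [12, 38, 26, 71]      # close to Alice's template
UNENROLLED_SCAN = [30, 90, 60, 10]      # belongs to nobody in the database


def verify(claimed_id, scan, store):
    """1:1 - 'Are you really who you say you are?' One comparison, one template."""
    template = store.get(claimed_id)
    return template is not None and math.dist(template, scan) <= MATCH_DISTANCE


def identify(scan, store):
    """1:N - 'Who are you?' Compare against every template and keep the best hit."""
    best_id, best_distance = None, math.inf
    for person_id, template in store.items():
        distance = math.dist(template, scan)
        if distance < best_distance:
            best_id, best_distance = person_id, distance
    return best_id if best_distance <= MATCH_DISTANCE else None


def false_positive_identification_rate(false_match_rate, database_size):
    """Chance that a person who is not enrolled matches at least one record.

    Assumes every comparison is independent with the same false match rate.
    """
    return 1 - (1 - false_match_rate) ** database_size


if __name__ == "__main__":
    print("card verify alice:", verify("alice", ALICE_LIVE_SCAN, ALICE_CARD))
    print("claiming to be bob:", verify("bob", ALICE_LIVE_SCAN, CENTRAL_DATABASE))
    print("identify:", identify(ALICE_LIVE_SCAN, CENTRAL_DATABASE))
    print("identify unenrolled:", identify(UNENROLLED_SCAN, CENTRAL_DATABASE))
    for size in (1, 1_000, 1_000_000):
        rate = false_positive_identification_rate(0.001, size)
        print(f"database of {size:>9,}: false positive chance {rate:.3f}")
```

Verification works with a store that contains a single template, which is what makes the card-only design possible; identification cannot run without the whole database.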

Why are biometrics controversial?


Biometrics offers many advantages (strong authentication and identification) but is not without controversy.
This is linked to privacy and citizens' ability to really control information about themselves.

Two types of risk can be identified: 

• The use of biometric data for ends other than those agreed to by the citizen, either by service
providers or by fraudsters. As soon as biometric data is in the possession of a third party, there is always a risk
that such data may be used for purposes different to those to which the person concerned has given their
consent.
There may thus be cases of unwanted end use if such data is interconnected with other files, or if it is used
for types of processing other than those for which it was initially intended. 

• The risk to the biometric database and to the data presented for a biometric check. The data can be
captured during their transmission to the central database and fraudulently replicated in another
transaction. 

The result is a person losing control over their own data which poses major risks in terms of privacy. 
In practice, data protection authorities seem to give preference to solutions which feature decentralized
data devices. 

For Gemalto, whether it is a matter of biometrics or not, the identity of a person, provided by their country,
should be under his/her control. 

Visit our July 2018 web dossier on Biometrics must answer the big questions right: privacy, consent and
function creep. 

Want to see how biometric data are protected around the world?

Biometrics and data protection


While there are hardly any legal provisions in the world that are specific to biometric data, despite the very
specific character of such data, the French Data Protection Act of 1978, officially entitled the "Loi relative
à l'informatique, aux fichiers et aux libertés" [English title: Act on Information Technology, Data Files
and Civil Liberties] sets out specific requirements for biometric data.

The "United Nations Resolution" of December 14, 1990, which sets out guidelines for the regulation of
computerized personal data files does not have any binding force. 

On the contrary, the new EU regulation replaces the existing national laws as of May 2018.

Can this really be true? Yes.

On April 14, 2016, the draft General Data Protection Regulation was adopted by the European Parliament.
Its provisions will be directly applicable in all 27 Member States of the European Union and the UK in
May 2018.  And biometric data are clearly defined.

It now replaces the directive dating from 1995. 

In a nutshell:

1. it establishes a harmonized framework within the EU, 
2. the right to be forgotten, 
3. "clear" and "affirmative" consent, 
4. and, amongst other things, serious penalties for failure to comply with these rules. 

On a more global basis, legal deliberations thus rely to a very large extent on provisions relating
to personal data in the broad sense. But such provisions sometimes prove to be poorly adapted to
biometrics. 

Finally, it should be pointed out that outside the European Union the level of protection differs depending
on the legislation in force. Assuming – that is – that there is any such legislation... 

Another example is the United States, where 3 states (Illinois, Washington and Texas) clearly
protect biometric data and 47 don't. In February 2019, four Massachusetts State Senators presented a bill to
enact a biometric data protection law.

To know more about biometric data protection in the EU and UK (GDPR), in the United States and recent
changes in India, read our dossier dedicated to privacy regulations and biometric data.

Putting biometrics to work for digital security


Gemalto possesses its own technology, recognized worldwide, which, combined with its impartial stance
on the source of biometric data, allows it to help everyone put their trust in the digital world.

An expert in strong identification with more than 200 civil ID, population registration and law enforcement
projects that incorporate biometrics, Gemalto is able to act as an independent force in proposing and
recommending the most suitable solution in each case. 

Gemalto attaches a great deal of importance to the assessment of risks which may not always be visible to
the general public, and to the capacity of private operators to manage such risks. Similarly, the legal and
social implications are also very important.

Though Gemalto keeps an open mind with regard to biometric techniques, it remains no less convinced
that, whatever the choice of biometric, this technology offers major benefits for guaranteeing identity.
