The IT Law Wiki

Definitions

Biometric authentication is

[a] method of generating authentication information for a person by digitizing measurements of a physical characteristic, such as a fingerprint, a hand shape, a retina pattern, a speech pattern (voiceprint), or handwriting.[1]
the automatic identification or authentication of human individuals on the basis of behavioral and physiological characteristics.[2]
a generic term for the process of verification. It involves presenting a biometric for query, comparing the presented biometric to a stored template or model, and determining whether the individual has made a legitimate claim.[3]
the measurement of a unique biological feature used to verify the claimed identity of an individual through automated means.[4]

Overview

Biometric authentication relies on a unique physical characteristic to verify someone's identity. Common biometric identifiers include fingerprints, written signatures, voice patterns, typing patterns, retinal scans, and hand geometry. The unique pattern that identifies a user is formed during an enrollment process, producing a template for that user.

When a user wishes to authenticate to the system, a physical measurement is made to obtain a current biometric pattern for the user. This pattern can then be compared against the enrollment template in order to verify the user’s identity.
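The enrollment and verification flow described above, as an added example that is not taken from the cited sources. The 16-bit feature codes are constructed sample data, and the per-bit majority vote and the 0.25 mismatch threshold are assumptions chosen for illustration. It also shows why a password-style exact comparison is not used: two captures of the same trait rarely agree bit for bit.

```python
import hashlib

# Constructed sample data: 16-bit feature codes standing in for the output of
# a real feature extractor (an assumption of this example, not real biometrics).
ENROLL_CAPTURES = [
    "1011001110001111",
    "1011001010001111",  # sensor noise flipped one bit
    "1011001110011111",  # sensor noise flipped another bit
]
GENUINE_LIVE = "1011101110001101"   # same user, two noisy bits
IMPOSTOR_LIVE = "0011101011010110"  # different user

def enroll(captures):
    """Build the template: per-bit majority vote over the enrollment captures."""
    length = len(captures[0])
    if any(len(c) != length for c in captures):
        raise ValueError("captures must have equal length")
    return "".join(
        "1" if sum(c[i] == "1" for c in captures) * 2 > len(captures) else "0"
        for i in range(length)
    )

def distance(template, capture):
    """Fraction of bits that differ between template and live capture."""
    if len(template) != len(capture):
        raise ValueError("length mismatch")
    return sum(a != b for a, b in zip(template, capture)) / len(template)

def verify(template, capture, threshold=0.25):
    """Accept the identity claim when the capture is close enough to the template."""
    return distance(template, capture) <= threshold

def exact_match(template, capture):
    """Password-style check: compare digests, so any single bit of noise fails."""
    def digest(s):
        return hashlib.sha256(s.encode()).digest()
    return digest(template) == digest(capture)

if __name__ == "__main__":
    t = enroll(ENROLL_CAPTURES)
    for name, cap in (("genuine", GENUINE_LIVE), ("impostor", IMPOSTOR_LIVE)):
        print(name, distance(t, cap), verify(t, cap), exact_match(t, cap))
```

Raising the threshold admits more noisy genuine captures but also more impostors; lowering it does the reverse.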

Biometric authentication devices tend to cost more than password- or token-based systems, because the hardware required to capture and analyze biometric patterns is more complicated. However, biometrics provide a very high level of security because the authentication is directly related to a unique physical characteristic of the user, which is more difficult to counterfeit.

Limitations

Biometric methods are widely used to authenticate individuals who are physically present at the authentication point, for example, for entry into buildings. Biometrics do not constitute secrets suitable for use in conventional remote authentication protocols. In the local authentication case, where the claimant is observed and uses a capture device controlled by the verifier, authentication does not require that biometrics be kept secret.

Personal Identity Verification card

PIV cards are directed to store two electronic fingerprints on the cards to allow live scans of the cardholders’ fingerprints to be compared with previously stored fingerprint data to determine if there is a match.

Biometric authentication offers a high level of assurance of the cardholders’ identity, even when there is no guard or attendant at the access point to perform visual authentication.

References

  1. Internet Security Glossary, at 21.
  2. Who Goes There?: Authentication Through the Lens of Privacy, at 6.
  3. Biometrics Frequently Asked Questions, at 8 (Sept. 7, 2006).
  4. FIPS 191 §5.1.
