The IT Law Wiki

Definitions[]

Biometrics is

used alternatively to describe two different aspects of the technology: a characteristic or a process. As a characteristic: The measure of a biological (anatomical and physiological) and/or behavioral biometric characteristic that can be used for automated recognition. As a process: Automated methods of recognizing an individual based on the measure of biological (anatomical and physiological) and/or behavioral biometric characteristics.[1]
[a] measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity of an applicant. Facial images, fingerprints, and iris scan samples are examples of biometrics.[2]
automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions.[3]

Overview[]

Biometric characteristics[]

Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Measuring a physiological characteristic involves a part of the body, such as the fingertips, the irises of the eyes or the palm veins; measuring a behavioral characteristic involves data derived from actions, such as speech and signature, the corresponding biometrics being speaker recognition and signature recognition. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. DNA can be regarded as a biometric technology once data matching (i.e., comparing and/or linking information from different sources) can be performed reliably using automated methods. Many other modalities are in various stages of development and assessment.

Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent. Biometric-based solutions are able to provide for confidential financial transactions and personal data privacy.

The need for biometrics can be found in federal, state and local governments, in the military, and in commercial applications. Enterprise-wide network security infrastructures, government IDs, secure electronic banking, investing and other financial transactions, retail sales, law enforcement, and health and social services are already benefiting from these technologies.

Using biometrics for personal authentication is becoming convenient and considerably more accurate than current methods such as passwords or personal identification numbers (PINs). This is because a biometric links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), is accurate (it provides positive authentication), can provide an audit trail, and is becoming socially acceptable and inexpensive.

Although biometric technologies vary in complexity, capabilities, and performance, they all share several elements. Biometric identification systems are essentially pattern recognition systems. They use acquisition devices such as cameras and scanning devices to capture images, recordings, or measurements of an individual's characteristics, and they use computer hardware and software to extract, encode, store, and compare these characteristics. Because the process is automated, biometric decision making is generally very fast, in most cases taking only a few seconds in real time.

Biometric processes[]

Although biometric technologies measure different characteristics in substantially different ways, all biometric systems involve similar processes that can be divided into two distinct stages: (1) enrollment and (2) verification or identification.

Enrollment stage[]

In enrollment, a biometric system is trained to identify a specific person. The person first provides an identifier, such as an identity card. The biometric is linked to the identity specified on the identification document. He or she then presents the biometric (e.g., fingertips, hand, or iris) to an acquisition device. The distinctive features are located; one or more samples are extracted, encoded, and stored as a reference template for future comparisons. Depending on the technology, the biometric sample may be collected as an image, a recording, or a record of related dynamic measurements. How biometric systems extract features and encode and store information in the reference template depends on the system vendor's proprietary algorithms.

Template size also varies, depending on the vendor and the technology. Although templates can range from 9 to 20,000 bytes, most are smaller than 1,000 bytes. Such small sizes allow for rapid comparison. Templates can be stored remotely in a central database or within the biometric device itself; their small size also allows for storage on smart cards or smart tokens.

Minute changes in positioning, distance, pressure, environment, and other factors influence the generation of a template, so each time an individual's biometric data are captured the resulting template is likely to differ from every previous one. Consequently, depending on the biometric system, a person may need to present biometric data several times in order to enroll. Either the reference template may then represent an amalgam of the captured data or several enrollment templates may be stored. The quality of the template or templates is critical to the overall success of the biometric application. Because biometric features can change over time, people may have to reenroll to update their reference template. Some technologies can update the reference template during matching operations.

The enrollment process also depends on the quality of the identifier the enrollee presents. The reference template is linked to the identity specified on the identification document. If the identification document does not specify the individual's true identity, the reference template will be linked to a false identity.

Verification or identification stage[]

Depending on the application, biometric systems can be used in one of two modes: verification or identification. Verification — also called authentication — is used to verify a person’s identity — that is, to authenticate that individuals are who they say they are. Identification is used to establish a person’s identity — that is, to determine who a person is.

In "verification systems," the step after enrollment is to verify that a person is who he or she claims to be (i.e., the person who enrolled). After the individual provides whatever identifier he or she enrolled with, the biometric is presented, which the biometric system captures, generating a trial template that is based on the vendor’s algorithm. The system then compares the trial template with this person’s reference template, which was stored in the system during enrollment, to determine whether the individual’s trial and stored reference templates match.

Verification is often referred to as 1:1 (one-to-one) matching. Verification systems can contain databases ranging from dozens to millions of enrolled templates but are always predicated on matching an individual’s presented biometric against his or her reference template. Nearly all verification systems can render a match/no-match decision in less than a second. A system that requires employees to authenticate their claimed identities before granting them access to secure buildings or to computers is a verification application.

In "identification systems," the step after enrollment is to identify who the person is. Unlike verification systems, no identifier need be provided. To find a match, instead of locating and comparing the person’s reference template against his or her presented biometric, the trial template is compared against the stored reference templates of all individuals enrolled in the system. Identification systems are referred to as 1:N (one-to-N, or one-to-many) matching because an individual’s biometric is compared against multiple reference templates in the system’s database.

There are two types of identification systems: positive and negative. Positive identification systems are designed to ensure that an individual’s biometric is enrolled in the database. The anticipated result of a search is a match. A typical positive identification system controls access to a secure building or secure computers by checking anyone who seeks access against a database of enrolled employees. The goal is to determine whether a person seeking access can be identified as having been enrolled in the system.

Negative identification systems are designed to ensure that a person’s biometric information is not present in a database. The anticipated result of a search is a non-match. Comparing a person’s biometric information against a database of all who are registered in a public benefits program, for example, can ensure that this person is not “double dipping” by using fraudulent documentation to register under multiple identities.

Another type of negative identification system is a surveillance system that uses a watch list. Such systems are designed to identify people on the watch list and alert authorities for appropriate action. For all other people, the system is to check that they are not on the watch list and allow them normal passage. The people whose biometrics are in the database in these systems may not have provided them voluntarily. For instance, for a surveillance system, the biometrics may be faces captured from mug shots provided by a law enforcement agency.

No match is ever perfect in either a verification or an identification system, because every time a biometric is captured, the template is likely to be unique. Therefore, biometric systems can be configured to make a match or no-match decision, based on a predefined number, referred to as a threshold, that establishes the acceptable degree of similarity between the trial template and the enrolled reference template. After the comparison, a score representing the degree of similarity is generated, and this score is compared to the threshold to make a match or no-match decision.

For algorithms for which the similarity between two templates is calculated, a score exceeding the threshold is considered a match. For algorithms for which the difference between two templates is calculated, a score below the threshold is considered a match. Depending on the setting of the threshold in identification systems, sometimes several reference templates can be considered matches to the trial template, with the better scores corresponding to better matches.
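The enrollment, threshold and 1:1/1:N matching logic described above, as an added worked example; this is not code from the page, from any vendor or from any standard. A template is modelled as a 64-bit string (a drastically simplified iris code) and two templates are compared with normalised Hamming distance, which is a difference score, so a score below the threshold is a match. Every identity, bit pattern and "noise" position is constructed for illustration, and the majority-vote fusion in `enroll` is one possible way to build the amalgam template mentioned in the enrollment stage, not a standard method.

```python
"""Toy biometric pipeline: enrollment, 1:1 verification, 1:N identification
and threshold tuning.

Added example for this page, not code from the page, from any vendor or from
any standard. A template is a fixed-length bit string (a drastically
simplified iris code); two templates are compared with normalised Hamming
distance. That is a *difference* score, so a score BELOW the threshold is a
match. Every identity, bit pattern and noise position below is constructed.
"""
from __future__ import annotations

TEMPLATE_BITS = 64  # constructed size; real templates are far larger


def capture(base: str, noisy_positions: list[int]) -> str:
    """Simulate one acquisition of a trait whose 'true' code is `base`.
    Positioning, pressure, lighting etc. are modelled as flipping the listed
    bit positions, so no two captures are identical."""
    bits = list(base)
    for i in noisy_positions:
        bits[i] = "0" if bits[i] == "1" else "1"
    return "".join(bits)


def enroll(samples: list[str]) -> str:
    """Fuse several captures into one reference template by bit-wise majority
    vote (one way to build an 'amalgam' template; vendors use their own)."""
    n = len(samples)
    return "".join(
        "1" if sum(s[i] == "1" for s in samples) * 2 > n else "0"
        for i in range(len(samples[0]))
    )


def distance(a: str, b: str) -> float:
    """Normalised Hamming distance in [0, 1]: fraction of differing bits."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(trial: str, reference: str, threshold: float) -> bool:
    """1:1 matching: compare the trial against the single reference template
    of the identity the claimant asserted."""
    return distance(trial, reference) < threshold


def identify(trial: str, database: dict[str, str],
             threshold: float) -> list[tuple[str, float]]:
    """1:N matching: compare against every enrolled template and return all
    candidates under the threshold, best score first. An empty list is the
    anticipated result of a negative-identification search."""
    scores = [(name, distance(trial, ref)) for name, ref in database.items()]
    return sorted((s for s in scores if s[1] < threshold), key=lambda s: s[1])


def error_rates(genuine: list[float], impostor: list[float],
                threshold: float) -> tuple[float, float]:
    """(FNMR, FMR) at a threshold: fraction of genuine comparisons wrongly
    rejected and fraction of impostor comparisons wrongly accepted.
    Lowering the threshold trades FMR for FNMR and vice versa."""
    fnmr = sum(d >= threshold for d in genuine) / len(genuine)
    fmr = sum(d < threshold for d in impostor) / len(impostor)
    return fnmr, fmr


# Constructed 'true' codes for three enrollees, pairwise 0.5 apart.
TRUE_CODES = {
    "alice": "01" * 32,
    "bob": "0011" * 16,
    "carol": "0" * 32 + "1" * 32,
}


def build_database() -> dict[str, str]:
    """Enrollment stage: three noisy captures per person, fused into one
    reference template each (the noise positions are disjoint, so the vote
    recovers the true code exactly)."""
    return {
        name: enroll([capture(code, [3, 17, 40]),
                      capture(code, [9, 22, 59]),
                      capture(code, [5, 31, 48])])
        for name, code in TRUE_CODES.items()
    }


def demo_scores(db: dict[str, str]) -> tuple[list[float], list[float]]:
    """Constructed score sets for threshold tuning: genuine captures of alice
    with 2, 5, 12 and 25 noisy bits; impostors are the other enrollees plus
    one unusually similar stranger whose code is 20 bits off alice's."""
    alice = TRUE_CODES["alice"]
    genuine = [distance(capture(alice, list(range(k))), db["alice"])
               for k in (2, 5, 12, 25)]
    impostor = [distance(db["bob"], db["alice"]),
                distance(db["carol"], db["alice"]),
                distance(db["bob"], db["carol"]),
                distance(capture(alice, list(range(20))), db["alice"])]
    return genuine, impostor


if __name__ == "__main__":
    db = build_database()
    threshold = 0.30
    trial = capture(TRUE_CODES["alice"], [3, 17, 40, 55])
    print("verify as alice:", verify(trial, db["alice"], threshold))  # True
    print("verify as bob  :", verify(trial, db["bob"], threshold))    # False
    print("identify       :", identify(trial, db, threshold))         # [('alice', 0.0625)]
    stranger = capture("1" * 32 + "0" * 32, [2, 11])                  # never enrolled
    print("negative search:", identify(stranger, db, threshold))      # []
    genuine, impostor = demo_scores(db)
    for t in (0.25, 0.35, 0.45):
        fnmr, fmr = error_rates(genuine, impostor, t)
        print(f"threshold {t:.2f}: FNMR={fnmr:.2f} FMR={fmr:.2f}")
```

The threshold sweep at the end is the part worth studying: at 0.25 the poor genuine capture is rejected but no impostor gets in, at 0.45 every genuine capture passes but the near-miss impostor is accepted, and 0.35 gets the worst of both. Real systems differ in template size and feature extraction, but the direction of the comparison (difference score below the threshold, or similarity score above it) and the FMR/FNMR trade-off are the same.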

Security[]

Biometric applications can provide very high levels of authentication, especially when the identifier is obtained in the presence of a third party who verifies its authenticity. But a stored or transmitted template behaves like a shared secret: if its digital form is compromised, it can be replayed to impersonate the individual, and unlike a PIN it cannot simply be changed. Thus, just like PINs, such information should not be sent over open networks unless it is encrypted; encryption in transit does not by itself protect against a compromised endpoint or template database.

Privacy[]

Biometric technologies involve the direct use of an individual’s physical characteristics and seek to establish the most reliable link between a person and information. The intimate nature and potentially permanent direct association of biometric information with an individual raises privacy concerns regarding risk to the individual from data loss and surveillance (biometric data collection at a distance).

Measurement and recording of a physical characteristic could raise privacy concerns where the biometric identification data is shared by two or more entities. If compromised, substituting a different, new biometric identifier may have limitations (e.g., you may need to employ the fingerprint of a different finger). Biometric authentication is best suited for access to devices, e.g., to access a computer hard drive or smart card, and less suited for authentication to software systems over open networks.

Downsides[]

"Downsides to biometrics include the fact that not all people can use all systems, making a backup authentication method necessary (and consequently increasing vulnerability); the fact that revocation is not possible for current systems (the saying goes that most individuals 'have only two thumbs'); and that remote enrollment of a biometric measure (sending one's fingerprint or iris scan over the Internet, for example) may defeat the purpose and is easily compromised."[4]

Leading biometric technologies[]

A growing number of biometric technologies have been proposed over the past several years, but only in the past few years have the leading ones become more widely deployed. Some technologies are better suited to specific applications than others, and some are more acceptable to users. There are seven leading biometric technologies:

  1. Facial recognition
  2. Fingerprint recognition
  3. Hand geometry
  4. Iris recognition
  5. Retina recognition
  6. Signature recognition, and
  7. Speaker recognition

Emerging/Future biometric technologies[]

Newer biometric technologies using diverse physiological and behavioral characteristics are in various stages of development. Some are commercially available, some may emerge over the next 2 to 4 years, and others are many years from implementation. These technologies include:

  1. Vein scan
  2. Facial thermography
  3. DNA matching
  4. Odor sensing
  5. Blood pulse measurement
  6. Skin pattern recognition
  7. Nailbed identification
  8. Gait recognition
  9. Ear shape recognition

References[]

  1. Biometrics Identity Management Agency, Biometrics Glossary, at 15 (Ver. 5) (Oct. 2010).
  2. 12 FAM 090.
  3. Biometrics Consortium, "Introduction to Biometrics."
  4. Who Goes There?: Authentication Through the Lens of Privacy, at 6.
