Search
Biometric data
In addition to biographic data, many ID systems collect fingerprints, iris scans, facial images, and/or other biometry to use for biometric recognition—automatic recognition of individuals based on their biological or behavioral characteristics (ISO/IEC 2382-37). This process involves comparing a template generated from a live biometric sample (e.g., a fingerprint or selfie) to previously stored biometric(s) to determine the probability that they are a match.
Biometric recognition encompasses both biometric identification—the process of searching against a biometric enrollment database to find and return the biometric reference identifier(s) attributable to a single individual (i.e. 1:n)—and biometric verification—the process of confirming a biometric claim through biometric comparison (i.e. 1:1) (ISO/IEC 2382-37). These processes can be used to perform two distinct tasks in foundational ID systems:
-
Deduplication of identity records. To ensure that each person in a database is unique, ID systems can use biometric identification to perform a duplicate biometric enrollment check. This involves comparing a template generated from a captured biometric against all or a subset of templates stored in biometric database to detect a duplicate registration (a 1:N search), after which the new template is added to the database. This process involves automation as well as manual checks to adjudicate matches.
-
Authentication of individuals. Some authentication protocols require biometric verification of the user. This involves a one-to-one (1:1) comparison of a template generated from a captured biometric against a single stored template (e.g., one stored on an ID card or mobile phone, or in a database).
Biometric recognition has rapidly proliferated in modern ID systems in part because it is currently the most accurate and efficient technology available for deduplicating large populations to ensure statistical uniqueness—particularly in countries without existing authoritative sources of identity information—and because it can provide a relatively high level of assurance during authentication. As such, biometrics can be a key ingredient in ensuring the trustworthiness of ID systems.
At the same time, however, biometrics are not required or appropriate in all contexts. In particular, the collection and use of biometric data presents some particular data protection and exclusion risks and can significantly add to the cost of the ID system and add operational complexity. The choice to use biometrics—as well as the particular type of biometric data collected—should be informed by these risks and costs, as well as the objectives, planned use cases, and other constraints to the ID system identified in the planning phase.
Additional analysis on biometric modalities and their use for authentication can be found in the ID4D Technology Landscape report. In addition, a more comprehensive ID4D Guide on Biometrics is forthcoming.
Types of biometrics
Countries that plan to use biometric recognition for deduplication and/or authentication can chose from a variety of biometric characteristics (i.e., “modes”). In general biometrics fall into two major categories:
-
Biological: fingerprints, face, iris, veins, etc.
-
Behavioral: keystroke dynamics, gait, signature, voice, etc.
This section provides a brief comparison of the primary biological biometrics used in national-scale ID systems for biometric recognition. For a more detailed evaluation some emerging biometric modalities (voice, vascular, DNA, etc.) see the ID4D Technology Landscape report.
Table 28. Comparison of biometric technologies commonly used in ID systems
Finger | Iris | Face | ||
USE |
Number available |
1-10 | 1-2 | 1 |
Ease of capture |
Easy to medium | Medium to hard | Easy | |
Adjudication |
Medium—requires trained fingerprint examiner |
Impossible with naked eye | Easy—any person can compare two faces | |
Accuracy for deduplication (1:N) assuming quality capture |
Very high depending on number of fingers used and population size | Very high with 2 irises | Low to medium, but improving over time | |
COST |
Capture device cost | 1-print (US$5-40), 2-print (US$200-250), 10-print (US$500-750) | US$ 500-1000 |
Varies from cheap webcam-type devices to more expensive smartphones/tablets |
Computing for duplicate enrollment check |
Medium to high—more complicated algorithms require high-end computer cluster with large memory |
Low to medium—iris matching algorithms are the most efficient as templates are stored in binary code | Medium to high—more complicated algorithms require high-end computer cluster with large memory | |
INCLUSION |
Failure to capture (FTC) |
<2-5% | ~1-2% | ~0% |
Children |
<6 years: may not be viable >6 years to adult: usable with software that accommodates for aging |
<1 year: may not be viable 1-5 years: challenging, requires parental assistance |
All ages with updates needed over time (accuracy improves at older ages because the face stabilizes) | |
Other groups with difficulties | Manual laborers, persons with disabilities, people with cuts on their fingers, people with diabetes |
May be more invasive than fingerprints, stigma in some cultures; difficult for persons with visual impairments or albinism |
Not always optimized for recognition of darker skin tones, some algorithms have difficulty for persons with albinism |
Source: Adapted from the Digital Identity Toolkit and Technology Landscape for Digital Development, and informed by expert consultations.
As shown in Table 28, different biometric modes vary in terms of their:
-
Accuracy. The accuracy with which the technology matches records. This includes the false match rate (FMR) and false non-match rate (FNMR) of the technology.
-
Universality. The presence and ease-of-capture of the biometric in members of the relevant population and in a variety of climates and weather conditions. Certain biometrics (like fingerprints) may be poor or damaged among certain groups and can lead to a failure to capture (FTC) a biometric sample or failure to enroll (FTE), as can adverse weather conditions, such as direct sunlight.
-
Stability. The permanence of the biometric over time (e.g., for children, or the elderly) or after disease or injury.
-
Collectability. The ease with which good quality samples can be acquired.
-
Usability. The ease with which individuals can interact with the technology used to capture the biometric data and its utility for different purposes (e.g., some biometric modes may be more convenient for authentication than others)
-
Cost. The hardware and software costs of collecting and matching samples during initial registration and—if used for authentication—at points of transaction.
In practice, many countries adopt a multimodal strategy and collect more than one type of biometric data. This is beneficial for multiple reasons:
-
More accuracy. More data points (e.g., fingerprints and iris scans or fingerprints and face) help ensure statistical uniqueness to a higher degree of accuracy, which may be necessary in large populations (see Gelb & Clark 2013b)
-
Improved inclusion and fault tolerance. More modes can help increase the possibility that all members of the population are able to provide a biometric sample (e.g., fingerprints may be difficult to collect for manual laborers, but iris scans may work).
-
Allows for the use of different biometrics (fusion) for deduplication and authentication. Certain biometric modalities may be optimal for conducting duplicate biometric enrollment checks (i.e., 1:N/N:N matching, while others may be optimal or sufficient for use during authentication (1:1 matching).
The choice of which biometrics to use—if any—will have implications in terms of the trustworthiness and inclusivity of the ID system, as well as potential risks. These issues are discussed below, with particularly attention to inclusion challenges, use with children, and concerns regarding privacy and exclusion. Practitioners will also need to make related decisions regarding the technical standards used for biometric recognition, as well as back-end systems used for biometric deduplication.
Figure 21. Key considerations for using biometrics
Inclusion | Reliability | Data Protection | Sustainability |
Certain biometrics may be difficult or impossible for some people to reliably provide, necessitating multimodal biometrics and/or appropriate technical and procedural measures to reduce exclusion. | Biometric deduplication may be the best solution to establish uniqueness in large population, however, not all biometric modes provide the same level of accuracy. | The use of biometrics creates additional risks to privacy and data protection that must be mitigated through legal, technical, and operational controls. | Biometrics can add significant costs to registration as well as the authentication infrastructure. |
Challenges for accuracy and inclusion
In deciding the set of biometrics to use, special attention needs to be given to the ability to collect these characteristics from the entire population. For example, there are specific groups and conditions—both of which may be overrepresented in developing countries—where FTE errors during enrollment and FNMRs during biometric verification are likely to be more common. Where individuals are unable to enroll, or where authentication procedures fail to confirm that a person is who they claim to be, this will lead to exclusion.
There are three categories of people that present difficulties for biometric recognition, including:
-
People who cannot physically provide an acceptable biometric (e.g., amputees, survivors of leprosy, etc.) to enroll in the first place
-
People for whom acquiring reliable biometric samples is difficult (e.g., manual laborers, elderly people, children, people with visual impairment, persons with albinism, etc.) which could make enrollment or authentication difficult
-
People who decline to provide their biometrics (e.g., because of religious or cultural constraints, such as the appropriateness of data capture techniques that require physical contact to get accurate readings)
In addition, there are other factors that can lead to accuracy and inclusion challenges with biometric recognition, including:
-
Environmental and procedural issues:
-
Harsh conditions, such as direct sunlight, excessive wind, dust, humidity, and dryness, etc.
-
Minimal training or low capacity of the operator capturing the biometrics
-
Lack of incentives and/or time for capturing quality data
-
Poorly implemented enrollment and quality assurance process
-
-
Biometric system characteristics:
-
Quality of the biometric scanners and software, including the Automated Biometric Identification System (ABIS) and other software development kits that may be used
-
The statistical nature of biometrics
-
Changing properties of biometric characteristics (i.e., facial appearance over time)
-
Non-optimum threshold setting for matching algorithm—i.e., the tradeoff between the FMR and FNMR
-
Some of these issues may be addressed through:
-
Designing a multi-biometric system (see above) to ensure that most people are able to provide at least one viable sample
-
Optimizing enrollment procedures, including by using:
-
Better capture devices and software with built-in quality assessment to improve data quality and reduce FTE
-
Quality Assurance Process and standards (e.g. NFIQ-II)
-
Conditioning materials (gels, alcohols, etc.) that improve finger image contrast
-
Uniform background for facial images
-
Choice of capture devices (small versus large scanners, 4-4-2 versus single fingerprint scanners, optical versus capacitive)
-
-
Implementing comprehensive training of operators to ensure understanding of and adherence to protocols
To ensure the inclusion of this group, it is vital that the identity provider develop transparent and practical methods of exception handling. For duplicate biometric enrollment checks during registration, this could involve identity proofing by other means, such as witnesses, alternate documents, demographic deduplication, and more. For authentication, there must be alternative methods of proving someone’s identity when biometric verification fails or is not possible, in order to ensure that people are not denied access to rights and services for which they are eligible and entitled. Exception handling procedures must be complemented by strong grievance redressal mechanisms to ensure that no one is excluded or unfairly treated as a result of the ID system. This is also true for any other type of authentication method and is not limited to the use of biometrics.
Children and biometrics
One persistent inclusion challenge with ID systems that use biometrics is that many biometrics take time to develop or stabilize after birth. For example, the viability of the following modes depends on age (see also Table 28):
-
Fingerprints (6+ with update). The papillary ridge structure does not develop before the age of six, which means that reliable fingerprint minutiae—the points of comparison in a biometric template—are difficult to extract before that age. Furthermore, aversion to the capture process (i.e., squirming) makes it difficult to collect quality samples.
-
Iris (~1-2+). The iris is fully formed 1-2 years after birth but poses some difficultly in capture and requires significant assistance from the parents until around five years of age.
-
Photos (0+ with updating). Images of the face can be captured from birth, but they need to be updated frequently in the first years of life in order to be useful for automated recognition.
Given that it is currently not feasible to capture stable biological biometrics at birth—nor are there yet clear use cases as part of a foundational ID system—countries have a few options for the use of biometrics for children in an ID system. The first option is to enroll young children without biometric information—or with information that will change over time—and either add or update this information at a later date (e.g., at the first year of high school, for practical reasons). A second option is simply to only include older children and adults in the ID system. Typically, such solutions also include linking the child’s record with their parents (see Box 29), which can also help establish statistical uniqueness of a child at the point of birth registration.
Box 29. Examples of incorporating children into an ID system with biometrics or alternative methods of establishing uniqueness In the Indian state of Haryana, children are enrolled in Aadhaar using a parent’s number which is biometrically authenticated. The biometric data for the child must be uploaded when they turn five years old, and the identity re-registered at age 15. Peru’s ID system also collects infant biometric information (such as footprints and a photo) in combination with parent’s fingerprints. Countries may also implement a mandatory renewal period in order to update children’s biometrics and other information. In Argentina, for example, children are required to renew their ID at age 8. Indonesia’s population register (SIAK) covers all ages, however biometrics are collected at age 17 (or younger for married women) for the issuance of a national ID smartcard (e-KTP). A child’s identity record is created—and a unique ID number (NIK) assigned—at the time of birth registration, which is also when the child is included in the parents’ or guardian’s family registration book (KK) and a moment when the Ministry of Home Affairs checks if the child may have already been registered in the same KK (i.e. deduplication). A child ID card (KIA) is optional at any age up to the age of eligibility of an e-KTP. Source: Adapted from the Digital Identity Toolkit and Argentina Case Study (forthcoming). |
This is an area where technology is potentially changing fast, and companies and researchers are working to develop and test biometric capture devices specifically tailored for infants (e.g., foot geometry and ear shape).
Privacy concerns for biometrics
The processing of biometric data—whether in raw image or template format, and whether encrypted or not—must be subject to the same legal, procedural, and technical controls used to protect other types of sensitive PII. In addition to the general risks of processing any type of PII, however, there are some particularities about biometric data that introduce additional privacy concerns, including that:
-
Some additional personal information may be extracted from certain types of biometric data (e.g., gender, race, age, etc.)
-
If biometrics are compromised, they cannot be reissued like cards, passwords, or PINs—i.e., you only have one right index finger
-
Biometrics are uniquely linkable to a person, increasing the potential for correlating data about an individual
-
The ability to collect biometrics passively (e.g., through photos or video images) requires safeguards to protect consent
While legal measures (e.g., prohibiting the use of biometrics collected for the ID system for unauthorized surveillance or forensics) and technical controls (e.g., encryption of biometrics when stored and in transit) can improve the security of this data, no system is foolproof. For example, even if biometrics are stored as encrypted templates in order to eliminate the possibility of a thief accessing the original images, there is still the possibility that synthetic biometric images can be reconstructed from templates (see, for example Chu et al. 2012 and Cao & Jain 2015). (For this reason, keeping centrally-stored biometrics as templates does not substantially increase security; conversely keeping centrally-stored biometrics as images has additional benefits, such as the ability to generate new templates with a different algorithm). With improvements in artificial intelligence (AI) and machine learning, the ability to spoof biometrics is likely to become easier over time.
Therefore, although it may be more difficult to steal a biometric than a password, the potential consequences of this theft—e.g., the inability to reissue a biometric and the inherent linkability of the data—may be more severe. Practitioners must fully weigh these risks against the potential benefits of using biometric recognition.