Biometrics is not a new technology. Governments have used Automated Fingerprint Identification System (AFIS) for national security and in everyday policing since the 1970s and 1980s. With continual advances in computing, we are seeing both an increase in accuracy and a decrease in cost, in addition to the introduction of new and interesting types of biometrics. These trends, combined with widespread acceptance and adoption of devices capable of utilizing biometrics, are seeing a fundamental shift in the biometrics market from a smaller number of big government projects to a huge number of enterprise/commercial projects.
Let’s have a high-level look at what are biometrics, how the commercial use case is different from the government one and what considerations there are when implementing a biometrics system in the enterprise.
What are biometrics?
There are a number of definitions for biometrics and biometric systems; however, some are so vague that they could cover any electronic device that measures a characteristic of a person, like electronic scales or thermometers. As such, we will use this definition:
- Measurable physical and behavioral characteristics that enable the establishment and verification of an individual’s identity
- The process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity. It’s important to note that:
- It is specific to “electronic devices,” (i.e., any human comparison task actually is a forensic process)
- It mentions “establishment and verification” as they are two different processes.
The two different biometric processes are normally defined as:
- Identification (1:N, 1:n, 1 to Many, 1 to Few, watch list, etc.) is where the new biometric is searched against already enrolled biometrics to try and figure out if we have seen this individual before. This can be done with or without the person claiming an identity.
- Verification (1:1) is where the biometric is matched against a single enrolled biometric to confirm that it is the same person. This can only be done against a claimed identity (i.e., I am Derek, verify me).
Government vs. commercial use cases
The majority of government service delivery can be boiled down to:
- Who are you?
- Are you entitled to the service?
- If yes, deliver services.
Strangely enough, even criminal incarceration boils down to this: is the person we are placing in prison the same person who was convicted? Is the person that we are releasing indeed the correct person?
The first step is so fundamentally important that in some government domains, particularly around national/border security, every interaction with people is treated as if it is the first time (e.g., enrollment.) As part of these enrollment processes, the biometrics are used to determine if we have ever seen this individual before, in any context and under any identity. As such, the use of traditional biometrics (e.g., face and finger) are essentially mandatory because we have access to systems like National AFIS, crime scene fingerprints, photos of known or suspected terrorists, etc. Some countries also have the ability to share this information internally or internationally.
In the commercial sense, often the “who are you” part, or identifying the individual, has been done by an organization through the hiring process. This means that the verification in this sense isn’t about verifying it is “Derek Northrope,” but rather verifying whether “Employee 1234” should or should not have access to the information, systems or facilities.
But with a gym locker for example, we may not care about the true identity of the person paying for the service, just that the user opening the locker verifies against the person who paid for the service.
As such, the enrollment tends to be of a trusted source, and the important process is the verification process (i.e., ensuring that the claimed identity matches the enrolled identity and the person has authority to the information, money or facility they are trying to access).
This means that the need to rely on traditional biometrics is removed and, in some instances, the move towards newer types of biometrics that have no possible connection to “big government” and “criminal systems” like vascular, is seen as an advantage.
In addition, a lot of pure Match on Device (MoD) solutions can never perform the identification process during enrollment, so a user may have multiple “identities” on multiple devices using the same biometrics.
So, what sort of things do we need to consider when looking to implement a biometric solution in an enterprise or commercial sense?
The list of things to consider when implementing a biometric system can be quite large, so let’s focus on some of the bigger issues.
- Are there any legal, privacy, cultural or environmental factors that immediately disqualify certain biometrics? For example, non-contact biometrics are better in healthcare settings, while voice biometrics are more prone to error in high noise environments and a work environment may be too cold or too dirty for fingerprints to work.
- Do you need to plug it into a traditional biometric solution, face or fingerprint, ever? If yes, then those traditional biometrics are a given but may not be the only modality selected.
- Know your risk profile(s). The risk of a $5 transaction is very different from a $5 million transaction. So, the cost an organization is willing to spend to secure those transactions is markedly different. Do you have different risk profiles within the target solution, across multiple access channels? Maybe you should consider a multi-modal (more than one biometric type) solution.
- Know that biometrics are probabilistic and not deterministic. A PIN solution has one correct answer and everything else is wrong. Biometrics have a probability that the supplied biometric matches to an enrolled biometric, the yes/no decision is a threshold against that. In some situations, you want to err on the side of caution, physical access control for high secure environments, or err on the side of convince, entering a gym.
- Not all biometric solutions are the same. Some are good at verification only, some are easy to spoof and some are more susceptible to aging than others. There are also significant differences in speed, accuracy and usability not just between biometrics (e.g., face vs iris), but also within a biometric. A single finger swipe on a laptop is not the same as a 10-print live enrollment at border control, even though they are both fingerprints.
The list goes on…
While a lot more answers could be shared based on the organization and its need, it’s important to know what questions to ask when looking at biometrics systems. Remember, not all biometrics systems are created equal.
Derek Northrope is global biometrics community lead for Fujitsu and part of Fujitsu’s security business unit. He has over 15 years’ experience in biometrics and identity management, including large-scale systems integration and international standards development.