The Systems Perspective on Biometrics: Understanding Identification Systems and Addressing Concerns.
What is biometric identification?
Every time you swipe your fingerprint to unlock your phone, ask Siri a question or log into your online banking account with facial recognition software, you’re using biometrics. These systems are an alternative to traditional passwords, which hackers might crack, and are more secure, preventing unauthorized access.
Some biometric modalities, such as fingerprint scanning, iris or retina scans and voice recognition, are commonly used by businesses and government agencies to verify identity. Others, like the shape of an ear or the way someone sits or walks, are less well known.
To be recognised, a person must have been previously recorded (known as enrolment) and a reference database created. Then the biometric system compares captured data to that reference database to confirm a match. A fallback process must also be in place to handle cases where the identifier fails, such as when a person loses their fingerprint or is injured and can’t use their face to log on.
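The enrolment, comparison and fallback steps described above, as an added Python example that is not from the original article: the four-element feature vectors, the cosine-similarity score and the `THRESHOLD` and `MIN_QUALITY` values are assumptions chosen for illustration. A fresh capture is never identical to the stored reference, so the comparison is a similarity score against a threshold rather than an equality test.

```python
import math
from enum import Enum

THRESHOLD = 0.95    # assumed similarity cut-off; real systems tune this per modality
MIN_QUALITY = 0.5   # assumed floor below which a capture is treated as unusable

class Outcome(Enum):
    MATCH = "match"
    NO_MATCH = "no match"
    NOT_ENROLLED = "not enrolled"
    FALLBACK = "fallback"   # hand over to the non-biometric process

def similarity(a, b):
    """Cosine similarity between two feature vectors of equal length."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class ReferenceDatabase:
    def __init__(self):
        self._templates = {}

    def enrol(self, person_id, template):
        """Record a person's reference template; re-enrolment must be explicit."""
        if person_id in self._templates:
            raise ValueError(f"{person_id} is already enrolled")
        self._templates[person_id] = tuple(template)

    def verify(self, person_id, capture, quality):
        """Compare a fresh capture against the claimed person's reference."""
        reference = self._templates.get(person_id)
        if reference is None:
            return Outcome.NOT_ENROLLED
        # Missing or poor capture (injury, worn fingerprint): do not guess,
        # route the person to the fallback process instead.
        if capture is None or quality < MIN_QUALITY:
            return Outcome.FALLBACK
        score = similarity(reference, capture)
        return Outcome.MATCH if score >= THRESHOLD else Outcome.NO_MATCH

# Constructed sample data: four-element feature vectors, not real biometric templates.
db = ReferenceDatabase()
db.enrol("alice", [0.90, 0.10, 0.40, 0.70])
SAME_PERSON = [0.88, 0.12, 0.41, 0.69]    # fresh capture, slightly different
OTHER_PERSON = [0.10, 0.90, 0.70, 0.20]

if __name__ == "__main__":
    for capture, quality in [(SAME_PERSON, 0.9), (OTHER_PERSON, 0.9), (None, 0.0)]:
        print(db.verify("alice", capture, quality).value)
```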
How does it work?
The performance of any biometric identification system depends on the totality of its surrounding environment: other technologies, environmental factors, appeal policies shaped by security, business, or political considerations, and so forth. It is therefore important that systems architects take a systems perspective when designing a biometric application.
Hesitancy: Many people are hesitant to provide physical attributes like fingerprints, as they are worried about them being compromised. Transparency and education are key to addressing this issue.
What are the benefits?
Biometrics are a fast and convenient form of identification that can replace passwords or PINs for online security, such as when accessing an online banking account or applying for government benefits. They can also reduce time spent in front of computers by replacing forms and documents with a quick and seamless verification process.
Biometric identification is less likely to be compromised in a mass cyberattack or large-scale data breach than knowledge-based systems that use passwords, secret questions, and one-time passcodes sent via SMS. Because biometric identifiers are unique to each individual, they present a more challenging target for hackers.
Work group participants slightly favored using facial images over fingerprints, but they emphasized that there are no standards for formatting or “templatizing” raw biometric data (for example, storing only the coordinates of the pattern of lines on a fingernail or the positioning of features in a photograph). Relying on a single modality (such as fingers or faces) would also exclude from the matching process populations whose data works poorly.
What are the legal and ethical concerns?
Biometrics have the potential to be privacy invasive, depending on the context and purpose in which they are used. They may also be subject to legal restrictions; for example, some forms of biometric data are covered by IPP 2.
As with other types of personal information, biometric data must only be collected and disclosed with an individual’s clear and informed consent. This requires that an organisation clearly explain the transaction context and the aims of the collection in a way that is easy for the person to understand.
It is also important that the correct individual is enrolled into a biometric system, which means that good quality, authenticated identity evidence must be presented during enrolment. This ensures that the biometric template is associated with the correct person, and reduces the risk of spoofing by impersonating someone else. Finally, it is essential that the organisation has transparent complaints and enquiry systems, as well as external avenues for redress in case of breaches or problems with a biometric identification solution.