What is Biometric Identification?
We use terminology on a daily basis, sometimes without fully understanding its true meaning. Technology is full of terminology that can even baffle the experts, and one area that often causes confusion is biometric identification and biometric authentication.
Biometric identification answers the question “who are you” and can be applied to both physical and digital scenarios. It is an established solution that is being used in many applications including law enforcement, defense, and border control.
Biometric identification usually applies to a situation where an organization needs to identify a person. The organization captures a biometric from that individual and then searches a biometric repository in an attempt to correctly identify the person. The biometric repository could be managed by a law enforcement agency, such as the Integrated Automated Fingerprint System (IAFIS) run by the FBI in the USA, or be part of a national identity system like India’s UIDAI system.
In the case with IAFIS, the FBI manages a repository that contains fingerprints, facial images, and other physical characteristics, including height, weight, hair, eye color, and even scars and tattoos. The database has more than 70 million criminal records alongside 34 million civil records that law enforcement agents have available on a 24x7x365 basis.
This system is a vital tool in assisting law enforcement agents with their criminal investigations by matching captured biometrics against a repository of known criminals. In this example, matching a captured biometric against a central repository is called a one-to-many match, as the biometric is not indexed.
What is Biometric Authentication?
Biometric authentication asks the question “can you prove who you are” and is predominantly related to proof of identity in digital scenarios. A system will challenge someone to prove their identity and the person has to respond in order to allow them access to a system or service.
Traditionally, the response involves presenting an authenticator, or factor, that is bound to that person. The system would then ask for a secret that the person knows, like a PIN/Password or a one-time-password (OTP) generated by a cryptographic process, or something the person has, such as a private key stored on a smartcard that is used as part of Public Key Infrastructure (PKI) authentication.
Biometric authentication involves use of a factor that is something a person is – a biometric identifier from a person can include a fingerprint, their voice, face, or even their behavior. This biometric is indexed against other identifiers, such as a user id or employee number, with the identifier being matched against a single stored biometric template – one-to-one match.
The biometric can then be used solely in an authentication system – a person touches their finger on a sensor embedded in a smart mobile device, used by the authentication solution as part of a challenge/response system. Is it my finger? Yes, then my smartphone is unlocked, or No it isn’t my finger and the smartphone remains locked.
Or, the biometric can be used as part of a multi factor biometric solution where the biometric is used in conjunction with other authentication factors, like a private key, or as part of a multi-modal biometric system where a combination of biometric modalities are used, such as voice and face.
One of the main differences between biometric identification and biometric authentication is that in identification there is a relatively simple match of a ‘live’ biometric with a stored biometric template. For authentication, the biometric is used as part of a biometric protocol that includes the use of standardized authentication processes including identity proofing, cryptographic protocols, identity assertion, and credential lifecycle management.
Using biometric authentication standards, such as IEEE 2410 Biometric Open Protocol Standard (BOPS), means that organizations are not inadvertently deploying biometric identification systems that are unsuitable as a modern authentication solution. Biometric identification is a mature solution and there is a risk that organizations could deploy a solution that feels like authentication on the surface, but is in fact an identification framework that doesn’t meet their requirements.
Alan Goode is the founder and managing director of Goode Intelligence, an independent research and consultancy company that provides quality advice to global decision makers in business and technology. He is a respected expert in information security and mobile security and has written a number of publications on these subjects.