Know and understand biometrics including the use of biometric data

ResourcesSubject NotesInformation Communication Technology ICTLesson Plan

Safety and Security – Recognition Systems (Biometrics)

1. Recognition systems – the wider context

Recognition systems are technologies that identify or verify an object, person or data without human intervention. The IGCSE ICT syllabus lists five main types:

  • Optical Mark Recognition (OMR) – reads marked bubbles on paper (e.g., exam answer sheets).
  • Optical Character Recognition (OCR) – converts printed or handwritten text into editable digital text (e.g., scanning a book).
  • Radio‑Frequency Identification (RFID) – uses radio waves to locate and identify tags attached to objects (e.g., stock‑taking, contactless payment cards).
  • Near‑Field Communication (NFC) – short‑range wireless communication for data exchange (e.g., mobile payments, smart‑card access).
  • Biometrics – uses unique physical or behavioural traits of a person to confirm identity (the focus of this note).

All five systems share the same basic idea – automatic identification – but differ in the type of data they process, the hardware required, and the typical applications. Understanding the whole list satisfies the “recognition systems” learning outcome (6.10) of the syllabus.

2. What is biometrics?

Biometrics is the scientific measurement and statistical analysis of a person’s physical or behavioural characteristics for the purpose of identification (1‑to‑1 verification) or identification (1‑to‑many). It provides a “something you are” factor for authentication.

3. Types of biometric data

  • Physiological (static) traits – fingerprint, iris/retina, facial geometry, hand geometry, DNA.
  • Behavioural (dynamic) traits – voice pattern, typing rhythm, gait, signature dynamics.

4. Components of a biometric system

Component Role in the system
Sensor / Capture device Acquires the raw biometric sample (scanner, camera, microphone, etc.).
Pre‑processing Cleans the sample – removes noise, normalises lighting, filters background sounds.
Feature extraction & template creation Derives a compact, encrypted mathematical representation (the template) from the processed sample.
Matcher Compares the presented template with stored templates using a similarity algorithm.
Database / Secure storage Holds encrypted templates; may be on a server, smart‑card, or secure element.
Decision module Applies a threshold to the similarity score and returns “accept” or “reject”.

5. How a biometric system works – process flow

  1. Enrollment – the user presents the trait; the sensor captures it, extracts features and stores the resulting template.
  2. Capture (verification/identification) – a fresh sample is taken each time the user attempts to log in.
  3. Matching – the temporary template is compared with the stored template(s).
  4. Decision – if the similarity score ≥ the system threshold, access is granted; otherwise it is denied.

6. Mapping the workflow onto the Systems Life‑Cycle (7.1‑7.6)

  1. Analysis – define security objectives (e.g., low FAR for a high‑security lab) and user requirements (speed, ease of use).
  2. Design – choose the biometric modality, sensor type, and decide where templates will be stored (local vs. central).
  3. Development – configure software, implement encryption, and integrate with existing authentication services (LDAP, Active Directory).
  4. Testing – run pilot trials, record FAR/FRR, test liveness detection, and adjust thresholds.
  5. Implementation – roll‑out hardware, train users, and publish policies on consent and data handling.
  6. Evaluation – monitor performance, audit logs, update software/firmware, and re‑enrol users if traits change.

7. Performance metrics (AO3 – analyse & evaluate)

  • False Acceptance Rate (FAR) – probability that an impostor is incorrectly accepted.
  • False Rejection Rate (FRR) – probability that an authorised user is incorrectly rejected.
  • Receiver Operating Characteristic (ROC) curve – plots FAR against FRR for different thresholds, illustrating the security‑usability trade‑off.
  • Template update – periodic re‑enrollment reduces FRR as traits change over time (e.g., ageing fingerprints).

8. Advantages of using biometrics

  • High assurance – traits are intrinsically linked to the individual.
  • Convenient – no passwords or tokens to remember or carry.
  • Reduces risk of lost, stolen or shared credentials.
  • Easy to combine with other factors for Multi‑Factor Authentication (MFA).

9. Disadvantages, risks and usability considerations

  • Biometric data cannot be “reset” if compromised.
  • FAR and FRR must be balanced; overly strict thresholds frustrate users.
  • Initial hardware and software costs can be high.
  • Environmental factors affect performance:
    • Lighting for facial or iris capture.
    • Dirty or wet fingers for fingerprint scanners.
    • Background noise for voice recognition.
    • Footwear or clothing for gait analysis.
  • Privacy concerns and legal restrictions (see Section 11).

10. Security & privacy controls

Technical controls

  • Encrypt templates at rest (e.g., AES‑256) and in transit (TLS/SSL).
  • Store only the template, not the raw image, to minimise data exposure.
  • Apply hashing / cancellable biometrics so a compromised template can be replaced with a new transformed version.
  • Use liveness detection (pulse detection, eye‑movement tracking, skin‑texture analysis) to prevent presentation attacks with fake samples.
  • Implement strict access‑control to the biometric database and maintain audit logs of all read/write operations.
  • Follow data‑minimisation – collect only the traits required for the intended purpose.

Organisational controls

  • Develop clear policies on consent, data retention, and the right to withdraw.
  • Conduct regular privacy impact assessments (PIAs) and security audits.
  • Provide staff training on correct usage, spoof‑prevention, and incident reporting.
  • Maintain a documented incident‑response plan for biometric data breaches.

11. Legal, ethical and organisational issues (eSafety & Data‑Protection)

Link to eSafety & Data‑Protection (IGCSE ICT)
Consent – explicit, informed consent must be obtained before any biometric data is collected.
Right to withdraw – users can request deletion of their templates at any time.
Retention – define a clear retention period; delete templates when no longer needed.
Regulatory frameworks – GDPR (EU), BIPA (Illinois, USA) and similar laws require transparency, accountability and impact assessments.
Ethical use – avoid unauthorised surveillance, discrimination, or use of data for purposes beyond the original agreement.

12. Audience & copyright considerations

When designing a biometric system the target audience influences the choice of modality and the level of user‑interface support. For example, a school attendance system for children aged 11‑16 would likely use a low‑cost fingerprint reader with simple visual cues, whereas a corporate research lab might prefer iris scanners with stricter liveness detection.

Biometric software is subject to copyright and licensing. Schools must verify that any commercial SDK or library used is properly licensed for educational use, and they should keep records of licences in line with the ICT “Copyright and licensing” requirements.

13. Typical ICT applications

  • Device unlock – smartphones, laptops, tablets.
  • Physical access control – doors, gates, turnstiles.
  • Time‑and‑attendance systems.
  • Banking and financial services – ATM authentication, mobile payments.
  • Healthcare – patient identification, secure access to electronic health records.
  • Border control and airport boarding (e‑gates).

14. Comparison of common biometric methods

Method Uniqueness Typical cost Typical FAR / FRR Common uses
Fingerprint High Low–Medium FAR ≈ 0.001 % FRR ≈ 1 % Smartphones, laptops, time‑clock systems
Iris / Retina Very high High FAR ≈ 0.0001 % FRR ≈ 0.5 % High‑security facilities, border control
Facial recognition Medium‑high Medium FAR varies with lighting FRR ≈ 2‑5 % Device unlock, surveillance, airport boarding
Voice Medium Low–Medium FAR ≈ 0.5 % FRR ≈ 3 % Phone banking, virtual assistants
Hand geometry Medium Medium FAR ≈ 0.1 % FRR ≈ 1 % Workplace access control

15. Steps to implement a biometric system in an organisation

  1. Perform a risk assessment and set clear security objectives.
  2. Select the most suitable biometric modality based on user demographics, environment and budget.
  3. Choose hardware with anti‑spoofing / liveness detection features.
  4. Develop policies covering data collection, storage, consent, retention and the right to withdraw.
  5. Integrate the biometric solution with existing authentication infrastructure (e.g., LDAP, Active Directory, SSO).
  6. Provide training for staff and users on correct usage, privacy rights and incident reporting.
  7. Run a pilot, measure FAR/FRR, adjust thresholds and fine‑tune environmental settings.
  8. Roll out organisation‑wide, monitor performance, conduct regular audits and update software/firmware.

16. Practical ICT tasks linked to the syllabus (File management, image editing, layout, styles, proofing, graphs/charts, document production, databases, presentations, spreadsheets, website authoring)

These activities can be used as classroom tasks or exam practice to demonstrate the practical skills required by the IGCSE ICT syllabus.

  1. File management – Create a folder structure for a biometric project (e.g., Enrollment/, Templates/, Logs/) and set appropriate access permissions.
  2. Image editing – Use a raster editor to crop and enhance a fingerprint image before it is fed to a template‑creation tool.
  3. Layout & styles – Design a user‑friendly enrolment form in a word processor, applying consistent heading styles and colour‑coding for required fields.
  4. Proofing – Run spell‑check and accessibility checks on the enrolment policy document.
  5. Graphs / charts – Plot a ROC curve in a spreadsheet using sample FAR/FRR data and interpret the trade‑off.
  6. Document production – Produce a concise privacy impact assessment (PIA) report, inserting a table of legal requirements.
  7. Database – Design a simple relational database (e.g., tables Users, Templates, AuditLog) and write basic SQL queries to retrieve a user’s template.
  8. Presentation – Create a slide deck that explains the biometric workflow, including the flowchart shown in the figure below.
  9. Spreadsheets – Calculate average FAR and FRR from pilot test data, using conditional formatting to highlight values that exceed policy thresholds.
  10. Website authoring – Build a small intranet page (HTML/CSS) that publishes the organisation’s biometric consent form and links to the data‑retention policy.

17. Key terms (quick reference)

  • Template – Encrypted mathematical representation of a biometric sample.
  • False Acceptance Rate (FAR) – Likelihood that an impostor is accepted.
  • False Rejection Rate (FRR) – Likelihood that a genuine user is rejected.
  • Liveness detection – Techniques that verify the sample comes from a living person (e.g., pulse, eye‑movement).
  • Multi‑factor authentication (MFA) – Combining biometrics with something the user knows (password) or has (token).
  • Cancellable biometrics – Transformations that allow a compromised template to be revoked and replaced.
Suggested diagram: Flowchart of a biometric authentication process – Enrollment → Secure storage of template → Capture → Matching → Decision (Accept/Reject).

Create an account or Login to take a Quiz

71 views
0 improvement suggestions

Log in to suggest improvements to this note.