Know and understand biometrics including the use of biometric data

Published by Patrick Mutisya · 14 days ago

ICT 0417 – Safety and Security: Biometrics

What is Biometrics?

Biometrics is the scientific measurement and statistical analysis of people's physical and behavioural characteristics. These characteristics are used to verify a person's identity.

Common Types of Biometric Data

  • Physiological: fingerprint, iris/retina, facial features, hand geometry, DNA.
  • Behavioural: voice pattern, typing rhythm, gait, signature dynamics.

How Biometric Systems Work

  1. Enrollment: The user’s biometric trait is captured and stored as a template.
  2. Storage: Templates are saved in a secure database or on a smart card.
  3. Verification/Identification: The presented biometric sample is compared with the stored template(s) using a matching algorithm.
  4. Decision: If the similarity score exceeds a predefined threshold, access is granted; otherwise, it is denied.
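The four steps above, as an added worked example (not part of the original notes): a toy verification system in which a "sample" is a made-up feature vector, the stored template is its normalised form, matching is cosine similarity, and the decision is a threshold comparison. The feature extractor, the vector values and the threshold are all constructed for illustration and are not how any real sensor works.

```python
from typing import Dict, List, Optional, Tuple

Vector = List[float]


def extract_features(raw_sample: Vector) -> Vector:
    """Step 1/3 helper (assumed extractor): normalise a raw feature vector to
    unit length so that samples of different strength compare fairly."""
    norm = sum(x * x for x in raw_sample) ** 0.5
    if norm == 0:
        raise ValueError("sample carries no features")
    return [x / norm for x in raw_sample]


def similarity(a: Vector, b: Vector) -> float:
    """Matching algorithm (assumed): cosine similarity of two unit vectors.
    1.0 means identical; values near 0 mean unrelated."""
    if len(a) != len(b):
        raise ValueError("templates have different lengths")
    return sum(x * y for x, y in zip(a, b))


class BiometricSystem:
    """Holds enrolled templates and performs verification / identification."""

    def __init__(self, threshold: float) -> None:
        # Step 4: the predefined decision threshold on the similarity score.
        self.threshold = threshold
        # Step 2: in-memory template store standing in for the secure database.
        self._templates: Dict[str, Vector] = {}

    def enroll(self, user_id: str, raw_sample: Vector) -> None:
        """Step 1: capture the trait and store it as a template."""
        self._templates[user_id] = extract_features(raw_sample)

    def verify(self, user_id: str, raw_sample: Vector) -> Tuple[bool, float]:
        """Step 3 (1:1 verification) plus step 4: compare the presented sample
        with the claimed user's template and return (decision, score)."""
        template = self._templates.get(user_id)
        if template is None:
            # Unknown claimant: deny without leaking whether the id exists.
            return False, 0.0
        score = similarity(extract_features(raw_sample), template)
        return score >= self.threshold, score

    def identify(self, raw_sample: Vector) -> Optional[str]:
        """Step 3 (1:N identification): search every template and return the
        best-matching user, or None if no template clears the threshold."""
        probe = extract_features(raw_sample)
        best_id, best_score = None, self.threshold
        for user_id, template in self._templates.items():
            score = similarity(probe, template)
            if score >= best_score:
                best_id, best_score = user_id, score
        return best_id


if __name__ == "__main__":
    # Constructed vectors: a second reading from the same person is close to
    # the enrolled one; an impostor's reading is not.
    system = BiometricSystem(threshold=0.95)
    system.enroll("alice", [1.0, 0.2, 0.1, 0.0])
    print(system.verify("alice", [0.9, 0.25, 0.1, 0.05]))   # accepted
    print(system.verify("alice", [0.1, 0.9, 0.3, 0.2]))     # rejected
    print(system.identify([0.9, 0.25, 0.1, 0.05]))          # 'alice'
```

Lowering the threshold makes the system more forgiving of noisy readings (fewer false rejections) at the price of accepting more impostors; the two error rates are discussed under Disadvantages and Risks.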

Advantages of Using Biometrics

  • Provides a high level of assurance – traits are unique to individuals.
  • Convenient – no need to remember passwords or carry tokens.
  • Reduces risk of lost or stolen credentials.
  • Can be combined with other controls for multi‑factor authentication.

Disadvantages and Risks

  • Biometric data, once compromised, cannot be changed like a password.
  • False Acceptance Rate (FAR) and False Rejection Rate (FRR) can affect reliability.
  • High initial cost for hardware and software.
  • Potential privacy concerns and legal restrictions.

Security Considerations

When implementing biometric systems, consider the following safeguards:

  • Encrypt biometric templates both at rest and in transit.
  • Store templates in a tamper‑evident, access‑controlled database.
  • Use liveness detection to prevent presentation attacks (e.g., fake fingerprints).
  • Regularly audit and update matching algorithms to maintain accuracy.

Privacy and Legal Issues

Many jurisdictions have specific legislation governing the collection, storage, and use of biometric data (e.g., GDPR, BIPA). Key principles include:

  • Obtain explicit, informed consent from users.
  • Limit collection to the minimum data required.
  • Provide clear policies on data retention and deletion.
  • Allow individuals to access, correct, or delete their biometric records.

Typical Applications in ICT

  • Secure login to computers and mobile devices.
  • Access control for physical premises (e.g., doors, gates).
  • Time‑and‑attendance tracking.
  • Banking and financial services (e.g., ATM authentication).
  • Healthcare – patient identification and record access.

Comparison of Common Biometric Methods

Method              | Uniqueness  | Cost        | Typical FAR / FRR                         | Common Uses
--------------------|-------------|-------------|-------------------------------------------|-----------------------------------------------
Fingerprint         | High        | Low–Medium  | FAR ≈ 0.001 %, FRR ≈ 1 %                  | Smartphones, laptops, time‑clock systems
Iris/Retina         | Very High   | High        | FAR ≈ 0.0001 %, FRR ≈ 0.5 %               | High‑security facilities, border control
Facial Recognition  | Medium‑High | Medium      | FAR varies with lighting, FRR ≈ 2‑5 %     | Device unlock, surveillance, airport boarding
Voice               | Medium      | Low–Medium  | FAR ≈ 0.5 %, FRR ≈ 3 %                    | Phone banking, virtual assistants
Hand Geometry       | Medium      | Medium      | FAR ≈ 0.1 %, FRR ≈ 1 %                    | Workplace access control

Steps to Implement a Biometric System in an Organisation

  1. Conduct a risk assessment and define security objectives.
  2. Select the appropriate biometric modality based on user population and budget.
  3. Choose hardware that includes anti‑spoofing features.
  4. Develop policies for data collection, storage, consent, and retention.
  5. Integrate the biometric solution with existing authentication infrastructure (e.g., LDAP, Active Directory).
  6. Train staff and users on proper use and privacy rights.
  7. Run a pilot, evaluate FAR/FRR, and adjust thresholds as needed.
  8. Deploy organisation‑wide, monitor performance, and schedule regular audits.
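Step 7 (run a pilot, evaluate FAR/FRR, adjust thresholds) as an added worked example, not part of the original notes. It assumes the pilot produced two lists of matching scores: genuine attempts (an enrolled user against their own template) and impostor attempts (a user against someone else's template). The score lists are constructed for illustration; a real pilot would have thousands of attempts and far smaller rates than the ones shown here.

```python
from typing import List, Tuple


def far(impostor_scores: List[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor attempts that clear the threshold."""
    if not impostor_scores:
        raise ValueError("no impostor attempts recorded")
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores: List[float], threshold: float) -> float:
    """False Rejection Rate: share of genuine attempts that fall below the threshold."""
    if not genuine_scores:
        raise ValueError("no genuine attempts recorded")
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine: List[float], impostor: List[float],
          candidates: List[float]) -> List[Tuple[float, float, float]]:
    """Evaluate (threshold, FAR, FRR) for every candidate threshold so the
    trade-off can be inspected before a value is fixed."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in candidates]


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          candidates: List[float]) -> float:
    """Threshold at which FAR and FRR are closest (the equal error rate point).
    Ties resolve to the lowest such threshold."""
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def strictest_threshold_within(genuine: List[float], candidates: List[float],
                               max_frr: float) -> float:
    """Highest threshold whose FRR stays within the agreed usability limit:
    the security-first way of 'adjusting thresholds' once a tolerance for
    rejected genuine users has been set."""
    acceptable = [t for t in candidates if frr(genuine, t) <= max_frr]
    if not acceptable:
        raise ValueError("no candidate threshold meets the FRR limit")
    return max(acceptable)


# Constructed pilot data: similarity scores in [0, 1] from the matcher.
GENUINE = [0.98, 0.96, 0.95, 0.93, 0.91, 0.90, 0.88, 0.85, 0.80, 0.72]
IMPOSTOR = [0.20, 0.31, 0.35, 0.42, 0.50, 0.55, 0.60, 0.66, 0.74, 0.83]
CANDIDATES = [i / 100 for i in range(50, 100)]  # 0.50 .. 0.99

if __name__ == "__main__":
    for t, a, r in sweep(GENUINE, IMPOSTOR, [0.70, 0.75, 0.90]):
        print(f"threshold {t:.2f}: FAR {a:.0%}  FRR {r:.0%}")
    print("EER threshold:", equal_error_threshold(GENUINE, IMPOSTOR, CANDIDATES))
    print("strictest with FRR <= 10%:",
          strictest_threshold_within(GENUINE, CANDIDATES, 0.10))
```

A pilot that reports only one of the two rates is not informative: any threshold can drive FAR to zero by rejecting everyone, so the threshold is chosen against an explicit FRR (usability) budget and then FAR is measured at that setting.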

Key Terms

  • Template: Encrypted mathematical representation of a biometric sample.
  • False Acceptance Rate (FAR): Probability that an unauthorized person is incorrectly accepted.
  • False Rejection Rate (FRR): Probability that an authorized person is incorrectly rejected.
  • Liveness Detection: Techniques used to ensure the biometric sample comes from a live person.
  • Multi‑factor Authentication (MFA): Combining biometrics with something the user knows (password) or has (token).

Suggested diagram: Flowchart of a biometric authentication process (Enrollment → Storage → Capture → Matching → Decision).