/What is biometrics?

What is biometric authentication?

It can be said that the key element in a biometric recognition system is the engine used. A biometric engine is understood as the set of mathematical processing implemented in a computer system that allows the recognition of a person based on one or more physiological characteristics.

Two stages are usually defined in all biometric processing.

• Biometric enrolment.
• Biometric matching. The biometric matching process can have two purposes: verification (1:1) or identification (1:N), as described above.

The functioning of each of the steps is explained below.

Biometric registration

Biometric enrolment consists of the generation of a biometric vector from a physiological characteristic of the person. For example, from the face, voice, fingerprint, iris, etc. The following image shows an explanation of the enrolment process for the specific case where the face is used as a biometric factor. In this case, the biometric vector is referred to as face vector.

1. The first step consists of obtaining a photograph containing the person’s face.
2. This image is sent to the biometric engine, which carries out the image processing. This is the most important step, since depending on the technologies used, the biometric engine will be more or less accurate. Later sections detail the evolution of biometric engines from models based on landmarks to current models based on Artificial Intelligence.
3. As a result, the biometric engine obtains a face vector, referenced as (x1, y1, z1…) in the above scheme. The face vector is a mathematical representation of the biometric characteristics of the person.
4. As a result of the enrolment process, the face vector is stored so that it can be used in a subsequent biometric comparison process. The face vector is stored in association with a person identifier. This identifier can be a fully anonymised value (e.g. a hash obtained from the person’s name or ID number).

This storage can be in a centralised database, distributed or even stored on the user’s mobile device.

Biometric comparison

The biometric matching process consists of generating a new face vector from a new capture of the person’s physiological characteristic, and comparing it to the previously stored face vector.

From a technical point of view, it is important to note that it is not pixel-by-pixel images that are being compared, but facial vectors.

The following image shows an explanation of the process for the specific case where the face is used as a biometric factor.

1. The first step consists of obtaining a new photograph containing the person’s face.
2. This image is sent to the biometric engine, which carries out the image processing.
3. As a result, the biometric engine obtains a face vector referenced as (x2, y2, z2…) in the above scheme.
4. The user identifier associated to the vector is obtained. This allows finding in the database the previously stored face vector, referenced as (x1, y1, z1…) in the previous scheme.
5. Subsequently, a comparison between the two previous vectors is carried out. The vector matching process does not involve the use of advanced technology. From a mathematical point of view, the cosine rule is usually used to determine how far apart the two vectors are.
6. Finally, the distance between vectors obtained in the previous point is normalised to represent the level of similarity between the compared vectors. In this way, vectors that are close to each other will obtain a high level of similarity. That is, they represent situations where the biometric comparison is successful. On the contrary, vectors that are far apart will obtain a low level of similarity. That is, they represent situations where the biometric comparison is not successful.

Evolution of biometric engines

To understand the above, it is necessary to distinguish between two types of biometric engine models.

• Old-school or minutiae biometric models.
• AI-based biometric models.

In both scenarios, a face vector is obtained from the biometric characteristic of a person, as explained above for the enrolment and matching processes, although the characteristics of this vector are totally different in terms of security, accuracy and privacy.

Modern AI-based biometric engines are 100 times more accurate than minutiae-based engines. They are also more accurate than people carrying out the facial recognition process. While the probability of error is not zero, the accuracy values achieved can exceed 99.999% accuracy, as will be discussed below.

Additionally, AI-based biometric engines have led to advances in terms of ensuring data protection and user privacy. Leading-edge biometric technologies that have reached the so-called “state of the art” have basic characteristics per se that make them private by design.

Biometric minutiae or “old-school” models

Old-school’ biometric engines were the most widespread until 2017 and are based on ‘landmarks’ or characteristic points to recognise, for example, a face.

This method involves taking measurements between multiple biometric feature points, such as a facial image. This is where the name bio-metrics comes from.

However, this type of modelling may entail a risk for data protection, since a person with the necessary knowledge of the system may be able to interpret the measurements represented by the characteristic points of the subject’s face (e.g. being a facial image: the distance between the eyes, between the ears, etc.), and thus obtain an estimate of the original image. And therefore, with this information, it might be possible to reconstruct the original image and identify the subject.

Moreover, these systems are mostly standardised, which means that their operation can be known by anyone (e.g. through the standard defined by ISO 19.785 – Information Technology Common Biometric Exchange Formats Framework).

While this makes these technologies interoperable (such as fingerprint recognition systems), it has security implications. An attacker who has access to the face vector generated by an “old-school” system could try to use that face vector for authentication in a different system that is interoperable with the first one. To mitigate this risk, the face vector can be encrypted.

Modern AI-based biometric models

The General Data Protection Regulation (EU Regulation 2016/679) sets out in Article 25 the principles of data protection by design and by default. 

These principles seek to ensure that, taking into account the state of the art, the costs and the nature, scope, context and purposes of the processing, and the risks that may arise, the most appropriate technical and organisational measures are implemented to ensure data protection principles and to protect the rights of data subjects. 

This can take many forms, but biometric recognition undoubtedly refers to the use of advanced and state-of-the-art technologies that provide a high level of protection, i.e. the “state of the art” technology in this field.

Additionally, data protection must be taken into consideration in the design of AI-based biometric engines, so that they incorporate technological elements that provide a sufficient guarantee for privacy.

Companies developing state-of-the-art technology have moved away from “old-school” models to models based on Artificial Intelligence and, more specifically, neural networks. The NIST, in the USA, evaluates the quality of the same, in November 2023, 539 algorithms evaluated.

Facial vectors generated with Artificial Intelligence have the following characteristics.

• Private: It is not possible to know who the vector represents simply by having access to it.
• Irreversible: It is not possible to retrieve the photo of the person from an AI-generated face vector.
• Non-interoperable: It is not possible to use a face vector generated by one manufacturer in the biometric engine of another manufacturer. Additionally, the face vector generated by one biometric model is incompatible with another version of the biometric model, even from the same manufacturer. Face vectors generated for one client and use case are also incompatible with vectors generated for another client.
• Encryption: The vector is encrypted with a unique key for each version, model and client.
• Revocable: It is possible to cancel and update the face vector in case a vector database is compromised.
• It does not include additional information about the person (health status, mood, gender, etc.) and does not allow inferences to be made about these characteristics.

The following sections elaborate on the characteristics of AI-based face vectors.

There are independent international bodies that evaluate biometric systems. NIST (National Institute of Standards and Technology) is a federal agency within the US Department of Commerce. NIST’s mission is to promote innovation and industrial competitiveness by advancing standards in ways that improve economic security and quality of life. 

It is the international benchmark for evaluating and classifying biometric engines. The presence in this classification serves to compare the performance of the biometric engine in different categories.

In the field of facial biometrics, the report of 21 November 2023 (see report) shows the evaluation of 539 biometric engines from 337 manufacturers, where it is estimated that almost all the systems evaluated are based on Artificial Intelligence.

The accuracy levels achieved with a model using Artificial Intelligence are much higher than those obtained by a landmark-based biometric system. For example, the evaluation of the best landmark-based biometric models obtain an accuracy of 95% in the LFW database while AI-based systems obtain accuracies above 99% and use other more complex databases to assess their accuracy (see evaluation).

Biometric authentication: technical explanation

In the following, the operation of AI-based biometric engines for vector generation is explained, with particular reference to the case of facial biometrics.

1. Obtaining a photograph of the person, containing the face.
2. Detection of the face in the previous image, and extraction of the face of interest, usually by cropping a segment of the image obtained in the previous point.
3. Normalisation of this to a lower resolution image (100×100 pixels, for example). At this stage, transformations can be applied to the image to improve its frontality and thus reduce the variability due to the specific context of the capture.
4. Processing of the previous image in a neural network. The internal processing of the neural network consists of a composition of non-linear functions that transform the image at each step of the algorithm. For example, an architecture known as ResNet101 could be used. This would have 101 components or processing stages. At each stage of the algorithm, the dimensionality of the image is reduced until it is transformed into a mathematical vector.

This vector typically has 512 components. That is, just as traditional physical space is defined by 3-dimensional vectors (x, y, z, or latitude, longitude and altitude), the space in which the face vector is defined has 512 dimensions.

As in physical space, the face vector indicates a specific direction in space. The specific direction in space is unique for each person.

A visual representation of this idea can be seen in the following image. In this example, images less than 100 km away belong to the same person. On the other hand, images more than 100 km away belong to different people. The closer the images are to each other, the more confidence there is that they belong to the same person.

It is important to note that in order to compare the similarity between two people it is not necessary to store the images. In this example, the images are used as a visual resource, but the most correct visualisation is actually the one in which only facial vectors are compared.

What is a biometric proof of identity?

It is important to note that the security of the biometric proof of identity is increased if the capture of the biometric characteristic is controlled.

In facial biometrics, this refers to the taking of a selfie-like photograph at the very moment when the user carries out an enrolment and verification process.

When the capture is integrated into the process, it ensures that the user cannot provide previously taken or even manipulated samples. It is also ensured that the person does not use a photograph available on social networks, or synthetically generated through generative Artificial Intelligence.

Additionally, the capture can be complemented with a request for an active action by the individual. This allows for a confirmation of the person’s willingness to perform this process (e.g. by asking them to move their head, this prevents the selfie from being taken automatically without their knowledge).

In relation to international standards, ISO 29.794-5 Information Technology-Biometric sample quality aims to define and specify methodologies for the calculation of objective and quantitative quality scores for facial images.

On the other hand, ISO 19.794-5 Information technology – Biometric data interchange formats specifies an enrolment format for storing, recording and transmitting the information of one or more facial images or a short video stream, as well as constraints, properties, attributes and best practices of facial images.

In any case, AI-based facial biometrics technologies can perform biometric matching on images that do not comply with the requirements of the above ISOs.

What are the main types of biometrics?

The assessment and choice of the type of biometric system to be used (facial recognition, voice, fingerprint, etc.) must be made for each case of use, taking into account its particularities. And, in particular, it must take into account the ease of the means of capture, as well as accessibility by all groups.

• For example, facial biometrics requires the use of a camera to capture the data, which can be a mobile phone, tablet, computer or any other type of camera integrated with the system.
• Voice biometrics, on the other hand, requires a microphone to record the audio, whether from a mobile device, computer, etc.
• For fingerprint biometrics, a high-resolution sensor or camera is required to read the fingerprint; this sensor can be embedded in a device, as is the case with mobile phones.

The choice of the biometric or set of biometric data used determines the accessibility and scope of the identification system. A facial biometric system is accessible to virtually all individuals, regardless of potential health problems or physical characteristics (e.g. scars), whether temporary or permanent.

Voice biometrics systems are also accessible to a very high percentage of people, with the sole exception of those with hearing or vocal sensory impairments that prevent them from expressing themselves orally.

When the systems are based on fingerprints, they can also be used by a large number of people, the majority of the population, but it must be taken into account that some illnesses and the performance of certain professions or manual jobs deteriorate the fingerprint data, making them difficult to recognise.

In any case, in terms of accessibility, any capture system should adhere to the WCAG 2.2 guidelines and aim to comply with level AA (see reference), as well as Directive (EU) 2016/2102 on the accessibility of websites and mobile applications of public sector bodies (see reference).