A PRIMER ON BIOMETRICS FOR ID SYSTEMS


The World Bank Group’s Identification for Development (ID4D) Initiative prepared a Primer on Biometrics for ID Systems (Primer) as a reference document for practitioners, civil society organizations, development partners and other stakeholders on the responsible use of biometric recognition in official or government-recognized identification (ID) systems, such as national IDs, civil registration, population registers, and others. Over the past 30 years, countries have increasingly incorporated digital biometric recognition into these ID systems, either as part of identity proofing (de-duplication) and/or to provide verification and authentication to service providers. However, given the specialized and often proprietary nature of most biometric technology, the stakeholders mentioned above have not always had access to information they need to effectively consider the appropriate and responsible use of this technology. The Primer reflects experiences in a range of countries from different regions, with different legal systems, and at different stages of economic development. It also takes into account existing literature, international conventions, and norms and principles. It is based on evolving international good practice, as understood by ID4D.

What is in the Primer?

This Primer aims to help fill this knowledge gap, serving as an introduction to key biometrics-related terms and concepts. It also provides good practices and approaches for determining whether or not biometric recognition is necessary for an ID system and—if so—how to use it responsibly, considering several domains (e.g. technical, deployment, operational, and legal). The Primer includes:

Despite the potential benefits of biometric recognition in detecting duplicate registrations and enabling authentication, including security and inclusion advantages over other authentication methods in some cases, deploying these technologies in ID systems presents various challenges. These challenges range from operational, technical, and legal to ethical considerations and include, for example, data protection, security, performance, inclusion, biometric recognition for children and elderly persons, implementation in harsh environments, technology and vendor selection, literacy, cost, and more.

We hope this Primer will help countries more carefully weigh these potential benefits, challenges, and risks, and where biometric recognition is used, adopt good practices for minimizing risk and safeguarding inclusion and data protection.

What is not in the Primer?

The Primer does not advocate for the use of biometric recognition, or any particular biometric technology. Rather, it provides analysis and approaches for evaluating the use of the technology and design options for various contexts and applications. The use of biometrics for purposes beyond official ID systems—e.g., for the purpose of surveillance, law enforcement, public security—is outside the scope of this Primer. In addition, the Primer does not address the broader security and technological issues involved with ID systems, which are addressed in other materials, including through international standards. As with any system that processes personal data, ID systems are vulnerable to attack or misuse given enough time, resources, and determination. The Primer is not intended to be a guide for planning World Bank operations. There is no guarantee that addressing all the issues raised in this Primer will result in successful use of biometrics in an ID system in a country—that will depend on many factors that must be considered, and which may be different from country to country. While every attempt has been made to be complete, there may be issues affecting the design, establishment or operation of the use of biometrics in an ID system that are not addressed in this Primer, or that are addressed in the context of certain assumptions, facts and circumstances that do not apply equally to every situation. Nothing in this Primer constitutes legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of any of the analyses or recommendations as applied to any particular situation. This Primer is a reference tool only. As a result, when contemplating the use of biometric recognition for an ID system, policymakers, practitioners and other stakeholders must carefully balance these risks, as well as potential benefits and alternatives.

Biometrics in ID Systems Frequently Asked Questions (FAQs)

How are biometrics used in ID systems?

The primary purpose of a biometric system is to use automated recognition technology to accurately
validate the identity of an individual. To do this, biometric systems utilize two phases:

  1. Enrollment or acquisition
  2. Matching and decision

These phases require the following activities:

For more information on the workings of biometric systems, please see Section 1.

What is meant by biometric accuracy, false accepts, and false rejects?

Unlike password-based systems, where a perfect match between two “passwords” is necessary to validate
a user’s identity, a biometric system works probabilistically because two biometric samples are never
identical. Instead, a biometric system generates “scores” based on the level of confidence that two samples
are a match. Because of this probabilistic nature, there is a trade-off between two types of errors:

For more information on biometric performance metrics, please see Section 6.5.
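
The trade-off described in this answer, shown as an added example that is not part of the Primer: moving the decision threshold lowers one error rate while raising the other. The scores, function names and the policy limit are assumptions constructed for illustration.

```python
# Added illustration; the scores below are constructed, not measured data.
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.62, 0.95, 0.71, 0.55, 0.83, 0.90]   # same person
IMPOSTOR = [0.12, 0.30, 0.45, 0.22, 0.58, 0.08, 0.35, 0.66, 0.27, 0.40]  # different people


def is_match(score, threshold):
    """A comparison is accepted when its score exceeds the threshold."""
    return score > threshold


def false_accept_rate(impostor, threshold):
    """Share of different-person comparisons that are wrongly accepted."""
    return sum(is_match(s, threshold) for s in impostor) / len(impostor)


def false_reject_rate(genuine, threshold):
    """Share of same-person comparisons that are wrongly rejected."""
    return sum(not is_match(s, threshold) for s in genuine) / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, false-accept rate, false-reject rate) rows."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def strictest_threshold_within(genuine, impostor, thresholds, max_false_reject):
    """Highest threshold whose false-reject rate stays within a policy limit
    (hypothetical policy parameter); None when no threshold qualifies."""
    ok = [t for t in thresholds
          if false_reject_rate(genuine, t) <= max_false_reject]
    return max(ok) if ok else None


if __name__ == "__main__":
    for t, fa, fr in sweep(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7]):
        print(f"threshold={t:.1f}  false accepts={fa:.0%}  false rejects={fr:.0%}")
    print("chosen:", strictest_threshold_within(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7], 0.1))
```

Raising the threshold from 0.5 to 0.7 removes the false accepts in this sample but rejects two of the ten genuine users, which is where a manual fallback check becomes relevant.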

How do I establish if there is an operational need for integrating biometrics into an ID system?

Establishing a business or operational need involves investigating and documenting the costs, benefits, risks, and alternatives to biometric use. The primary role of biometrics as part of an ID system is increased trust and confidence in a person’s uniqueness and identity and as a potential authentication mechanism. This can be achieved by using biometrics to check for duplicate identities (identification) or using biometrics to validate a person against a previously stored biometric for that individual (e.g., for authentication during transactions). The requirements for each of these functions will be unique to the local environment, and benefits must be balanced against the costs and risks (both security and privacy)—such as those related to data protection and privacy, inclusivity and non-discrimination—both of the biometric systems and potential alternatives (e.g., relying on existing forms of identification and demographic deduplication for identity proofing).

Such an evaluation should be done during the project planning phase, and involve technical and legal experts, as well as consultations with the public and other potential stakeholders (e.g., the relying parties who will use the system for identity services).

What is the difference between enrollment, verification (1:1), identification (1:N), and deduplication?

Biometric recognition involves several distinct processes:

The verification process is where a captured biometric is compared against a single individual’s existing biometric data within a database or stored on a credential. This is known as a one-to-one match (1:1). This comparison produces a match score that is indicative of the likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system-defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.

What is the difference between biometric and non-biometric identification and deduplication?

Enrollment in an ID system occurs through users providing their biographic data for registration. That captured data can then be compared against the enrollment database to ensure that the person is not already enrolled. Deduplication can be performed by comparing biometric data, biographic data, or a combination of both. The deduplication process lowers the risk of identity fraud by helping prevent people from obtaining multiple identities within an ID system that seeks to establish the uniqueness of enrollees, such as most foundational ID systems. Biometric deduplication is used globally in over 130 developed and developing countries as part of the issuance process for national IDs, population and civil registers, or similar foundational ID systems.

For more information on biometric applications, please see Section 1.3.

What is the difference between biometric and non-biometric authentication and verification?

The verification process is where captured data is compared against a single individual’s existing data within a database. This is known as a one-to-one match (1:1). Verification can be performed by comparing biometric data, biographic data or a combination of both. Where biometrics are used, this comparison produces a match score that is indicative of the likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system-defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator. Non-biometric authentication uses either something you know (e.g., passwords or personal identification numbers [PINs]) or something you have (e.g., a smart card or passport).

For more information on biometric applications, please see Section 1.3.

What modality or modalities of biometrics can be used for an ID system?

A variety of different biometrics can be used in ID systems; however, the most commonly used traits are fingerprint and iris for identity deduplication, as well as face for identity verification.

Fingerprints are currently the most commonly used modality for biometric recognition in systems such as foundational IDs. This technology relies on the unique minutiae of a fingerprint and requires specific technology (fingerprint readers) for use. A fingerprint pattern under normal circumstances is permanent and unchanging; however, there are factors that can influence the quality of a person’s fingerprints such as employment types, age, and some medical conditions.

Iris recognition is a highly accurate and automated method of biometric identification of someone’s unique and stable eye patterns using pattern-recognition techniques on video. In comparison to other biometric modalities, iris recognition may also provide better protection against spoofing and other attacks. The distinct iris pattern is made up of a number of features within the eye muscle, such as collagenous fibres, crypts, colour, rifts, and coronas. The high stability of the modality is based on the iris pattern’s minimal change from formation prior to birth through the first two years of life.

Facial recognition technology (FRT) has undergone a technology revolution over the last five years. The greatly increased accuracy of FRT has led to the widespread adoption of FRT solutions for both foundational and functional types of ID systems particularly for 1:1 verification against a mobile device. This biometric technology is well-developed, and commonly engaged for many different use cases. For example, FRT is a fundamental component of international passport usage through International Civil Aviation Organization (ICAO) standards for e-passports and is commonly used as part of the passport issuance process. Smartphone devices and applications are increasingly using FRT to verify owners or users, which is leading to growing acceptance. However, there are some specific data protection and discrimination risks related to FRT---particularly when used for 1:N matching---due to the widespread availability of photos online, the ability to capture facial images at a distance, the increasing use of FRT for law enforcement, and bias in facial matching algorithms.

For more information on different biometric modalities, please see Sections 2, 3 and 4.

What are the pros and cons of a multi-modal ID system?

The process of fusing (i.e., combining) different sources of information is called multibiometric or multimodal biometrics. It is particularly relevant for large-scale biometric identification and de-duplication systems with millions of enrollment records (for example the foundational ID systems used in India, the Philippines, and Indonesia). There are two major benefits to multibiometric recognition:

  1. Improved matching performance. Using multiple sources of biometric information will improve the overall matching performance leading to a lower FMR and FNMR. In particular for large-scale identification (e.g., de-duplication) systems, the use of multiple biometric sources is often required to yield an acceptable identification performance.
  2. Better inclusion and fault tolerance. Combining different biometric traits will ensure that the system can still be used even when certain biometric data is not available or unreliable because of low quality. The improved acquisition performance (i.e., better FTE, FTA, and FTC) will improve the fault tolerance and inclusion rate of individuals that are to be enrolled in a biometric system.
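
Both benefits can be seen in a small added example (not part of the Primer): score-level fusion of fingerprint and iris scores, with a fallback when one trait is missing, plus the reason 1:N searches over millions of records need a very low FMR. The scores, the 0.6 threshold, the function names and the independence assumption in the last function are assumptions made for illustration.

```python
# Added illustration; scores are constructed, not measured data.
# Each pair is (fingerprint score, iris score); None = trait could not be captured.
GENUINE = [(0.90, 0.80), (0.55, 0.90), (0.85, 0.50),
           (0.70, 0.75), (None, 0.88), (0.65, 0.70)]
IMPOSTOR = [(0.20, 0.10), (0.65, 0.15), (0.30, 0.64),
            (0.10, 0.25), (0.58, 0.20), (0.25, 0.40)]
THRESHOLD = 0.6  # assumed operating point


def finger(pair):
    return pair[0]


def iris(pair):
    return pair[1]


def fused(pair):
    """Score-level fusion: mean of whichever traits were captured."""
    present = [s for s in pair if s is not None]
    return sum(present) / len(present) if present else None


def error_rates(score_of, genuine=GENUINE, impostor=IMPOSTOR, threshold=THRESHOLD):
    """Return (FMR, FNMR) for one scoring rule.

    A missing score cannot match; for simplicity it is counted with the
    false non-matches here, although strictly it is a failure to acquire.
    """
    def accepted(pair):
        score = score_of(pair)
        return score is not None and score > threshold

    fmr = sum(accepted(p) for p in impostor) / len(impostor)
    fnmr = sum(not accepted(p) for p in genuine) / len(genuine)
    return fmr, fnmr


def p_any_false_match(fmr, gallery_size):
    """Chance that a single 1:N search returns at least one wrong record,
    assuming every comparison is independent (a simplification)."""
    return 1 - (1 - fmr) ** gallery_size


if __name__ == "__main__":
    for name, rule in (("finger", finger), ("iris", iris), ("fused", fused)):
        print(name, error_rates(rule))
    for fmr in (1e-6, 1e-9):
        print(f"FMR={fmr:g}, N=1,000,000 -> {p_any_false_match(fmr, 1_000_000):.4f}")
```

In this sample each single trait makes at least one error of each kind, while the fused score makes none and still handles the enrollee whose fingerprint could not be captured.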

Improvements of multibiometric systems also come at a cost, in terms of added complexity, lower acquisition throughput, or increased price. For example, capturing multiple samples of the same finger will add complexity and increase the effort of the acquisition process. In addition, capturing fingerprints from different fingers may require more expensive fingerprint scanners or the use of multiple biometric traits may require additional capture devices increasing the overall cost of the system. Also, multibiometric systems will require additional storage capacity and increased bandwidth and computation resources.

Given the unique sensitivity of biometric data used for identification purposes, such data should only be collected where necessary for a narrowly defined and lawful purpose. Collecting more biometric data than necessary to establish uniqueness or for a specific use case would, therefore, not be justifiable and goes against general data minimization principles. The potential for re-identification through linked data is also increased as there is more personal data being stored.

For more information on multimodal systems, please see Section 4 of the Primer.

Where can I find information about the potential drawbacks for a particular modality?

Fingerprints: Infants and small children that have not fully developed cannot yet have their fingerprint taken, and aging results in the loss of collagen, making the skin loose and dry, negatively affecting the quality of fingerprints acquired by sensors. Manual laborers and persons with disabilities may also have difficulty with fingerprints. Furthermore, risks and challenges in the use of fingerprint recognition include a wide array of spoofing possibilities, universal master print attacks, replay attacks (where stolen fingerprint data is sent to the host remotely) or other kinds of attacks.

Face: Unlike other biometric modalities such as fingerprint or iris, facial images are easily available in high volume online through social media channels and can be silently acquired at a distance by cheap equipment (CCTV, smartphones). Facial characteristics can also be used to identify race, gender, ethnicity, and other characteristics that could potentially be used to discriminate or otherwise cause harm. Facial images can be easily captured and matched with the subject from which the biometric was taken without any action or knowledge required directly by the subject. Face recognition algorithms can show varying degrees of bias against certain demographics of a population if they have not been trained on a sufficiently diverse gallery of face images.

Iris: Iris systems can be expensive to implement, requiring relatively niche capture devices. Capture for iris systems is more controlled than some other modalities. Potential issues include eye rotation, pupil dilation, occlusion, movement, environment, eyelash obscuration, glare and height. Iris may also exclude subsets of the population, including those with common medical conditions such as cataracts and glaucoma and those that commonly use glasses or contact lenses as well as people with albinism. Additionally, there is the potential for a higher failure to acquire for younger subjects and some racial sub-groups have little visible iris structure which may make capture difficult.

Voice: An individual’s unique voice print can be used for verification, validation, and authentication purposes but is generally not reliable for 1:N identification or deduplication. An individual’s voice print can change over time and due to several factors, such as sickness, environmental conditions, etc. Regular updates of individuals’ voice samples are therefore generally necessary for voice recognition systems.

For more information on modality specific risks, please see Sections 2, 3 and 4.

How can biometric data be protected to help mitigate data protection and security risks?

Like other sensitive personal data, biometrics must be adequately protected from theft and misuse through a combination of legal, technical, and operational measures.

Technical mitigation methods include:

Operational mitigation methods include:

A comprehensive legal and regulatory framework will include data protection measures including:

For more information on mitigation methods, please see Sections 5, 6 and 7.