About This Primer
The World Bank Group’s Identification for Development (ID4D) Initiative prepared a Primer on Biometrics for ID Systems (Primer) as a reference document for practitioners, civil society organizations, development partners and other stakeholders on the responsible use of biometric recognition in official or government-recognized identification (ID) systems, such as national IDs, civil registration, population registers, and others. Over the past 30 years, countries have increasingly incorporated digital biometric recognition into these ID systems, either as part of identity proofing (de-duplication) and/or to provide verification and authentication to service providers. However, given the specialized and often proprietary nature of most biometric technology, the stakeholders mentioned above have not always had access to information they need to effectively consider the appropriate and responsible use of this technology. The Primer reflects experiences in a range of countries from different regions, with different legal systems, and at different stages of economic development. It also takes into account existing literature, international conventions, and norms and principles. It is based on evolving international good practice, as understood by ID4D.
What is in the Primer?
This Primer aims to help fill this knowledge gap, serving as an introduction to key biometrics-related terms and concepts. It also provides good practices and approaches for determining whether or not biometric recognition is necessary for an ID system and—if so—how to use it responsibly, considering several domains (e.g. technical, deployment, operational, and legal). The Primer includes:
- Answers to frequently asked questions (FAQs) by practitioners during the design and implementation of incorporating biometrics in ID systems (note: there is a user-friendly list of FAQs in the appendix);
- An overview of how biometric recognition can be used in ID systems as part of the registration process and to provide people with proof of identity;
- Guidance on the responsible use of biometrics that are aligned with the Principles on Identification for Sustainable Development and data protection/privacy-by-design approaches; and
- Good practices for incorporating biometrics in ID systems in ways to ensure accessibility, inclusivity, security, and sustainability.
Despite the potential benefits of biometric recognition in detecting duplicate registrations and enabling authentication, including security and inclusion advantages over other authentication methods in some cases, deploying these technologies in ID systems presents various challenges. These challenges range from operational, technical, and legal to ethical considerations and include, for example, data protection, security, performance, inclusion, biometric recognition for children and elderly persons, implementation in harsh environments, technology and vendor selection, literacy, cost, and more.
We hope this Primer will help countries more carefully weigh these potential benefits, challenges, and risks, and where biometric recognition is used, adopt good practices for minimizing risk and safeguarding inclusion and data protection.
What is not in the Primer?
The Primer does not advocate for the use of biometric recognition, or any particular biometric technology. Rather, it provides analysis and approaches for evaluating the use of the technology and design options for various contexts and applications. The use of biometrics for purposes beyond official ID systems—e.g., for the purpose of surveillance, law enforcement, public security—is outside the scope of this Primer. In addition, the Primer does not address the broader security and technological issues involved with ID systems, which are addressed in other materials, including in through international standards. As with any system that processes personal data, ID systems are vulnerable to attack or misuse given enough time, resources, and determination. The Primer is not intended to be a guide for planning World Bank operations. There is no guarantee that addressing all the issues raised in this Primer will result in successful use of biometrics in and ID system in a country—that will depend on many factors that must be considered, and which may be different from country to country. While every attempt has been made to be complete, there may be issues affecting the design, establishment of operation of the use of biometrics in an ID system that are not addressed in this Primer, or that are addressed in the context of certain assumptions, facts and circumstances that do not apply equally to every situation. Nothing in this Primer constitutes legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of any of the analyses or recommendations as applied to any particular situation. This Primer is a reference tool only. As a result, when contemplating the use of biometric recognition for an ID system, policymakers, practitioners and other stakeholders must carefully balance these risks, as well as potential benefits and alternatives.
The primary purpose of a biometric system is to use automated recognition technology to accurately validate the identity of an individual. To do this, biometric systems utilize two phases:
- Enrollment or acquisition
- Matching and decision
and require the following activities:
- Acquisition or collection of the biometric
- Comparison of the biometric to one or more enrolled individuals
- The use of a matching algorithm to make a decision on identity
For more information on the workings of biometric systems, please see Section 1.
Unlike password-based systems, where a perfect match between two “passwords” is necessary to validate a user’s identity, a biometric system works probabilistically because two biometric samples are never identical. Instead, a biometric system generates “scores” based on the level of confidence that two samples are a match. Because of this probabilistic nature, there is a trade-off between two types of errors:
- False accept rate (FAR). The false accept rate is the proportion of verifications with wrongful claims of identity that are incorrectly confirmed. For example, during a verification transaction, if an impostor fingerprint happens to look sufficiently like the one enrolled, the algorithm decides that they are highly likely to be from the same characteristic and incorrectly verifies the user as the valid identity. This is a false accept as an impostor has been allowed access.
- False reject rate (FRR). The false reject rate is the proportion of verification transactions with truthful claims of identity that are incorrectly denied. For example, during a verification transaction, if the finger is placed on the sensor such that only part of the fingerprint is visible and the algorithm incorrectly fails to verify the user, this is known as a false reject, as the legitimate user has been denied access.
For more information on biometric performance metrics, please see Section 6.5.
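The FAR/FRR trade-off described above can be made concrete by sweeping the decision threshold over comparison scores. The following is an added example, not code from the Primer: the genuine and impostor score lists are constructed, the accept rule (score at or above the threshold) and the function names are assumptions made for the illustration.

```python
# Added example (not from the Primer): sweeping a decision threshold over
# constructed genuine and impostor comparison scores to show the FAR/FRR trade-off.

# Constructed scores in [0, 1]; higher means "more similar".
# Genuine = same person compared against their own enrollment,
# impostor = a different person compared against that enrollment.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.28, 0.35, 0.41, 0.48, 0.53, 0.58, 0.63, 0.71]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for the rule 'accept when score >= threshold'."""
    false_accepts = sum(1 for s in impostor if s >= threshold)   # impostors let in
    false_rejects = sum(1 for s in genuine if s < threshold)     # real users turned away
    return false_accepts / len(impostor), false_rejects / len(genuine)


def candidate_thresholds(genuine, impostor):
    """Every observed score is a point where FAR or FRR can change."""
    return sorted(set(genuine) | set(impostor))


def sweep(genuine, impostor):
    """List of (threshold, FAR, FRR) rows in ascending threshold order."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in candidate_thresholds(genuine, impostor)]


def operating_threshold(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, as (t, FAR, FRR).

    Raising the threshold buys a lower FAR at the price of a higher FRR, so the
    lowest qualifying threshold is the most inclusive setting for that FAR target.
    """
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def equal_error_point(genuine, impostor):
    """Row where FAR and FRR are closest (the equal-error-rate operating point)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("strictest (FAR 0):", operating_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("FAR <= 10%:", operating_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
    print("EER point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores, driving FAR to zero costs a 40% false reject rate, which is the kind of inclusion impact a system owner has to weigh when fixing a threshold.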
Establishing a business or operational need involves investigating and documenting the costs, benefits, risks, and alternatives to biometric use. The primary role of biometrics as part of an ID system is increased trust and confidence in a person’s uniqueness and identity, and as a potential authentication mechanism. This can be achieved by using biometrics to check for duplicate identities (identification) or using biometrics to validate a person against a previously stored biometric for that individual (e.g., for authentication during transactions). The requirements for each of these functions will be unique to the local environment, and benefits must be balanced against the costs and risks (both security and privacy)—such as those related to data protection and privacy, inclusivity and non-discrimination—both of the biometric systems and of potential alternatives (e.g., relying on existing forms of identification and demographic deduplication for identity proofing).
Such an evaluation should be done during the project planning phase, and involve technical and legal experts, as well as consultations with the public and other potential stakeholders (e.g., the relying parties who will use the system for identity services).
Biometric recognition involves several distinct processes:
- Enrollment is the process by which individuals are processed and their identity data is recorded into the ID system. This usually requires the individual to provide a strong link to their identity through one or more pieces of existing original documentation such as a birth certificate, driver’s license, or passport or possibly a qualified "introducer" for persons without documentation. Biometrics are captured at this point to establish a link, sometimes known as biometric binding, between the biometrics and the person.
- The identification process is where a captured biometric is compared against multiple individuals’ existing biometric data within a database. This is known as a one-to-many match (1:N). This generates a list of the most likely match candidates, usually ordered by their similarity. The position of a candidate in this list is known as the rank, with the top candidate (most similar) known as rank 1.
- Biometric deduplication uses an identification process to compare captured data against the enrollment database to ensure that the person is not already enrolled, preventing duplicates of the biometric identity data from being enrolled into a system’s database.
- The verification process is where a captured biometric is compared against a single individual’s existing biometric data within a database or stored on a credential. This is known as a one-to-one match (1:1). This comparison produces a match score that is indicative of likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.
Enrollment in an ID system occurs through users providing their biographic data for registration. That captured data can then be compared against the enrollment database to ensure that the person is not already enrolled. Deduplication can be performed by comparing biometric data, biographic data, or a combination of both. The deduplication process lowers the risk of identity fraud by helping prevent people from obtaining multiple identities within an ID system that seeks to establish the uniqueness of enrollees, such as most foundational ID systems. Biometric deduplication is used globally in over 130 developed and developing countries as part of the issuance process for national IDs, population and civil registers, or similar foundational ID systems.
For more information on biometric applications, please see Section 1.3.
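The 1:N identification and deduplication steps described above, as an added example that is not part of the Primer: the gallery, the probe and the bit-string templates are constructed, and comparing templates by the fraction of agreeing bits is a simplification (iris codes are compared by Hamming distance in practice; fingerprint and face templates are vendor-specific and not shown).

```python
# Added example (not from the Primer): 1:N identification over a constructed
# gallery of toy templates, producing a ranked candidate list for deduplication.
# Templates are 16-bit strings compared by the fraction of agreeing bits.

GALLERY = {  # constructed enrollment database: enrollee id -> stored template
    "ID-0001": "1100101011100101",
    "ID-0002": "0011010100011010",
    "ID-0003": "1100101011110101",   # differs from ID-0001 in one bit
    "ID-0004": "1010101010101010",
}

# Constructed probe: the same person as ID-0001, re-captured with one bit flipped.
PROBE = "1100101011100111"


def similarity(template_a, template_b):
    """Fraction of agreeing bits: 1.0 is identical, 0.0 is fully complementary."""
    if len(template_a) != len(template_b):
        raise ValueError("templates must have equal length")
    agreeing = sum(1 for a, b in zip(template_a, template_b) if a == b)
    return agreeing / len(template_a)


def identify(probe, gallery, top_k=3):
    """1:N search: candidates ordered by similarity, rank 1 first."""
    scored = [(enrollee, similarity(probe, tmpl)) for enrollee, tmpl in gallery.items()]
    scored.sort(key=lambda pair: (-pair[1], pair[0]))  # ties broken by id for determinism
    return scored[:top_k]


def rank_of(probe, gallery, enrollee):
    """1-based rank of one enrollee in the full candidate list (None if absent)."""
    for rank, (candidate, _score) in enumerate(identify(probe, gallery, len(gallery)), 1):
        if candidate == enrollee:
            return rank
    return None


def deduplicate(probe, gallery, threshold, top_k=3):
    """Candidates at or above the threshold; an empty list means 'not already enrolled'."""
    return [(e, s) for e, s in identify(probe, gallery, top_k) if s >= threshold]


def enroll(probe, gallery, new_id, threshold):
    """Enroll only when dedup finds no candidate; otherwise route hits to manual adjudication."""
    hits = deduplicate(probe, gallery, threshold)
    if hits:
        return "adjudicate", hits
    gallery[new_id] = probe
    return "enrolled", []


if __name__ == "__main__":
    print("candidate list:", identify(PROBE, GALLERY))
    print("decision:", enroll(PROBE, dict(GALLERY), "ID-0005", threshold=0.9))
```

The threshold that separates "duplicate" from "new enrollee" is a policy choice with the same FAR/FRR trade-off as verification; candidates above it still go to a human operator rather than being rejected automatically.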
The verification process is where captured data is compared against a single individual’s existing data within a database. This is known as a one-to-one match (1:1). Verification can be performed by comparing biometric data, biographic data or a combination of both. Where biometrics are used, this comparison produces a match score that is indicative of the likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system-defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator. Nonbiometric authentication uses either something you know (e.g., passwords or personal identification numbers [PINs]) or something you have (e.g., a smart card or passport).
For more information on biometric applications, please see Section 1.3.
A variety of different biometrics can be used in ID systems; however, the most commonly used traits are fingerprint and iris for identity deduplication, as well as face for identity verification.
Fingerprints are currently the most commonly used modality for biometric recognition in systems such as foundational IDs. This technology relies on the unique minutiae of a fingerprint and requires specific technology (fingerprint readers) for use. A fingerprint pattern under normal circumstances is permanent and unchanging; however, there are factors that can influence the quality of a person’s fingerprints such as employment types, age, and some medical conditions.
Iris recognition is a highly accurate and automated method of biometric identification of someone’s unique and stable eye patterns using pattern-recognition techniques on video. In comparison to other biometric modalities, iris recognition may also provide better protection against spoofing and other attacks. The distinct iris pattern is made up of a number of features within the eye muscle, such as collagenous fibres, crypts, colour, rifts, and coronas. The high stability of the modality is based on the iris pattern’s minimal change from formation prior to birth through the first two years of life.
Facial recognition technology (FRT) has undergone a technology revolution over the last five years. The greatly increased accuracy of FRT has led to the widespread adoption of FRT solutions for both foundational and functional types of ID systems particularly for 1:1 verification against a mobile device. This biometric technology is well-developed, and commonly engaged for many different use cases. For example, FRT is a fundamental component of international passport usage through International Civil Aviation Organization (ICAO) standards for e-passports and is commonly used as part of the passport issuance process. Smartphone devices and applications are increasingly using FRT to verify owners or users, which is leading to growing acceptance. However, there are some specific data protection and discrimination risks related to FRT---particularly when used for 1:N matching---due to the widespread availability of photos online, the ability to capture facial images at a distance, the increasing use of FRT for law enforcement, and bias in facial matching algorithms.
For more information on different biometric modalities, please see Sections 2, 3 and 4.
The process of fusing (i.e., combining) different sources of information is called multibiometric or multimodal biometrics. It is in particular relevant for large-scale biometric identification and de-duplication systems with millions of enrollment records (for example the foundational ID systems used in India, the Philippines, and Indonesia). There are two major benefits to multibiometric recognition:
- Improved matching performance. Using multiple sources of biometric information will improve the overall matching performance, leading to a lower false match rate (FMR) and false non-match rate (FNMR). In particular for large-scale identification (e.g., de-duplication) systems, the use of multiple biometric sources is often required to yield an acceptable identification performance.
- Better inclusion and fault tolerance. Combining different biometric traits will ensure that the system can still be used even when certain biometric data is not available or unreliable because of low quality. The improved acquisition performance (i.e., lower failure-to-enroll [FTE], failure-to-acquire [FTA], and failure-to-capture [FTC] rates) will improve the fault tolerance and inclusion rate of individuals that are to be enrolled in a biometric system.
Improvements of multibiometric systems also come at a cost, in terms of added complexity, lower acquisition throughput, or increased price. For example, capturing multiple samples of the same finger will add complexity and increase the effort of the acquisition process. In addition, capturing fingerprints from different fingers may require more expensive fingerprint scanners or the use of multiple biometric traits may require additional capture devices increasing the overall cost of the system. Also, multibiometric systems will require additional storage capacity and increased bandwidth and computation resources.
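The two benefits just listed, better matching performance and tolerance of a missing modality, can be shown with score-level fusion. This is an added example and not code from the Primer or from any of the systems it names: the finger and face scores, the modality weights, and the weighted sum-rule with re-normalization over acquired modalities are all assumptions made for the illustration.

```python
# Added example (not from the Primer): score-level fusion of two constructed
# modalities (finger, face). Scores lie in [0, 1]; None marks a failure to
# acquire that modality. Weights and all scores are assumptions for the example.

WEIGHTS = {"finger": 0.6, "face": 0.4}   # assumed relative trust per modality

# Constructed comparison scores: genuine = same person, impostor = different people.
GENUINE = [
    {"finger": 0.90, "face": 0.80},
    {"finger": 0.60, "face": 0.85},
    {"finger": 0.85, "face": 0.55},
    {"finger": None, "face": 0.82},   # fingerprint could not be acquired (FTA)
    {"finger": 0.70, "face": 0.72},
    {"finger": 0.55, "face": 0.80},
]
IMPOSTOR = [
    {"finger": 0.30, "face": 0.40},
    {"finger": 0.65, "face": 0.35},
    {"finger": 0.35, "face": 0.62},
    {"finger": None, "face": 0.45},
    {"finger": 0.50, "face": 0.50},
    {"finger": 0.20, "face": 0.66},
]


def fuse(scores, weights=WEIGHTS):
    """Weighted sum-rule fusion over the modalities that were actually acquired.

    The weights are re-normalized over the available modalities, so a person
    whose fingerprint could not be captured is still scored on face alone.
    Returns None when nothing was acquired (route to an exception process).
    """
    available = {m: s for m, s in scores.items() if s is not None}
    if not available:
        return None
    total_weight = sum(weights[m] for m in available)
    return sum(weights[m] * s for m, s in available.items()) / total_weight


def single(modality):
    """Scorer that uses one modality only (None when it was not acquired)."""
    return lambda scores: scores[modality]


def error_rates(genuine, impostor, threshold, scorer):
    """(FAR, FRR) for 'accept when scorer(sample) >= threshold'.

    An unscorable sample is a reject, so with a single modality a failure to
    acquire counts against the genuine user; fusion removes that penalty.
    """
    def accepted(sample):
        score = scorer(sample)
        return score is not None and score >= threshold
    far = sum(accepted(s) for s in impostor) / len(impostor)
    frr = sum(not accepted(s) for s in genuine) / len(genuine)
    return far, frr


if __name__ == "__main__":
    for name, scorer in (("finger only", single("finger")),
                         ("face only", single("face")),
                         ("fused", fuse)):
        far, frr = error_rates(GENUINE, IMPOSTOR, 0.6, scorer)
        print(f"{name:12s} FAR {far:.2f}  FRR {frr:.2f}")
```

At the same threshold the single modalities each produce false accepts and false rejects on this constructed data, while the fused score separates the two populations completely and still scores the enrollee whose fingerprint was not acquired.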
Given the unique sensitivity of biometric data used for identification purposes, such data should only be collected where necessary for a narrowly defined and lawful purpose. Collecting more biometric data than necessary to establish uniqueness or for a specific use case would, therefore, not be justifiable and goes against general data minimization principles. The potential for re-identification through linked data is also increased as there is more personal data being stored.
For more information on multimodal systems, please see Section 4 of the Primer.
Fingerprints: Infants and small children that have not fully developed cannot yet have their fingerprints taken, and aging results in the loss of collagen, making the skin loose and dry, negatively affecting the quality of fingerprints acquired by sensors. Manual laborers and persons with disabilities may also have difficulty with fingerprints. Furthermore, risks and challenges in the use of fingerprint recognition include a wide array of spoofing possibilities, universal master print attacks, replay attacks (where stolen fingerprint data is sent to the host remotely) or other kinds of attacks.
Face: Unlike other biometric modalities such as fingerprint or iris, facial images are easily available in high volume online through social media channels and can be silently acquired at a distance by cheap equipment (CCTV, smartphones). Facial characteristics can also be used to identify race, gender, ethnicity, and other characteristics that could potentially be used to discriminate or otherwise cause harm. Facial images can be easily captured and matched with the subject from which the biometric was taken without any action or knowledge required directly by the subject. Face recognition algorithms can show varying degrees of bias against certain demographics of a population if they have not been trained on a sufficiently diverse gallery of face images.
Iris: Iris systems can be expensive to implement, requiring relatively niche capture devices. Capture for iris systems is more controlled than some other modalities. Potential issues include eye rotation, pupil dilation, occlusion, movement, environment, eyelash obscuration, glare and height. Iris may also exclude subsets of the population, including those with common medical conditions such as cataracts and glaucoma, those that commonly use glasses or contact lenses, and people with albinism. Additionally, there is the potential for a higher failure to acquire for younger subjects, and some racial sub-groups have little visible iris structure which may make capture difficult.
Voice: An individual’s unique voice print can be used for verification, validation, and authentication purposes but is generally not reliable for 1:N identification or deduplication. Because an individual’s voice print can change over time and due to several factors, such as sickness and environmental conditions, regular updates of individuals’ voice samples are generally necessary for voice recognition systems.
For more information on modality specific risks, please see Sections 2, 3 and 4.
Like other sensitive personal data, biometrics must be adequately protected from theft and misuse through a combination of legal, technical, and operational measures.
Technical mitigation methods include:
- Appropriate data security measures and controls to protect the integrity and confidentiality of biometric data, having regard to the increased risk associated with such data, including encryption, template protection, digital certificates, and public key infrastructure (PKI).
- Access controls must be securely managed.
- Data must be separated and anonymised.
- Data access and movement must be logged and traceable.
- Third Party external access restrictions must be in place for templated data.
Operational mitigation methods include:
- Operators must be sufficiently trained in use of the system.
- Robust governance structures and audit procedures must be in place.
- Data Protection Impact Assessments (DPIA) and threat modelling must take place.
- Regular technical performance reviews must be undertaken.
- Designating a data protection officer.
A comprehensive legal and regulatory framework will include data protection measures including:
- Demonstrating a clear lawful basis for the processing of biometric data
- Collecting biometric data only where necessary for limited, lawful purposes
- Minimizing collection of biometric data to what is necessary
- Ensuring biometric data is kept accurate and for no longer than necessary
- Being transparent with users about the processing of biometric data
- Requiring appropriate organizational and technological security measures in respect of biometric data
- Carefully controlling external access to biometric data and ensuring appropriate contractual protections are in place with any third-party suppliers
- Creating mechanisms for external review and audit
For more information on mitigation methods, please see Sections 5, 6 and 7.
Some of the key questions when deciding whether or not to use biometrics for either 1:N identification (e.g., to establish uniqueness) or 1:1 verification (e.g., to authenticate for transactions) include:
- Is it possible to establish uniqueness of enrollees to the degree required for the purpose of the system using existing identity evidence and/or demographic deduplication (i.e., given the population size and the quality and ownership of existing IDs)? Is a higher level of authentication required for a specified purpose that can’t be provided by other methods (e.g., using multi-factor authentication or a cryptographic authenticator)?
- Is there a clear lawful basis for the use of biometrics, and are biometrics necessary for a narrowly defined purpose?
- Can biometric systems be effectively operated in the proposed environment with adequate security standards and sufficient legal, operational, and technical controls?
- Will biometrics be accepted by the intended users?
- Will the use of specific modalities or the requirement to provide biometrics for identification and/or authentication exclude a significant percentage of the population?
Both ABIS (automated biometric identification system) and AFIS (automated fingerprint identification systems) are software applications designed to undertake the enrollment, matching, and management of biometric information focused on the permanent storage of biometric templates and matching. AFIS are focused on fingerprints only while more modern systems (ABIS) support multiple different types of biometrics. Common examples of ABIS system modalities include fingerprint, face, and iris.
For more information on ABIS and AFIS, please see Section 6.1.2.
There are several international not-for-profit membership-based organizations working on biometrics, including:
- The Biometrics Institute (https://www.biometricsinstitute.org/)
- The European Biometric Association (https://eab.org/)
There are various procedures that may be followed to ensure good quality biometrics.
Setup of devices and environments. Consider the capturing device, lighting, and backgrounds. These can have a big impact on the quality of a biometric and may be easy to implement.
Operator training and education. Operators can be trained to assess and ensure many quality characteristics. While these can be documented and taught to operators, it is typically unlikely that all different quality characteristics will be able to be maintained in all instances, free of defects, degradations, and interferences. The training also needs to consider potential fringe cases and sensitivities to ensure they are handled appropriately.
Quality assurance. There are several issues and challenges with capture quality that must be addressed. Ensuring robust quality assurance is critical to system performance and can be achieved in two ways:
- Manual inspection by operators that is reliant on efficient training and operator guidance
- Automated quality assessment that provides high efficiency and depth of analysis to improve outcomes
For more information on acquisition best practice, please see Section 7.10.
Support for those unable to use a biometric system is critical to ensure inclusion. Large scale systems have addressed this issue in a variety of ways:
- Providing multiple biometrics so that if one or more biometrics are not present or unable to be enrolled there is still a biometric that can be used
- Noting in the identity record any missing biometric, and providing an alternative authentication method
- Retrying with relaxed quality standards with appropriate logging
- Taking one or more photo(s) of missing biometrics (all exceptions declared) to deter abuses
For more information on acquisition issues, please see Section 1.1.1.
Biometric data is considered to be sensitive personal data and so needs to be protected with greater rigor than less sensitive types of data. This is particularly the case for government ID systems since they are an active target for sophisticated internal and external attacks. Many of the controls listed are the same as those needed for any large-scale identity system, such as those set out in ISO/IEC 27001 and ISO/IEC 29100 from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These standards support defining system security and data protection safeguarding requirements.
Biometric data generally refers to either the raw biometric capture or the biometric template. Depending on the use this data can be stored and used either on a credential or device, inside a central system, with a node of a distributed application, or in a cloud storage bucket. The appropriate location for this data depends on the security requirements, data protection requirements, speed and network connectivity, the computing infrastructure available, and the type of application.
For more information on data storage, see Section 6.1.
Biometric data is considered sensitive personal information. Some countries treat this as sovereign data that must be stored onshore within a country. Options exist (and are utilized by some major biometric implementations) to host externally to a government agency but within private clouds established onshore with the appropriate level of security and control. The choice to host the biometrics solution externally must be informed by strict data access controls, high levels of independently assessed security, both physical and logical, the ability to ensure all data is stored in the country of origin, and that no third parties can access or transmit this data apart from the managing agency.
For more information on cloud storage, please see Section 6.1.3. For more information on third party management, please see Section 7.14.1.
The raw biometric data (known as the biometric sample) is data gathered directly from the sensor before any processing has been carried out. A template is the refined, processed, and stored representation of the distinguishing characteristics of a particular individual. The template is the data that gets stored during an enrollment and which later will be used for matching. Because of variations in the way a biometric sample is captured, two templates from the same biometric will never be identical. This is the origin of the probabilistic nature of biometrics, as the matching process can only give a decision confidence, not an absolute assurance.
There are two primary reasons to store raw biometric data in addition to templates:
- Manual adjudication. Human inspection of raw data to make an informed judgement about the accuracy or quality of the algorithm match or matches.
- Re-templating. Templates are mostly unique to a specific vendor’s algorithm, and updated versions of an algorithm frequently produce different templates as well. This means that an upgrade is quite likely to involve re-templating (converting all the images to templates) of the existing database.
Both requirements mean that it is usually too impractical and expensive to remove the original raw data—as this would have to be re-collected from the population to re-template. However, the original biometric data is also sensitive and should be separated from the template and personal data.
For more information on biometric templating, please see Section 6.1.1.
Biometric data can be captured offline by mobile or fixed devices. Where data is captured in an offline environment the challenges are ensuring that data is accurately synchronized, that any stored data is protected in case of theft or loss, and that the data is protected against alteration.
For more information on offline environments, please see Section 7.10.
For face recognition—e.g., for 1:1 authentication against a mobile device—there are several challenges caused by uncontrolled capture devices such as mobiles including:
- Detection confidence
- Inter-eye pixel measurement
- Pose deviation
For instances where the person enrolling is responsible for the acquisition process, there is limited opportunity to provide instruction or correction for presentation of the biometric. Any instructions should, therefore, focus on key aspects, pose, and lighting that can have more significant impacts on the acquisition of a high-quality face image.
In some unsupervised use cases, the acquisition process may also include liveness detection features for the purposes of presentation attack detection. Inclusion of this technology in the acquisition can have an impact on the ability to capture a high-quality biometric as it could require the user to alter behavior. The user instructions, including the use of presentation attack detection technology, should also consider accessibility issues where it may prove more challenging for specific users to provide a high-quality biometric. These user instructions could be, for example, supported by both visual and audio cues.
For more information on face biometrics, please see Section 3.2.
UNICEF’s 2019 guidance on the impact of biometrics on children [49] identifies that exclusion due to system design or technological constraints and faults, as well as unintentional usage of linked data, are all concerns for children. In addition to the basic hazards associated with any identity management system, the possible influence on minors should be considered for some key reasons, including:
- Because biometric systems were meant to function with adults, they are not necessarily suitable for use in recognizing youngsters. Maybe the biometric property is difficult to capture (like an iris scan with young children), or the trait performs poorly in specific age groups (like facial recognition), or the user acceptance is low (DNA).
- Working with children poses more social and ethical hazards than working with adults. Children sometimes lack the agency or chance to participate in key decisions concerning services and programs. They also lack the information and comprehension of the risks and implications of processing their own personal data. While needing parental agreement is crucial, many parents or guardians may not completely comprehend the risks, increasing children's vulnerability.
Other populations that can have issues with biometric systems include:
- Persons with disabilities. Those with a cognitive or physical disability may have difficulty presenting a biometric.
- Persons with medical issues. Some diseases or accidents, as well as repetitive injuries due to manual labor, cause biometrics to not be present or to be of such low quality that they cannot be used.
- Older persons. Some biometrics can be more difficult to collect from much older subjects as they may suffer from a variety of medical issues.
In all cases such individuals need to be provided with alternate mechanisms for proof of identity. Multimodal biometric systems can also support individuals that cannot use one modality. Good governance ensures that reporting on the reasons for failures to enroll is made available during operation.
A biometric system is composed of several different subsystems. Each subsystem may have several different points of attack, and for each point of attack there may be one or more potential exploits. Although such attack points exist in all matching systems, not all are equally vulnerable. Enrollment fraud can occur when an individual is able to procure fake foundational documents, take over another person’s identity, subvert the enrollment by using a fake biometric, or corrupt the enrollment process (perhaps through a bribe).
For more information on risks during the enrollment process, please see Section 1.5.
Technical risk mitigation measures include presentation attack detection, tamper mitigation, and biometric template protection.
Biometric spoofs or fakes could be used to attack a system. Such spoofs can be produced from biometric data obtained directly or covertly from a person online or through hacked systems. This attack could involve a printed photo, an image or video of a person on a tablet, or the presentation of a 3D mask or a fake silicone fingerprint. Presentation attack detection (PAD) refers to detecting a biometric spoof when it is presented to a biometric sensor.
Tamper mitigation involves the integrity of the sensor being both electronically tested and physically secured to ensure that no modifications or substitution have been undertaken. Tamper-proofing might include physically sealing all the internal hardware in resin and using electronic sensors to detect if seals have been broken.
Biometric template protection, or biometric encryption, is a method that increases the difficulty of accessing biometric information from stored data. This involves mechanisms to restrict the use of the biometric through active changes to the information stored.
For more information on technical risk mitigation methods, please see Section 6.6.
There are a wide range of biometric fingerprint acquisition devices, and new devices are constantly being developed. When comparing different scanner technologies, the following are the high-level considerations:
- Accuracy. Different scanners have different resolutions and different form factors. For the most accurate systems all 10 fingers need to be captured, but this process takes longer than simply acquiring two fingers.
- Speed. A scanner used for access control needs to be quick and easy (and so may be limited to one finger). A scanner used for enrollment for a population-wide ID will need higher accuracy and will need to collect more fingers (usually 10).
- Durability. Some scanners are inherently more scratch and damage resistant due to the hardness of the contact surface. Optical scanners tend to be more robust under high utilization than capacitive.
- Vulnerability. Vulnerability is how well a scanner can be used to detect a presentation attack (i.e., fake finger). Some readers are more resistant to common fake finger techniques.
- Contact. Contactless fingerprint sensors are now available that read the fingerprint from a distance. These readers are fast but may have poorer quality outcomes.
For more information on fingerprint modality, please see Section 2.2.
Standards aim to establish generic sets of rules for different products and to facilitate interoperability, data exchange, consistency of use, and other desirable features. International biometric standards on interoperability allow stability and consistency of biometric technologies and products.
Some well-known biometric standards for ensuring interoperability are referenced in Section 6.5.1.
Biometric system performance heavily relies on the quality of the acquired input samples. Compliance with the corresponding international biometric standards advising on data quality ensures a better quality assurance management process. Hence, with the use of standards, great flexibility and modularity can be achieved.
Biometric standards for quality assurance are referenced in Section 6.6.2.
For more information on standards for ID Systems, please see the Catalog of Technical Standards for Digital Identification Systems.50
While it is technically possible to generate an image from a biometric template, it is not a practical attack vector in most cases. The process is called "hill-climbing." It relies on having access to the original algorithm that was used to generate the template, and then successively updating an initially random image until the new image is closer and closer to generating the same template. Once the original template is close enough, the new image would pass a biometric match, even when the image itself might look substantially different from the original image. The computing power and setup required to do this is usually more complex than other forms of attack.
A token is a representation of the captured biometric data that has had some minimal amount of processing applied. For passports, the ICAO definition of the facial token to be stored on the passport chip is a cropped and scaled representation of the actual image. This is processed by the chosen matching algorithm. The reason for storing the image, rather than extracted features, is that any recognition algorithm can be used to process the "raw" data and advances in matching are not precluded. This is known as template interoperability. Another good reason for using a token is that advances in algorithms may discover new ways of extracting distinctive features from the original biometric sample. Using a token can allow seamless upgrading of algorithms.
For more information on biometric data protection methods, please see Section 7.0.
With the digital identity space advancing at an accelerating pace, there has been an increase in biometric standards that are critical for identification systems to be robust, interoperable, and sustainable.
Some international standards that apply to the use of biometrics in an ID system are referenced in Section 6.5.3.
For more information on standards, please see Section 6.5.
The establishment of a robust governance structure is necessary to ensure that biometric systems stay in compliance with operational goals. Governance structures should be designed to effectively implement and monitor the risk mitigation strategies outlined by threat modeling and data protection and other impact assessments. A robust governance framework will ensure that all governance roles are given specific, detailed, and transparent responsibilities. Several questions should be asked when designing a governance structure, including:
- What skills are required to successfully meet the goals of the project?
- What system processes need to be understood so that the project’s activities are sufficiently overseen?
- Are those within the governance structure being provided with the information required to properly oversee the project and make decisions?
In addition, robust auditing processes will facilitate accountability and enable remediation where required. The processing of sensitive and personal data should be monitored by an appropriate, independent oversight authority and, to the extent possible, by data subjects themselves. Audit logs must be made easily accessible to the relevant authority while maintaining user privacy. A transparent audit system can also reinforce public support and uptake of the system.
For more information on governance best practice, please see Section 7.8.
Communications and public engagement are vital for the rollout of biometric systems. This includes internal communications to staff around the use and benefits of the technology and a communications and marketing strategy to the wider population of users to ensure that they understand how and why biometrics are being used and where they can seek more information. Good communications strategies are needed to address common concerns around the use of biometric technology without oversimplifying or downplaying risks. Beyond one-way communications, effective engagement strategies are also essential for soliciting public feedback on concerns and solutions, and improving overall trust in the system.
For more guidance, see forthcoming ID4D guides on engaging with civil society organizations (CSOs) and communications strategies.
The migration of biometric and identity data to a new or upgraded biometric system can be complex and error prone. This is because of one or more of the following factors:
- Data errors. There may be errors in the underlying data that are unknown and cause migration problems.
- Poor quality. A new biometric algorithm may handle quality differently. This can result in changes in what biometrics are able to be enrolled.
- Biometric migration. Due to the nature of biometric systems, in most cases the biometric will need to be re-enrolled from the original raw sample acquired to generate new templates. This can be a time-consuming process.
- Data faults. The infrastructure undertaking the migration may make mistakes or have other IT issues that result in a loss or corruption of data.
- Scale up. During the initial phases of implementation, the transition to full data load may need to be carefully managed to ensure the right amount of processing capability is available to ensure transactions are handled with appropriate speed.
To reduce the chance of errors, it is recommended to ensure a comprehensive planning phase for migration is undertaken, including an analysis of the existing data as well as third-party audit mechanisms to provide assurance that there is no data loss or corruption.
There are several possible risks that have caused a global concern over the use of biometric systems:
- Function creep. The risk that a biometric system will be used for something other than its original purpose (or that it is used for new or additional purposes where the raw data is obtained from existing databases or sources, e.g., social media channels). This is a particular issue for identification use cases where a system designed for verification could for instance be expanded for surveillance, or where a system established for deduplication is used to match against social media or closed-circuit TV (CCTV).
- Data breach. The risk of biometric data being accessed, read, or removed by an unauthorized source. FRT systems are often more sensitive to such breaches as the facial images can be more easily misused. This is especially concerning for databases that contain tagged images; however, even without labels a face can be potentially matched to social media images.
- Potential discrimination. The possibility that the biometric data held in biometric systems could be used to discriminate against people with certain identifying features (e.g., race or sex).
- Reputational damage. The risk of public opinion and trust in the system being diminished by poor management or breaches of the system.
For more information on biometric risk factors, please see Section 1.5.
In general, the use of biometrics must satisfy the principles of necessity and proportionality, meaning the measure is necessary to meet a specific and legitimate need (and would be effective in doing so) and there is no less intrusive way of achieving that end. A balancing test must be undertaken to strike a fair balance between the risks to and impact on the individual and the apparent benefit to society or the public interest.
This test can take the form of a data protection impact assessment and accompanying policy document.
Appropriate safeguards must also be implemented to ensure data minimization, purpose limitation, robust data security, the prevention of unauthorized access or use, and strict retention and disposal requirements. Data must not be repurposed or shared with third parties without the data subject's knowledge, and, in every case, there must be a lawful basis for the data processing. Finally, there should be a mechanism for human intervention and oversight, including an easy way to exercise individual rights, lodge complaints, and seek redress.
For more information on data protection, please see Section 5.2.
Each country’s legal system is unique and therefore, different measures may be required in different countries. In turn, there must be a clear lawful basis under the data protection legal and regulatory framework for processing biometric data in an ID system. Most ID systems mandate participation and enrollment; therefore, consent is unlikely to be a suitable lawful basis for the associated processing of biometric data. The imbalance of power between individuals and public authorities also means that the former may feel pressured to give their consent even if not mandatory (especially if failure to give consent means they may not access a particular government service or benefit). Rather than relying on consent, a public authority should, therefore, be able to demonstrate that the collection of biometric data is necessary for a reason of substantial public interest relating to the ID system, on the basis of a law that contains adequate safeguards (e.g., in respect of transparency, data security, data minimization, purpose limitation, and accuracy).
For more information on laws and regulations, please see Section 5.
The US Department of Labor defines PII as "Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means."51 Biometrics are almost always deemed to be PII due to their ability to uniquely identify an individual. Moreover, they are typically classified as “sensitive” PII, which entails greater risk to the individual if compromised or disclosed without authorization and therefore requires higher levels of protection.
The following terminology is used:
- Match. A comparison decision stating that a biometric probe and biometric reference are from the same source.
- No-match. A comparison decision stating that a biometric probe and biometric reference are not from the same source.
- False accept rate (FAR). The proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed.
- False reject rate (FRR). The proportion of verification transactions with truthful claims of identity that are incorrectly denied.
- False match rate (FMR). FMR is the percentage of completed imposter (non-mated) matching trials whose matching score is greater than the threshold.
- False non-match rate (FNMR). FNMR is the percentage of completed genuine (mated) matching trials whose comparison score is less than the threshold.
- Equal error rate (EER). EER is the point where the FMR is identical to the FNMR.
- Failure-to-enroll rate (FTE). The number of people that cannot enroll a biometric at all.
- Failure-to-acquire rate (FTA). The number of people that have difficulty using a biometric.
Note that in the literature, FAR versus FMR and FRR versus FNMR are often used interchangeably. There is, however, a subtle difference in that FAR and FRR are system-level errors, taking into account, for example, samples that failed to be acquired. Other terminology used in the literature is the true acceptance rate (TAR), which is defined as 1 – FRR, measuring the degree to which a biometric system correctly matches the biometric from the same person.
For more information on biometric performance metrics, please see Section 6.4.
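The definitions above worked through on constructed verification scores, as an added example that is not part of the Primer. It assumes that a score at or above the threshold counts as a match and that a failed acquisition is treated as a rejection when computing the system-level FAR and FRR; the score lists and failure-to-acquire counts are constructed for illustration.

```python
"""Worked biometric error rates on constructed verification scores."""
from typing import Dict, Sequence, Tuple

# Constructed genuine (mated) and impostor (non-mated) similarity scores
# from a small verification trial. Real evaluations use far more trials.
MATED_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
NON_MATED_SCORES = [0.58, 0.52, 0.47, 0.41, 0.38, 0.33, 0.30, 0.26, 0.21, 0.15]

# Constructed counts of transactions where no usable sample was acquired
# (e.g. a worn fingerprint). They never reach the matcher, so FMR/FNMR
# ignore them, but the system still had to decide the claim, so FAR/FRR
# count them (assumed convention, see lead-in).
MATED_FTA = 2       # truthful claims with a failure to acquire
NON_MATED_FTA = 1   # wrongful claims with a failure to acquire


def fmr(non_mated: Sequence[float], threshold: float) -> float:
    """False match rate: completed impostor trials scoring at or above threshold."""
    return sum(1 for s in non_mated if s >= threshold) / len(non_mated)


def fnmr(mated: Sequence[float], threshold: float) -> float:
    """False non-match rate: completed genuine trials scoring below threshold."""
    return sum(1 for s in mated if s < threshold) / len(mated)


def far(non_mated: Sequence[float], non_mated_fta: int, threshold: float) -> float:
    """System-level false accept rate. A failed acquisition on a wrongful claim
    is a (correct) rejection: it enlarges the denominator, not the numerator."""
    accepted = sum(1 for s in non_mated if s >= threshold)
    return accepted / (len(non_mated) + non_mated_fta)


def frr(mated: Sequence[float], mated_fta: int, threshold: float) -> float:
    """System-level false reject rate. A failed acquisition on a truthful claim
    is a wrongful denial: it counts in both numerator and denominator."""
    denied = mated_fta + sum(1 for s in mated if s < threshold)
    return denied / (len(mated) + mated_fta)


def tar(mated: Sequence[float], mated_fta: int, threshold: float) -> float:
    """True accept rate, defined in the Primer as 1 - FRR."""
    return 1.0 - frr(mated, mated_fta, threshold)


def equal_error_rate(mated: Sequence[float],
                     non_mated: Sequence[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER) at the point where FMR and FNMR are closest."""
    best = None
    for t in sorted(set(mated) | set(non_mated)):
        a, b = fmr(non_mated, t), fnmr(mated, t)
        gap = abs(a - b)
        if best is None or gap < best[0]:
            best = (gap, t, (a + b) / 2)
    return best[1], best[2]


def report(threshold: float) -> Dict[str, float]:
    """All rates from the constructed data at one operating threshold."""
    return {
        "FMR": fmr(NON_MATED_SCORES, threshold),
        "FNMR": fnmr(MATED_SCORES, threshold),
        "FAR": far(NON_MATED_SCORES, NON_MATED_FTA, threshold),
        "FRR": frr(MATED_SCORES, MATED_FTA, threshold),
        "TAR": tar(MATED_SCORES, MATED_FTA, threshold),
    }


if __name__ == "__main__":
    t_eer, eer = equal_error_rate(MATED_SCORES, NON_MATED_SCORES)
    print(f"EER = {eer:.3f} at threshold {t_eer:.2f}")
    # Raising the threshold trades false matches for false non-matches,
    # which is why tuning after operation starts matters.
    for t in (0.45, t_eer, 0.65):
        r = report(t)
        print(f"t={t:.2f}: " + ", ".join(f"{k}={v:.3f}" for k, v in r.items()))
```

Note how FAR and FRR differ from FMR and FNMR at the same threshold purely because of the failure-to-acquire transactions.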
Biometric data should be securely stored and protected to prevent processing by unauthorized parties, loss, theft, unwanted destruction, and damage. Given the increasing occurrence of large-scale cyber-attacks on IT systems (including well-documented cases of breached systems holding biometrics), it is vital to ensure that data is adequately secured. The biometric data must be protected throughout all system components and during all phases of the system lifecycle.
Technical mitigations that assist with data protection include:
- End-to-end encryption of data both in-transit and at rest
- Data anonymization and pseudonymization wherever possible
- System confidentiality and integrity
- Data backups
- Ongoing assurance mechanisms
- Digital certification and PKI
- Access and control platforms
- Robust logging
For more information on technical mitigation measures, please see Section 6.
All physical and electronic security systems have vulnerabilities that require a variety of different levels of expertise to exploit. Any security system can be circumvented with enough access, time, and resources. No single security technique can remove all possible points of vulnerability in a system. As such, it is important to consider security infrastructure as a series of complementary interconnecting factors that are enforced by appropriate levels of governance.
In addition, new methods of attack are being constantly invented due to the evolving global technological landscape. For example, attack artifacts such as realistic latex masks and 3D printed fingerprints are now increasingly available. This trend will mean that sophisticated attack scenarios that were once restricted by availability, resources, and skill will become increasingly frequent.
It is important to note that concerns about risks vary by different stakeholders. For example, citizens may be concerned about their privacy, discrimination, and function creep, whereas governments may be more concerned about public trust and reputational damage.
For more information on technical mitigation measures, please see Section 6.
Most foundational ID systems, particularly those based on face and fingerprint recognition, require the use of human operators to assist the automated system in resolving matches with match scores that fall between the automatic rejection and acceptance thresholds.
If the algorithm assessing the similarity of two images fails to verify the match because the match score falls below a predefined threshold, the transaction can be referred to the manual resolution team (sometimes called manual adjudication) for processing.
As the capability and performance of biometric solutions improve, the cases that still require a human to perform the identification will be the difficult ones, so the number and type of cases sent for manual processing will require operators to have improved training and tools.
Section 7 contains more information on the operation of biometric systems.
System operators should receive comprehensive system training, both on how to use the system and on how to avoid misusing it. Operators should also be audited on a regular basis by a transparent and independent authority to ensure that individuals only have access to the functions needed for their specific job function or role. Furthermore, the system design should restrict any individual's ability to alter or delete data or make changes to the system's operation (such as changing the matching threshold).
Strong auditing processes will facilitate accountability and allow for remediation where necessary. The processing of sensitive and personal data should be overseen by an appropriate, independent oversight authority, as well as, where possible, by the data subjects themselves. Audit logs must be easily accessible to the appropriate authority while protecting user privacy. A transparent audit system can also boost public support and adoption of the system.
Section 7.1 contains more information on operational security.
The integrity of a biometric system is obviously an important attribute in maintaining public trust and ensuring that sensitive and personal data is not compromised.
New methods of attack are being constantly invented due to the evolving global technological landscape. For example, attack artifacts such as realistic latex masks and 3D printed fingerprints are now increasingly available. This trend will mean that sophisticated attack scenarios that were once restricted by availability, resources, and skill will become increasingly frequent.
For more information on system compromise, please see Sections 7.4 and 7.5.
It is recommended that biometric systems undergo regular audit at least yearly. This audit should look at various measures of system performance including failure rates, transaction performance, and acquisition quality. Another useful activity is to have a biometric penetration attack undertaken. This can help ensure the system is operating as expected.
A periodic and systematic (weekly and after each patch or change brought to automated biometric identification system [ABIS] configuration) accuracy testing of the ABIS by an independent third-party can ensure the ABIS is not “silently broken.”
In addition, it is recommended to regularly collect data not only on system performance, but also to assess the efficacy of enrollment procedures, operator performance and adherence to procedures, and people’s experiences enrolling and using biometrics. This will help identify potential issues that could lead to exclusion, poor quality data, and/or reputational damage. This can be done via the ID and biometric systems and through periodic surveys, audits and mystery shoppers, and process observation.
It is important to ensure that the legal, operational, and technical data protection practices of any third parties with access to biometric systems match or exceed those employed by the implementing agency. Additional measures that should be considered include:
- Strict contractual requirements and data sharing agreements outlining the minimum standards and requirements for accessing data (consider naming the specific individuals with access)
- Mandatory authorization processes
- Requirements that private sector providers are located within the country
- Government-retained ownership and control over any data collected and stored by the private sector provider on behalf of the ID system
- Prohibitions on further sharing or subcontracting of requirements to additional individuals or entities
For more information on third-party system access, please see Section 7.14.1.
A primary principle to help reduce the impact of data breaches is the logical separation of biometric data into different data stores. The data includes both the original raw image and the template. The link between an individual’s biometrics and other sensitive personal data in these data stores should be a unique string that is not used for any other purpose. Should the biometric database be compromised, the attacker should not be able to link any data back to specific individuals.
To be effective, separation must be managed with other technical and organizational controls, including encryption and access controls, to prevent an attacker from easily taking all the data in a single breach.
For more information on data separation, please see Section 6.2.1.
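The separation pattern described above, as an added example that is not part of the Primer: three logically separate stores joined only by a random link identifier that is used for nothing else. The bit-string templates, the Hamming comparison, and the names and ID numbers are all constructed for illustration; real templates are vendor-specific.

```python
"""Logical separation of biometric data from other personal data (constructed demo)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BiometricStore:
    """Templates (or raw images) only, keyed by an opaque link identifier.
    Holds no ID number, name or other demographic attribute."""
    templates: Dict[str, str] = field(default_factory=dict)  # link_id -> template


@dataclass
class DemographicStore:
    """Names and other personal data keyed by the ID-system number.
    Holds no biometrics and no link identifier."""
    people: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class LinkStore:
    """The only place where ID number and link_id meet. In production this
    mapping sits behind its own access controls and encryption key."""
    links: Dict[str, str] = field(default_factory=dict)  # id_number -> link_id


def hamming_similarity(a: str, b: str) -> float:
    """Fraction of equal positions between two equal-length bit strings
    (a constructed stand-in for a real matcher)."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


class IdSystem:
    def __init__(self) -> None:
        self.biometrics = BiometricStore()
        self.demographics = DemographicStore()
        self.links = LinkStore()

    def enroll(self, id_number: str, name: str, template: str) -> str:
        """Write each part to its own store; return the link_id for auditing."""
        # Fresh random string, not derived from the ID number, so an attacker
        # who knows the ID number cannot recompute it.
        link_id = secrets.token_hex(16)
        self.biometrics.templates[link_id] = template
        self.demographics.people[id_number] = {"name": name}
        self.links.links[id_number] = link_id
        return link_id

    def verify(self, id_number: str, probe: str, threshold: float = 0.9) -> bool:
        """1:1 verification: resolve the link, then compare probe to reference."""
        link_id = self.links.links.get(id_number)
        if link_id is None:
            return False
        reference = self.biometrics.templates[link_id]
        return hamming_similarity(probe, reference) >= threshold

    def biometric_breach_view(self) -> List[Tuple[str, str]]:
        """What an attacker who copies only the biometric store obtains:
        opaque link_ids and templates, nothing that names a person."""
        return list(self.biometrics.templates.items())


def breach_exposes_identity(system: IdSystem) -> bool:
    """True if any ID number or name appears in a dump of the biometric store."""
    dump = repr(system.biometric_breach_view())
    for id_number, record in system.demographics.people.items():
        if id_number in dump or record["name"] in dump:
            return True
    return False


if __name__ == "__main__":
    ids = IdSystem()
    ids.enroll("ID-0001", "Example Person", "10110011100011110101010100111001")
    print("verify genuine:", ids.verify("ID-0001", "01110011100011110101010100111001"))
    print("breach exposes identity:", breach_exposes_identity(ids))
```

As the Primer says, this separation is only effective alongside encryption and access controls on each store, which the demo leaves to the deployment.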
Biometric data is especially sensitive and so needs to be protected with greater rigor than less sensitive data. This is particularly the case for ID systems since they are an active target for sophisticated internal and external attacks. Biometric template protection, or biometric encryption, is a method that increases the difficulty of accessing biometric information from stored data. This involves mechanisms to restrict the use of the biometric through active changes to the information stored. These mechanisms can introduce restrictions for the use of the biometric system for the purposes of:
- Identification. The mass searching (1:N) of a database for a matching identity
- Authentication. The validation of an identity (1:1) using a biometric
- Inspection. Allowing a visual inspection of an image by an operator or officer
- Cross matching. The cross-linking of biometric databases based on template-to-template matching
ID systems that use biometric data must include end-to-end encryption implemented for all data, both in-transit and at rest.
For more information on biometric encryption, please see Section 6.1.4.
Biometric systems have several parameters that control accuracy, such as the threshold and quality settings. An incorrectly tuned biometric system may perform very poorly, either by being easily fooled or by rejecting too many of the correct individuals. For any large system it is important to recognize the importance of tuning the various parameters after operation has commenced to ensure optimal performance.
For more information on biometric configuration, please see Section 6.4.1.
All matching algorithms need to be trained on data, both to create and tune the algorithm. This is done using large sets of labeled data that vendors have compiled. The output of this process is a model that can be used to predict similarity, but its robustness depends upon the data that was available for training. Face recognition tends to be the main biometric modality that is subject to further training. This is because it is often more sensitive to demographics, capture technology, and environment than other modalities.
Many modern biometric systems use machine learning to train the algorithm to distinguish faces of the same person from faces of different people. When this is undertaken on enormous numbers of individuals, the algorithm learns to become better and better at recognition. Recently some implementations have allowed customers to train on their own local data, resulting in more precise algorithms for local conditions. This can be beneficial but must be approached with caution as it is easy to “overfit” the training data so that performance is better on the set of faces in the training but much worse for unseen faces.
While it is technically possible for a system to include "online" learning that adjusts its accuracy during operation, most implementations where learning is available do this as a batch process. This is because of risks associated with poor or misleading training data arising from mislabeled data (ground truth).
For more information on matching algorithms, please see Section 1.2.
While algorithmic bias—i.e., variation in the accuracy of biometric systems based on demographics such as ethnicity or race—may be technically present in all biometric systems, it is mainly in systems that use facial recognition technology (FRT) that most concern about the adverse consequences of system bias is found. As most FRT algorithms are generated by training the system to recognize many faces from a database, bias is highly likely in systems where the database is not sufficiently diverse. Early FRT algorithms often had high bias and poor accuracy; however, newer algorithms have corrected for much of this by ensuring they employ a larger and more diverse database for training algorithms.
Current FRT systems are not bias free, however, and the risk of engineering systems that contain bias is still present. It may be possible that bias cannot be eliminated for the FRT, even where the training data has the perfect demographic distribution; therefore, the goal is to minimize bias as much as possible.
For more information on matching algorithms, please see Section 1.2.
Assessing biometric performance claims can be complex for those without a statistical background. When assessing performance claims it is important to consider several factors:
- The data set. Performance accuracy only relates to the degree to which the underlying test data matches the data that is expected to be seen by the system. Where the data is different, the performance results are unlikely to be valid. For example, a system that is tested on a population with one main ethnic demographic is likely to perform quite differently when applied to a country with a different mix of demographics.
- Statistical measures. The two best known accuracy statistics are false accept and false reject; however, there are also a huge range of other different types of statistics, for example, the rank one correct identification rate, the false non-match identification rate, and the failure-to-enroll rate. Each of these aggregate statistics can be useful for interpreting performance; however, choosing the right statistic to meet your solution parameters is important, and it is suggested that expert advice is sought.
- Configuration and tuning. Biometric systems have several parameters that control accuracy such as the threshold and quality settings. Assessed performance is dependent on the configuration and tuning, and it is important to note this may change between a test system and production.
- Population size (gallery size). Performance of biometric systems when undertaking identification depends on the size of the gallery. As the gallery size increases, the overall identification rate decreases; so, performance figures for identification must be interpreted with an understanding of the size of the test gallery.
For more information on biometric accuracy, please see Section 6.4.2.
The compromise of any system holding personal data is extremely serious. This is particularly the case for ID systems that hold biometric data, as a person’s biometrics cannot be practically changed. For the individual, that can cause concern about identity theft and loss of control of personal information.
Each country will have different laws about what is required in terms of notification after a data breach. Best practice, however, involves outreach to all those affected, an attempt to track down those responsible for the breach, and to remove any copies found online. Additional watch mechanisms may be placed on the accounts of those affected to compensate for an elevated risk of attack.
The use of biometrics is just one part of the overall identity confirmation process and helps to control risk, not eliminate risk. Modern biometric systems should have presentation attack detection to reduce the chance of a stolen biometric being used. To prevent data being stolen it is important to have state-of-the-art data encryption for data, both at rest and in transit, and not to link biometric data to demographic data (including “public” personal identifiers).
For more information on securing biometric information, please see Section 6.1.
Biometric operations are by their very nature probabilistic. Therefore, in most cases it is not possible to say with 100% certainty that an identity match has positively identified an individual. Sources of misidentification are modality dependent but can include twins, poor-quality samples, or a poorly tuned algorithm. Handwritten signatures are currently used to “attest” a transaction for many legal purposes, and the traditional signature is just a type of biometric. Other biometrics can have a significantly higher accuracy than signatures, but they are not foolproof. Ultimately, proof of a transaction rests with the legal framework in a jurisdiction and the risk tolerance of the organization using the biometrics.
For more information on legal considerations, please see Section 5.
A functioning biometric system requires all the standard personnel needed to ensure a functioning IT solution including but not limited to security, operations, governance, database, and performance. Biometric systems, however, do have some specific types of personnel that are different from a standard IT system. These individuals include identity resolution specialists (these need training for each different modality that is used), acquisition staff (the people that are capturing the biometrics), and performance and accuracy experts (experts in how to ensure the biometric system is running accurately).
There are three methods to evaluate vendors’ past performance and quality that can be used in combination:
- Assessment of similar technology deployments
- Use of independent well-run public benchmarks such as those conducted by the US National Institute of Standards and Technology (NIST)
- Independent evaluation (ideally a formal ISO evaluation from a properly accredited laboratory)
- Proof of concept demonstration
Biometric specific factors for a good tender include the following:
- A precise description of the business and operational environment
- The use of international standards
- Running a pilot (where practical) on the top selected vendors can be beneficial to identify how the technology performs in the local environment. Note: This should only be done with an experienced independent adviser to ensure that the testing is unbiased and accurate.
- Consideration of interoperability requirements
- Understanding of any data migration needs
- Flexibility in component architecture to allow replacement of biometric components (devices and algorithms) over time
- The opportunity for down-selected vendors to undertake a well-defined proof of concept
- The use of independent expert advice during development
- Identification of target SLAs including accuracy, availability, and transaction times.
For more information, please see the ID4D Procurement Guide and Checklist for Digital Identification Systems.52
Vendor lock-in occurs because of technology choices that are not sufficiently flexible and do not anticipate system changes. In a biometric system this may, for instance, relate to the templates that have been generated by a particular algorithm and cannot be used with another vendor's. In most cases templates are proprietary and, therefore, not easily transferred between technologies (or even versions). Consequently, it is extremely important for ID systems to store and back up the original biometric images outside of the ABIS. Planning for how this data will be protected and used for re-enrollment is a critical part of the system lifecycle. Systems that have highly modular architectures should also allow for the replacement of algorithms and the addition of new modalities.
For more information, please see the ID4D Procurement Guide and Checklist for Digital Identification Systems.53
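The lifecycle point above, that retained original images are what make an algorithm change possible, can be shown in a small model. The following added example is not code from the Primer or any ABIS product: two toy, mutually incompatible template functions stand in for proprietary vendor algorithms, exact equality stands in for a vendor's comparison function, and the image bytes are constructed samples. It shows that swapping the algorithm while keeping the old templates breaks verification, that regenerating templates from the image archive restores it, and that a system which discarded its images has no way to migrate.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed sample captures (not real images): raw bytes stand in for fingerprint images.
SAMPLE_IMAGES = {
    "REF-0001": b"constructed-fingerprint-image-0001",
    "REF-0002": b"constructed-fingerprint-image-0002",
}


def vendor_a_template(image: bytes) -> bytes:
    """Stand-in for vendor A's proprietary template format."""
    return b"A1:" + hashlib.sha256(image).digest()[:8]


def vendor_b_template(image: bytes) -> bytes:
    """Stand-in for vendor B's format: same image, incompatible template."""
    return b"B1:" + hashlib.blake2b(image, digest_size=8).digest()


def toy_compare(probe: bytes, reference: bytes) -> bool:
    """Exact equality stands in for a vendor's comparison function; real matchers
    return a similarity score, but they are just as bound to their own format."""
    return probe == reference


@dataclass
class IdSystem:
    extractor: Callable[[bytes], bytes]
    abis: Dict[str, bytes] = field(default_factory=dict)           # ref -> vendor template
    image_archive: Dict[str, bytes] = field(default_factory=dict)  # ref -> original image, held outside the ABIS

    def enroll(self, ref, image, keep_image=True):
        self.abis[ref] = self.extractor(image)
        if keep_image:
            self.image_archive[ref] = image

    def verify(self, ref, image):
        return toy_compare(self.extractor(image), self.abis[ref])

    def swap_algorithm_without_reenrollment(self, new_extractor):
        """The lock-in trap: a new algorithm applied against templates the old one produced."""
        self.extractor = new_extractor

    def migrate(self, new_extractor):
        """Replace the algorithm and regenerate every template from the image archive.
        Raises if any enrolled record has no retained image."""
        missing = [ref for ref in self.abis if ref not in self.image_archive]
        if missing:
            raise RuntimeError(f"cannot re-enroll without original images: {missing}")
        self.extractor = new_extractor
        self.abis = {ref: new_extractor(img) for ref, img in self.image_archive.items()}
        return len(self.abis)
```

The archive is the asset that must be planned for: it needs the same protection as the ABIS (the earlier guidance on encryption and separation from demographic data applies to it), a retention policy, and a tested re-enrollment procedure, because without it the templates are only usable for as long as the vendor that produced them is in place.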
Open-source solutions are those where the code is available for use without commercial restrictions and where the technology has been placed in the public domain. This can allow for significant advantages in terms of customization and integration. Their disadvantage is that they may not be as accurate or perform as well as commercial offerings that have had significant additional investment. Open source can be used for many different components of a system, from the algorithm through to the integration framework. Some solutions mix open- and closed-source components.