A PRIMER ON BIOMETRICS FOR ID SYSTEMS

The World Bank Group’s Identification for Development (ID4D) Initiative prepared a Primer on Biometrics for ID Systems (Primer) as a reference document for practitioners, civil society organizations, development partners and other stakeholders on the responsible use of biometric recognition in official or government-recognized identification (ID) systems, such as national IDs, civil registration, population registers, and others. Over the past 30 years, countries have increasingly incorporated digital biometric recognition into these ID systems, either as part of identity proofing (de-duplication) and/or to provide verification and authentication to service providers. However, given the specialized and often proprietary nature of most biometric technology, the stakeholders mentioned above have not always had access to information they need to effectively consider the appropriate and responsible use of this technology. The Primer reflects experiences in a range of countries from different regions, with different legal systems, and at different stages of economic development. It also takes into account existing literature, international conventions, and norms and principles. It is based on evolving international good practice, as understood by ID4D.

This Primer aims to help fill this knowledge gap, serving as an introduction to key biometrics-related terms and concepts. It also provides good practices and approaches for determining whether or not biometric recognition is necessary for an ID system and—if so—how to use it responsibly, considering several domains (e.g. technical, deployment, operational, and legal). The Primer includes:

• Answers to frequently asked questions (FAQs) by practitioners during the design and implementation of incorporating biometrics in ID systems (note: there is a user-friendly list of FAQs in the appendix);
• An overview of how biometric recognition can be used in ID systems as part of the registration process and to provide people with proof of identity;
• Guidance on the responsible use of biometrics that are aligned with the Principles on Identification for Sustainable Development and data protection/privacy-by-design approaches; and
• Good practices for incorporating biometrics in ID systems in ways to ensure accessibility, inclusivity, security, and sustainability.

Despite the potential benefits of biometric recognition in detecting duplicate registrations and enabling authentication, including security and inclusion advantages over other authentication methods in some cases, deploying these technologies in ID systems presents various challenges. These challenges range from operational, technical, and legal to ethical considerations and include, for example, data protection, security, performance, inclusion, biometric recognition for children and elderly persons, implementation in harsh environments, technology and vendor selection, literacy, cost, and more.

We hope this Primer will help countries more carefully weigh these potential benefits, challenges, and risks, and where biometric recognition is used, adopt good practices for minimizing risk and safeguarding inclusion and data protection.

The Primer does not advocate for the use of biometric recognition, or any particular biometric technology. Rather, it provides analysis and approaches for evaluating the use of the technology and design options for various contexts and applications. The use of biometrics for purposes beyond official ID systems—e.g., for the purpose of surveillance, law enforcement, public security—is outside the scope of this Primer. In addition, the Primer does not address the broader security and technological issues involved with ID systems, which are addressed in other materials, including in through international standards. As with any system that processes personal data, ID systems are vulnerable to attack or misuse given enough time, resources, and determination. The Primer is not intended to be a guide for planning World Bank operations. There is no guarantee that addressing all the issues raised in this Primer will result in successful use of biometrics in and ID system in a country—that will depend on many factors that must be considered, and which may be different from country to country. While every attempt has been made to be complete, there may be issues affecting the design, establishment of operation of the use of biometrics in an ID system that are not addressed in this Primer, or that are addressed in the context of certain assumptions, facts and circumstances that do not apply equally to every situation. Nothing in this Primer constitutes legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of any of the analyses or recommendations as applied to any particular situation. This Primer is a reference tool only. As a result, when contemplating the use of biometric recognition for an ID system, policymakers, practitioners and other stakeholders must carefully balance these risks, as well as potential benefits and alternatives.

The primary purpose of a biometric system is to use automated recognition technology to accurately
validate the identity of an individual. To do this, biometric systems utilize two phases:

1. Enrollment or acquisition
2. Matching and decision

And requires the following activities:

• Acquistion or Collection of the biometric
• Comparison of the biometric to one or more enrolled individuals
• The use of a matching algoriothm to create a decision on identity

For more information on the workings of biometric systems, please see Section 1.

Unlike password-based systems, where a perfect match between two “passwords” is necessary to validate
a user’s identity, a biometric system works probabilistically because two biometric samples are never
identical. Instead, a biometric system generates “scores” based on the level of confidence that two samples
are a match. Because of this probabilistic nature, there is a trade-off between two types of errors:

• False accept rate (FAR). The false accept rate is the proportion of verifications with wrongful claims of identity that are incorrectly confirmed. For example, during a verification transaction, if an impostor fingerprint happens to look sufficiently like the one enrolled, the algorithm decides that they are highly likely to be from the same characteristic and incorrectly verifies the user as the valid identity. This is a false accept as an impostor has been allowed access.
• False reject rate (FRR). The false reject rate is the proportion of verification transactions with truthful claims of identity that are incorrectly denied. For example, during a verification transaction, if the finger is placed on the sensor such that only part of the fingerprint is visible and the algorithm incorrectly fails to verify the user, this is known as a false reject, as the legitimate user has been denied access.

For more information on biometric performance metrics, please see Section 6.5.

Establishing a business or operational need involves investigating and documenting the costs, benefits, risks, and alternatives to biometric use. The primary role of biometrics as part of ID system is increased trust and confidence in a person’s uniqueness and identity and as a potential authentication mechanism. This can be achieved by using biometrics to check for duplicate identities (identification) or using biometrics to validate a person against a previously stored biometric for that individual (e.g., for authentication during transactions). The requirements for each of these functions will be unique to the local environment, and benefits must be balanced against the costs and risks (both security and privacy)—such as those related to data protection and privacy, inclusivity and non-discrimination—both of the biometric systems and potential alternatives (e.g., relying on existing forms of identification and demographic deduplication for identity proofing).

Such an evaluation should be done during the project planning phase, and involve technical and legal experts, as well as consultations with the public and other potential stakeholders (e.g., the relying parties who will use the system for identity services).

What is the difference between enrollment, verification (1:1), identification (1:N), and deduplication?

Biometric recognition involves several distinct processes:

• Enrollment is the process by which individuals are processed and their identity data is recorded into the ID system. This usually requires the individual to provide a strong link to their identity through one or more pieces of existing original documentation such as a birth certificate, driver’s license, or passport or possibly a qualified "introducer" for persons without documentation. Biometrics are captured at this point to establish a link, sometimes known as biometric binding, between the biometrics and the person.
• The identification process is where a captured biometric is compared against multiple individuals’ existing biometric data within a database. This is known as a one-to-many match (1:N). This generates a list of the most likely match candidates, usually ordered by their similarity. The position of a candidate in this list is known as the rank, with the top candidate (most similar) known as rank 1.
• Biometric deduplication uses an identification process to compare captured data against the Acronyms and Abbreviations 57 enrollment database to ensure that the person is not already enrolled to ensure the removal of any duplicates of the biometric identity data enrolled into a system’s database.
• The verification process is where a captured biometric is compared against a single individual’s existing biometric data within a database or stored on a credential. This is known as a one-to-one match (1:1). This comparison produces a match score that is indicative of likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.

The verification process is where a captured biometric is compared against a single individual’s existing biometric data within a database or stored on a credential. This is known as a one-to-one match (1:1). This comparison produces a match score that is indicative of likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.

Enrollment in an ID system occurs through users providing their biographic data for registration. That captured data can then be compared against the enrollment database to ensure that the person is not already enrolled. Deduplication can be performed by comparing biometric data, biographic data, or a combination of both. The deduplication process lowers the risk of identity fraud by helping prevent people from obtaining multiple identities within an ID system that seeks to establish the uniqueness of enrollees, such as most foundational ID system. Biometric deduplication is used globally in over 130 developed and developing countries as part of the issuance process for national IDs, population and civil registers, or similar foundational ID systems.

For more information on biometric applications, please see Section 1.3.

The verification process is where captured data is compared against a single individual’s existing data within a database. This is known as a one-to-one match (1:1). Verification can be performed by comparing biometric data, biographic data or a combination of both.Where biometrics are used, this comparison produces a match score that is indicative of likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator. Nonbiometric authentication uses either something you know (e.g., passwords or personal Identification numbers [PINs]) or something you have (e.g., a smart card or passport).

For more information on biometric applications, please see Section 1.3.

A variety of different biometrics can be used in ID systems; however, the most commonly used traits are fingerprint and iris for identity deduplication, as well as face for identity verification.

Fingerprints are currently the most commonly used modality for biometric recognition in systems such 58 PRIMER & FAQS as foundational IDs. This technology relies on the unique minutiae of a fingerprint and requires specific technology (fingerprint readers) for use. A fingerprint pattern under normal circumstances is permanent and unchanging; however, there are factors that can influence the quality of a person’s fingerprints such as employment types, age, and some medical conditions.

Iris recognition is a highly accurate and automated method of biometric identification of someone’s unique and stable eye patterns using pattern-recognition techniques on video. In comparison to other biometric modalities, iris recognition may also provide better protection against spoofing and other attacks. The distinct iris pattern is made up of a number of features within the eye muscle, such as collagenous fibres, crypts, colour, rifts, and coronas. The high stability of the modality is based on the iris pattern’s minimal change from formation prior to birth through the first two years of life.

Facial recognition technology (FRT) has undergone a technology revolution over the last five years. The greatly increased accuracy of FRT has led to the widespread adoption of FRT solutions for both foundational and functional types of ID systems particularly for 1:1 verification against a mobile device. This biometric technology is well-developed, and commonly engaged for many different use cases. For example, FRT is a fundamental component of international passport usage through International Civil Aviation Organization (ICAO) standards for e-passports and is commonly used as part of the passport issuance process. Smartphone devices and applications are increasingly using FRT to verify owners or users, which is leading to growing acceptance. However, there are some specific data protection and discrimination risks related to FRT---particularly when used for 1:N matching---due to the widespread availability of photos online, the ability to capture facial images at a distance, the increasing use of FRT for law enforcement, and bias in facial matching algorithms.

For more information on different biometric modalities, please see Sections 2, 3 and 4.

The process of fusing (i.e., combining) different sources of information is called multibiometric or multimodal biometrics. It is in particular relevant for large-scale biometric identification and de-duplication systems with millions of enrollment records (for example the foundational ID systems used in India, the Philippines, and Indonesia). There are two major benefits to multibiometric recognition:

1. Improved matching performance. Using multiple sources of biometric information will improve the overall matching performance leading to a lower FMR and FNMR. In particular for large-scale identification (e.g., de-duplication) systems, the use of multiple biometric sources is often required to yield an acceptable identification performance.
2. Better inclusion and fault tolerance. Combining different biometric traits will ensure that the system can still be used even when certain biometric data is not available or unreliable because of low quality. The improved acquisition performance (i.e., better FTE, FTA, and FTC) will improve the fault tolerance and inclusion rate of individuals that are to be enrolled in a biometric system.

Improvements of multibiometric systems also come at a cost, in terms of added complexity, lower acquisition throughput, or increased price. For example, capturing multiple samples of the same finger will add complexity and increase the effort of the acquisition process. In addition, capturing fingerprints from different fingers may require more expensive fingerprint scanners or the use of multiple biometric traits may require additional capture devices increasing the overall cost of the system. Also, multibiometric systems will require additional storage capacity and increased bandwidth and computation resources.

Given the unique sensitivity of biometric data used for identification purposes, such data should only be collected where necessary for a narrowly defined and lawful purpose. Collecting more biometric data than necessary to establish uniqueness or for a specific use case would, therefore, not be justifiable and goes Acronyms and Abbreviations 59 against general data minimization principles. The potential for re-identification through linked data is also increased as there is more personal data being stored.

For more information on multimodal systems, please see Section 4 of the Primer.

Fingerprints: Infants and small children that have not fully developed cannot yet have their fingerprint taken, and aging results in the loss of collagen, making the skin loose and dry, negatively affecting the quality of fingerprints acquired by sensors. Manual laborers and persons with disabilities may also have difficulty with fingerprints. Furthermore, risks and challenges in the use of fingerprint recognition include a wide array of spoofing possibilities, universal master print attacks, replay attacks (where stolen fingerprint data is sent to the host remotely) or other kinds of attacks

Face: Unlike other biometric modalities such as fingerprint or iris, facial images are easily available in high volume online through social media channels and can be silently acquired at a distance by cheap equipment (CCTV, smartphones). Facial characteristics can also be used to identify race, gender, ethnicity, and other characteristics that could potentially be used to discriminate or otherwise cause harm. Facial images can be easily captured and matched with the subject from which the biometric was taken without any action or knowledge required directly by the subject. Face recognition algorithms can show varying degrees of bias against certain demographics of a population if they have not been trained on a sufficiently diverse gallery of face images.

Iris: Iris systems can be expensive to implement, requiring relatively niche capture devices. Capture for iris systems is more controlled than some other modalities. Potential issues include eye rotation, pupil dilation, occlusion, movement, environment, eyelash obscuration, glare and height. Iris may also exclude subsets of the population, including those with common medical conditions such cataracts and glaucoma and those that commonly use glasses or contact lenses as well as people with albinism. Additionally, there is the potential for a higher failure to acquire for younger subjects and some racial sub-groups have little visible iris structure which may make capture difficult.

Voice: An individual’s unique voice print can be used for verification, validation, and authentication purposes but is generally not reliable for 1:N identification or deduplication. Because, an individual’s voice prints can change over time and due to several factors, such as sickness, environmental conditions etc. therefore, regular updates of individuals’ voice samples are generally necessary for voice recognition systems.

For more information on modality specific risks, please see Sections 2, 3 and 4.

Like other sensitive personal data, biometrics must be adequately protected from theft and misuse through a combination of legal, technical, and operational measures.

Technical mitigation methods include:

• Appropriate data security measures and controls to protect the integrity and confidentiality of biometric data, having regard to the increased risk associated with such data, including encryption, template protection, digital certificates, and public key infrastructure (PKI).
• Access controls must be securely managed.
• Data must be separated and anonymised.
• Data access and movement must be logged and traceable.
• Third Party external access restrictions must be in place for templated data.

Operational mitigation methods include:

• Operators must be sufficiently trained in use of the system.
• Robust governance structures and audit procedures must be in place.
• Data Protection Impact Assessments (DPIA) and threat modelling must take place.
• Regular technical performance reviews must be undertaken.
• Designating a data protection officer.

A comprehensive legal and regulatory framework will include data protection measures including:

• Demonstrating a clear lawful basis for the processing of biometric data
• Collecting biometric data only where necessary for limited, lawful purposes
• Minimizing collection of biometric data that is necessary
• Ensuring biometric data is kept accurate and for no longer than necessary
• Being transparent with users about the processing of biometric data
• Requiring appropriate organizational and technological security measures in respect of biometric data
• Carefully controlling external access to biometric data and ensuring appropriate contractual protections are in place with any third-party suppliers
• Creating mechanisms for external review and audit

For more information on mitigation methods, please see Sections 5, 6 and 7.