Biometrics is the measurement and analysis of unique physical characteristics and behaviour, such as a face, fingerprint, voice, the way someone walks, the way they use their phone and so on.
Legally, biometrics is defined differently in different laws, but the common factor is that you are identified or authenticated through your unique physical characteristics or behaviour. Not all services use this data to identify or authenticate. However, to make things easier to understand, we have called all the physical characteristics and behaviour data ‘biometrics’.
There are a range of different technologies that are considered biometrics. Not all of them identify or authenticate.
Detection: Is there a face in this picture? Is it a human face?
Characterisation
What can I determine from this face? (Examples: age; biological sex; mood.) Is this a real person?
Temporary unique identifier
What is this person doing in a limited context for a limited time? Have we seen this person before, within a limited timeframe?
Authentication 1:1
Is this person who they are claiming to be? Are the two images of the same person?
Authentication 1: many
Is this person entitled to do what they are trying to do? (Example: entering a venue or restricted area) Does this biometric exist in the database?
Verification or identification 1: many
Is this person known to us? Does their biometric match to information we already have about this person and who they are? This kind of software can determine who this unknown person is.
Some service uses of data might involve, for example, a face or elements of a face, but without identifying the person. For example, we have developed technology to check if a face presented is real, or if it someone wearing a mask. This activity doesn’t identify the person in any way, it checks if the image is genuine or not.
When biometric are used to identify a person, the characteristics are compared to a pre-existing list or database of characteristics and other information. For example, if a shop allowed you to pay with your face, or if a casino used facial recognition to identify and help people who had added themselves to a gambling exclusion list.
When biometrics are used to authenticate a person, there are two main ways this is done. The most common approach compares two examples of a characteristic to see if they match. For example, when your bank uses voice recognition for telephone banking the technology checks if your voice matches the sample held on your account. Or where you use your face or fingerprint to access your phone. This use of biometrics allows you to prove it’s really you by comparing your characteristics with a template you have already set up or that has been created for you automatically. The template once created is stored securely and then each time you need to prove that you are really you, your information is compared against the template to see if it matches.
The other way is to compare a characteristic to a pre-existing list or database of characteristics, but there doesn’t need to be any other information about you. For example, if an office used fingerprints to access a certain area that only certain people could access. The technology would match your fingerprint to all the pre-registered templates to see if yours is there. If it is you are allowed access.