Algorithm ✅

Biometrics usage

Algorithm is used to mean either:

1. A combination of computing software which takes as input biometric data and outputs attributes and/or identity information.
2. An individual component of such software that performs one specific step (such as extracting relevant features of a fingerprint).

In many contexts this distinction is unimportant; where it is material, we recommend making the desired meaning clear.

Context and wider usage

In common English usage, algorithm means a process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer, to produce a desired result. Usually, the word is taken to mean ‘inclusive of systems that use artificial intelligence’ although some writers distinguish the two into separate categories.

Examples

1. They tested the performance of the iris recognition algorithm in poor lighting.
   The algorithm provided a list of potential matches to the face seen in the camera footage.
   The algorithm was used to estimate the age of each customer.
2. Performance was improved by swapping out the feature extraction algorithm while leaving the others unchanged.

Definitions in technical use

ISO does not define algorithm but uses the word consistent with meaning #1.
NIST offers a definition similar to the ordinary English usage.

Artificial intelligence (AI) 🚫

Biometrics usage

1. A machine, system etc. that performs intelligent functions or processes data using mechanisms believed to underpin intelligence (for example, machine learning); or describing such a system.
   
   Many use AI to mean ‘both performing intelligent function and containing intelligent data processing’. However, sometimes only one of these is intended; and sometimes systems with either function or processing are included (often when describing several such systems). Consequently, the meaning is often not obvious from the context; see examples 1, 2a and 2b below for illustration. Especially in formal use, ensure that the intended meaning is clear.
   
   This inconsistency confounds the relationship between biometrics and AI. Some view that all biometric systems are AI – applying to AI only an ‘intelligence of function’ requirement. Others argue that biometrics are only AI if they use intelligent data processing such as machine learning and neural networks.
   
   
2. AI has been increasingly employed in mainstream biometric processing in recent years, but it also features in other aspects of these applications:

1. AI attacks on biometric systems – Threats from AI technologies that can seriously impact biometric applications are ever-present and growing. These include elements such as deepfakes (where a person’s face or voice is impersonated with AI techniques) and more general AI cyber attacks which result in the corruption or loss of data within the system.
2. AI protecting biometric systems – AI can also play a crucial role in countering these threats by detecting incoming attacks and analysing and quality assuring data integrity.

Context and wider usage

In very general terms AI may be considered to be any form of an autonomous or partially autonomous computing system that is able to:

1. Simulate human thought, learning or behaviour.
2. Analyse large data sets to classify material, solve problems and make decisions, predictions or recommendations that previously would have required human intelligence.
3. Process data on a scale that exceeds human abilities.

However, it should be noted that many stakeholders observe the difficulty of drafting a solid definition for AI.

Confounding factors include:

• Interest in AI from a wide array of governing bodies, commentators, and the public.
• Lack of clarity and shifting perspectives over time on what does and does not constitute ‘intelligence’ either in function or computation; and therefore what AI is when compared to non-intelligent machines.
• Reliance on comparisons with human intelligence. While analogy can aid understanding, it can lead to ‘things that previously required human intelligence’. 50 years ago, that was true of calculators – yet we do not now consider calculators to contain AI technology.

Different stakeholders desire different entities to be considered, or not considered, as AI and even these predilections sometimes change over time.

Examples

1.

• The AI technology in the cameras recognised people passing in the street and presented them with tailored advertising on the electronic hoardings.
• Regulators are concerned about the non-consensual public capture and processing of face images using artificial intelligence facial recognition technology.

(Note these examples may well use techniques such as convolutional neural networks, but do not need to; and the actions and concerns described do not depend on this.)

• Face recognition system performance improved circa 2018 by adding AI (implying that prior to that time, non-AI algorithms were used).
• The legislators sought to impose controls on all types of AI systems (Note how would the scope of this intended action be defined?).

2a.        
Audio presented to the voice recognition system was actually an artificial intelligence-generated deepfake. (NB that deep fake usually implies generation by neural network techniques.) 

2b.        
The attempt to enrol an altered, imposter’s face image into the biometric system was prevented by artificial intelligence software that detected spurious artefacts and small distortions in the features. (Note a good example of where the process described may refer to a specific AI technique or be open to a wider interpretation i.e. any such software would be AI, no matter how implemented?). 

Definitions in technical use

Russell & Norvig – ‘Systems that act/think like humans,’ aligned with the function/processing split noted in definition 1.
Google – Alternative – either intelligent in both function and processing as in definition 1; or using data analysis beyond human scale (Wider usage no.3).
US Presidential order – Intelligence in both function and processing.
EU AI Act (and OECD) – Intelligence in both function and processing.
ISO – Intelligence in either function or processing.
NIST CSRC – Intelligence in processing only.

Authentication 🚫

Biometrics usage

Authentication answers one of the questions:

1. Is this person who they claim to be? 
2. Is this document (which is intended for biometric use) valid?

Given these different definitions and the overlap between authentication and verification, it is impossible to interpret precisely what is intended when either term is used without further context.

Therefore, if reading the term without clarification it should be interpreted mindful of the background given above and the potential meanings.

When using the term in writing, it is strongly recommended that clear guidance is given so the reader knows what is intended.

Context and wider usage

In common English usage, authentication means ‘the proving of someone or something to be valid or genuine’ across a wide range of disciplines, types of processes for so proving, and things to be authenticated. Domain-specific uses have attempted to tighten this – unfortunately, these are inconsistent.

‘Confirm identity of previously registered person’
In IT usage authentication has come to mean more specifically ‘confirmation of the identity of a previously registered user or device’. Many uses of the term in digital identity are aligned with this general IT usage – i.e. ‘confirmation that the original creator of a digital identity is the one using it right now’.

‘Confirm genuine documents (esp. when used to establish digital identity)’
However, the process of document authentication – checking that, for example, a passport is genuine – also uses the word, and is associated with the creation of a digital identity, not its later use.

Authentication/verification overlap
Further, the term verification or identity verification is often used to mean one or both of these processes, sometimes supported by assigning authentication and verification to specific meanings for a particular scenario.

Examples

1. Changes of postal address require biometric authentication or a visit to a branch office.
2. Authentication of the passport is required before checking that the face image within it matches the face of the presenter.

Definitions in technical use

FIDO defines to mean, in their context, ‘confirm identity of previously registered person’.
ISO defines similarly to the usual English definition and deprecates the (widespread) use of the term as synonyms for other processes including biometric verification.
NIST defines as ‘confirm identity of previously registered person’, and notes in SP800-175b similar challenges with multiple uses of the term with slightly different contexts.

See also

Contrast with remarks at Verification on definition challenges.
1:1 / 1:N Verification (1:1) and identification (1:n) explanatory graphics

Bias 🚫

Biometrics usage

Bias is sometimes used to describe an aspect of some biometrics systems in which they show consistent poor performance for certain groups of people (usually demographically based).

The usual English definition of ‘bias’ does not really convey this meaning, and the term is generally only used outside the biometrics industry.

Within the industry, such outcomes are commonly – and more accurately – termed ‘demographic differentials.’ However, this is a technical term unsuitable for a general audience.

Context and wider usage

The term in English has several meanings. In this context most readers would infer ‘inclination or prejudice for or against a person or group, especially in a way considered to be unfair’.

Notes

1. Illustrations of the meaning of the ‘consistent poor performance’ alluded to include:

• A voice biometric system might more frequently make mistakes with the voices of older people than of younger people; or
• A face recognition system might find it easier to distinguish Caucasian faces than East Asian faces.

2. Such performance differences have parallels in lived human experience: for instance, most humans are poor at recognising the faces of unknown people from different racial groups to their own.

These differences usually arise due to training and data differences: a system trained exclusively to recognise the faces of infants would be unlikely to perform well on the elderly. Again, this echoes lived human experience.

Examples

The immigration gates showed bias against older black women. (Note likely meant ‘the system does not as reliably match older black women to their passport images as it does for other groups, and so many could not use the gates’.)

The digital onboarding system showed bias allowing more fraud against young East Asian men. (Note likely meant ‘the system mistakenly matches East Asian men more frequently than other groups’.)

The crowd surveillance system showed bias against young white men. (Note may mean ‘young white men were over-represented in the watch-list of potential offenders’ – a procedural, rather than technological, issue; or ‘young white men in the crowd were mis-matched to the watch-list more frequently than other groups’.)

Definitions in technical use

ISO, together with OASIS, defined BIAS or ‘Biometric Identity Assurance Services’ in ISO 30108; this is unrelated to bias as described here.
NIST offers definitions relating to the statistical concept of bias.

Note that lack of technical definitions directly addressing this subject largely reflect the poor alignment of the term with the underlying concept it is sometimes used to describe, usually by stakeholders outside the biometric industry.

Biometrics ⚠

Biometrics usage

Used to mean:

1. The recognition (and/or sometimes classification) of humans using distinctive characteristics such as the shape of the face, the sound of the voice, the veins of their hand, consistently measurable behaviours, etc.
2. The distinctive human characteristics that are (or may in future be) used for such recognition or classification processes.
3. Any external (often digital) representation of these human characteristics.

In casual use the term is usually intended to also imply ‘using computers.’ However, usually humans can be involved either in support of, or in replacement of, computers to perform these tasks.

Because of the possible variations it is helpful for writers to be clear about the broad parameters intended – especially whether it is about processing vs data; and, for processing, identification vs classification and performed by machine vs human.

Context and wider usage

Biometrics literally means ‘body measurements’ of any type (including for example, temperature used for medical diagnosis), but is increasingly used in the narrower sense of ‘measurements that can be used to identify and/or classify people’. This notwithstanding, the term is still in use to mean a range of different processes that involve body measurements such as physical performance in certain tasks or conditions (for example, “Sensors … will monitor brain signals and other medical data … [amassing] a huge biometric … database.”).

Some characteristics measured for biometrics are physiological; some are behavioural; but most of the time a combination of physiology and behaviour contributes to the process.

The inclusion of classification alongside identification is inconsistent: some include it, and some do not; where included, it may include a range of attributes – from characteristics like racial groupings to bodily attributes like age to mental attributes like mood or sentiment.

Examples

1. The decision to use biometrics for mobile device unlocking was based on convenience and security.
2. She was uneasy about presenting biometrics like her fingerprints for fear of them being copied.
3. He didn’t like the idea of the agency holding his biometrics.

Definitions in technical use

ISO provides a precise definition for biometrics which largely aligns with ‘use of data for identification’ aside from requirements that computing is involved (i.e. human-only is out of scope), and that recognition is required (i.e. classification is out of scope).
NIST offers a few definitions. One (from SP800-63-3) aligns with the ‘use of data for identification’ meaning above but, like the ISO definition, excludes purely human processes and classification uses. Another (from SP800-12 Rev. 1) defines biometrics as the plural of biometric, as in a ‘specific type of data from a person that can be used to recognise them’.

Classification ✅

Biometrics usage

The process of using distinctive human characteristics such as the shape of the face, the sound of the voice, consistently measurable behaviours, etc., to determine attributes of people. These attributes are wide ranging and may include characteristics like racial groupings or age to mental attributes like mood or sentiment.

The term is usually intended to also imply ‘using computers.’ Humans can support, or replace, computers to perform these tasks in most cases, although this is relatively unusual in large-scale uses of classification.

Context and wider usage

The usual English meaning ‘the action or process of arranging a group of people into classes or categories according to shared qualities or characteristics’ is well aligned with use in biometrics.

Examples

The store used biometric classification to determine the approximate age of its customers as they entered.

Definitions in technical use

Both ISO and NIST include only identity-related functions within biometrics and therefore offer no definition.

See also

Compare with Identification and Verification which are the other two main uses of biometrics.

Identification 🚫

Biometrics usage

Also known as 1:N and One-to-Many.

Identification is a biometric database search: a person is looked up in the database by their biometric (such as their face, fingerprint, or the pattern of their iris).

Biometric identification answers the questions: ‘Is this person in the database? If so, which entries do they match?’

In some biometric systems the identification process is entirely automated and the results of any database search are not subject to human adjudication. However, in many systems a human adjudicator is required to review the output, especially when a list of potential candidate matches is routinely produced by the system.

Given public understanding of identification is much broader than the usual biometrics interpretation, use of the term can be confusing for non-specialist readers. Arguably a term such as ‘biometric database search’ might be better. A clarifying comment when first used is recommended if the term must be used with such an audience.

Context and wider usage

In English, ‘identification’ has several meanings somewhat aligned with biometric technology: for instance, ‘the act of identifying’, ‘the state of being identified’, and ‘evidence of identity’.

In general use, ‘identification’ may be from a candidate set of any size from one (for example, ‘a member of the family was brought in for identification of the body’) to a population (for example, ‘a suspect for the crime was identified’). Public interpretation of the word ‘identification’ encompasses this very broad range of possibilities.

Notes

1. A significant consideration is the size of the database being searched:
   1. Some are quite small (for example, a database of employees permitted to enter a building, where non-matches are diverted to a reception desk);
   2. Some are quite large (for example, a face image database of prior offenders, searched to attempt to identify a face image captured at a crime scene; typically, several candidate matches are generated that are subject to human adjudication); and
   3. Some are enormous (for example, a whole-of-population database used to support border crossing).
2. The search process may result in:
   1. No matches (for example, the presented face matches no-one in the database)
   2. One match (for example, the presented face matches this one person in the database; this usually only occurs when the database is small)
   3. A candidate list of several matches (for example, the presented face could be one of these 20 people) – usually for further consideration by a human

Note that such a search is not dependent upon a suggested identity. Contrast this with verification, which is dependent on such a suggestion.

Examples

Face images from the border crossing were used for identification of known smugglers for police review.
The building access control system used biometric identification to either allow or deny entry.

Definitions in technical use

ISO offers a similar definition to that provided above.
NIST offers a broader definition in FIPS 201-3 that also encompasses non-biometric means.

See also

Verification, one of the other uses of Biometrics.
Verification (1:1) and identification (1:n) explanatory graphics

Verification ⚠

Biometrics usage

Also known as 1:1 and One-to-One.

Verification is a direct biometric comparison: a person is compared against previously stored information to confirm whether there is a match. In this way, biometric verification answers the question: ‘it this person who they claim to be?’

The ‘previously stored information’ may be in user devices (such as a face within the user’s smartphone) or in a centralised database. When in a database, verification implies comparison with a single entry in that database representing the suggested or claimed identity of the person. This is unlike identification which does not depend on such a claim.

In digital identity contexts, there is overlap between authentication and verification, and it is impossible to interpret precisely what is intended without context.

Therefore, if reading the term without clarification it should be interpreted with care. If using the term in a document, it is strongly recommended that guidance is given so the reader knows what is intended.

Context and wider usage

The usual English definition is ‘the process of establishing the truth, accuracy, or validity of something’ – while fairly general, this is somewhat aligned with use of the term in biometrics. Domain-specific uses have attempted to tighten this – unfortunately, these are inconsistent.

‘Upon registration’ vs ‘previously registered’

In some usages (for example, customer service delivery), ‘verification’ or ‘identity verification’ mean confirmation that:

• ‘The original creator of an account or identity is the one using it right now’; or
• ‘An attempt to create a digital identity linked to real-world identity X is being made by person X’ – i.e. the identity proofing process.

Further, the term authentication is often used to mean one or both of these processes, sometimes supported by assigning each of the two words to one of the two meanings in a particular scenario.

Notes

1. Often verification processes are entirely automated. In some systems a human adjudicator must review the output, especially when incorrect results have significant consequences.
2. Biometric verification can be employed in a wide range of operating scenarios including crossing international borders using a biometric travel document, and assuring access to physical locations (such as event venues or secure facilities), digital devices (such as mobile phones and laptops), and remote services (such as online or over-the-phone transactions).

Examples

Apple’s FaceID biometric verification is performed on-device.
Creating a new digital identity requires verification of the person against their passport.

Definitions in technical use

FIDO defines identity verification in the sense of ‘confirm identity of person when registering’ whether using biometrics or not.
ISO provides a precise definition which largely aligns with that provided above.
NIST defines identity verification to align with the above but also including non-biometric means.

See also

Compare with Identification and Classification, the other main two uses of Biometrics.
Contrast with remarks at Authentication on definition challenges.
Verification (1:1) and identification (1:n) explanatory graphics