
Beyond Irises and Fingerprints: The Expanding Boundaries of Biometrics

You scan your face to unlock your smartphone. You use your fingerprint to unlock the password manager on your laptop. You scan your face once again as part of a double authentication process to access your company’s VPN server. Biometric security measures that a few decades ago would have only been featured in spy novels and action films as evidence of futuristic high-tech security systems are now a ubiquitous staple of daily life.

Initially defined as the recognition of individuals through unique physical characteristics, biometrics now encompasses two main categories—physiological (static authentication) and behavioral (dynamic authentication). Though you’re much more likely to encounter the former, the latter is slowly becoming a legitimate second avenue in biometric technology. Let’s take a closer look at where the field is currently, as well as what potential challenges and developments are on the horizon.

Biometrics (Increasingly) as Usual
Physiological biometrics refers to any measurable characteristics, also known as modalities, of the human body. Common examples include fingerprints, facial features and iris/retinal scans, all of which have been gradually adopted as identity authenticators across a wide range of industries during the past two decades. You’ve likely interacted with at least one biometric authenticator today if you’re reading this on a smartphone or laptop. But to give an idea of just how prevalent they’ve become on a global scale, look no further than the ongoing rollout of the European Union’s Entry/Exit System (EES), which requires all non-EU visitors to register their fingerprints and facial features along with scans of their passports before entering or leaving the 29 nations of continental Europe’s Schengen Area. The EES, set to officially launch in 2026, is intended to replace the manual passport stamp system and create a massive digital record of visa-free travelers.

But make no mistake—the biometrics industry has not simply rested on its laurels now that facial and fingerprint scans have become commonplace. Numerous studies have been conducted to discover new identifiers that can be integrated into security systems and databases, ranging from the seemingly exhaustively examined to the experimental. Some examples include:

  • DNA: A person’s DNA profile, usually retrieved from samples of blood, hair or saliva, is considered a physiological biometric.
  • Palm Print: Much like fingerprints, the unique pattern of ridges found on the palm is considered a reliable biometric.
  • Hand Geometry: We’re all taught about the uniqueness of fingerprints in elementary school, but other hand-based modalities now include the geometry of both the hand and each individual finger. Usually saved for high-security environments, the process measures finger curvature, length, width and thickness along with palm size.
  • Vascular Pattern Recognition: Detected under near-infrared lighting, unique patterns of branching blood vessels can be found in the fingers, palm and back of the hand.
  • Ear Shape: Ears are not typically included in facial recognition, and research into establishing ear shape as a biometric is ongoing. However, the shape and impression of one’s ear on surfaces is already used as an identifier in law enforcement, namely by forensic scientists.
  • Scleral Veins: While the colored tissue in the iris and the network of blood vessels in the retina have been popular modalities within the eye, numerous studies have been conducted proposing the network of veins found in the sclera (the white portion of the eye) as another form of eye-based identifier.
  • Odor: While already used in various identifying applications, the use of a person’s individual body odor as an identifier is still in the developmental stage.

Utilizing physiological indicators is considered static authentication. It’s effective, but far from perfect. Because you’re dealing with immutable traits, you cannot simply change and reset those traits (i.e., you can’t change your fingerprint) if they are copied or stolen, thus making all future authentications with those indicators potentially compromised. It’s also possible for both false negatives and false positives to emerge in authentication if certain physiological traits degrade (as from aging, for example) or are damaged. And that’s to say nothing of the well-documented problem of racial and gender bias in facial recognition systems. These potential flaws have driven the biometrics industry to start exploring continuous, dynamic authentication through behavioral biometrics.

Less What You Are, More How You Do It
Behavioral biometric identifiers are not measured through physical properties but rather involve an individual’s repeated actions at both the conscious and subconscious levels. Some are the end results of long-established habits. A signature is a prime example—not just in its physical appearance but how it’s repeatedly inscribed on a surface. The modernized version of the same concept can be found in keystroke patterns, specifically the speed at which words are typed and how forcefully each key is pressed. It’s less about what you write and more about how you write. This type of dynamic authentication is becoming increasingly popular, particularly in the fintech industry. Other examples include a person’s mouse movement, touchscreen interactions, walking gait and speaking pattern.

Yet even as behavioral biometrics evolve, many hurdles remain. To accurately build a behavioral profile takes significantly more time and resources than static authentication. Its accuracy can be suspect when outside variables are introduced. While the increased integration of artificial intelligence has seemingly expanded the frontier of what’s possible with behavioral biometrics, the potential for bias or false positives/negatives has kept pace with its potential. A lack of widely accepted standards for behavioral biometrics has kept most of its applications in the developmental and research phase, and, just like physiological biometrics, authentication can be seriously compromised if behavioral patterns are successfully imitated by attackers.

With no perfect solution yet discovered in biometrics’ two primary fields, the industry has continued its research into more intricate potential indicators. And while studies into concepts like emotional detection, wearable technologies and biometric-encrypted data security systems may sound like we’re once again dipping into works of fiction, these all could potentially be as commonplace in the future as facial recognition is today.

The Privacy Problem
As bright as the potential future of biometrics may seem, the industry must contend with its greatest, ever-present concern—privacy. How a person’s data is obtained, how it’s utilized, how it’s stored and how it’s protected from cyberattacks will always be the public’s key concern regardless of how widespread and advanced biometric innovations become. With the introduction and improved sophistication of each biometric indicator, the need for privacy protection in the United States grows beyond the legal patchwork we currently have.

The U.S. does not currently have a comprehensive biometric statute at the federal level, leaving its privacy to be governed by various state laws and agency rules. Attempts have been made on both sides of the political aisle in the past decade, most notably with the Consumer Online Privacy Rights Act (2021) and the United States Consumer Data Privacy Act of 2019, though neither generated enough support to be signed into law.

Three states currently have laws directly pertaining to biometric indicators on the books, with the most thorough being Illinois’ Biometric Information Privacy Act (BIPA). Under the law, private entities are regulated in how they obtain, secure, store and destroy biometric identifiers from individuals who grant consent to that information. While an attempt to pass a more-expansive version of BIPA on a national level failed in 2020, hundreds of BIPA lawsuits have been filed annually and the law has been used in a number of high-profile class action lawsuits.

Yet even as more states consider following Illinois’ lead, the lack of concrete regulation puts the biometrics industry in a precarious position. The technology is improving, the data on a single person is becoming more specific and intricate, and implementation grows by the day—the market is projected to reach $85 billion by 2027. But recent public surveys show a distinct lack of trust in the industry due to a lack of transparency in how (and when) biometric information is gathered, utilized and stored. Until firm regulations are put in place, that lack of trust will make any and all biometric advancements an uphill battle.

