How Biometrics Works

By: Tracy V. Wilson  | 
Iris scanning is one form of biometric identification. Francesco Carta fotografo / Getty Images

Imagine you're James Bond, and you have to get into a secret laboratory to disarm a deadly biological weapon and save the world. But first, you have to get past the security system. It requires more than just a key or a password -- you need to have the villain's irises, his voice and the shape of his hand to get inside.

You might also encounter this scenario, minus the deadly biological weapon, during an average day on the job. Airports, hospitals, hotels, grocery stores and even Disney theme parks increasingly use biometrics -- technology that identifies you based on your physical or behavioral traits -- for added security.


In this article, you'll learn about biometric authentication systems that use handwriting, hand geometry, voiceprints, iris structure, and vein structure. You'll also learn why more businesses and governments use biometric technology, such as facial recognition systems and voice recognition software. Maybe then we'll discover whether Q's fake contact lenses, recorded voice, and silicone hand could really get James Bond into the lab (and let him save the world).

The Innovative Security of Biometric Data

You take basic security precautions every day -- you use a key to get into your house and log on to your computer with a username and password. You've probably also experienced the panic that comes with misplaced keys and forgotten passwords. It isn't just that you can't get what you need -- if you lose your keys or jot your password on a piece of paper, someone else can find them and use them as though they were you.

Instead of using something you have (like a key) or something you know (like a password), biometrics uses who you are to identify you. Biometrics includes everything from physical characteristics (such as fingerprint recognition and facial recognition) to behavioral biometrics (like voice recognition). Unlike keys and passwords, your personal traits are extremely difficult to lose or forget. They can also be very difficult to copy. For this reason, many people consider them to be safer and more secure.


Biometrics uses unique features, like iris recognition, to identify you.
Photo courtesy Iridian Technologies

How Biometric Information is Encoded

Biometric systems can seem complicated, but they all use the same three steps:

  • Enrollment: The first time you use a biometric system, it records basic information about you, like your name or an identification number. It then captures an image or recording of your specific trait.
  • Storage: Contrary to what you may see in movies, most systems don't store the complete image or recording. They instead analyze your trait and translate it into a code or graph. Some systems also record this data onto a smart card that you carry with you.
  • Comparison: The next time you use the system, it compares the trait you present to the information on file. Then, it either accepts or rejects that you are who you claim to be.
This laptop features a fingerprint scanner, bringing biometric security to the home.

Systems also use the same three components:


  • A sensor that detects the characteristic being used for identification
  • A computer that reads and stores the information
  • Software that analyzes the characteristic, translates it into a graph or code and performs the actual comparisons

Biometric security systems, like the fingerprint reader available on the IBM ThinkPad T43 (right), is becoming more common for home use. You can read other HowStuffWorks articles to learn about face recognition and fingerprint scanning.



This Tablet PC has a signature verification system.
Photo courtesy Softpro

At first glance, using handwriting to identify people might not seem like a good idea. After all, many people can learn to copy other people's handwriting with a little time and practice. It seems like it would be easy to get a copy of someone's signature or the required password and learn to forge it.

But biometric systems don't just look at how you shape each letter; they analyze the act of writing. They examine the pressure you use and the speed and rhythm with which you write. They also record the sequence in which you form letters, like whether you add dots and crosses as you go or after you finish the word.


Unlike the simple shapes of the letters, these traits are very difficult to forge. Even if someone else got a copy of your signature and traced it, the system probably wouldn't accept their forgery.

A handwriting recognition system's sensors can include a touch-sensitive writing surface or a pen that contains sensors that detect angle, pressure and direction. The software translates the handwriting into a graph and recognizes the small changes in a person's handwriting from day to day and over time.


Hand and Finger Geometry

A hand geometry scanner
Photo courtesy Ingersoll-Rand

People's hands and fingers are unique -- but not as unique as other traits, like fingerprints or irises. That's why businesses and schools, rather than high-security facilities, typically use hand and finger geometry readers to authenticate users, not to identify them. Disney theme parks, for example, use finger geometry readers to grant ticket holders admittance to different parts of the park. Some businesses use hand geometry readers in place of timecards.

Systems that measure hand and finger geometry use a digital camera and light. To use one, you simply place your hand on a flat surface, aligning your fingers against several pegs to ensure an accurate reading. Then, a camera takes one or more pictures of your hand and the shadow it casts. It uses this information to determine the length, width, thickness and curvature of your hand or fingers. It translates that information into a numerical template.


Hand and finger geometry systems have a few strengths and weaknesses. Since hands and fingers are less distinctive than fingerprints or irises, some people are less likely to feel that the system invades their privacy. However, many people's hands change over time due to injury, changes in weight or arthritis. Some systems update the data to reflect minor changes from day to day.

For higher-security applications, biometric systems use more unique characteristics, like voices.



Speaker recognition systems use spectrograms to represent human voices.
Photo courtesy Richard Horne

Your voice is unique because of the shape of your vocal cavities and the way you move your mouth when you speak. To enroll in a voiceprint system, you either say the exact words or phrases that it requires, or you give an extended sample of your speech so that the computer can identify you no matter which words you say.

When people think of voiceprints, they often think of the wave pattern they would see on an oscilloscope. But the data used in a voiceprint is a sound spectrogram, not a wave form. A spectrogram is basically a graph that shows a sound's frequency on the vertical axis and time on the horizontal axis. Different speech sounds create different shapes within the graph. Spectrograms also use colors or shades of grey to represent the acoustical qualities of sound. This tutorial has a lot more information on spectrograms and how to read them.


Some companies use voice recognition technology so that people can gain access to information or give authorization without being physically present. Instead of stepping up to an iris scanner or hand geometry reader, someone can give authorization by making a phone call.

Unfortunately, people can bypass some systems, particularly those that work by phone, with a simple recording of an authorized person's password. That's why some systems use several randomly-chosen voice passwords or use general voiceprints instead of prints for specific words. Others use technology that detects the artifacts created in recording and playback.


Iris Recognition

Eye anatomy
Photo courtesy Iridian Technologies

An iris scan can seem very futuristic, but at the heart of the system is a simple CCD digital camera. It uses both visible and near-infrared light to take a clear, high-contrast picture of a person's iris. With near-infrared light, a person's pupil is very black, making it easy for the computer to isolate the pupil and iris.

When you look into an iris scanner, either the camera focuses automatically or you use a mirror or audible feedback from the system to make sure that you are positioned correctly. Usually, your eye is 3 to 10 inches from the camera. When the camera takes a picture, the computer locates:


  • The center of the pupil
  • The edge of the pupil
  • The edge of the iris
  • The eyelids and eyelashes

It then analyzes the patterns in the iris and translates them into a code.

An iris scanner
Photo courtesy Iridian Technologies

Iris scanners are becoming more common in high-security applications because people's eyes are so unique (the chance of mistaking one iris code for another is 1 in 10 to the 78th power [ref]. They also allow more than 200 biometric identifiers for comparison, as opposed to 60 or 70 points in fingerprints.

The iris is a visible but protected structure, and it does not usually change over time, making it ideal for biometric identification. Most of the time, people's eyes also remain unchanged after eye surgery, and blind people can use iris scanners as long as their eyes have irises. Eyeglasses and contact lenses typically do not interfere or cause inaccurate readings.


Vein Geometry

Vein scanners use near-infrared light to reveal the patterns in a person's veins.

Veins are perfect markers for identity verification. As with irises and fingerprints, a person's veins are completely unique. Twins don't have identical veins, and a person's veins differ between their left and right sides. Many veins are not visible through the skin, making them extremely difficult to counterfeit or tamper with. Their shape also changes very little as a person ages.

To use a vein recognition system, you simply place your finger, wrist, palm or the back of your hand on or near the scanner. A camera takes a digital picture using near-infrared light. The hemoglobin in your blood absorbs the light, so veins appear black in the picture. As with all the other biometric authentication methods, the software creates a reference template based on the shape and location of the vein structure.


Scanners that analyze vein geometry are completely different from vein scanning tests that happen in hospitals. Vein scans for medical purposes usually use radioactive particles. Biometric security scans, however, just use light that is similar to the light that comes from a remote control. NASA has lots more information on taking pictures with infrared light.

Privacy and Other Concerns

Some people object to biometrics authentication for cultural or religious reasons. Others imagine a world in which cameras identify and track them as they walk down the street, following their activities and buying patterns without their consent. They wonder whether companies are sharing biometric data the way they sell e-mail addresses and phone numbers. People may also wonder whether a huge database exists somewhere, containing vital information about everyone in the world, and whether that stored data is secure.

At this point, however, modern biometric authentication solutions don't have the capability to store and catalog information about everyone in the world. Most store a minimal amount of information about a relatively small number of users. They don't generally store a recording or real-life representation of a person's traits -- they convert the data into a code.


Most systems also work in only one specific place where they're located, like an office building or hospital. The information in one system isn't necessarily compatible with others, although several organizations are trying to standardize biometric data.

In addition to the potential for invasions of privacy, critics raise several concerns about biometrics, such as:

  • Over reliance: The perception that biometric systems are foolproof might lead people to forget about daily, common-sense security practices and to protect the system's data.
  • Accessibility: Some systems can't be adapted for certain populations, like elderly people or people with disabilities.
  • Interoperability: In emergency situations, agencies using different systems may need to share data, and delays can result if the systems can't communicate with each other.


Lots More Information

Related Articles

More Great Links

  • Bromba, Dr. Manfred. "Biometrics FAQ."
  • Brown, Greg. "Connecting the Dots." Latin Trade, April 2005.
  • FindBiometrics
  • Homeland Security: Biometrics.
  • Mainguet, Jean-Fran├žois. "Biometrics." 2004.
  • Ross, A., S. Prabhakar and A. Jain. "An Overview of Biometrics."
  • Resources Related to Biometrics and People with Disabilities
  • Thalheim, L., J. Krissler and P. Ziegler. "Body Check." WIBU Systems, November 2002.