I continue to find common misconceptions related to the proper and cost-effective application of biometrics across heath care, financial institutions, and the public sector. In general, biometrics are functional and cost-effective tools when used to manage risk by linking the identity presented for a transaction to an identity previously registered. Biometrics are, however, less than ideal for cases in which a biometric collected at the transaction is compared (to find a match) with a massive biometric database of customers, patients, and even threat actors. No matter what biometric modality you use (face, finger, iris, palm, voice, etc.), the number of biometric candidates to which you are comparing the biometric presented at the transaction drives exponential growth in costs, and thereby limits their effectiveness to only extreme national security and counter-fraud situations.
- One-to-One Matching (1-to-1) - In 1-to-1 matching, you compare the biometric presented at the current transaction with a stored biometric. The stored biometric is retrieved using some non-biometric other attribute (Medical Insurance ID, SSN), or bundle of attributes (Name, Address, Date of Birth). Then the stored biometric associated with the record retrieved is compared to the biometric presented (1-to-1) to see if they are the same. This probabilistically confirms the linkage of the person to the record found and prevents benefits usage fraud, improper record access, or accidental overlay of records.
- One-to-Many Matching (1-to-∞) - In 1-to-∞ matching, you have a massive collection of biometric data about individuals. A biometric is captured or presented, and the biometric tool then tries to find the best single probabilistic match, or group of likely matches, out of the massive repository of stored biometrics. Think of this like when the FBI finds a latent print at a crime scene, and then takes it back to see if it matches any of the hundred of biometrics stored about known criminals.
As the volume of candidates in the population grows linearly, the cost to deliver accurate decisions (no false positives and significant reduction of false negatives) grows exponentially because of the need for:
- More precise biometric readers: more sophisticated and granular readers have more matching points to differentiate,
- More sophisticated matching algorithms: faster to compare the increasing pool of candidates in real-time,
- More detailed enrollment process: more uniform capture and ability to handle variations by repeatedly enrolling at different angles and pressure, and,
- More human intervention: when the algorithm cannot resolve multiple candidates, a professional biometric reader needs to check to prevent creation of a duplicate record.
In the end, customer- or patient-facing solutions in hospitals, retail and travel loyalty programs, and banking and finance, wherein we are trying to tie the person in front of us (or on the phone) to their records are better off using referential matching solutions to find the right candidate. If there is risk in identity fraud, benefits theft, or record overlap errors, then a simple, cost-effective 1-to-1 match is sufficient. Alternatively, no matter which biometric modality is used, 1-to-∞ biometric matching should be reserved for rarified situations. When we need to check to see that the individual presenting themselves for the transaction is not on a financial or national security watch list or in a criminal database, the cost and complexity of the right 1-to-∞ biometric solution may very well be justified by the risk.