Biometric Systems of Identification and Their Relevance

A biometric is any measurable physiological or behavioural trait that can identify or verify an individual. In authentication theory it sits in the "something you are" bucket, alongside "something you know" (password, PIN) and "something you have" (smart card, OTP token). Biometrics carry a permanent risk: if the template database leaks, you cannot reset your fingerprints the way you reset a password.

NTA almost always tests the seven properties of a good biometric. Learn them as a single list.

1. Universality. Every person in the target population has the trait. Fingerprint fails this for amputees; iris is closer to universal.
2. Uniqueness. The trait differs sufficiently between any two people. Iris beats face geometry.
3. Permanence. The trait is stable over time. Iris is permanent from about 1 year of age; face changes with ageing and weight; voice shifts with puberty and illness.
4. Collectability. The trait can be captured by a sensor with reasonable cooperation. DNA is highly unique but not collectable in real time.
5. Performance. Acceptable accuracy and speed under realistic conditions. Captured by FAR, FRR and throughput.
6. Acceptability. Users are willing to submit the trait. Retina scanning fails because the user must press an eye to the scanner.
7. Circumvention. Resistance to spoofing. Voice and 2-D face are easy to clone; iris and fingerprint with PAD remain harder.

A trait that scores well on all seven is rare. Real systems trade off, which is why multimodal biometrics have grown.

The first split every UGC-NET MCQ tests is physiological versus behavioural. Physiological traits come from body structure and are usually more stable; behavioural traits come from learned action and tend to drift more.

Physiological: fingerprint (the global default, see fingerprint history and classification), iris, retina, face, palm print, palm vein, hand geometry, ear shape, finger vein, DNA.

Behavioural: voice (see voice analysis and speaker identification), gait (see track marks and gait), signature, keystroke dynamics, mouse movement.

The major modalities, briefly.

Fingerprint. Minutiae-based (ridge ends, bifurcations). Global default for civil and criminal use. Cheap sensors, decades of legal precedent, deep AFIS infrastructure.

Iris. Random pigmentation pattern of the iris muscle, captured under near-infrared light. The Daugman algorithm (1993) encodes the pattern as a 256-byte IrisCode and matches by Hamming distance. FAR of about 10 to the minus 6 makes iris the highest-confidence non-DNA modality. Part of the UIDAI Aadhaar capture stack.

Retina. Blood-vessel pattern at the back of the eye. Very high accuracy but invasive (the user must press the eye against a scanner), so rarely deployed outside high-security defence sites.

Face. 2-D systems (FaceNet, DeepFace) work on selfie cameras and CCTV. 3-D systems use structured light or time-of-flight (Apple Face ID) to map depth and resist photo spoofs. Performance drops with age, lighting, occlusion and mask wear.

Palm print and palm vein. Palm print mirrors fingerprint at larger scale. Palm vein (Fujitsu PalmSecure) uses near-infrared to image subcutaneous vein pattern, contactless, common in banking.

Every biometric system, regardless of modality, runs the same three-pipeline architecture.

1. Enrolment. The sensor captures a raw sample. A feature-extraction module reduces it to a compact template (minutiae list for fingerprint, IrisCode for iris, MFCC vector for voice). The template is stored in a database alongside the user identifier. Raw samples are usually discarded for storage and privacy reasons.
2. Verification (1:1). The user claims an identity (Aadhaar number, card, username). The system captures a fresh sample and compares it against ONE stored template. The match score is thresholded into accept or reject. Phone unlock is the canonical example.
3. Identification (1:N). No identity claim. The system captures a fresh sample and searches every template in the database for the best match. AFIS does this when an investigating officer uploads a chance print.

Verification is fast. Identification scales poorly with N: as the database grows, coincidental matches grow with it, which is why mass-surveillance facial recognition has poor real-world precision even with an accurate matcher.

1. Capture
   Sensor records raw biometric (fingerprint image, iris near-infrared photo, audio sample).
2. Feature extraction
   Algorithm reduces raw data to a compact template (minutiae list, 256-byte IrisCode, MFCC vector).

Performance is the part NTA tests most often, because it compresses into clean definitions.

• False Acceptance Rate (FAR). Probability that an imposter is wrongly accepted. Per-comparison variant is False Match Rate (FMR).
• False Rejection Rate (FRR). Probability that a genuine user is wrongly rejected. Per-comparison variant is False Non-Match Rate (FNMR).
• Equal Error Rate (EER). Operating point where FAR equals FRR. A single scalar that ranks systems: lower EER, better matcher.
• ROC curve. Receiver Operating Characteristic. Plots True Acceptance Rate against FAR as the decision threshold sweeps.
• DET curve. Detection Error Trade-off. Plots FRR against FAR on log-log axes. Preferred over ROC because it makes small differences at low error rates readable.

The trade-off is fixed. Lowering the threshold makes the matcher more permissive (FAR rises, FRR falls); raising it does the opposite. A consumer phone tolerates higher FAR (convenience), a border-control gate tolerates higher FRR (security).

Other MCQ terms: Failure to Enrol (FTE) rate (users whose biometric cannot be captured at all, e.g., manual labourers with worn-smooth fingerprints) and Failure to Acquire (FTA) rate (attempts where the sample is too poor to process).

A biometric system that ignores spoofing fails on the seventh property (circumvention). The classical attacks are well documented.

• Fingerprint spoofs. Silicone, gelatin or wood-glue moulds lifted from a latent print. Mythbusters defeated a commercial sensor in 2006.
• Face spoofs. Printed photo, video replay, 3-D mask. Deepfake video makes remote onboarding particularly vulnerable.
• Iris spoofs. High-resolution printouts behind a contact lens to reproduce corneal curvature.
• Voice spoofs. Recorded playback against text-dependent systems, voice cloning and modern TTS against text-independent systems. Generative audio has made this a much harder problem since 2022.

The countermeasure is Presentation Attack Detection (PAD), also called liveness detection. Common PAD techniques include pulse and blood-flow detection on a fingerprint or finger-vein sensor, sweat-pore micro-pattern checks on fingerprint, 3-D depth checks on face, eye-blink and head-movement challenge for face, and random-phrase challenge-response for voice. PAD evaluation is standardised under ISO/IEC 30107.

Multimodal biometrics combine two or more modalities (face plus fingerprint, fingerprint plus iris). Accuracy goes up because the joint error rate is lower than either single matcher, and spoof resistance goes up because an attacker has to defeat all modalities at once. UIDAI's Aadhaar capture stack (10 fingerprints, 2 iris, face) is the world's largest multimodal biometric system.

Biometrics matter to forensic science because they connect a person to a trace, a recording, or a record. The Indian institutional map runs along four lines.

Fingerprint and AFIS. The NCRB Central Fingerprint Bureau (Delhi) and state Finger Print Bureaux run NAFIS (National Automated Fingerprint Identification System), launched 2020. Chance prints lifted from a scene are searched 1:N against the database. See the fingerprint development, lifting and AFIS comparison topic for the matching workflow.

Face and Automated Facial Recognition System (AFRS). NCRB floated the AFRS tender in 2020 for a national face-matching system, rolled out at airports and railway stations. State police forces (Delhi Police via Innefu Labs, Telangana Police, UP Police) run their own pilots on CCTV feeds, with mixed accuracy in low-base-rate conditions.

Voice biometrics. Used in ransom-call investigations, NIA terror cases, and disputed-recording matters. CFSL audio-forensics units run aural-spectrographic and automatic speaker recognition workflows.

Iris and gait. Iris is used at airport immigration pilots and Aadhaar eKYC. Gait identifies masked or hooded suspects from CCTV when the face is not visible (see the track marks and gait topic).

Outputs from all of these get tendered under the Bharatiya Sakshya Adhiniyam 2023, with Section 39 expert opinion and Section 63 electronic-record certification. Continuity from sensor to court depends on a clean chain of custody for every biometric exhibit. Digital handling of biometric devices follows the BNS 2023 cyber and BSA 2023 electronic-evidence

Two statutes anchor the Indian biometric landscape, and NTA tests both.

Aadhaar and UIDAI. Aadhaar is the world's largest biometric ID system with about 1.3 billion enrolments. Each resident submits 10 fingerprints, 2 iris scans and a face photo. Two authentication modes: a Yes/No 1:1 biometric check for service delivery, and eKYC for full demographic disclosure with consent. The Aadhaar Act 2016 is the enabling statute. Section 57 (private-sector use) was struck down in Puttaswamy v. Union of India (2018, Aadhaar judgment), which upheld Aadhaar for state welfare delivery but restricted private use. Puttaswamy v. Union of India (2017) recognised the Right to Privacy as a fundamental right under Article 21, the doctrinal foundation for every Indian biometric-privacy challenge since. The Aadhaar and Other Laws (Amendment) Act 2019 codified the post-2018 restrictions.

Criminal Procedure (Identification) Act 2022. Replaces the colonial-era Identification of Prisoners Act 1920. Empowers police to take measurements (fingerprints, palm prints, footprints, photographs, iris and retina scans, biological samples, behavioural attributes including signature and handwriting) from convicted, arrested or detained persons. Scope is much wider than the 1920 Act, which was limited to fingerprints and footprints. NCRB is the designated central repository. Critics (Internet Freedom Foundation, SFLC.in) argue the Act allows function creep and disproportionate collection on arrestees.

Privacy and limits. The Digital Personal Data Protection Act 2023 (DPDP Act) treats biometric data as a category requiring stronger protection. Exam-relevant limits: irrevocability (you can change a password, not your fingerprint), ageing effects on face and voice, injury effects on fingerprint and palm, exclusion harm in PDS where authentication failures deny ration to genuine beneficiaries, and the low-base-rate problem in mass surveillance where even a 99% accurate matcher generates a flood of false positives at city scale.