What are biometrics? Is my identity at risk?

Ever passed through an international airport? Owned a smartphone? Posted on social media? You’ve likely shared your biometric data. You may have even done so on purpose, but you might be surprised by how much biometric data gets collected without your explicit consent.

What is biometric data?

“Biometrics” refers to a range of physical or behavioral attributes that are unique to an individual. They are generally used either for identification (who are you?) or authentication (are you who you claim to be?).

Common types of biometrics

There’s evidence that fingerprints were used as identifiers as early as 500 BCE, and signatures have long been considered proof of identity—but technology has unlocked a whole host of new ways to identify someone using biometrics. Here is a (not exhaustive) list:

  • DNA contains your unique genetic code and can be obtained from a range of cell samples, including skin, blood, and hair.
  • Fingerprints have up to 85 points of minutiae, which are used to compare prints and identify someone. Criminal courts require 16 matching points in the UK, while the U.S. does not have a uniform standard.
  • Hand geometry or palm recognition identifies people from the shape of their hand, including width, length, and thickness of fingers, and the thickness of their palm.
  • Voice recognition uses your “voiceprint” and has similar accuracy to fingerprints. Not to be confused with speech recognition, voice recognition uses up to 100 unique identifiers that incorporate your accent, breathing, cadence, pronunciation, and other sounds that indicate the shape and size of your nasal passages and larynx.
  • Facial recognition works similarly to hand geometry, using the specific measurements and topography of your features and the distance between them to map out unique identifiers.
  • Iris and retina scanning both use infrared light to scan for detail that isn’t visible to the naked eye. Iris scanning examines the colored part of your eye, while retina scanning uses the unique patterns of a retina’s blood vessels.
  • Gait recognition uses the height and shape of a body and the way it moves to identify individuals. Accuracy is at around 94%, and the technology can’t usually be tricked, even if someone fakes a limp or otherwise tries to walk differently.
  • Typing patterns boast a high accuracy rate and look at typing speed, the duration of a keypress, the time between certain characters, and the pressure on different keys.
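
To make the identification/authentication distinction concrete, here is an added example (not part of the original article) that applies it to typing patterns. The timing data is constructed, and the 0.15 threshold and all function names are assumptions chosen for illustration.

```python
THRESHOLD = 0.15  # assumed maximum mean relative deviation that counts as a match

def make_sample(n_keys, dwell_ms, flight_ms):
    """Build constructed (press_ms, release_ms) events for n_keys keystrokes."""
    events, t = [], 0
    for _ in range(n_keys):
        events.append((t, t + dwell_ms))
        t += dwell_ms + flight_ms
    return events

def features(events):
    """Mean key-hold time, mean gap between keys, and keys per second."""
    if len(events) < 2:
        raise ValueError("need at least two keystrokes")
    dwell = [rel - prs for prs, rel in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    seconds = (events[-1][1] - events[0][0]) / 1000
    return (sum(dwell) / len(dwell), sum(flight) / len(flight), len(events) / seconds)

def enroll(samples):
    """Template = per-feature average over a user's enrollment samples."""
    vectors = [features(s) for s in samples]
    return tuple(sum(col) / len(col) for col in zip(*vectors))

def distance(sample, template):
    """Mean relative deviation of a sample's features from a stored template."""
    pairs = zip(features(sample), template)
    return sum(abs(x - t) / abs(t) for x, t in pairs) / len(template)

def authenticate(claimed_user, sample, templates):
    """1:1 check: does the sample match the single identity being claimed?"""
    template = templates.get(claimed_user)
    return template is not None and distance(sample, template) <= THRESHOLD

def identify(sample, templates):
    """1:N search: which enrolled user, if any, is the closest match?"""
    if not templates:
        return None
    best = min(templates, key=lambda u: distance(sample, templates[u]))
    return best if distance(sample, templates[best]) <= THRESHOLD else None

# Constructed enrollment data: two typing samples per user.
TEMPLATES = {
    "alice": enroll([make_sample(8, 90, 120), make_sample(8, 100, 130)]),
    "bob": enroll([make_sample(8, 140, 60), make_sample(8, 150, 70)]),
}
PROBE = make_sample(8, 95, 118)     # constructed: types much like alice
STRANGER = make_sample(8, 60, 200)  # constructed: nobody who is enrolled
```

Matching is a distance against a threshold, not an exact comparison, so the threshold sets the trade-off between wrongly accepting a stranger and wrongly rejecting the real user.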

When is biometric data collected?

Biometric data is collected by governments for border control and law enforcement, as well as by companies for authentication (proving your identity to get access to services). Companies have also been known to collect biometrics for non-essential uses, such as Facebook’s recently-defunct face-tagging feature that identifies people in photos automatically.

Here are scenarios in which your biometrics might be collected:

  • Arriving at airports and border control points
  • Applying for a work permit
  • Getting arrested, which may entail being fingerprinted, photographed, and subjected to DNA collection
  • Using DNA-analysis services
  • Setting up smartphones or computers that use fingerprints or facial recognition access
  • Using apps that manipulate your image
  • Entering a workplace that uses fingerprint recognition or retina scanning to enable access to buildings
  • Making a purchase through a payment gateway that uses hand geometry, such as Amazon One
  • Interacting with voice assistants like Google Home, Siri, and Alexa, which may gather voice data to perform tasks based on who requests them
  • Posting on social media. In June 2021, TikTok made changes to its privacy policy that enabled it to collect biometric data, including faceprints and voiceprints from user-generated content. Facebook was also recently fined 650 million USD for collecting biometric data through Instagram without user permission.

How are biometrics used?

Biometrics stored on your devices, such as your fingerprint and faceprint, are meant to be only accessible by you and help you gain access to features on your devices. You can use these for:

  • Unlocking your phone
  • Accessing passwords stored on your phone
  • Authorizing app purchases
  • Making payments using Apple Pay, Samsung Pay, Google Pay, etc.

Biometrics stored by companies, such as fingerprints and voiceprints, are usually but not always for accessing their services. Common uses include:

  • Logging in to your bank accounts online or over the phone
  • Facebook’s automatic photo-tagging feature
  • Allowing voice assistants or home robots to identify individual users
  • Boarding a plane

Biometrics stored by governments—usually faceprints, fingerprints, and iris scans—are used for border control, national security, and law enforcement. They are also increasingly common in the education sector.

  • Verifying your identity when you cross international borders
  • Identifying individuals on security cameras to solve crimes
  • Enhancing security at schools and universities

What are the risks of biometrics?

There are several ways in which using biometrics as identification, or giving them away, poses risks to your privacy, security, and identity.

False identification by law enforcement. In the past, we’ve written about a wrongful arrest resulting from the use of facial recognition. Studies have shown that women and people of color are more likely to be misidentified through facial recognition, compared with white men.

Once compromised, always compromised. Your biometrics aren’t meant to change. This is the reason they’re great as a form of identity. But if someone steals your biometric information, your identity might be compromised forever.

Increased surveillance. With the growing network of cameras in public places, law enforcement can easily track your movements across cities and countries using facial recognition. Disconcertingly, companies are doing the same in order to know your behaviors and preferences.

Can biometrics be hacked?

It is possible to break into someone’s account using stolen biometrics; hackers demonstrated this with Apple’s Touch ID within days of its release in 2013. There are also plenty of videos on YouTube showing simple fingerprint scan hacks using items like gummy bears and wood glue. Touch ID has since been replaced with Face ID, which is 20 times harder to use fraudulently, according to Apple.

When it comes to actually stealing your biometrics, your data is much more vulnerable if it’s stored by a company on a server or in the cloud than if it were only stored on your personal devices.

But if your data is stolen, will someone steal your identity? No, probably not. “Liveness” is a key part of biometric security: It tests whether a face or fingerprint is real (and alive!). For fingerprint technology, this means a radio frequency scanner reads the living tissue a couple of layers beneath the top layer of skin, while a retina scan relies on blood flow. So even if someone has your biometric data, it’s not an easy feat to dupe a bank or border control.

Are biometrics safer than passwords?

Some would argue that biometrics are safer since passwords can be guessed using brute-force methods or through data breaches. By comparison, it’s harder for an attacker to get a hold of your biometrics and use them.

But the answer is not that simple. There’s often an assumption that biometrics replace passwords. It’s quicker and easier for users, and after all, you can forget a password, but you can’t forget your thumbprint or your face. But no single authentication process is hackproof. Two-factor authentication (2FA) or multifactor authentication (MFA) would raise your security levels.

There are legal implications for using biometric data instead of a passcode to access your devices. In the U.S., your biometric data is not protected under the Fifth Amendment. This means that while you can’t be legally compelled to open your iPhone with a passcode, you can with a fingerprint or face scan.

How to protect your biometric data

Biometrics aren’t necessarily something to be feared and avoided; they also offer individuals the potential to significantly increase and simplify online security. You can keep them safe with a few security measures.

  • Be discerning about when and where you share your biometric data. Consider the reputation of the company asking you to use biometrics for authentication.
  • Use multifactor authentication, not just biometrics, for logging into accounts.
  • Opt out if possible; at airports, workplaces, schools, and universities, there may be other ways to prove your identity.
  • Using a VPN can help secure your internet connection and stop third parties from intercepting any biometric data you transmit.

Infographic: Know your biometrics

Get a quick understanding of biometric data with our handy graphic.

Infographic on biometric data.
