Biometric Access Control: What You Need to Know

Biometric access control can describe any system that determines access based on biometric data. Instead of relying on what you know, such as a password, or on what you have, such as a key, a biometric access control system relies on biometric authentication factors, such as fingerprints, facial recognition, and iris scans.

If you’ve ever used facial recognition to unlock your iPhone or a fingerprint scan to unlock another device, you’ve used biometric access controls. Read on for more info on how biometric access controls work, the different types of biometric authentication factors, and the pros and cons of biometric access controls.

Enrollment and Verification

A biometric access control system typically operates in two steps: enrollment and verification. In some cases, biometrics are used for identification instead of verification.

In enrollment, the subject gives a biometric sample reading. That might mean scanning your fingerprint multiple times, or taking multiple pictures as a computer learns the contours of your face so that it can recognize you.

In verification, the machine takes a fresh reading and compares it against the enrolled sample, producing a similarity score that must clear a threshold. A one-to-one comparison against a specific profile (verification) is much faster and far less error-prone than a one-to-many search across every enrolled profile (identification).

Most of the time, verification compares against a specific profile as part of authentication. You might input a username or PIN before scanning your fingerprint, for instance, so the system knows which enrolled template to compare your scan against.

In some cases, biometrics are used for identification rather than authentication. Instead of comparing a subject’s biometrics to a specific profile, the system searches for a match across a much larger database of users. Every extra profile in that database is another chance for a false match, so identification returns more false positives than verification at the same threshold, and those candidates must then be sorted out manually. Outside of law enforcement, biometrics aren’t frequently used for identification purposes.

Once someone has been authenticated, the system then determines what kinds of access they have within the system. This is called authorization, and you can read more in our guide to authentication and authorization.

Types of Biometric Access Controls

Any access control system relies on authenticating users: making sure they are who they say they are. And all authentication factors fall into one of three categories:

  • What you know, such as a password or PIN
  • What you have, such as a keycard or fob
  • Who you are, such as a fingerprint or face scan: these are biometrics.

Fingerprints

Fingerprints are arguably the oldest biometric authentication method – they were even used to authenticate documents as far back as ancient Babylon and China.

For several key reasons, fingerprints remain one of the most common biometrics used in authentication. Fingerprint patterns form before birth and, barring injury or scarring, remain stable for life. They are distinctive enough to tell people apart, and a print can be analyzed in a matter of seconds. These factors make fingerprints a very appealing method of authentication.

Any fingerprint is composed of ridges and valleys. A fingerprint scanner examines these features, matching both the overall pattern (loops, whorls, and arches) and specific minutiae, such as ridge endings and bifurcations, to determine a match.

Fingerprints are one of the biometrics used by law enforcement for identification. In this case, instead of authenticating someone against a specific profile, law enforcement uses fingerprints to identify a culprit out of a much broader pool of potential suspects.

Facial Recognition

Facial recognition entails measuring facial structures, such as cheekbones and jawlines, and comparing the distances between facial features such as your eyes, nose, and mouth.

With the addition of Face ID to iOS devices in 2017, facial recognition soon became one of the most widely used methods of biometric access control. If you’ve set up an iPhone anytime in the past three years, it’s likely you’ve been through enrollment – the step where you take a few example pictures so that your device can recognize you and unlock automatically when it sees your face.

Of all types of biometric data, facial recognition raises some of the most serious privacy concerns. It’s one thing to set up facial recognition on your own personal device; it’s very different for a company such as Facebook to deploy it broadly across user photos without the permission of the people in those photos.

Retina Scans

In a retina scan, a machine images the back of your eye to compare the pattern of blood vessels against the image captured at enrollment. It requires you to hold your face up against the device for up to fifteen seconds, a bit like getting an eye exam.

Retina scans are one of the most accurate biometrics. But because the process of getting one is so intensive, they are not used as frequently as other biometric access controls.

Iris Scans

Where a retina scan looks at the back of the eye, an iris scan examines the visible, colored ring around the pupil. An iris scan can be performed very quickly, and doesn’t even require the subject to take off their glasses. Iris scans can also be combined with facial recognition in a single, convenient multimodal check, though two biometrics are both ‘something you are’ and so do not add a second type of authentication factor.

However, some privacy concerns have been raised around iris scans. They can be made at a distance, raising the possibility that people could be tracked without their knowledge or consent.

Other Methods of Biometric Authentication

The above are some of the most common means of administering biometric access control. Other biometric scanners examine hand geometry, blood vessel patterns, blood samples, or DNA to determine identity or authenticate a user.

DNA testing is one of the most accurate ways to identify someone. But because it takes time to collect a sample and run a test, it’s much more appropriate for identifying a perpetrator than for determining access to a device or building. Imagine having to send off a DNA sample just to go to work or unlock your iPhone!

The typical ID card also includes several biometric data points so mundane we barely think about them: namely your age, height, weight, hair color, and eye color, alongside a photograph from the shoulders up. When presented to a guard or official, they can quickly check these biometric data points against the person presenting them.

We tend to think of facial recognition as pretty advanced, but your average bartender or bouncer might use this authentication method hundreds of times on any given Saturday night!

Pros & Cons of Biometric Access Control

Biometric authentication offers several key benefits. Most importantly, it’s very difficult to steal and reuse biometrics the way a keycard or password is stolen. Something you have, such as a keycard, might be physically stolen or lost. Something you know, such as a password, might be found out through clever social engineering tactics such as phishing. It’s much harder to hijack someone’s fingerprints, irises, or facial structure. One caveat: biometrics are not secrets. You leave fingerprints on everything you touch and your face appears in photographs, so an attacker may try to present a copy of the trait to the sensor. That is why the scanner itself, and its ability to tell a live subject from a copy, matters as much as the matching algorithm.

But could someone steal a pair of eyeballs, like Tom Cruise does in Minority Report? It sure sounds worse than losing your keys. But good biometric scanners include liveness detection, testing for signs such as body warmth, pulse, or (for faces) three-dimensional depth, to ensure these features are present on a living human subject rather than on a photograph, a mold, or a replayed recording.

Biometrics can also strengthen an access control system by contributing to multi-factor authentication. Authentication is strongest when it includes not only multiple factors, but multiple types of authentication factors. A biometric, such as a fingerprint, paired with something you know, such as a password, is considerably stronger than pairing a password and a PIN, both of which are ‘something you know’ factors.

On the downside, many biometrics have a higher error rate than other authentication factors. Any biometric matcher will have some rate of false rejects (a legitimate user turned away) and false accepts (an impostor let through); tightening the matching threshold trades one for the other, and neither can be driven to zero. A password, by contrast, either matches exactly or it doesn’t. And some of the most accurate biometrics, such as retina scans and DNA tests, are simply impractical to use in most day-to-day circumstances.
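To make the two points above concrete, the 1:1 verification versus 1:N identification distinction from the Enrollment and Verification section and the false-accept / false-reject trade-off just described, here is a toy Hamming-distance matcher in Python. It is an example written for this article, not code from the original page or from any scanner vendor. The 256-bit templates, the 10% sensor noise, the 0.75 threshold, and the similarity score lists are all constructed assumptions chosen to make the behaviour visible.

```python
import random

BITS = 256  # template length in bits; an assumption for this toy model


def similarity(a: int, b: int) -> float:
    """Fraction of bits on which two templates agree (1.0 means identical).

    Iris-code style matchers score with Hamming distance like this; fingerprint
    matchers score minutiae instead, but the threshold logic is the same.
    """
    return 1.0 - bin(a ^ b).count("1") / BITS


def fresh_reading(template: int, flip_fraction: float, rng: random.Random) -> int:
    """Simulate re-scanning the same trait: a fraction of bits come out different."""
    for bit in rng.sample(range(BITS), int(flip_fraction * BITS)):
        template ^= 1 << bit
    return template


def verify(db: dict, claimed_id: str, probe: int, threshold: float) -> bool:
    """1:1 verification: the subject claims an identity (username, PIN) and the
    probe is compared against that one enrolled template only."""
    return claimed_id in db and similarity(db[claimed_id], probe) >= threshold


def identify(db: dict, probe: int, threshold: float):
    """1:N identification: no claimed identity, so every enrolled template is
    searched and the best match is returned if it clears the threshold."""
    best_id, best_score = None, -1.0
    for user_id, template in db.items():
        score = similarity(template, probe)
        if score > best_score:
            best_id, best_score = user_id, score
    return best_id if best_score >= threshold else None


def error_rates(genuine_scores, impostor_scores, threshold: float):
    """FAR: share of impostor comparisons accepted.  FRR: share of genuine
    comparisons rejected.  Raising the threshold lowers FAR and raises FRR."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def identification_false_match_rate(far: float, n_enrolled: int) -> float:
    """Probability that a 1:N search over n_enrolled other people's templates
    returns at least one false match, treating comparisons as independent.
    This is why identification yields more false positives than verification
    at the same per-comparison FAR."""
    return 1.0 - (1.0 - far) ** n_enrolled


def simulate(seed: int = 7, n_users: int = 1000, threshold: float = 0.75) -> dict:
    """Enroll n_users random templates, then run one genuine and one impostor
    attempt through both verification and identification."""
    rng = random.Random(seed)
    db = {f"user{i}": rng.getrandbits(BITS) for i in range(n_users)}
    genuine_probe = fresh_reading(db["user0"], 0.10, rng)  # 10% sensor noise (assumed)
    impostor_probe = rng.getrandbits(BITS)                 # an unrelated person
    return {
        "genuine_verify": verify(db, "user0", genuine_probe, threshold),
        "impostor_verify": verify(db, "user0", impostor_probe, threshold),
        "genuine_identify": identify(db, genuine_probe, threshold),
        "impostor_identify": identify(db, impostor_probe, threshold),
    }


if __name__ == "__main__":
    print(simulate())
    # Constructed similarity scores from a hypothetical sensor, not real data.
    genuine = [0.92, 0.88, 0.81, 0.70]
    impostor = [0.55, 0.62, 0.78, 0.50]
    far, frr = error_rates(genuine, impostor, 0.75)
    print(f"FAR={far:.2f} FRR={frr:.2f}")
    print(f"1:N false-match rate at FAR=0.001, N=1000: "
          f"{identification_false_match_rate(0.001, 1000):.3f}")
```

Two things are worth noticing when you run it. With random 256-bit templates an impostor scores around 0.5 and a genuine re-scan around 0.9, so a 0.75 threshold separates them cleanly; real sensors have far more overlap, which is where the FAR/FRR trade-off bites. And a per-comparison FAR of 0.1% that is perfectly acceptable for 1:1 verification turns into roughly a 63% chance of at least one false match when the same probe is searched against 1,000 enrolled templates.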

Biometrics also raise serious privacy concerns, especially when used broadly. It’s one thing to give users the option to unlock their device with a biometric that stays on that device; it’s very different to harvest people’s biometric data without their permission and sell that data to anyone who’s buying.

If you do implement biometric factors in your access control system, you should take great care when storing and transmitting any biometric data. If someone’s password is compromised, they can always change it; not so easy if their fingerprints are. Store a matching template rather than the raw image, keep it on the device or in a dedicated secure element where you can, and encrypt it at rest and in transit. And while biometrics often work well to manage access to a secure location, it rarely makes sense to force customers to use a biometric factor to gain access.

Hygiene is another concern when it comes to biometric access controls. Even though it now appears COVID-19 does not spread much from surface contact, no one wants to get pinkeye from a fingerprint scanner hundreds of people might use in a given day.

When implementing biometric access control, keep hand sanitizer close and strongly encourage everyone to use it. You should also make a point to regularly clean any biometric scanner that requires close contact.

What Biometric Access Control Looks Like in Practice

A biometric access control system can be pretty simple. My laptop, for instance, has a fingerprint scanner. When I first set up the laptop, I scanned my fingerprint multiple times to enroll myself in the system. Now when I open the laptop, all I have to do to gain access is scan my finger.

Biometric access controls can get more involved when deployed across an organization. At a company I once worked for, we had private offices in a co-working space that occupied multiple floors of an office building. To enter the building, you had to swipe a keycard. To get into our private offices, you had to enter a PIN and scan your fingerprint. The PIN was shared across our organization – but the fingerprint, of course, was unique to each employee.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.