Voice Ideas - Behavioral vs. Physical
There are different kinds of biometrics and each category has its own unique value. Incidental biometrics (e.g., scars and tattoos), for example, are commonly-used law-enforcement identifiers. Fingerprints, voices, faces, and other "universal" biometric features can be used to distinguish between/among individuals in non-forensic applications, including providing security for automated systems.
Behavioral vs. Physical
Within the category of automated, universal biometrics there is a well-established dichotomy between biometrics that possess an obvious dynamic or temporal element (e.g., voice, sign/signature, and keyboard dynamics) and those that don't (e.g., fingerprint, iris, and face). The former are called "behavioral biometrics" and the latter are referred to as "physical biometrics." The terms were coined by biometric researcher Ben Miller to replace "biometrics and quasi-biometrics which I didn't like because they didn't describe anything."
The distinction quickly acquired value-related connotations in a biometrics industry dominated by fingerprint recognition. Physical biometrics, like fingerprint recognition, were characterized as stable and unchanging and, therefore, reliable; behavioral biometrics, like speaker recognition, were untrustworthy because they depended on variable and unpredictable human behavior.
Everything Is Everything
I railed against the use of these terms with their unfriendly connotations as being, at best, misguided. I argued that all biometrics are physical in that they all rely on anatomy and physiology. Speaker recognition, for example, depends more on resonances derived from the size and shape of a person's vocal tract than on that person's style of speech. This is why identical twins and other same-sex siblings are a greater threat to speaker recognition than skilled mimics.
I also pointed out that all commercially-available, automated biometrics are behavioral. It might (or might not) be the case that the actual fingerprints, iris, or vein patterns of an individual do not change, but the biometric characteristic is different from the ability of a biometric system to capture or analyze a sample of those physical biometrics. False rejection of authorized users and instances of "failure to acquire" by all biometric systems are often tied to the behavior of the human users.
The biometrics industry recognizes that some users are simply uncooperative and, therefore, present a problem for biometric systems, but the industry does not always understand or address the behavioral issues associated with cooperative users. For example, a recent deployment of fingerprint technology for authenticating employees at their PCs was beset by unacceptable levels of "false rejection" of the employees. The errors arose from the fact that the fingerprint sensor was attached to the PC by a cord and could be moved to different spots on the user's desk. Changing the placement of the sensor altered the angle, pressure, and other information captured by the system. The data were different enough to convince the system that the fingerprints were from different people.
Iris recognition was touted as the best of biometrics, but, outside of the military, its commercial viability was rejected - until a system integrator invented a way of capturing iris patterns even when the person moved her/his head or eyes. Until then, iris recognition could only be used by cooperative individuals who had been trained to keep their eyes and heads steady. The commercial viability of face recognition followed a comparable behaviorally-governed path.
Such experiences clearly demonstrate the extent to which all biometrics are behavioral. They have also somewhat diminished the disparagement of behavioral biometrics.
In 2004, cryptographers at the National Institute of Standards and Technology (NIST) dropped a bombshell on the biometrics industry in the form of Special Publication 800-63, Recommendations for Electronic Authentication. It states that "since they are not secrets, biometrics cannot serve as tokens for e-authentication" (page 8). The biometrics industry hotly disputes assertions such as this and scoffs at the belief set forth in SP 800-63 that even simple PINs and passwords (which can be broken by anyone with freely-available Internet software) are valid security for e-authentication while biometrics are not.
Instead of questioning the assumption that security must be based on secrets, some purveyors of behavioral biometrics are touting the superiority of their technologies because they can contain "embedded secrets." Speaker authentication, for example, is portrayed as password (secret-bearing) security that uses voice-based biometrics as a secondary factor.
I doubt this re-structured behavioral-physical dichotomy will influence the NIST cryptographers. I'm not thrilled about it either.