Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR) join FAR and FRR in biometric toolkit
More devices are incorporating biometric authentication to safeguard data and access, and the Android team is working to strengthen the use of biometrics in Android P release.
Android P will include a new model to measure biometric security and use the model to limit the functions that can be conducted if weaker biometric methods are used, according to the Android Developers blog. It also launches a new API to enable developers to integrate biometric authentication into apps.
While both strong and weak biometrics will be allowed to unlock a device, weak biometrics will require the user to re-enter their primary PIN or a strong biometric after a 4-hour window of inactivity.
Biometric security measures have always relied on two key metrics – False Acceptance Rate (FAR), and False Rejection Rate (FRR). FAR measures how often a system accidentally approves an incorrect person. FRR, on the other hand, measures how often a system rejects the legitimate person. FAR is a security problem, but FRR creates usability issues.
The problem, according to the Android OS team, is that neither of these measures accounts for an active attacker.
“In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR),” explains Vishwath Mohan, Android OS Security Engineer.
These new metrics look at an attacker’s ability to beat a biometric authentication system. “Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g. trying to sound or look like a target user),” he says.
The SAR/IAR metrics are used in Android P to categorize biometric authentication mechanisms as strong or weak. Most fingerprint biometric systems have a SAR/IAR metric of about 7%, so an SAR/IAR below 7% is considered strong, and anything above 7% is weak.
While both strong and weak biometrics will be allowed to unlock a device, weak biometrics will require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity.
Weak biometrics in Android P also won’t be eligible to authenticate payments nor will they be supported in the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way.
“In Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way,” says Mohan.
BiometricPrompt only exposes strong modalities, based on the new SAR/IAR measures, so developers can be assured of a consistent level of security.