The three authentication factors. Image credit: GoogleStarting with Android P, device makers will have to pass new security-focused benchmarks for their biometric authentication systems if they want their customers to have a better biometric authentication experience.
FAR And SAR Biometric Benchmarks
The smartphone industry has used two primary metrics to benchmark the accuracy and precision of biometric authentication: the False Acceptance Rate (FAR), and the False Rejection Rate (FRR).
The first one tells you how likely it is for the phone to incorrectly recognize a biometric input as belonging to you. For instance, if the FAR is 1 in 50,000, then one random fingerprint in 50,000 could unlock your phone, even if that person’s fingerprint wasn’t registered with the device.
The FRR, on the other hand, tells you how often the phone will fail to recognize you, its registered owner. The two metrics can be see in conflict with each other, as the “easier” you make it for the phone to recognize your fingerprint or face, the more likely it will be that other people will be recognized as the owners of that device.
SAR and IAR: New Security-Oriented Biometric Benchmarks
Google mentioned that the FAR and FRR metrics don’t tell the whole story, nor are they too relevant against attackers. This is why in Android 8.1, Google introduced the Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR) metrics, too. These two metrics measure how easily an attacker can bypass a biometric authentication system.
As this author mentioned in previous posts on Apple’s bypassed Face ID system, Apple’s “1 in a million” FAR was quite misleading, because an attacker would have a much better success rate at bypassing an iPhone’s Face ID than just throwing 1 million random faces at the system.
An attacker who wants to bypass your phone, specifically, would likely also gather your public online photos, try to make a 3D profile out of them, and shape it with machine learning until they succeeded in bypassing the system.
Google’s SAR addresses spoofing techniques such as an attacker using a victim’s voice recording or a picture of the device owner’s face or fingerprint. Similarly, the IAR metric addresses the fact that attackers could also try to mimic the user’s biometric features (such as generating the voice through machine learning, etc).
Strong Vs Weak Biometric Authentication Systems
Starting with Android P, Google will classify biometrics systems of Android devices based on their SAR and IAR scores. If a biometric system gets less than 7% on these metrics, it will be considered “strong.” If it gets a score above 7%, it will be considered weak.
Google admitted that the 7% threshold is quite arbitrary, so it doesn’t necessarily mean that a system just slightly below 7% has good enough security. The company started with the 7% threshold because the biometric implementations on the market today can score lower than that number. However, users would do well to prefer devices with as low SAR/IAR scores as possible.
Google also noted that the SAR/IAR scores are still an oversimplification of how secure a biometric system actually is, because there are a range of factors that determine that security. Presumably one of them would be code quality, too, or whether or not the biometric data is isolated within a hardware security module. The company uses the SAR/IAR scores despite those limitations because they are scalable across the ecosystem, which makes it easier to determine the overall risk Android devices on the market pose, at least when it comes to biometric security.
Google will also impose certain restrictions on the devices that have a SAR/IAR above 7%:
- Users will have to enter a PIN, pattern, or passphrase if the phone is not unlocked for four hours straight. This is in addition to the the same thing being required of all devices after 72 hours.
- The devices will not be supported by the Android P BiometricPrompt API, so the owners of devices with weak SAR/IAR will not be able to authenticate to third-party apps with biometrics
- The devices can’t authenticate payments or participate in other transactions that involve a KeyStore auth-bound key
- The phones must show users a warning when enabling biometric authentication on them.
All of these measures are meant to allow weaker biometric authentication, but still minimize the risk of unauthorized access, according to Google.
Google announced the BiometricPrompt API at its latest Google I/O developer event. The API will allow developers to integrate their applications with biometric authentication in a device-agnostic way, which means the developers won’t have to care about each individual implementation of biometric authentication from multiple smartphone vendors.
Google will also make available a support library that will enable the BiometricPrompt API for Android O devices. However, as mentioned above, those devices will also need to have an SAR/IAR score below 7%.