Android P Will Encourage OEMs to Adopt Stronger Biometric Systems

The three authentication factors. Image credit: GoogleThe three authentication factors. Image credit: GoogleStarting with Android P, device makers will have to pass new security-focused benchmarks for their biometric authentication systems if they want their customers to have a better biometric authentication experience.

FAR And SAR Biometric Benchmarks

The smartphone industry has used two primary metrics to benchmark the accuracy and precision of biometric authentication: the False Acceptance Rate (FAR), and the False Rejection Rate (FRR).

The first one tells you how likely it is for the phone to incorrectly recognize a biometric input as belonging to you. For instance, if the FAR is 1 in 50,000, then one random fingerprint in 50,000 could unlock your phone, even if that person’s fingerprint wasn’t registered with the device.

The FRR, on the other hand, tells you how often the phone will fail to recognize you, its registered owner. The two metrics can be see in conflict with each other, as the “easier” you make it for the phone to recognize your fingerprint or face, the more likely it will be that other people will be recognized as the owners of that device.

SAR and IAR: New Security-Oriented Biometric Benchmarks

Google mentioned that the FAR and FRR metrics don’t tell the whole story, nor are they too relevant against attackers. This is why in Android 8.1, Google introduced the Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR) metrics, too. These two metrics measure how easily an attacker can bypass a biometric authentication system.

As this author mentioned in previous posts on Apple’s bypassed Face ID system, Apple’s “1 in a million” FAR was quite misleading, because an attacker would have a much better success rate at bypassing an iPhone’s Face ID than just throwing 1 million random faces at the system.

An attacker who wants to bypass your phone, specifically, would likely also gather your public online photos, try to make a 3D profile out of them, and shape it with machine learning until they succeeded in bypassing the system.

Google’s SAR addresses spoofing techniques such as an attacker using a victim’s voice recording or a picture of the device owner’s face or fingerprint. Similarly, the IAR metric addresses the fact that attackers could also try to mimic the user’s biometric features (such as generating the voice through machine learning, etc).

Strong Vs Weak Biometric Authentication Systems

Starting with Android P, Google will classify biometrics systems of Android devices based on their SAR and IAR scores. If a biometric system gets less than 7% on these metrics, it will be considered “strong.” If it gets a score above 7%, it will be considered weak.

Google admitted that the 7% threshold is quite arbitrary, so it doesn’t necessarily mean that a system just slightly below 7% has good enough security. The company started with the 7% threshold because the biometric implementations on the market today can score lower than that number. However, users would do well to prefer devices with as low SAR/IAR scores as possible.

Google also noted that the SAR/IAR scores are still an oversimplification of how secure a biometric system actually is, because there are a range of factors that determine that security. Presumably one of them would be code quality, too, or whether or not the biometric data is isolated within a hardware security module. The company uses the SAR/IAR scores despite those limitations because they are scalable across the ecosystem, which makes it easier to determine the overall risk Android devices on the market pose, at least when it comes to biometric security.

Google will also impose certain restrictions on the devices that have a SAR/IAR above 7%:

  1. Users will have to enter a PIN, pattern, or passphrase if the phone is not unlocked for four hours straight. This is in addition to the the same thing being required of all devices after 72 hours.
  2. The devices will not be supported by the Android P BiometricPrompt API, so the owners of devices with weak SAR/IAR will not be able to authenticate to third-party apps with biometrics
  3. The devices can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key
  4. The phones must show users a warning when enabling biometric authentication on them.

All of these measures are meant to allow weaker biometric authentication, but still minimize the risk of unauthorized access, according to Google.

BiometricPrompt API

Google announced the BiometricPrompt API at its latest Google I/O developer event. The API will allow developers to integrate their applications with biometric authentication in a device-agnostic way, which means the developers won’t have to care about each individual implementation of biometric authentication from multiple smartphone vendors.

Google will also make available a support library that will enable the BiometricPrompt API for Android O devices. However, as mentioned above, those devices will also need to have an SAR/IAR score below 7%.

Create a new thread in the News comments forum about this subject
Comment from the forums
    Your comment
  • InvalidError
    I personally don't care how strong biometrics are: no matter how good they are, relying on biometrics mean you can be strong-harmed into unlocking your devices against your will. With reasonably strong passwords only known to you on a secure device, your data is as safe as you are willing it to be.
  • mrjhh
    INVALIDERROR - And you think a password is safe from a strong-arm approach? Passwords can also be captured from taking a video of you entering the password. This is why a strong authentication is recommended to have two factors from the three options of what you know, what you have, and biometrics. But, with strong authentication, bad guys look for weaker links, like someone at your bank who uses a password of abc123.
  • TJ Hooker
    @InvalidError If an attack is willing/able to grab you, force your eye/face/thumb up to your phone and steal your device, I wouldn't put it past that person to just beat any password out of you instead if required. Unless you're including 'standing up to torture' as part of "as safe as you are willing it to be".