Biometric authentication, such as fingerprint, iris, or face recognition, smooths the process of unlocking devices and applications by making it notably faster and more secure.
Biometric systems also have pitfalls that are no secret, however: it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.
Google today announced a better model for improving biometric security, which will be available from Android P onward, allowing mobile app developers to integrate an enhanced mechanism into their apps to keep users' data safe.
New Biometric Metrics to Identify Spoofing and Imposter Attacks
Currently, the Android biometric authentication system uses two metrics, False Accept Rate (FAR) and False Reject Rate (FRR), in combination with machine learning techniques to measure the accuracy and precision of a user's biometric input.
In brief, the 'False Accept Rate' records how often the biometric model wrongly classifies an incorrect input as belonging to the targeted user, while the 'False Reject Rate' records how often the model wrongly classifies the legitimate user's biometric as incorrect.
Moreover, for user convenience, some biometric scanners allow users to authenticate successfully at higher false-acceptance rates than usual, leaving devices open to spoofing attacks.
Google says neither metric is capable of precisely identifying whether the biometric data presented to the sensor is an attacker's attempt to gain unauthorized access through a spoofing or impostor attack.
In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
"As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme," says Vishwath Mohan, a security engineer on Google's Android team.
"Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g., trying to sound or look like a target user)."
Google to Enforce Strong Biometric Authentication Policies
The SAR and IAR values measured for a biometric modality determine whether it counts as a "strong biometric" (values of 7% or lower) or a "weak biometric" (values higher than 7%).
When a weak biometric is used to unlock the device or an application, Android P enforces the stricter authentication policies listed below:
- It prompts the user to re-enter their primary PIN, pattern, password or a strong biometric if the device has been inactive for at least 4 hours (such as when left at a desk or charging).
- If the device has been left unattended for 72 hours, the system enforces the policy above for both weak and strong biometrics.
- For additional safety, users authenticated with a weak biometric cannot make payments or take part in other transactions that involve a KeyStore auth-bound key.
Besides this, Google will also offer a new, easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps, ensuring maximum security for their users by completely blocking any weak biometric authentication identified by the two newly added metrics.
"BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on," Mohan said.
"A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices."
The new feature would also positively prevent unauthorized access to devices by thieves, spies and law enforcement agencies alike, by locking the device down and crippling known methods of bypassing biometric scanners.
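As an added illustration (not code from Google's announcement or from this article), here is how an Android P app would pair the BiometricPrompt API with a KeyStore auth-bound key, so that the decryption step of a transaction cannot complete unless the prompt was satisfied by a strong modality or the device credential. The class, key alias and helper names are assumptions.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import java.util.concurrent.Executor;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class AuthBoundDecrypt {
    private static final String KEY_ALIAS = "example_auth_bound_key"; // hypothetical alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /** Generates an AES key that the KeyStore releases for use only after user authentication. */
    static SecretKey createAuthBoundKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Auth-bound: every use must be authorised by the user; this is the property the weak-biometric restriction relies on.
                .setUserAuthenticationRequired(true)
                // Enrolling a new fingerprint or face invalidates this key.
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return kg.generateKey();
    }

    /** Shows BiometricPrompt; the cipher becomes usable only inside onAuthenticationSucceeded. */
    static void decryptWithPrompt(Context ctx, Executor executor, byte[] iv, byte[] ciphertext, Runnable onCancel) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null),
                new GCMParameterSpec(128, iv));
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm it's you")
                .setNegativeButton("Cancel", executor, (dialog, which) -> onCancel.run())
                .build();
        prompt.authenticate(new BiometricPrompt.CryptoObject(cipher), new CancellationSignal(),
                executor, new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try { byte[] plain = r.getCryptoObject().getCipher().doFinal(ciphertext); /* use plain */ }
                        catch (Exception e) { /* key not authorised by the KeyStore, or data tampered with */ }
                    }
                });
    }
}
```

Because the key is auth-bound, doFinal fails if the prompt was not satisfied, which is exactly how the weak-biometric payment restriction is enforced at the key level rather than in app logic.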