Google’s developers are going to make biometric authentication stronger on Android P, the next iteration of the company’s popular mobile operating system; and in a new post on the company’s blog, Security Engineer Vishwath Mohan explains how.
Essentially, Android’s managers are looking to move beyond FAR and FRR, the standard measures of an authentication mechanism’s performance. The False Acceptance Rate assesses how often an unauthorized user is authenticated and the False Reject Rate assesses how often an authorized user is not verified, but as Mohan explains, “neither metric accounts for an active attacker as part of the threat model”.
That’s where new metrics come in. The Spoof Accept Rate (“SAR”) is designed to assess how often a given system falls victim to deliberate attempts to use recordings of an authorized user to illegitimately gain access to a device, while the Impostor Accept Rate (“IAR”) assesses attempts to mimic an authorized user to gain access.
Most current fingerprint scanning systems have an SAR and IAR of about seven percent, so Android P is going to label any biometric authentication system with an SAR/IAR of seven percent or lower as strong, and anything above seven percent as weak. Weak biometrics will still be allowed for device unlocking, but they will have to be paired with a PIN, pattern, or strong biometric after four hours of inactivity; they can’t be used for payments; and they won’t be compatible with the BiometricPrompt API, a new framework allowing developers to easily implement a range of biometric modalities for user authentication.
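As an added illustration (not Google’s code, and not taken from the post described above), the following Python computes SAR and IAR from constructed spoof and impostor trial outcomes, applies the seven-percent threshold to label a sensor strong or weak, and encodes the weak-biometric restrictions (unlock only, and only before the four-hour idle cutoff). The constants, the `TrialSet` type and the purpose labels are assumptions made for this example.

```python
from dataclasses import dataclass

# Policy values as reported in the article (constants assumed for this example).
STRONG_MAX_RATE = 0.07               # SAR/IAR of 7% or lower counts as "strong"
WEAK_IDLE_LIMIT_SECONDS = 4 * 3600   # weak biometrics need PIN/pattern/strong after 4h idle


@dataclass
class TrialSet:
    """Outcomes of an evaluation run: True means the attacker's attempt was accepted."""
    spoof_attempts: list      # presenting a recording or replica of the enrolled user
    impostor_attempts: list   # a different person mimicking the enrolled user


def accept_rate(attempts):
    """Share of attempts that were accepted (SAR for spoofs, IAR for impostors)."""
    if not attempts:
        raise ValueError("need at least one attempt to compute a rate")
    return sum(1 for accepted in attempts if accepted) / len(attempts)


def classify(trials):
    """Return ('strong' | 'weak', sar, iar) under the seven-percent threshold."""
    sar = accept_rate(trials.spoof_attempts)
    iar = accept_rate(trials.impostor_attempts)
    strength = "strong" if max(sar, iar) <= STRONG_MAX_RATE else "weak"
    return strength, sar, iar


def may_authenticate(strength, purpose, idle_seconds):
    """Whether a biometric of the given strength may satisfy `purpose` right now.

    purpose is one of 'unlock', 'payment' or 'biometric_prompt' (hypothetical labels).
    """
    if strength == "strong":
        return True
    if purpose != "unlock":          # weak: no payments, no BiometricPrompt API
        return False
    return idle_seconds < WEAK_IDLE_LIMIT_SECONDS   # weak unlock only before the idle cutoff


# Constructed sample data: one sensor at 5% SAR/IAR, one that lets 12% of spoofs through.
GOOD_SENSOR = TrialSet(spoof_attempts=[True] * 5 + [False] * 95,
                       impostor_attempts=[True] * 2 + [False] * 38)
WEAK_SENSOR = TrialSet(spoof_attempts=[True] * 6 + [False] * 44,
                       impostor_attempts=[True] * 1 + [False] * 49)

if __name__ == "__main__":
    for name, trials in (("good", GOOD_SENSOR), ("weak", WEAK_SENSOR)):
        strength, sar, iar = classify(trials)
        print(f"{name}: SAR={sar:.1%} IAR={iar:.1%} -> {strength}")
```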
The new security measures are a testament to the growing importance of biometric authentication in mobile security, and offer Google’s Android an opportunity to stand out as a particularly secure operating system, which could attract increasingly security-conscious users.
Android P is currently in beta testing, with the final version expected to launch in August.