A new set of anti-spoofing measures is about to be introduced to Android that will make its biometric authentication mechanisms more secure.
As explained by Google:
To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you’re you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face).
The New Biometrics Explained
At the moment, the Android biometric authentication system is judged on two metrics – False Accept Rate (FAR) and False Reject Rate (FRR). Both are standard measures from machine-learning classification and, taken together, describe how accurately a biometric model tells the legitimate user's input apart from everyone else's.
In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user. In other words, it shows how often another user is falsely recognized as the legitimate device owner, Google said.
In a similar manner, FRR measures how often a biometric model accidentally classifies the legitimate user's biometric as incorrect, which shows how often the device owner has to retry their authentication. The first is a security concern, while the second is a usability problem, in Google's own words.
Neither metric, however, says anything about a deliberate attack. FAR counts accidental matches of other people's biometrics, not an attacker presenting a copy of the owner's fingerprint or face, so a scanner can post a low FAR and still be easy to spoof; some scanners additionally ship with a comparatively high FAR, which leaves those devices exposed on both counts. According to the company, no existing metric can tell whether a given biometric input is in fact an attempt by an attacker to get access to the device via a spoofing or imposter attack.
To close this gap, Google is adding two metrics alongside the existing ones – Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). Unlike FAR and FRR, both explicitly model an attacker: SAR covers a fabricated sample of the owner's biometric (a photo, recording or mold), IAR a person deliberately mimicking it.
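To make the difference between the four metrics concrete, here is a small evaluation harness, added as an example rather than code from the page or from Google. It scores a matcher from a log of labelled attempts (genuine owner, random other user, deliberate imposter, fabricated spoof) and shows that a modality which looks fine on FAR and FRR alone can fail once SAR and IAR are counted. The attempt log and the thresholds are constructed for illustration and are not Android's actual acceptance figures.

```kotlin
// Added example: computing FAR, FRR, IAR and SAR from labelled attempts.
// Not code from the page or from Google; the attempt log and the
// thresholds below are constructed for illustration.

enum class Kind { GENUINE, OTHER_USER, IMPOSTER, SPOOF }

data class Attempt(val kind: Kind, val accepted: Boolean)

data class Rates(val far: Double, val frr: Double, val iar: Double, val sar: Double)

// Fraction of attempts of `kind` whose outcome was `accepted`.
// A missing class of attempts is an evaluation error, not a zero rate.
fun rate(attempts: List<Attempt>, kind: Kind, accepted: Boolean): Double {
    val ofKind = attempts.filter { it.kind == kind }
    require(ofKind.isNotEmpty()) { "no $kind attempts: cannot estimate the rate" }
    return ofKind.count { it.accepted == accepted }.toDouble() / ofKind.size
}

fun evaluate(attempts: List<Attempt>) = Rates(
    far = rate(attempts, Kind.OTHER_USER, accepted = true),  // strangers let in
    frr = rate(attempts, Kind.GENUINE, accepted = false),    // owner locked out
    iar = rate(attempts, Kind.IMPOSTER, accepted = true),    // mimicry let in
    sar = rate(attempts, Kind.SPOOF, accepted = true)        // fake samples let in
)

// Illustrative acceptance criteria (constructed, not Android's figures):
// keep strangers out (FAR), keep the owner in (FRR), and keep attackers
// out (SAR and IAR).
fun passes(r: Rates, maxFar: Double, maxFrr: Double, maxAttack: Double): Boolean =
    r.far <= maxFar && r.frr <= maxFrr && r.iar <= maxAttack && r.sar <= maxAttack

fun main() {
    // Constructed log: the matcher never admits a random stranger (FAR 0)
    // and rejects deliberate mimics (IAR 0), but accepts half of the
    // fabricated samples (SAR 0.5).
    val attempts =
        List(18) { Attempt(Kind.GENUINE, true) } +
        List(2) { Attempt(Kind.GENUINE, false) } +
        List(50) { Attempt(Kind.OTHER_USER, false) } +
        List(10) { Attempt(Kind.IMPOSTER, false) } +
        List(5) { Attempt(Kind.SPOOF, true) } +
        List(5) { Attempt(Kind.SPOOF, false) }

    val r = evaluate(attempts)
    println(r)
    println("acceptable on FAR/FRR alone: ${r.far <= 0.01 && r.frr <= 0.10}")
    println("acceptable with SAR/IAR too: ${passes(r, 0.01, 0.10, 0.07)}")
}
```

The first check passes and the second fails on the same log: that gap is exactly what FAR and FRR cannot see and what SAR and IAR are meant to expose.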
“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, explained in the blog post. In addition to this:
Starting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.
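The security benefit of BiometricPrompt is easiest to see when the prompt guards a Keystore key rather than just returning a yes/no callback. The following is an added example, not code from the page or from Google, of that pattern using the androidx.biometric support library mentioned above (version 1.1 or later for `setAllowedAuthenticators`, running on API 23 or later for `setUserAuthenticationRequired`) together with androidx.core. The key alias, prompt text and the `FragmentActivity` host are hypothetical.

```kotlin
// Added example: gating a Keystore key behind BiometricPrompt, strong
// biometrics only. Not code from the page or from Google. Assumes
// androidx.biometric 1.1+ and androidx.core; KEY_ALIAS and the prompt
// strings are hypothetical.

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "example_payment_key"  // hypothetical alias

// Creates (once) an AES key that the hardware will only use after a
// biometric has been presented for this operation.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    gen.init(
        KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            // Per-use authentication: the key is unusable until the user
            // authenticates, so the prompt's boolean result is never trusted alone.
            .setUserAuthenticationRequired(true)
            // A newly enrolled fingerprint or face must not unlock old keys.
            .setInvalidatedByBiometricEnrollment(true)
            .build()
    )
    return gen.generateKey()
}

// Prompts for a strong biometric and, on success, encrypts `plaintext` with
// the unlocked key. Delivers IV || ciphertext, or null if auth did not happen.
fun authenticateAndEncrypt(
    activity: FragmentActivity,
    plaintext: ByteArray,
    onResult: (ByteArray?) -> Unit
) {
    // Refuse to proceed unless a strong modality is available and enrolled.
    val status = BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)
    if (status != BiometricManager.BIOMETRIC_SUCCESS) {
        onResult(null)
        return
    }

    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Use the cipher handed back by the framework: that is the
            // operation the secure hardware actually authorized.
            val authorized = result.cryptoObject?.cipher
            if (authorized == null) {
                onResult(null)
                return
            }
            onResult(authorized.iv + authorized.doFinal(plaintext))
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onResult(null)
        }
    }

    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("Strong biometric required")
        // Strong biometrics only: no weak modalities, no PIN/pattern fallback.
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel")
        .build()

    prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

The design point is that the user-authentication requirement lives on the key, enforced by the Keystore, so an attacker who can spoof the app's callback (or the weak-modality path the quoted text says BiometricPrompt excludes) still cannot complete the `doFinal` call without a genuine strong-biometric authentication.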