Android is about to get a new anti-spoofing feature that will make biometric authentication mechanisms more secure.
As explained by Google:
To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you’re you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face).
The New Biometrics Explained
At the moment, the Android biometric authentication system relies on two metrics: False Accept Rate (FAR) and False Reject Rate (FRR). These are used together with machine learning techniques to measure the accuracy and precision of the user's input.
In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user. In other words, this shows how often another user is falsely recognized as the legitimate device owner, Google said.
In a similar manner, FRR calculates how often a biometric model accidentally classifies the user's biometric as incorrect, which shows how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability, in Google's own words.
However, some biometric scanners allow users to authenticate with higher false acceptance rates, which leaves devices open to spoofing attacks. According to the company, no metrics technique is good enough to precisely identify whether biometric input is in fact an attempt by an attacker to gain access to the device via spoofing.
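The trade-off between the two metrics described above can be seen by computing them over a set of match scores. The following is an added example, not code from Google or from the original post; it assumes a matcher that outputs a similarity score and accepts at or above a threshold, and all scores, thresholds and function names are constructed for illustration.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: attempts by the enrolled device owner.
# IMPOSTOR: attempts by other users (what FAR measures); a crafted
# spoof aimed at the sensor is not represented in this data.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.97, 0.79, 0.86, 0.58]
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.62, 0.27, 0.55, 0.19, 0.71, 0.30]
THRESHOLDS = [0.5, 0.6, 0.7, 0.8]


def far(impostor_scores, threshold):
    """False Accept Rate: share of other users' attempts that are accepted."""
    if not impostor_scores:
        raise ValueError("need at least one impostor attempt")
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: share of the owner's attempts that are rejected."""
    if not genuine_scores:
        raise ValueError("need at least one genuine attempt")
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in sorted(thresholds)]


def pick_threshold(genuine, impostor, thresholds, max_far):
    """Lowest threshold (fewest owner retries) whose FAR stays within max_far.

    Returns (threshold, FAR, FRR), or None if no candidate meets the FAR cap.
    """
    for t, fa, fr in sweep(genuine, impostor, thresholds):
        if fa <= max_far:
            return (t, fa, fr)
    return None


if __name__ == "__main__":
    for t, fa, fr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold={t:.1f}  FAR={fa:.0%}  FRR={fr:.0%}")
    print("FAR cap 10%:", pick_threshold(GENUINE, IMPOSTOR, THRESHOLDS, 0.10))
```

Loosening the threshold to cut owner retries (lower FRR) is what pushes FAR up, and both figures are computed only from the attempts in the test set.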
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/android-p-biometrics-spoofing/