4

As known in biometrics: https://en.wikipedia.org/wiki/Biometrics#Performance

False match rate (FMR, also called FAR = False Accept Rate): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs that are incorrectly accepted. In case of similarity scale, if the person is an imposter in reality, but the matching score is higher than the threshold, then he is treated as genuine. This increases the FMR, which thus also depends upon the threshold value

For example we have case:

  • 1000 users templates of faces in database
  • 100 users-impostors which aren't in database trying to log the system, once every
  • FAR = 0.001 (0.1%)

Then how many false matches will there be?

  1. 1000 * 100 * 0.001 = 100 (some of users-impostors will be accepted with many templates in database, some no once)
  2. 100 * 0.001 = 0.1 (imposters will not be allowed into the system, only 10% that one impostor may still be accepted to the system)

Or the same question in other words, what specifically is FAR (False Accept Rate):

  1. Is FAR a false match of one attempt to compare with only one template in database? And it does not depend on the size of the database.
  2. Or is FAR - if there is at least one match with any of the templates in database? And it depends on the size of the database.
Jedi
  • 3,906
  • 2
  • 24
  • 42
Alex
  • 143
  • 3
  • I would say both your answers look incorrect. By the definition you link to, FAR refers to the percentage of users wrongly identified. You have 1100 login attempts, therefore you can expect 1.1 login attempt to be misidentified. The probability is 90.9% that this a legitimate user is identified as a different user, and 9.1% that an impostor is accepted as a legitimate user... – Jedi Jun 24 '16 at 01:33

1 Answers1

1

First you should define whether your system uses identification or authentication. Identification finds a biometric scan in a database (e.g. to find a criminal in a crowd), while authentication compares a biometric scan with a single database entry (e.g. to grant access after a user scanned his RFID card).

According to my CISSP guide, FAR is a property of the system and it is calculated on a single comparison.

Assuming that each impostor is only allowed one scan, if your biometric system is used for authorization then the average probability that one impostor enters is

100 impostors x 0.001% FAR x 1 database entry = 0.1% = 1 impostor every 1000 days

If your biometric system is used for identification as the sole access control system, then the average probability that an impostor enters is

100 impostors x 0.001% FAR x 1000 database entries = 100% = 1 impostor every day

Unless there are specific business needs, biometrics is better suited for authentication.

Enos D'Andrea
  • 1,047
  • 5
  • 12
  • Thank you very much, very understandable explanation. One more question, is the FAR always measured in percent? – Alex Apr 14 '18 at 12:26
  • 1
    @Alex I am not qualified to answer that question, but I can say that in the industry I have always seen it as percent, while in scientific texts it often appears also as a ratio, probably because it is easier to handle in calculations. Examples [here](http://pubs.sciepub.com/ajeee/1/3/4/index.html), [here](https://patents.google.com/patent/US8190540) and if you have time and patience also [here](https://duckduckgo.com/?q=far+%22false+acceptance+rate%22&iar=images&iax=images&ia=images) – Enos D'Andrea Apr 15 '18 at 14:13