3

Every type of biometric authentication will have a false acceptance rate, which is the likelihood that the system will incorrectly accept an access attempt by an unauthorized user. Of course, when combining biometric with other authentication factors (e.g. passwords, or a security device), the chances of someone gaining access are significantly reduced.

However, when dealing with highly sensitive information (e.g. for access to banking, systems requiring PCI compliance, HIPAA compliance, etc.), where even a single breach could imply a large risk, what would an acceptable false acceptance rate for biometric authentication be when combined with another authentication factor?

For example, if the FAR is 1%, and I combine that form of authentication with password authentication, would that be acceptable in this case? What about 0.1%? 0.001? I realize that this is relatively subjective, but I have no idea what a good range would be, so any actual data, studies or use cases would be appreciated, if possible.

Mike
  • 425
  • 4
  • 13
  • "a single breach could imply a large risk" -- you calculate the rate of protection against the *quantified* risk. In other words, you need to define what *large* means in this case. – schroeder Oct 07 '17 at 11:05

2 Answers

4

Apple Touch ID has an FAR of 1/50,000 while Face ID has a FAR of 1/1,000,000

https://support.apple.com/en-us/HT208108

Android also insists on having an FAR of not higher than 0.002% (1 in 50,000). (Source: Android 7.0 Compatibility definition document)

A company called Eyeverify has a very relevant blog on this topic. They too seem to suggest that an FAR of 1 in 50,000 is good enough and they have clients in the banking sector.

https://www.eyeverify.com/blog/ceo-editorial-a-call-for-payment-grade-industry-standards

Tyrian Pi
  • 91
  • 5
  • I'm sure Apple's numbers (for fingerprints) assume only one partial print of one finger. However most people enroll many partial prints and many use several different fingers, which would significantly reduce this. I also found an [interesting article](http://www.telegraph.co.uk/technology/2017/04/11/smartphone-fingerprint-scanners-could-easily-fooled-fake-prints/) that states that studies have been done to make "master prints" using similarities from many people and they can apparently create a synthetic glove that would unlock "around half of iPhones before the five tries it allows expires". – Mike Oct 09 '17 at 17:39
  • Not to mention people [leave their fingerprints all over their phone](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid). – Mike Oct 09 '17 at 18:47
0

When doing this calculation you need to work on probability.

So using your banking example. The FAR may be 1% for say fingerprint auth used on the bank vault, however there may also be retina scanning at say 0.2% FAR. But imagine this retina scan is authenticated by another bank manager, so both need to be present to open the vault, using one fingerprint and one retina scan.

So you could work out the combined FAR for both of these but that would not be an accurate representation of the risk as the probability of finding people who can trigger a false positive becomes exponentially higher.

In all high value systems, a risk based assessment should be based on the probability of events. I realise this may not directly answer your questions, but it may help with context. I.e. instead of

"what is an acceptable FAR"

It may be more beneficial to ask:

"What is an acceptable risk, based on the probability of circumventing biometric auth using false positives."

TrickyDupes
  • 2,809
  • 1
  • 13
  • 27
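The probability arithmetic that both answers and the comments gesture at, as an added worked example (it is not code from either poster). It assumes independent factors, the same FAR on every attempt, and constructed values for the attempt limit, the number of enrolled templates and the per-guess password probability:

```python
"""Added worked example: turning a per-attempt FAR into a risk figure.

Assumptions (constructed, not taken from any vendor data sheet): factors are
statistically independent, each attempt has the same FAR, and the attacker is
allowed the stated number of attempts before lockout.
"""


def far_over_attempts(far: float, attempts: int) -> float:
    """P(at least one false accept) across `attempts` independent tries."""
    return 1.0 - (1.0 - far) ** attempts


def effective_far(far_per_template: float, enrolled_templates: int) -> float:
    """Enrolling k templates: the probe is accepted if it matches any one of
    them, so the per-attempt FAR grows roughly k-fold (the comment's point)."""
    return 1.0 - (1.0 - far_per_template) ** enrolled_templates


def combined_far(*per_factor: float) -> float:
    """FAR of an AND of independent factors: every factor must falsely accept."""
    p = 1.0
    for f in per_factor:
        p *= f
    return p


def required_template_far(target_risk: float, attempts: int, templates: int) -> float:
    """Invert the model: the per-template FAR needed so that one whole session
    (all attempts against all enrolled templates) stays under `target_risk`."""
    return 1.0 - (1.0 - target_risk) ** (1.0 / (attempts * templates))


if __name__ == "__main__":
    touch_id = 1 / 50_000  # figure quoted in the first answer
    # One session: 5 enrolled fingers, 5 tries before lockout (constructed limits)
    session = far_over_attempts(effective_far(touch_id, 5), 5)
    print(f"Touch ID, 5 fingers x 5 tries: {session:.2e}")  # ~5e-4
    # Vault example from the second answer: fingerprint 1% AND retina 0.2%
    print(f"fingerprint AND retina: {combined_far(0.01, 0.002):.1e}")  # 2.0e-05
    # The question's 1% FAR behind a password (constructed 1e-6 guess chance)
    print(f"1% FAR AND password guess: {combined_far(0.01, 1e-6):.1e}")  # 1.0e-08
    # Ask it the way the second answer suggests: fix the acceptable risk first
    print(f"FAR per template for 1e-4 per session: "
          f"{required_template_far(1e-4, 5, 5):.2e}")  # ~4e-6
```

The last figure is the answer to "what FAR do I need" once a risk target, attempt limit and enrolment count have been fixed, which is the reframing the second answer recommends.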