-1

How is this vulnerability possible? How is FMR linked with human factor vulnerabiltiy? If there is a vulnerability what are ways to safeguard or mitigate such issues?

user162334
  • 11
  • 2
  • i dont have the source. I was asked this question. Confused with FMR related to human factor – user162334 Oct 26 '17 at 15:40
  • Do you even understand what FMR describes? – Steffen Ullrich Oct 26 '17 at 15:41
  • https://en.wikipedia.org/wiki/Biometrics#Performance – schroeder Oct 26 '17 at 15:42
  • 2
    Dozens of academic papers could be (and have been) written on this subject. Reducing FMR without detrimental effects to FRR and other metrics depends on the individual biometric, use-case, business requirements, acquisition hardware, comparison algorithm, implementation environment, and lots of other factors. – Polynomial Oct 26 '17 at 15:42
  • @Polynomial "human factor vulns" though? – schroeder Oct 26 '17 at 15:43
  • 1
    @schroeder Generally reducing the FMR increases rejection rate, which increases the difficulty of use, which tends to make people find workarounds to 2FA. There are also some weird edge-cases with some ML-based systems where pushing the system to get the FMR as low as possible can inadvertently overtrain the set and lead to really weird bypasses. But the term is poorly defined so I'm largely spitballing here. – Polynomial Oct 26 '17 at 15:46
  • If you do not know the link, why not ask the person who said it? Why do you have to figure it out on your own? – schroeder Oct 26 '17 at 15:58
  • @Polynomial right, which is the answer, correct? – schroeder Oct 26 '17 at 16:00

1 Answers1

2

The false match rate is the rate at which the wrong person is accepted as the user trying to authenticate. Without changing other components of the system the easy way to reduce the false match rate is to make match criteria stricter.

Biometrics aren't perfect. Different angles, dirt build up on a finger, lighting, background sensor noise, movement etc. mean the signal from the same person can be slightly different.

If you make the criteria stricter not only do you reduce the false match rate but you increase the false non-match rate (when the correct person is rejected). This causes user frustration. Frustrated users find ways around your system - in the same way forcing someone to change their password leads to "password1", "password2"... etc.

If they can turn it off and use something else they do. It can also be indirect - if your users continually have to call in an admin to override a failed auth then it becomes a routine part of the system and they stop verifying the users identity properly.

Hector
  • 10,893
  • 3
  • 41
  • 44
  • Thanks! this helps a lot. I was unable to link FMR with human factor vulnerability as i am new to this subject. – user162334 Oct 26 '17 at 15:57
  • In other words, trying to decrease false positives can increase false negatives. – JAB Oct 26 '17 at 16:38