Posted yesteryear Vishwath Mohan, Security Engineer
To drib dead along users safe, most apps too devices guide keep an authentication mechanism, or a way to examine that you're you. These mechanisms autumn into 3 categories: noesis factors, possession factors, too biometric factors. Knowledge factors enquire for something you lot know (like a PIN or a password), possession factors enquire for something you lot guide keep (like a token generator or safety key), too biometric factors enquire for something you lot are (like your fingerprint, iris, or face).
Biometric authentication mechanisms are becoming increasingly popular, too it's tardily to run into why. They're faster than typing a password, easier than carrying unopen to a divide safety key, too they forestall i of the most mutual pitfalls of knowledge-factor based authentication—the guide chances of shoulder surfing.
As to a greater extent than devices contain biometric authentication to safeguard people's soul information, we're improving biometrics-based authentication inwards Android P by:
- Defining a ameliorate model to stair out biometric security, too using that to functionally constrain weaker authentication methods.
- Providing a mutual platform-provided entry indicate for developers to integrate biometric authentication into their apps.
A ameliorate safety model for biometrics
Currently, biometric unlocks quantify their functioning today amongst 2 metrics borrowed from machine learning (ML): False Accept Rate (FAR), too False Reject Rate (FRR).
In the instance of biometrics, FAR measures how oftentimes a biometric model accidentally classifies an wrong input equally belonging to the target user—that is, how oftentimes some other user is falsely recognized equally the legitimate device owner. Similarly, FRR measures how oftentimes a biometric model accidentally classifies the user's biometric equally incorrect—that is, how oftentimes a legitimate device possessor has to retry their authentication. The get-go is a safety concern, piece the minute is problematic for usability.
Both metrics produce a dandy project of measuring the accuracy too precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active aggressor equally component of the threat model, they produce non furnish real useful information well-nigh its resilience against attacks.
In Android 8.1, nosotros introduced 2 novel metrics that to a greater extent than explicitly concern human relationship for an aggressor inwards the threat model: Spoof Accept Rate (SAR) too Imposter Accept Rate (IAR). As their names suggest, these metrics stair out how easily an aggressor tin give notice bypass a biometric authentication scheme. Spoofing refers to the utilization of a known-good recording (e.g. replaying a phonation recording or using a appear upwardly or fingerprint picture), piece impostor credence way a successful mimicking of some other user's biometric (e.g. trying to audio or expect similar a target user).
Strong vs. Weak Biometrics
We utilization the SAR/IAR metrics to categorize biometric authentication mechanisms equally either strong or weak. Biometric authentication mechanisms amongst an SAR/IAR of 7% or lower are strong, too anything higher upwardly 7% is weak. Why 7% specifically? Most fingerprint implementations guide keep a SAR/IAR metric of well-nigh 7%, making this an appropriate criterion to start amongst for other modalities equally well. As biometric sensors too classification methods improve, this threshold tin give notice potentially last decreased inwards the future.
This binary classification is a slight oversimplification of the arrive at of safety that dissimilar implementations provide. However, it gives us a scalable machinery (via the tiered authentication model) to appropriately compass the capabilities too the constraints of dissimilar biometric implementations across the ecosystem, based on the overall guide chances they pose.
While both strong too weak biometrics volition last allowed to unlock a device, weak biometrics:
- require the user to re-enter their main PIN, pattern, password or a strong biometric to unlock a device later a 4-hour window of inactivity, such equally when left at a desk or charger. This is inwards improver to the 72-hour timeout that is enforced for both strong too weak biometrics.
- are non supported yesteryear the forthcoming BiometricPrompt API, a mutual API for app developers to securely authenticate users on a device inwards a modality-agnostic way.
- can't authenticate payments or participate inwards other transactions that involve a KeyStore auth-bound key.
- must exhibit users a alert that articulates the risks of using the biometric before it tin give notice last enabled.
These measures are intended to let weaker biometrics, piece reducing the guide chances of unauthorized access.
BiometricPrompt API
Starting inwards Android P, developers tin give notice utilization the BiometricPrompt API to integrate biometric authentication into their apps inwards a device too biometric agnostic way. BiometricPrompt alone exposes strong modalities, hence developers tin give notice last assured of a consistent marking of safety across all devices their application runs on. H5N1 back upwardly library is likewise provided for devices running Android O too earlier, allowing applications to utilize the advantages of this API across to a greater extent than devices.
While applications tin give notice claw into BiometricPrompt direct for Android nine too higher, developers should utilization the BiometricPrompt library to back upwardly the widest arrive at of devices.
The API is intended to last tardily to use, allowing the platform to pick out an appropriate biometric to authenticate amongst instead of forcing app developers to implement this logic themselves. Here's an illustration of how a developer powerfulness utilization it inwards their app:
Conclusion
Biometrics guide keep the potential to both simplify too strengthen how nosotros authenticate our digital identity, merely alone if they are designed securely, measured accurately, too implemented inwards a privacy-preserving manner.
We desire Android to acquire it right across all three. So we're combining secure blueprint principles, a to a greater extent than attacker-aware mensuration methodology, too a common, tardily to utilization biometrics API that allows developers to integrate authentication inwards a simple, consistent, too rubber manner.
Acknowledgements: This post service was developed inwards articulation collaboration amongst Jim Miller.
