Android Bio-metric Authentic
News | 06/22/2018

Android New Anti-Spoofing feature in Bio-metric Authentication


With growing cyber-crime activities, protection of confidential information has become a herculean task. Traditional methods of implementing security for sensitive data such as passwords and keys are not at all effective. Hence the need for ironclad security is paramount.

What is Android Bio-metric Authentication?

New technology solutions are gradually being implemented to combat cyber crime threats. Bio-metrics is one such technology that identifies and authenticates individuals in a reliable way. It uses biological characteristics such as fingerprint, face, iris and voice recognition to authenticate access to electronic devices. A reference model is first stored in the database. A person’s bio-metric data is then compared with the stored data to unlock the device.

Pitfalls in Bio-Metrics Authentication

Current bio-metric authentication systems also have some pitfalls. They make two types of errors, measured by the False Accept Rate (FAR) and the False Reject Rate (FRR). A false accept occurs when the device accepts an unauthorized person; a false reject occurs when a genuine person is rejected. These errors make bio-metric systems vulnerable to spoofing attacks.

Android Bio-Metric Authentication features new Metrics:

In an attempt to resolve this issue, Google has introduced two new metrics in addition to FRR and FAR. These are Spoof Accept Rate (SAR) and Impostor Accept Rate (IAR).

Impostor Accept Rate (IAR): This refers to the probability that a bio-metric model accepts input from a fake user who mimics the genuine user’s bio-metrics. For instance, trying to sound or look like a target user to unlock the device is called an Impostor Attack.

Spoof Accept Rate (SAR): This refers to the probability that a bio-metric model accepts previously recorded, known good samples of voice. For example, replaying a voice recording, or using a picture, mold, or mask of a genuine user's face or fingerprint to bypass the sensor and unlock the device. Such attacks are called Spoof Attacks.

Strong vs. Weak Unlocks:

The SAR/IAR metrics are used to categorize a bio-metric authentication mechanism as Strong or Weak.

Strong Unlock: For the bio-metric unlock to be considered strong, the SAR/IAR metrics should be lower than or equal to 7%.

Weak Unlock: If SAR/IAR is greater than 7%, it is considered weak bio-metric authentication.

Google’s Android Bio-metric Authentication Policies:

Both Strong and Weak bio-metrics can unlock a device. However, Android P will enforce strict authentication policies on users if the bio-metric is classified as weak. The policies are:

  1. In case of weak bio-metrics, if the device is inactive for a period of 4 hours, such as when the device is left for charging, users are prompted to re-enter their primary password, pattern or PIN or a strong bio-metric to unlock the device.
  2. However, if the device is left unattended for 72 hours, then the prompt to re-enter password, pattern or PIN or a strong bio-metric to unlock the device will occur for both strong as well as weak bio-metrics.
  3. Users authenticated with weak bio-metrics won’t be able to make payments or participate in transactions that involve cryptographic keys for authentication and encryption (Key-store auth-bound key).
  4. Weak bio-metrics show users a warning that spells out the risk involved in using them before they are enabled.
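
The classification and fallback rules above, modelled as an added Python example (not code from Android or from this article). The trial data is constructed, the function names are hypothetical, and it assumes that both SAR and IAR must be at or below 7% and that key use is blocked once the 72-hour prompt is due.

```python
from dataclasses import dataclass

STRONG_MAX_RATE = 0.07   # article: SAR/IAR <= 7% counts as "strong"
WEAK_IDLE_LIMIT_H = 4    # article: weak bio-metric falls back after 4 h idle
ANY_IDLE_LIMIT_H = 72    # article: every bio-metric falls back after 72 h

def accept_rate(trials, kind):
    """Fraction of attack attempts of `kind` ('spoof' or 'impostor') accepted."""
    outcomes = [accepted for k, accepted in trials if k == kind]
    if not outcomes:
        raise ValueError(f"no {kind} attempts recorded; rate is undefined")
    return sum(outcomes) / len(outcomes)

def classify(trials):
    """Return (strength, sar, iar). Assumption: both rates must meet the bar."""
    sar = accept_rate(trials, "spoof")
    iar = accept_rate(trials, "impostor")
    strong = sar <= STRONG_MAX_RATE and iar <= STRONG_MAX_RATE
    return ("strong" if strong else "weak"), sar, iar

@dataclass(frozen=True)
class Decision:
    biometric_unlock: bool  # may this bio-metric unlock the device right now?
    auth_bound_keys: bool   # may it authorize Keystore auth-bound key use?

def evaluate(strength, idle_hours):
    """Apply the article's fallback rules to a bio-metric of the given strength."""
    if strength not in ("strong", "weak"):
        raise ValueError("strength must be 'strong' or 'weak'")
    if idle_hours >= ANY_IDLE_LIMIT_H:
        # Primary credential needed first; blocking key use here is an assumption.
        return Decision(False, False)
    if strength == "weak":
        return Decision(idle_hours < WEAK_IDLE_LIMIT_H, False)
    return Decision(True, True)

# Constructed test results: (attack kind, was the attempt accepted?)
SAMPLE_TRIALS = (
    [("spoof", True)] * 7 + [("spoof", False)] * 93            # SAR = 7/100
    + [("impostor", True)] * 9 + [("impostor", False)] * 91    # IAR = 9/100
)

if __name__ == "__main__":
    strength, sar, iar = classify(SAMPLE_TRIALS)
    print(f"SAR={sar:.0%} IAR={iar:.0%} -> {strength}")
    for hours in (1, 4, 72):
        print(hours, "h idle:", evaluate(strength, hours))
```

The sample sensor passes on SAR exactly at the 7% boundary but is still classified weak because its IAR is 9%.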

Bio-metrics, if designed securely, measured accurately and implemented to adequately preserve privacy, have the potential to simplify and strengthen the authentication process.

Bio-prompt API:

Being introduced in Android P, the Bio-metric Prompt API aims to integrate bio-metric authentication into the apps present on the device. It is intended to provide a safe platform that assures a consistent level of security across all devices.
