Google has just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.
Biometric authentications, such as fingerprint, IRIS or face recognition technologies, smooth the process of unlocking devices and applications by making it significantly faster and more secure.
Although biometric systems also have some drawbacks that are not hidden from anyone, as has been demonstrated several times in the past, most biometric scanners are vulnerable to counterfeiting attacks and, in most cases, are very easily fooled.
Google today announced a better model for improving biometric security, which will be available through Android P, enabling mobile application developers to integrate an improved mechanism into their applications to keep user data secure.
New biometric measures to identify spoofing and impostor attacks
Android’s biometric authentication system currently uses two indicators: false acceptance rate (FAR) and false rejection rate (FRR), combined with automatic learning techniques to measure the accuracy and precision of user information.
In summary, the false acceptance rate’ defines how often the biometric model accidentally classifies an incorrect entry as belonging to the target user, while the false rejection rate’ records how often a biometric model accidentally classifies the user’s biometrics as incorrect.
In addition, for the convenience of the user, some biometric scanners also allow users to successfully authenticate themselves with higher than normal false acceptance rates, leaving the devices open for counterfeiting attacks.
Google says that none of the given metrics is sufficiently capable of accurately identifying whether the biometric data entered by a user is an attempt by an attacker to gain unauthorized access using any impersonation or imposter attack.
In an attempt to solve this problem, in addition to FAR and FRR, Google has introduced two new metrics: Parody Acceptance Rate (SAR) and Imposter Acceptance Rate (IAR), which explicitly represent an attacker in the threat model.
“As their names suggest, these metrics measure how easily an attacker can circumvent a biometric authentication scheme,” says Vishwath Mohan, a security engineer with the Google Android team.
“Spoofing” refers to the use of a known recording (e.g., playing a voice recording or using a face or fingerprint image), while accepting impostors means successfully imitating another user’s biometric information (e.g., attempting to sound or appear to be a target user).
Google will implement strong biometric authentication policies
Based on user biometric information, the SAR / IAR metric values define whether it is a “strong biometric” (for values less than or equal to 7%), or a “weak biometric” authentication (for values greater than 7%).
When unlocking your device or an application, if these values fall within a weak biometric system, Android P will apply strict authentication policies to users, as outlined below:
It will prompt the user to re-enter their PIN, pattern, password or strong biometrics if the device is idle for at least 4 hours (such as when left on a desktop or charging).
If you have left your device unattended for 72 hours, the system will apply the above policy to both weak and strong biometrics.
For added security, users authenticated with weak biometric data will not be able to make payments or participate in other transactions involving a KeyStore authentication key.
In addition to this, Google will also offer a new easy-to-use BiometricPrompt API that developers can use to configure a robust authentication mechanism in their applications to ensure maximum security for their users by completely blocking weak biometric authentication detected by two newly added metrics.
“BiometricPrompt only exposes robust modalities, so developers can be assured of a consistent level of security on all devices running their application,” Mohan said.
“A support library for devices running Android O and earlier is also provided, allowing applications to take advantage of this API on more devices.
The new feature would positively prevent unauthorized access to thieves’ devices, esp