Google is set to improve the biometric options and security in Android P and has announced that developers can now use the BiometricPrompt API to integrate biometric authentication into their apps.
Google justifies the move by pointing to how widely users rely on biometrics as a security measure. Because apps and devices both use and store the information users hand them, Google argues, sound authentication has to be a priority. Apps authenticate users with three kinds of factor: knowledge factors, possession factors and biometric factors.
Knowledge factors include PINs and passwords; possession factors are things like a token generator or a security key; biometric factors are usually the user's fingerprint, iris or face.
Vishwath Mohan, a security engineer at Google, wrote in the blog post: “Biometric authentication mechanisms are becoming increasingly popular, and it’s easy to see why. They’re faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing.”
The Android P update gives Google a more precise model for measuring biometric security and lets it clamp down on weaker authentication methods, while making the integration process much easier for developers.
Biometric systems are conventionally rated by two metrics, False Accept Rate (FAR) and False Reject Rate (FRR), which describe how accurately a system recognizes its legitimate users. According to Google, neither metric accounts for an active attacker or says anything about how well the system defends itself against one. Google therefore introduced two further metrics in Android 8.1, Spoof Accept Rate (SAR) and Impostor Accept Rate (IAR), to measure how easily an attacker can bypass a biometric authentication service.
“Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g. trying to sound or look like a target user),” said the blog.
Google uses SAR and IAR to classify a biometric authentication system as either strong or weak. The blog also lists the restrictions placed on a weak biometric: the user is required to fall back to re-entering a PIN or password, the biometric cannot be used to authenticate payments or transactions, and users are shown a warning about the weaknesses of the biometric.
“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices,” explained the blog.
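The following Kotlin is an added example of how an app would use the Android P framework API (`android.hardware.biometrics.BiometricPrompt`, API level 28); it is not code from Google's blog post or from the Android support library. The point it illustrates is one the blog's "strong modalities" guarantee does not make on its own: a bare success callback is just a boolean in app memory, which an attacker with a rooted device or an instrumentation tool can flip, so the prompt is tied to an Android Keystore key that refuses to decrypt until the user has actually authenticated. The key alias, function names and callback names are the example's own assumptions; the stored ciphertext and IV are assumed to have been produced earlier with the same key.

```kotlin
import android.content.Context
import android.hardware.biometrics.BiometricPrompt
import android.os.CancellationSignal
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias chosen for this example; any app-specific name works.
private const val KEY_ALIAS = "example_biometric_bound_key"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/**
 * Returns the app's AES-GCM key, creating it on first use.
 * setUserAuthenticationRequired(true) makes the Keystore reject any use of
 * the key that is not preceded by a successful authentication for that
 * specific operation. setInvalidatedByBiometricEnrollment(true) destroys the
 * key when a new fingerprint/face is enrolled, so an attacker who enrolls
 * their own biometric on an unlocked device cannot use the key afterwards.
 */
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

/**
 * Shows the system BiometricPrompt and, only if the user authenticates,
 * decrypts [ciphertext] (AES-GCM, 128-bit tag, [iv] as nonce).
 * Because the Cipher is wrapped in a CryptoObject, the decryption itself is
 * gated by the Keystore: hooking onAuthenticationSucceeded without a real
 * authentication leaves the cipher unusable.
 */
fun promptAndDecrypt(
    context: Context,
    iv: ByteArray,
    ciphertext: ByteArray,
    onPlaintext: (ByteArray) -> Unit,
    onFailure: (String) -> Unit
) {
    // The cipher is initialised before the prompt; the Keystore creates the
    // operation but will not let doFinal() run until authentication succeeds.
    val cipher = try {
        Cipher.getInstance("AES/GCM/NoPadding").apply {
            init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, iv))
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        // A new biometric was enrolled since the key was made: the data
        // protected by it is gone by design. Remove the dead key and bail out.
        KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
        onFailure("key invalidated by biometric enrollment; re-encrypt after re-login")
        return
    }

    val prompt = BiometricPrompt.Builder(context)
        .setTitle("Unlock vault")
        .setSubtitle("Confirm it's you")
        .setDescription("Authenticate to decrypt the stored secret.")
        // The negative button is the knowledge-factor fallback the blog describes.
        .setNegativeButton("Use password", context.mainExecutor) { _, _ ->
            onFailure("user chose password fallback")
        }
        .build()

    prompt.authenticate(
        BiometricPrompt.CryptoObject(cipher),
        CancellationSignal(),
        context.mainExecutor,
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Use the cipher handed back in the result; it is the one the
                // Keystore has now authorised for exactly one operation.
                val unlocked = result.cryptoObject?.cipher
                    ?: return onFailure("prompt returned no CryptoObject")
                try {
                    onPlaintext(unlocked.doFinal(ciphertext))
                } catch (e: Exception) {
                    // Wrong key, tampered ciphertext or an unauthorised operation.
                    onFailure("decryption failed: ${e.javaClass.simpleName}")
                }
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                when (errorCode) {
                    // No strong biometric enrolled or no sensor: fall back to PIN/password.
                    BiometricPrompt.BIOMETRIC_ERROR_NO_BIOMETRICS,
                    BiometricPrompt.BIOMETRIC_ERROR_HW_NOT_PRESENT ->
                        onFailure("no strong biometric available: $errString")
                    else -> onFailure("authentication error $errorCode: $errString")
                }
            }

            override fun onAuthenticationFailed() {
                // One non-matching attempt; the prompt stays open and the key stays locked.
            }
        }
    )
}
```

The division of labour matters: the prompt decides what counts as a strong modality and the Keystore enforces that the key is only usable after that modality succeeded, so the app never has to trust its own in-memory "authenticated" flag. On Android P there is no `BiometricManager.canAuthenticate()` (that arrived in Android 10), which is why the lack of an enrolled biometric is handled through `onAuthenticationError` here.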