Biometric authentication, such as fingerprint, iris, or face recognition, makes unlocking devices and applications notably faster while keeping them secure.
Biometric systems also have well-known pitfalls, however: it has been shown repeatedly that most biometric scanners are vulnerable to spoofing attacks, and in many cases fooling them is quite easy.
Google today announced a better model for measuring biometric security, which will be available from Android P onward and will let mobile app developers integrate an enhanced authentication mechanism within their apps to keep users' data safe.
New Biometric Metrics to Identify Spoofing and Imposter Attacks
Currently, the Android biometric authentication system relies on two metrics, False Accept Rate (FAR) and False Reject Rate (FRR), in combination with machine learning techniques to measure how accurately the matcher classifies a user's input.
In brief, the False Accept Rate is how often the biometric model wrongly accepts an input that does not belong to the enrolled user (typically another person presenting their own biometric), while the False Reject Rate is how often it wrongly rejects the enrolled user's genuine biometric.
Moreover, for user convenience some biometric implementations tune the matching threshold so that users authenticate successfully more often; this lowers the FRR at the cost of a higher false-acceptance rate than usual and leaves devices more open to spoofing attacks.
Google says neither of these metrics can tell whether a biometric sample presented to the device is an attacker's attempt to gain unauthorized access through a spoofing or impostor attack: FAR is measured against ordinary users who are not trying to break in, not against an adversary.
In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
"As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme," says Vishwath Mohan, a security engineer on Google's Android team.
"Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g., trying to sound or look like a target user)."
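As an added illustration, not code from the article or from Google's Android implementation, the following Python computes all four rates over a constructed set of match scores from a hypothetical matcher. The attempt labels, the scores and the thresholds are assumptions chosen to show the point made above: FAR and FRR describe how the matcher treats the enrolled user and other ordinary users, and say nothing about how a spoof (a replayed recording) or a deliberate impostor (a mimic) fares.

```python
"""Added example: FAR, FRR, SAR and IAR over a constructed set of match scores.

Each attempt carries a similarity score in [0, 1] from a hypothetical matcher
(higher means "looks more like the enrolled user") and a label for who produced
the sample:
  genuine      the enrolled user presenting their own biometric
  zero_effort  another person presenting their own biometric (what FAR counts)
  spoof        a known-good recording or copy of the enrolled user's trait
  impostor     another person deliberately mimicking the enrolled user
A sample is accepted when its score reaches the matching threshold.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Attempt:
    kind: str
    score: float


def _attempts(kind: str, scores: Iterable[float]) -> List[Attempt]:
    return [Attempt(kind, s) for s in scores]


# Constructed sample scores (assumption: no real matcher produced these).
ATTEMPTS: List[Attempt] = (
    _attempts("genuine", (0.95, 0.91, 0.88, 0.82, 0.79, 0.74, 0.68, 0.62, 0.55, 0.90))
    + _attempts("zero_effort", (0.05, 0.12, 0.20, 0.31, 0.38, 0.44, 0.49, 0.58, 0.22, 0.15))
    + _attempts("spoof", (0.93, 0.89, 0.84, 0.77, 0.71, 0.66, 0.61, 0.52, 0.86, 0.73))
    + _attempts("impostor", (0.64, 0.59, 0.53, 0.47, 0.41, 0.70, 0.36, 0.62, 0.57, 0.45))
)


def _rate(attempts: Iterable[Attempt], kind: str, counted: Callable[[float], bool]) -> float:
    """Fraction of attempts of the given kind for which counted(score) holds."""
    samples = [a for a in attempts if a.kind == kind]
    if not samples:
        raise ValueError(f"no attempts of kind {kind!r}")
    return sum(1 for a in samples if counted(a.score)) / len(samples)


def metrics(attempts: Iterable[Attempt], threshold: float) -> Dict[str, float]:
    """All four rates at one matching threshold."""
    attempts = list(attempts)

    def accepted(score: float) -> bool:
        return score >= threshold

    return {
        # FAR/FRR: how the matcher treats the enrolled user and other ordinary users.
        "FAR": _rate(attempts, "zero_effort", accepted),
        "FRR": _rate(attempts, "genuine", lambda s: not accepted(s)),
        # SAR/IAR: how an attacker fares; these put the adversary in the threat model.
        "SAR": _rate(attempts, "spoof", accepted),
        "IAR": _rate(attempts, "impostor", accepted),
    }


def threshold_sweep(
    attempts: Iterable[Attempt], thresholds: Iterable[float]
) -> List[Tuple[float, Dict[str, float]]]:
    """Rates at each threshold, to show the convenience/security trade-off."""
    attempts = list(attempts)
    return [(t, metrics(attempts, t)) for t in thresholds]


if __name__ == "__main__":
    # Strict, convenient, and very convenient thresholds (assumed values).
    for t, m in threshold_sweep(ATTEMPTS, (0.75, 0.60, 0.50)):
        print(f"threshold {t:.2f}: " + "  ".join(f"{k}={v:.2f}" for k, v in m.items()))
```

With these constructed scores, relaxing the threshold from 0.75 to 0.60 drops FRR from 0.4 to 0.1 while FAR stays at 0.0, so a vendor looking only at FAR and FRR would call the change free; SAR meanwhile climbs from 0.5 to 0.9 and IAR from 0.0 to 0.3. That invisible cost is exactly what the two new metrics expose.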