Google is looking to improve biometrics in its upcoming operating system Android P. The company announced developers can start using the BiometricPrompt API to integrate biometric authentication into their apps.
According to Google, biometrics are an important part of keeping users safe. Apps and devices typically build their authentication mechanisms from knowledge factors, possession factors and biometric factors. Knowledge factors usually include PINs and passwords; possession factors include a token generator or security key; biometric factors include fingerprints, iris or a user’s face.
“Biometric authentication mechanisms are becoming increasingly popular, and it’s easy to see why. They’re faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing,” Vishwath Mohan, security engineer at Google, wrote in a post.
With Android P, Google wants to provide a better model for measuring biometric security, constrain weaker authentication methods, and provide a common platform and entry point for developers to easily integrate the capability.
Biometric systems are typically evaluated with two metrics: False Accept Rate (FAR) and False Reject Rate (FRR). While both metrics provide accuracy and precision thanks to machine learning, Google says they don’t account for an active attacker or provide information about a system’s resilience against attacks. In Android 8.1, the company introduced Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR) to measure how easily an attacker can bypass a biometric authentication service.
“Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g. trying to sound or look like a target user),” Mohan wrote.
SAR and IAR are used to determine whether a biometric authentication mechanism is strong or weak. Constraints on weak biometrics include requiring the user to re-enter a PIN or password, being unable to authenticate payments or transactions, and showing users a warning about the risks of the biometric.
“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices,” wrote Mohan.
Google hopes the new API will help strengthen and simplify digital identity authentication and give developers the ability to implement biometrics securely and accurately.
“We want Android to get it right across all three. So we’re combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner,” Mohan wrote.