Google's new API improves biometric authentication in Android P

Google has announced a biometric authentication API which enables developers to improve the security of their apps.

Biometrics have become a favoured, quick security method for users. There are certainly more secure ways to authenticate, but few are as fast and unobtrusive.

Vishwath Mohan, Security Engineer at Google, wrote in a blog post:

“Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing.”

Knowledge-factor authentication is something you know, such as a PIN or password. Aside from biometrics (something you are), the other major factor is possession: something you have, such as a hardware token or one-time-code generator.

Google wants to improve two major areas with biometric authentication in Android P:

  • Define a better model to measure biometric security, and use that to functionally constrain weaker authentication methods.

  • Provide a common platform-provided entry point for developers to integrate biometric authentication into their apps.

Two metrics have traditionally been used to evaluate biometric authentication: False Accept Rate (FAR) and False Reject Rate (FRR).

Google treats FAR as the security metric, since it measures how often a random other person is mistakenly recognised as the device owner. FRR is the usability metric, as it measures how often the legitimate owner has to retry. Both describe what happens with an honest population of users; neither says anything about an attacker who is actively trying to get in, which is the gap the new metrics address.

Android P adds two further metrics, Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR), which measure how easily an active attacker gets through.

Spoofing refers to the use of a known-good recording of the real user's biometric (replaying a voice recording, or presenting a photo of their face or fingerprint), while imposter acceptance means successfully mimicking another user's biometric (trying to sound or look like the target user).

Google uses these metrics to classify each biometric mechanism as either strong or weak: a SAR/IAR of seven percent or lower counts as strong, anything above seven percent as weak.

The point of the classification is to let devices keep offering weaker biometrics for convenience while limiting what those weaker methods are allowed to authorise; the BiometricPrompt API is where that limit is enforced for apps.

“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” wrote Mohan. “A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”

Because the prompt is provided by the platform, the platform decides which biometric is appropriate on a given device; developers call a single API rather than writing their own per-modality (fingerprint, face, iris) logic.
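As an added example (not code from Google's post or the Android documentation), here is how an app would use the Android P platform class android.hardware.biometrics.BiometricPrompt to gate a hardware-backed AES key on a successful biometric authentication. The key is created in AndroidKeyStore with user authentication required, and the Cipher is passed to the prompt as a CryptoObject, so the key operation is only authorised by the platform after a strong-modality match rather than by the app trusting its own callback. The key alias, UI strings and Callback interface are assumptions for this example, and the code assumes it runs inside an Activity.

```java
// Added example: gating an AndroidKeyStore key on BiometricPrompt (API 28).
// KEY_ALIAS, the prompt strings and the Callback interface are arbitrary choices
// for this example, not names from the Android framework.
import android.app.Activity;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class BiometricGate {
    private static final String KEY_ALIAS = "demo_auth_bound_key"; // hypothetical alias
    private final Activity activity;

    public BiometricGate(Activity activity) { this.activity = activity; }

    // Create (once) an AES key that lives in AndroidKeyStore and is unusable until
    // the user authenticates. With no validity duration set, every Cipher operation
    // has to be individually authorised through BiometricPrompt.
    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (existing != null) return existing;

        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)        // key is unusable without auth
                .setInvalidatedByBiometricEnrollment(true)  // new fingerprint/face => key dies
                .build());
        return kg.generateKey();
    }

    public void encryptAfterBiometric(byte[] plaintext, Callback cb) {
        Cipher cipher;
        try {
            cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey()); // operation starts, pending auth
        } catch (KeyPermanentlyInvalidatedException e) {
            // Biometric enrollment changed since the key was created: treat data bound
            // to this key as lost and re-enrol, rather than silently falling back.
            cb.onError("key invalidated by biometric enrollment change");
            return;
        } catch (Exception e) {
            cb.onError("cipher init failed: " + e);
            return;
        }

        // Title and negative button are mandatory on API 28; build() throws without them.
        BiometricPrompt prompt = new BiometricPrompt.Builder(activity)
                .setTitle("Confirm it's you")
                .setDescription("Authenticate to encrypt this record")
                .setNegativeButton("Cancel", activity.getMainExecutor(),
                        (dialog, which) -> cb.onError("user cancelled"))
                .build();

        // Passing the Cipher as a CryptoObject ties this prompt to this key operation:
        // the keystore only lets doFinal() proceed after the platform reports success.
        prompt.authenticate(new BiometricPrompt.CryptoObject(cipher),
                new CancellationSignal(), activity.getMainExecutor(),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            Cipher authorised = result.getCryptoObject().getCipher();
                            byte[] iv = authorised.getIV();           // keep the IV with the ciphertext
                            byte[] ct = authorised.doFinal(plaintext); // fails if auth did not really happen
                            cb.onEncrypted(iv, ct);
                        } catch (Exception e) {
                            cb.onError("encryption failed: " + e);
                        }
                    }
                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        cb.onError("error " + errorCode + ": " + errString); // lockout, cancel, no hardware, ...
                    }
                    @Override
                    public void onAuthenticationFailed() {
                        // A non-matching biometric; the prompt stays up for another attempt.
                    }
                });
    }

    public interface Callback {
        void onEncrypted(byte[] iv, byte[] ciphertext);
        void onError(String reason);
    }
}
```

The CryptoObject is the part that matters for security: if an app merely waits for onAuthenticationSucceeded and then decrypts with a key that does not require authentication, a hooked or instrumented callback grants access. With an auth-bound key, doFinal() fails unless the platform itself has authorised that exact operation, and a weak biometric cannot authorise it at all.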

Documentation for the BiometricPrompt API is available in the Android developer reference.

What are your thoughts on Google’s new BiometricPrompt API? Let us know in the comments.
