Every type of biometric authentication will have a false acceptance rate, which is the likelihood that the system will incorrectly accept an access attempt by an unauthorized user. Of course, when combining biometric with other authentication factors (e.g. passwords, or a security device), the chances of someone gaining access are significantly reduced.
However, when dealing with highly sensitive information (e.g. for access to banking, systems requiring PCI compliance, HIPAA compliance, etc.), where even a single breach could imply a large risk, what would an acceptable false acceptance rate for biometric authentication be when combined with another authentication factor?
For example, if the FAR is 1%, and I combine that form of authentication with password authentication, would that be acceptable in this case? What about 0.1%? 0.001? I realize that this is relatively subjective, but I have no idea what a good range would be, so any actual data, studies or use cases would be appreciated, if possible.
Apple Touch ID has an FAR of 1/50,000, while Face ID has an FAR of 1/1,000,000.
https://support.apple.com/en-us/HT208108
Android also insists on having an FAR of not higher than 0.002% (1 in 50,000). (Source: Android 7.0 Compatibility Definition Document)
A company called Eyeverify has a very relevant blog on this topic. They too seem to suggest that an FAR of 1 in 50,000 is good enough and they have clients in the banking sector.
https://www.eyeverify.com/blog/ceo-editorial-a-call-for-payment-grade-industry-standards
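The per-attempt FAR figures quoted above only become meaningful once you multiply them out over the number of attempts an attacker gets before lockout, and then combine them with the second factor. The following is an added worked example, not code from the question, the answer, Apple, Google or EyeVerify; it assumes the biometric and the password factor are independent, a uniform-guess model for the password (attacker success = attempts / keyspace), and an illustrative 5-attempt lockout budget chosen here for the calculation. The function names and the sample FAR values in `main()` are constructed for illustration; the FARs are the ones named in the question (1%, 0.1%, 0.001%) and the answer (1/50,000 and 1/1,000,000).

```python
"""Effective false-acceptance probability of a biometric factor over an
attempt budget, and of the biometric combined with a password factor.

Assumptions (added example, not from the original post):
  * each biometric presentation is an independent trial with the same FAR;
  * the password factor is independent of the biometric;
  * the attacker gets a fixed number of attempts before lockout.
"""


def multi_attempt_far(far_per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` impostor presentations
    is accepted, given an independent per-attempt FAR."""
    if not 0.0 <= far_per_attempt <= 1.0 or attempts < 1:
        raise ValueError("FAR must be a probability and attempts >= 1")
    return 1.0 - (1.0 - far_per_attempt) ** attempts


def required_far(target: float, attempts: int) -> float:
    """Per-attempt FAR needed so that the whole attempt budget stays at or
    below `target` (the inverse of multi_attempt_far)."""
    if not 0.0 <= target < 1.0 or attempts < 1:
        raise ValueError("target must be in [0, 1) and attempts >= 1")
    return 1.0 - (1.0 - target) ** (1.0 / attempts)


def combined_success(biometric_far: float, biometric_attempts: int,
                     password_keyspace: float, password_attempts: int) -> float:
    """Probability an attacker passes BOTH factors.

    Biometric: multi-attempt FAR over the lockout budget.
    Password: uniform-guess model, attempts / keyspace, capped at 1.
    The two are multiplied because independence is assumed (a shared
    weakness, e.g. both factors on one stolen phone, breaks this)."""
    if password_keyspace <= 0 or password_attempts < 0:
        raise ValueError("keyspace must be > 0 and attempts >= 0")
    p_bio = multi_attempt_far(biometric_far, biometric_attempts)
    p_pwd = min(1.0, password_attempts / password_keyspace)
    return p_bio * p_pwd


def main() -> None:
    # Illustrative lockout budget (assumed for this example, not a vendor figure).
    attempts = 5
    # Second factor: a 6-digit PIN (keyspace 10**6), same 5-attempt budget.
    pin_keyspace, pin_attempts = 10 ** 6, 5
    cases = {
        "question: 1%": 0.01,
        "question: 0.1%": 0.001,
        "question: 0.001%": 0.00001,
        "answer: 1/50,000": 1 / 50_000,
        "answer: 1/1,000,000": 1 / 1_000_000,
    }
    print(f"{'per-attempt FAR':<22}{'over 5 attempts':>18}{'with 6-digit PIN':>20}")
    for label, far in cases.items():
        over_budget = multi_attempt_far(far, attempts)
        both = combined_success(far, attempts, pin_keyspace, pin_attempts)
        print(f"{label:<22}{over_budget:>18.3e}{both:>20.3e}")
    # Working backwards: to keep a 1-in-a-million overall budget over 5
    # attempts, the per-attempt FAR must be roughly one fifth of that.
    print(f"per-attempt FAR for 1e-6 over {attempts} attempts: "
          f"{required_far(1e-6, attempts):.3e}")


if __name__ == "__main__":
    main()
```

The table makes the practical point behind the answer's numbers: a 1% FAR is about 4.9% after five tries, so the headline figure is an order of magnitude too optimistic once the attempt budget is counted, while 1/50,000 stays at roughly 1e-4 over the same budget. The product with the password factor is only valid while the factors really are independent and each has its own lockout; if the biometric merely unlocks a stored password on the same device, the effective protection collapses to the biometric figure alone.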