Android P to require 7 percent FAR standard for authentication with BiometricPrompt API
Android P’s BiometricPrompt API will use a 7 percent combined spoof accept rate (SAR) and imposter accept rate (IAR) as a standard to differentiate weak and strong smartphone biometrics, and will not support weak biometrics, according to a post to the Android Developers blog. The 7 percent standard enables Android to use a scalable mechanism with a tiered authentication model.
Any weak biometric on an Android device will also have to show a warning explaining its risks, and will not be able to authenticate payments or other transactions involving a KeyStore auth-bound-key, Android Security Engineer Vishwath Mohan explained in the post. Weak biometrics can be used for device unlocking on devices running Android P, but after 4 hours of inactivity users will have to use another unlocking method, such as a PIN, password, pattern, or a strong biometric. The additional requirements after a 72-hour period of inactivity will also apply to both strong and weak biometrics.
The BiometricPrompt API capabilities can also be integrated with devices running Android O and earlier versions through compatibility tools provided in a support library.
Because BiometricPrompt only supports strong authentication, developers integrating it into their apps are assured of a consistent level of security regardless of the device or biometric modality used, according to the post.
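A sketch of the flow described above, in which a KeyStore auth-bound key can only sign after BiometricPrompt reports a successful match. This is an added example, not code from the blog post or from Android itself. It uses the framework `android.hardware.biometrics.BiometricPrompt` class on Android P (API 28) rather than the support library, and the class name `AuthBoundSigner`, the key alias and the prompt strings are assumptions.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.function.Consumer;

public final class AuthBoundSigner {
    private static final String KEY_ALIAS = "example_payment_key"; // hypothetical alias

    // Create a signing key in AndroidKeyStore that is unusable until the user authenticates.
    // Fails if the device has no secure lock screen or no enrolled biometric.
    static void createKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true) // makes this an auth-bound key
                .build());
        kpg.generateKeyPair();
    }

    // Show the system prompt; onSigned runs only after a successful biometric match.
    static void sign(Context ctx, byte[] payload, Consumer<byte[]> onSigned) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null)); // throws if the key was invalidated
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm payment") // constructed UI text
                .setNegativeButton("Cancel", ctx.getMainExecutor(), (dialog, which) -> { })
                .build();
        prompt.authenticate(new BiometricPrompt.CryptoObject(sig), new CancellationSignal(),
                ctx.getMainExecutor(), new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            Signature s = r.getCryptoObject().getSignature();
                            s.update(payload);
                            onSigned.accept(s.sign()); // key is released for this one operation
                        } catch (Exception e) {
                            // Signing failed: treat the transaction as not authenticated.
                        }
                    }
                });
    }
}
```

The app manifest must declare the `USE_BIOMETRIC` permission, and the resulting signature should be verified server-side against the public key registered when the key was created.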
“Biometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner,” Mohan writes. “We want Android to get it right across all three. So we’re combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner.”
The Developer Preview of Android P shows native support for face, iris, and in-display fingerprint biometrics, using a blanket USE_BIOMETRIC permission.