Biometrics pros school Google on Android PAD specs

Google is taking criticism for its new biometric specifications for Android devices, which allow an error rate of up to 7 percent on spoof attacks for even those granted the top “strong security” or “Class 3” status.

The acceptable attack presentation classification error rate (APCER) should be closer to 1 percent for the protection against fake attempts to be considered strong, Computerworld reports.

The tech giant says that mobile device manufacturers must choose the tier of native biometric security to build into their devices, avoiding the question of why the top level of the specs would allow so many presentation attacks to succeed. The three tiers specified by Google are “convenience,” “weak” and “strong.” This means there is no distinction in the specification between those devices offering an APCER of 7 percent and a presentation attack detection error rate of 1 percent or lower.

Anonybit Co-founder and CEO Frances Zelazny called the allowable error rate “very very high” in a comment to Computerworld and noted it contrasts with the performance expectations of the biometrics industry.

Despite this impedance to transparency, Google told Computerworld that it “strongly recommends disclosing the biometric class of a biometric and the corresponding risk of enabling it to users for better transparency.”

FaceTec SVP of North America Jay Meier says the strong security spec is “laughably bad,” and that it “should qualify as fraudulent.” He points out the many users will implement passkeys using native device biometrics, which at the specified security level could “enable identity theft and cybercrime.”

Passkeys are usually implemented by enterprises looking to go passwordless with native biometrics, rather than third-party software, due to the cost of the latter approach, and the ease with which the former supports bring-your-own-device policies.

Between the weak standard for PAD performance on Android devices and the typical fallback to the PIN if authentication is unsuccessful, these enterprises may not be getting the security they expect from their use of passkeys.

Pixel 8 Pro’s payments pitch imperfect

Another potential security risk that comes with weak presentation attack detection is that a thief who steals a phone could spoof the real owner’s biometrics to steal their money. Google’s own flagship smartphone, the Pixel 8 Pro, has upgraded face biometrics that are secure enough to support mobile payments and banking.

Pixel 7 users could pay for purchases on their phone with biometric authentication, but had to authenticate themselves to complete the process even if they had unlocked the device using facial recognition, which is no longer the case, according to Android Authority.

Android Authority says the face unlock feature on the Pixel 8 Pro is faster, and credits the combination of new algorithms and the device’s Tensor G3 chipset. Sunglasses and low lighting still prevent biometric recognition, as the Pixel 8 Pro still uses conventional imaging, as opposed to Apple’s infrared scanning.

The Pixel 8 Pro also includes an optical under-display fingerprint sensor, which Wccf tech reports is supplied by Goodix.

No word on the APCER of the device’s PAD system.

Article Topics

Anonybit  |  biometric authentication  |  biometric liveness detection  |  biometrics  |  FaceTec  |  Goodix  |  Google  |  presentation attack detection  |  smartphones