Google introduces new biometric authentication API for Android P

Google is looking to improve biometrics in its upcoming Android P. The company announced that developers can start integrating biometric authentication into their apps using the BiometricPrompt API.

[[233901]]

According to Google, biometrics are an important part of keeping users safe. Applications and devices often use knowledge factors, possession factors, and biometrics factors for authentication mechanisms. Knowledge factors typically include PINs and passwords, possession factors include token generators or security keys, and biometrics factors include fingerprints, irises, or the user's face.

Vishwath Mohan, a security engineer at Google, wrote in a blog post:

Biometric authentication mechanisms are becoming increasingly popular, and it’s easy to see why. They’re faster than typing in a password, easier than carrying a separate security key, and they prevent the risks of knowledge-based authentication.

With Android P, Google hopes to provide a better model for measuring biometric security, restrict weaker authentication methods, and provide a common platform and entry point for developers to easily integrate the functionality.

Biometrics typically uses two metrics: the false acceptance rate (FAR) and the false rejection rate (FRR). While both metrics provide an indication of the accuracy and precision of machine learning, Google says they do not take active attackers into account or provide information about resilience against attacks. FAR focuses on security issues, measuring how often an illegitimate user is accidentally identified as the device owner, while FRR focuses on usability issues, measuring how often the legitimate device owner has to retry their authentication.

In Android 8.1, the company introduced the Spoof Acceptance Rate (SAR) and Impersonation Acceptance Rate (IAR) to measure how easy it is for an attack to bypass biometric authentication services. "Spoofing" refers to using a known good recording (such as replaying an audio recording or using a picture of a face or fingerprint), while "impersonation" means successfully mimicking another user's biometrics (such as trying to sound or look like the target user).