Cyber Security Exam Prep : Biometrics Authentication

Exam Prep Notes

Biometrics is an authentication mechanism that falls under the ‘something you are’ (type 3) factor. The most common biometric authentication techniques make use of personal characteristics such as fingerprints, retina scans, thumb scans, and face detection. The most important aspect of a biometric device is its accuracy.

There are three main performance measures in biometrics:

  • False Rejection Rate (FRR) or Type I Error (mnemonic: "Rejection" contains 1 c). The percentage of valid subjects that are falsely rejected. It means that a genuine user was denied access to the resources.
  • False Acceptance Rate (FAR) or Type II Error (mnemonic: "Acceptance" contains 2 c's). The percentage of invalid subjects that are falsely accepted. It means that the system incorrectly granted access to unauthorized users.
  • Crossover Error Rate (CER). The percentage at which the FRR equals the FAR. As a general principle, the lower the CER percentage, the more accurate the biometric system is considered to be. Also called Equal Error Rate (EER).
(Source: ISC2)
For the purpose of security, FAR (Type II) is more damaging than FRR, as some unauthorized individuals may gain access to the facility. Hence, given the option, we should always opt for a low FAR.
If a biometric device is too sensitive, Type I errors (FRR) are more common. When a biometric device is not sensitive enough, Type II errors (FAR) are more common.
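
The relationship between sensitivity, FRR, FAR and the CER can be seen by sweeping a decision threshold over match scores. The following is an added example, not part of the original notes: it assumes a hypothetical matcher that outputs a similarity score and accepts at or above a threshold, and all scores and function names are constructed for illustration.

```python
# Constructed sample data: similarity scores (0-100) from a hypothetical matcher
# that accepts a sample when its score is at or above the threshold.
GENUINE = [62, 68, 71, 74, 77, 80, 83, 85, 88, 91]   # valid subjects
IMPOSTOR = [20, 27, 33, 38, 44, 49, 55, 63, 70, 76]  # invalid subjects


def frr(threshold, genuine=GENUINE):
    """Type I error: fraction of valid subjects rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type II error: fraction of invalid subjects accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(thresholds=range(0, 101)):
    """Return (threshold, CER): the lowest threshold where FRR and FAR are closest."""
    best = min(thresholds, key=lambda t: (abs(frr(t) - far(t)), t))
    return best, (frr(best) + far(best)) / 2


def lowest_threshold_for_far(max_far, thresholds=range(0, 101)):
    """Security-first tuning: lowest threshold meeting a FAR ceiling, plus the FRR it costs."""
    for t in thresholds:
        if far(t) <= max_far:
            return t, frr(t)
    return None


if __name__ == "__main__":
    # A lenient (40), crossover (69) and strict (90) setting side by side.
    for t in (40, 69, 90):
        print(f"threshold={t:3d}  FRR={frr(t):.0%}  FAR={far(t):.0%}")
    print("crossover:", crossover())
    print("FAR <= 0%:", lowest_threshold_for_far(0.0))
```

With this sample data, driving FAR to zero raises the threshold past the crossover point and pushes FRR up, which is the security-versus-convenience trade-off described above.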

Effectiveness Parameters for Biometrics

  • Enrollment time: During the enrollment or registration phase, a unique user-provided credential, such as a fingerprint, is recorded in the authentication system for future authentication attempts. This stored sample of a biometric factor is called the reference profile or reference template. The enrollment time for a biometric system should be kept to a minimum. A low enrollment time leads to higher user acceptance.
  • Throughput: Throughput or processing time is the time taken by a biometric system to process an authentication request initiated by a user and approve or deny access. A high throughput is a factor considered during the deployment of a biometric system. Complex biometric factors take more processing time and are often not desirable.
  • User acceptance: A biometric system should have a high level of user acceptance. Users must be informed that the organizational resources should be protected and that the system is not intrusive.

Sample Questions:

 
1. Why should an organization not deploy a biometric system based on fingerprinting technology?
a. The CER value of the biometric system is very low.
b. The system demands immense overhead maintenance.
c. Authentication results are not always accurate and reliable.
d. Employees are reluctant to use a biometric system that scans their fingerprints.

2. Which characteristic of a biometric device should be considered if an organization wants to deploy a convenient authentication procedure for employees without compromising the security in the facility?
a. low FRR
b. low FAR
c. high FAR
d. high FRR

One Thought to “Cyber Security Exam Prep : Biometrics Authentication”

  1. djmanuxi

    1. c
    2. b
