Tuesday, May 18, 2010

Biometrics False Positive False Acceptance

I'm teaching a Security+ class this week and this topic came up again.  Here's some clarification...

Biometrics is used for authentication.  It is in the "something you are" factor. You can read about the three factors of authentication here.

However, biometrics can be calibrated for different levels of accuracy.  Two types of errors are possible.
  • False acceptance or false positive. This is when a system inaccurately identifies someone as someone else.  For example, imagine that Attacker Al steals Sally's laptop. The laptop has a fingerprint scanner for authentication, registered with Sally's fingerprint.  Attacker Al tries his fingerprint and it works.  It accepts his fingerprint even though it shouldn't. It returns a positive match as though his fingerprint is the same as Sally's even though this is obviously false.
  • False rejection or false negative. Now imagine that Sally has the same laptop.  She has registered her fingerprint on the system.  The next day she tries to use it for authentication. Unfortunately, the system rejects her fingerprint. It returns a negative match as though the fingerprint isn't actually hers, even though it's the same finger she used the day before.
The confusion with some people is realizing that false acceptance is the same as false positive, and false rejection is the same as false negative.

Think about this.  The Powerball lottery in the U.S. wants to give you a million dollars for your winning ticket. Do you accept it?  You'll probably answer with a positive answer such as Yes, or Absolutely.  Accept is a positive response.  On the other hand, reject is a negative answer.  Someone may say No, they don't want the money (though I can't imagine why not). The rejection with a No is a negative response.

You can overthink this, but it's as simple as this: acceptance is positive, and rejection is negative.

Interestingly, both terms are simplified.  Biometrics more technically use the following terms:
  • False reject rate (FRR).  This is commonly referred to as a Type I error, or a false rejection error.
  • False accept rate (FAR). This is commonly referred to as a Type II error, or a false acceptance error.
  • Crossover error rate (CER). This is the rate at which the FRR and FAR are equal, represented as a number or a percentage.  The lower the number or percentage, the more accurate the biometric system is.  For example, a CER of 2 (or 2 percent) is much better than a CER of 10 (or 10 percent).
Here's an interesting article that explains FRR, FAR, and CER. It's a CISSP study article and digs a little deeper into the topic than necessary for Security+ but may help clarify things for you.
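To put numbers on the calibration trade-off and the CER, here is an added example (not code from the original post) that computes FAR and FRR across a sweep of thresholds and finds the crossover point; the match scores, the threshold range and the function names are constructed assumptions.

```python
# Added example: FAR, FRR and the crossover error rate (CER) computed from
# constructed match scores. Not code from the original post.
from typing import Sequence, Tuple

# Constructed sample data: similarity scores (0-100) a fingerprint matcher
# returned against Sally's enrolled template. "Genuine" attempts are Sally's
# own finger; "impostor" attempts are someone else's (Attacker Al).
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 58]
IMPOSTOR_SCORES = [12, 20, 25, 31, 38, 44, 52, 61, 67, 73]
THRESHOLDS = range(0, 101)  # hypothetical calibration range for the scanner


def classify(is_enrolled_user: bool, accepted: bool) -> str:
    """Name one attempt's outcome: false accept = false positive (Type II),
    false reject = false negative (Type I)."""
    if accepted:
        return "true accept" if is_enrolled_user else "false accept (false positive, Type II)"
    return "false reject (false negative, Type I)" if is_enrolled_user else "true reject"


def far(impostor: Sequence[float], threshold: float) -> float:
    """False accept rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False reject rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine, impostor, thresholds=THRESHOLDS) -> Tuple[int, float]:
    """Sweep thresholds; return (threshold, CER) where FAR and FRR are closest.
    CER is reported as the mean of the two rates at that threshold."""
    best_t = min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))
    return best_t, (far(impostor, best_t) + frr(genuine, best_t)) / 2


def threshold_for_max_far(genuine, impostor, max_far: float,
                          thresholds=THRESHOLDS) -> Tuple[int, float]:
    """Lowest threshold that keeps FAR <= max_far, and the FRR that calibration costs.
    Tightening the threshold trades false accepts for false rejects."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    raise ValueError("no threshold meets the requested FAR")


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.0%} at threshold {t}")  # CER 20% at threshold 67
    t0, cost = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"FAR 0% needs threshold {t0}; FRR rises to {cost:.0%}")  # 74; 30%
    print(classify(is_enrolled_user=False, accepted=True))
```

With these scores, rejecting every impostor attempt forces the threshold high enough that three of Sally's ten genuine attempts are rejected, which is exactly the FAR-versus-FRR trade-off the CER summarises.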

Good luck with your studies.

Darril Gibson