Tuesday, May 18, 2010

Biometrics False Positive False Acceptance

I'm teaching a Security+ class this week and this topic came up again.  Here's some clarification...

Biometrics is used for authentication.  It is in the "something you are" factor. You can read about the three factors of authentication here.

However, biometrics can be calibrated for different levels of accuracy.  Two types of errors are possible.
  • False acceptance or false positive. This is when a system inaccurately identifies someone as someone else. For example, imagine that Attacker Al steals Sally's laptop. The laptop has a fingerprint scanner for authentication, registered with Sally's fingerprint. Attacker Al tries his fingerprint and it works. It accepts his fingerprint even though it shouldn't. It returns a positive match as though his fingerprint is the same as Sally's, even though this is obviously false.
  • False rejection or false negative. Now imagine that Sally has the same laptop. She has registered her fingerprint on the system. The next day she tries to use it for authentication. Unfortunately, the system rejects her fingerprint. It returns a negative match as though Sally's fingerprint isn't actually her finger, even though it's the same finger she used the day before.
The confusion for some people is in realizing that false acceptance is the same as false positive, and false rejection is the same as false negative.

Think about this. The PowerBall lottery in the U.S. wants to give you a million dollars for your winning ticket. Do you accept it? You'll probably answer with a positive answer such as "Yes" or "Absolutely." Accept is a positive response. On the other hand, reject is a negative answer. Someone may say "No," they don't want the money (though I can't imagine why not). The rejection with a "No" is a negative response.

You can overthink this, but it's as simple as this: acceptance is positive, and rejection is negative.

Interestingly, both terms are simplified. Biometric systems more technically use the following terms:
  • False reject rate (FRR).  This is commonly referred to as a Type I error, or a false rejection error.
  • False accept rate (FAR). This is commonly referred to as a Type II error, or a false acceptance error.
  • Crossover error rate (CER). This is a measurement of the point where the FRR and FAR are equal, represented as a number or a percentage. The lower the number or percentage, the more accurate the biometric system is. For example, a CER of 2 (or 2 percent) is much better than a CER of 10 (or 10 percent).
Here's an interesting article that explains FRR, FAR, and CER. It's a CISSP study article and digs a little deeper into the topic than necessary for Security+, but it may help clarify things for you.
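As an added worked example (not from the original post), here is a small Python script that computes FAR, FRR, and CER over constructed matcher scores, showing how moving the acceptance threshold trades one error for the other and where the crossover falls:

```python
"""Worked FAR / FRR / CER calculation over constructed matcher scores.

A biometric matcher returns a similarity score; the system accepts when the
score is at or above a threshold.  Raising the threshold lowers false accepts
(FAR) but raises false rejects (FRR); the crossover error rate (CER) is the
point where the two are equal.  All scores below are constructed sample data,
not measurements from any real product.
"""

# Constructed sample data: similarity scores (0-100) from attempts where the
# claimed identity was the real user (genuine) or someone else (impostor).
GENUINE_SCORES = [95, 92, 90, 88, 85, 83, 80, 78, 74, 60]
IMPOSTOR_SCORES = [20, 25, 30, 35, 40, 55, 62, 70, 75, 79]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) as percentages for a given acceptance threshold.

    FAR (Type II): impostor attempts wrongly accepted -> false positives.
    FRR (Type I):  genuine attempts wrongly rejected  -> false negatives.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    far = 100.0 * false_accepts / len(impostor)
    frr = 100.0 * false_rejects / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every candidate threshold and return (threshold, CER).

    The CER is taken at the first threshold where |FAR - FRR| is smallest;
    a lower CER means a more accurate system, as the post explains.
    """
    best = None
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[2]:
            best = (t, (far + frr) / 2, gap)
    threshold, cer, _ = best
    return threshold, cer


if __name__ == "__main__":
    for t in (50, 70, 80, 90):
        far, frr = error_rates(t)
        print(f"threshold {t:3d}: FAR {far:5.1f}%  FRR {frr:5.1f}%")
    t, cer = crossover_error_rate()
    print(f"crossover at threshold {t}: CER {cer:.1f}%")
```

With these sample scores a low threshold accepts several impostors (high FAR) and a high one rejects real users (high FRR); the sweep finds the balance point at a threshold of 75, where both errors are 20 percent.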

Good luck with your studies.

Darril Gibson

3 comments:

  1. Darril, I found it a very, very confusing problem.

    I read it again and again, not only this article but also many concepts about False Acceptance, False Positive, etc. on many pages, and have come to this conclusion:

    - FALSE POSITIVE : You think it is a problem, in fact it's NOT .
    (SOURCE : http://www.cgisecurity.com/questions/falsepositive.shtml)

    - FALSE ACCEPTANCE : for example, a system thinks attacker is legitimate, in fact it is NOT ! (SOURCE : http://www.webopedia.com/TERM/F/false_acceptance.html)
    Briefly:
    False Positive : think BAD but NORMAL
    False Acceptance : think NORMAL but BAD .

    SO : False Positive and False Acceptance are absolutely DIFFERENT ! .

    In my arrogant opinion, sorry for my bad English . Thank You .

    Long,

  2. Yes, this is confusing to many people.

    In short, you seem to be mixing the terms used with biometrics with the terms in other technical instances. In the field of biometrics, there are two terms that are important.

    Type I Error
    False rejection
    The biometric system fails to identify a valid user
    The biometric negatively identifies a valid user (false negative)

    Type II Error
    False acceptance
    The biometric system incorrectly identifies an imposter as a valid user
    The biometric system positively identifies an imposter (false positive)

    =====
    This is valid for biometrics:
    - FALSE ACCEPTANCE : for example, a system thinks attacker is legitimate, in fact it is NOT ! (SOURCE : http://www.webopedia.com/TERM/F/false_acceptance.html)
    ======

    ======
    This is not valid for biometrics, but is valid for other systems such as an IDS:
    - FALSE POSITIVE : You think it is a problem, in fact it's NOT .
    (SOURCE : http://www.cgisecurity.com/questions/falsepositive.shtml)
    ======

    A false positive in biometrics is a problem. Think of this example:

    Consider a grocery store that allows customers to register their bank cards with their fingerprint and you register your bank card. Now instead of paying with cash, you use your thumbprint and it automatically retrieves your money from your bank account to pay for your groceries.

    One day, Joe (who never registered his bank card with his fingerprint), sees someone else pay by just using her thumbprint. Joe tries it. It accepts his fingerprint. However, since Joe never registered his fingerprint, the biometric system positively identifies him as someone else (you!). Now you are paying for Joe’s groceries! Is that a problem? I say yes. This is false acceptance, or a Type II Error.

    Later that day, you attempt to buy groceries with your thumbprint. The system doesn’t recognize your thumbprint even though it is valid. This is a false rejection or a Type I error.

    HTH,

    Darril

  3. So, I can say : "FALSE POSITIVE" in Biometric is different from "FALSE POSITIVE" in IDS, right ?

    In Biometric : False Positive = False Acceptance

    In IDS : False Positive is OPPOSITE TO False Positive (in Biometric)(about its meaning)

    A little fuzzy about my question, but hope You understand :) . Thanks !
