Biometrics is an authentication mechanism that falls under the ‘something you are’ (type 3) factor. The most common biometric authentication techniques make use of personal characteristics such as fingerprint, retina scan, thumb scan, face detection, etc. The most important aspect of a biometric device is its accuracy.
There are three main performance measures in biometrics:
1. False Rejection Rate (FRR) or Type I Error (contains 1 c). Depicts the percentage of valid subjects that are falsely rejected. It implies that a genuine user was denied access to the resources.
2. False Acceptance Rate (FAR) or Type II Error (contains 2 c). Depicts the percentage of invalid subjects that are falsely accepted. It implies the number of unauthorized users to whom the system incorrectly granted access.
3. Crossover Error Rate (CER). The percentage at which the FRR equals the FAR. As a general principle, the lower the CER percentage, the more accurate the biometric system is considered to be. Also called Equal Error Rate (EER).
(Source: ISC2)
For the purpose of security, FAR (Type II) is more damaging than FRR because an unauthorized individual may gain access to the facility. Hence, given the option, we should always opt for a low FAR.
If a biometric device is too sensitive, Type I errors (FRR) are more common. When a biometric device is not sensitive enough, Type II errors (FAR) are more common.
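
An added example (not from the original page or from ISC2) that computes FRR and FAR across match thresholds, locates the CER, and shows the FRR cost of tuning for a low FAR. The scores, the 0-100 scale and the function names are constructed for illustration; a higher threshold stands in for a more sensitive device.

```python
# Constructed sample data: match scores (0-100) from a hypothetical matcher.
# GENUINE: valid subjects compared with their own reference template.
# IMPOSTOR: invalid subjects compared with someone else's template.
GENUINE = [55, 62, 68, 71, 74, 76, 78, 80, 82, 83,
           85, 86, 88, 89, 90, 91, 93, 94, 96, 98]
IMPOSTOR = [12, 18, 22, 25, 28, 31, 34, 36, 39, 41,
            44, 46, 49, 52, 55, 58, 61, 64, 69, 73]
THRESHOLDS = range(0, 101, 5)  # assumed sweep of device sensitivity settings


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) in percent when a score >= threshold is accepted."""
    frr = 100.0 * sum(s < threshold for s in genuine) / len(genuine)
    far = 100.0 * sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(thresholds=THRESHOLDS):
    """Return (threshold, FRR, FAR) where FRR and FAR are closest (the CER)."""
    def gap(t):
        frr, far = rates(t)
        return abs(frr - far)
    best = min(thresholds, key=gap)
    return (best, *rates(best))


def tune_for_far(max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR <= max_far, i.e. the least FRR cost
    for a security-first FAR target. Returns None if no threshold qualifies."""
    for t in sorted(thresholds):
        frr, far = rates(t)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    print("threshold  FRR%   FAR%")
    for t in THRESHOLDS:
        frr, far = rates(t)
        print(f"{t:9d}  {frr:5.1f}  {far:5.1f}")
    print("CER point:", crossover())
    print("FAR <= 0%:", tune_for_far(0.0))
```

On this constructed data the two rates cross at threshold 65, and pushing FAR to zero requires threshold 75, where a quarter of valid subjects are rejected.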
Effectiveness Parameters for Biometrics
Enrollment time: During the enrollment or registration phase, a unique user-provided credential, such as a fingerprint, is recorded in the authentication system for future authentication attempts. This stored sample of a biometric factor is called the reference profile or reference template. The enrollment time for a biometric system should be kept at a minimum. A low enrollment time leads to higher user acceptance.
Throughput: Throughput or processing time refers to the time taken by a biometric system to process an authentication request initiated by a user and approve or deny access. A high throughput is a factor considered during the deployment of a biometric system. Complex biometric factors take more processing time and are often not desirable.
User acceptance: A biometric system should have a high level of user acceptance. Users must be informed that the organizational resources should be protected and that the system is not intrusive.
Sample Questions:
1. Why should an organization not deploy a biometric system based on fingerprinting technology?
a. The CER value of the biometric system is very low.
b. The system demands immense overhead maintenance.
c. Authentication results are not always accurate and reliable.
d. Employees are reluctant to use a biometric system that scans their fingerprints.
2. Which characteristic of a biometric device should be considered if an organization wants to deploy a convenient authentication procedure for employees without compromising the security in the facility?
a. low FRR
b. low FAR
c. high FAR
d. high FRR