Hitoshi Kokumai
May 26, 2022

I published “Cloning — Just One Minor Issue for Biometrics” a few days ago.

I raised the issue of False Acceptance (false positive/match) and False Rejection (false negative/non-match) with respect to the probabilistic nature of biometrics that measure the unpredictably variable body features of living animals in ever changing environments.

I was given this question — “At what percentage can we be satisfied on the failure rates”?

Below is my view:

It is not the percentage that matters. What matters is Transparency and Integrity.

1. The vendors should have publicised the empirical false acceptance (false positive/match) rates with the corresponding empirical false rejection rates. ‘Empirical’ means having been measured by a third party in the actual use environment whether indoor or outdoor.

2. The vendors should have declared to the public that their biometrics products, when used with a default/fallback password against false rejection, are to be used for better convenience.

Before starting to use those products, the users should fully understand that the overall security is lower than a password-only user authentication.

Remark 1: Chances of having to rely on a default/fallback password are fewer when the false rejection rates are lower than when they are higher.

On the other hand, using the passwords less often could lead users to forget their default/fallback passwords more often or to rely on the easiest-to-guess passwords.

I do not think we can make a quick judgement of which is better than the other.

Remark 2: The view of ‘2’ is valid only for the biometrics used in cyberspace for user authentication.

The criteria could be very different for the biometrics used for forensics and other individual identification purposes (as against authentication).


Lowering the threshold for false rejection rates would only shift the problem elsewhere; it would inevitably increase the false acceptance rates, meaning that the biometrics products would be inevitably more vulnerable to cloning and spoofing, that is, the subject of the Aadhaar report.
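The two claims above, worked through as an added example (not code from the author): lowering the decision threshold trades false rejections for false acceptances, and a biometric backed by a fallback password is never harder to get past than the password alone. The match scores and the 1% password-guess probability are constructed sample values, and the two checks are assumed to fail independently.

```python
# Added illustration; every number below is a constructed sample value.
# Match scores in 0..1: higher means "more like the enrolled user".
GENUINE = [0.91, 0.84, 0.78, 0.73, 0.69, 0.62, 0.58, 0.51, 0.47, 0.40]
IMPOSTOR = [0.55, 0.49, 0.44, 0.38, 0.33, 0.29, 0.24, 0.18, 0.12, 0.07]
P_PASSWORD_GUESS = 0.01  # assumed chance of guessing the fallback password


def far(threshold):
    """False acceptance rate: impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)


def frr(threshold):
    """False rejection rate: genuine attempts scoring below threshold."""
    return sum(s < threshold for s in GENUINE) / len(GENUINE)


def attacker_success_with_fallback(threshold, p_pw=P_PASSWORD_GUESS):
    """Biometric OR password: the attacker is accepted if either check passes.
    Assumes the two checks fail independently."""
    f = far(threshold)
    return f + p_pw - f * p_pw


def sweep(thresholds):
    """One row per threshold: (threshold, FAR, FRR, attacker success with fallback)."""
    return [(t, far(t), frr(t), attacker_success_with_fallback(t)) for t in thresholds]


if __name__ == "__main__":
    print("threshold   FAR   FRR   attacker(bio OR pw)   attacker(pw only)")
    for t, fa, fr, combined in sweep([0.7, 0.6, 0.5, 0.4, 0.3]):
        print(f"{t:9.2f} {fa:5.2f} {fr:5.2f} {combined:21.4f} {P_PASSWORD_GUESS:19.4f}")
```

On these sample scores, moving the threshold from 0.7 down to 0.3 takes the false rejection rate from 0.6 to 0 while the false acceptance rate climbs from 0 to 0.5, and the combined acceptance probability for an attacker stays at or above the password-only figure at every threshold.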

