What’s Your FAR?
Security over convenience: a decision needs to be made for your biometric security devices. Do you know what decision you made?
Today’s security access systems are all progressing towards biometric verification systems, most as an ancillary means of identification, while others are putting their trust in the technology to be the sole determiner. While biometric security systems are improving, they will never be infallible. They will always require a threshold that will be used to determine the likelihood that someone is who they say they are. How that threshold is determined and set can make all the difference between a successful biometric verification system and a cumbersome, insecure process.
False Acceptance Rate (FAR)
FAR is the likelihood that the biometric security system will incorrectly match the target user with a biometric profile that does not belong to them. It is expressed as the number of false acceptances divided by the number of identification attempts. Take the example of a border control kiosk that tries to match the passport photo to the person in front of the kiosk: how likely is the system to let the wrong person through the process without flagging them as a biometric match failure? A failure of this kind defeats the purpose of your system but can occur and likely does.
False Reject Rate (FRR)
On the other side of the coin, the biometric system can incorrectly fail to match the target user with their own biometric profile. This False Reject Rate is defined as the number of false rejections divided by the number of identification attempts. While far more likely to occur with a biometric security system, this failure is likely to be an inconvenience rather than a security breach.
Most system integrators rely upon the vendor-rated performance values of their FAR and FRR scale to determine where those two values intersect. That intersection point is considered the middle ground between security and convenience. Depending on the use case scenario, some integrators will modify this threshold to improve convenience and usability while sacrificing security. For example, eGate implementations would suffer significantly if their False Accept Rate value was too low, as it would have a higher chance of rejecting near good matches, thus taking longer to perform its matches. In contrast, other systems that have longer touchpoints have more time with the individual and, therefore, can afford to use a more strict FAR value without compromising convenience and usability.
However, there’s one critical issue with all of this: those initial vendor FAR and FRR values have been tested within the vendor’s laboratories and on its own data sets, and may have little resemblance to your actual environmental conditions, hardware implementation, or user demographics. It’s critical to understand what the actual FAR and FRR values are, so that you can first identify the intersect position and then make an educated adjustment based on your system’s particular use case requirements.
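One way to measure these values from match scores collected on your own hardware and users, as an added example that is not the article's or any vendor's code. It assumes a similarity score where higher means a closer match, counts FAR over impostor attempts and FRR over genuine attempts, and uses constructed scores and a hypothetical vendor default threshold.

```python
# Added example. Scores are constructed sample data, not real measurements.
# Assumption: the matcher returns a similarity score in [0, 1] and accepts
# an attempt when score >= threshold.

# Scores from attempts by the enrolled person (should be accepted).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.58, 0.86]
# Scores from attempts by someone else (should be rejected).
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.30, 0.55, 0.70, 0.18, 0.47]
VENDOR_THRESHOLD = 0.60  # hypothetical vendor default


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) measured at one threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor):
    """Yield (threshold, FAR, FRR) for every observed score, ascending."""
    for t in sorted(set(genuine) | set(impostor)):
        yield (t, *far_frr(genuine, impostor, t))


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest: the intersection point."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def lowest_threshold_for(genuine, impostor, max_far):
    """Most convenient threshold whose measured FAR stays within max_far."""
    # FAR never rises as the threshold rises, so the first hit is the lowest.
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    return None  # no observed threshold meets the target


if __name__ == "__main__":
    print("vendor default :", far_frr(GENUINE, IMPOSTOR, VENDOR_THRESHOLD))
    print("crossover      :", crossover(GENUINE, IMPOSTOR))
    print("FAR <= 0       :", lowest_threshold_for(GENUINE, IMPOSTOR, 0.0))
```

On this sample the measured intersection sits above the vendor default, and pushing FAR to zero doubles the reject rate, which is the security versus convenience adjustment described above.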
If your vendor has not provided you with this information already, it’s probably best to start with them and ask them the simple questions of:
- What are my FAR and FRR values?
- Are you using biometric vendor-provided FAR/FRR values, or have you determined these values based on your hardware and our environmental factors and user demographics?
- Can these thresholds change over time from poor maintenance, operator error, system updates, or other means?
- How is the threshold changed, and are those changes audited and tracked easily?
These are not simple questions to answer and will likely require some effort on the part of your vendor. As in most enterprise organizations, though, a proper risk mitigation strategy would require a third-party audit. That’s why an independent biometric security audit can help provide unbiased and factual information to better understand your system and confirm that the proper oversight is in place. The last thing you need is a bad headline in the newspaper; recovery after that will be long and painful!