Android's new biometric spec for 'strong security' is anything but

Credit to Author: eschuman@thecontentfirm.com | Date: Tue, 24 Oct 2023 12:00:00 -0700
Syndicated on palada.net, 2023-10-30 (categories: Computerworld, Independent; tags: Android, Google, mobile, security, small and medium business)

Google has released new biometrics specs for Android devices, with the top-level "strong security" option requiring only "a spoof and imposter acceptance rate not higher than 7%." But most biometrics specialists say that for something to be considered "high security," that spoof and imposter acceptance rate should be closer to 1%.

That prompted me to ask Google for comment. Google replied by emailing an anonymous statement, to be attributed to nobody, that doesn't directly defend the levels it chose, but did say security decisions are ultimately up to each handset manufacturer.

"Android hardware OEMs alone choose the tier of biometric strength they implement in their products and for device unlock," Google said. "Hardware OEMs also ensure that the security of their product can meet Android Compatibility Definition Document (CDD) requirements. We are constantly working with the Android OEM ecosystem to raise the bar for user security. With a global Android OEM ecosystem, we take a balanced approach on issuing new requirements to ensure the Android OEM ecosystem can adequately prepare for and implement stricter requirements at-scale, while also ensuring requirements enable OEMs to protect users."

That would be a reasonable position had the company not created three distinct categories: Class 1 for "convenience," Class 2 for "weak" security and Class 3 for "strong security." Why not give the handset manufacturers the choice of which one to use, but make the strong security option truly strong?

Google said it "strongly recommends disclosing the biometric class of a biometric and the corresponding risk of enabling it to users for better transparency." Therein lies the problem. By labeling this level as delivering strong security, it will likely mislead users into thinking that they are far more protected than they really are.

To Google's credit, it also said "CDD requires that Android OEMs provide language in the user onboarding for any biometrics to indicate that this method of authentication is less secure than PIN, patterns and passwords." True, or it could set specifications that actually make biometrics stronger (CDD section 7.3.10, Biometric Sensors: https://source.android.com/compatibility/android-cdd#7310_biometric_sensors). Wouldn't that be the better route to take?

"This 'strong security' benchmark is laughably bad," said Jay Meier, senior vice president of North American operations for FaceTec. "To describe this benchmark as 'strong' should qualify as fraudulent. Seriously. This is what many will use in conjunction with the FIDO PassKeys. It's like Android wants to enable identity theft and cybercrime."

Google's new specs "don't align with biometric expectations and it doesn't jibe with industry best performance," said Anonybit CEO Frances Zelazny. "That is a very, very high error rate."

For enterprise CISOs, there's an even bigger issue. For several years, enterprise security has been seriously evaluating ways to move to passwordless options, a.k.a. passkeys, typically as part of a slow shift to a zero-trust environment.

Most of these involve authentication methods such as behavioral analytics, continuous authentication, FIDO hardware keys and, invariably, some form of biometrics. There are two broad ways for an enterprise to deliver biometrics: internally, through a custom-built or third-party system, or by piggybacking, where the enterprise relies on whatever biometrics are on the phone in the employee's or contractor's pocket. (Piggybacking is part of a BYOD approach.)

Piggybacking is light-years more cost-effective, as there is essentially zero biometrics cost. But it also means that the enterprise is limited to whatever the major phone makers offer. And given that both Apple and Google have leaned heavily toward convenience over security, enterprises must either build their own robust biometrics system or, candidly, treat phone biometrics as a mere convenience that doesn't meaningfully authenticate users.

That is a big problem.

Why couldn't Google have rolled out four or even five categories, and then offered a truly strong security option for OEMs to select?

Another part of the problem is how biometrics are presented. Mathematically, facial recognition sounds quite secure, given the large number of features it evaluates. But the real test of authentication accuracy is how strictly or leniently the system matches those datapoints. And because handset manufacturers are far more worried about locking out a legitimate user (a false rejection) than about letting a thief in (a false or spoof acceptance), they choose very lenient matching thresholds. That makes the number of datapoints being evaluated irrelevant.

Both Apple and Google have also pushed biometrics as supposedly more secure than a six-digit PIN. That would be valid, except that both companies fall right back to that PIN if the biometric authentication fails. In other words, a thief who wants to bypass biometrics doesn't need to defeat them at all: fail or decline the biometric check and device unlock drops back to the PIN prompt, so the biometric is never stronger than the PIN behind it. (One of the few security advantages of biometrics is that they effectively thwart shoulder-surfing, which is the top method used to steal a PIN.)

As long as IT admins and security pros internalize that consumer biometrics are solely for convenience, no harm is done. But if they opt to rely on them for authentication, things are not going to end well. And Google's new specs do very little to help.

Source: https://www.computerworld.com/article/3709200/androids-new-biometric-spec-for-strong-security-is-anything-but.html
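The enterprise "piggybacking" and PIN-fallback points above have a concrete engineering consequence for anyone building on Android's biometrics. The following is an added example, not code from the article, from Google, or from any product the article mentions. It assumes androidx.biometric 1.1 or later, minSdk 30 (for setUserAuthenticationParameters) and a FragmentActivity hosting the prompt; KEY_ALIAS, the prompt strings and the onUnlocked/onFailed callbacks are placeholders chosen for this example. It shows the three checks an app can actually make: require Class 3 through BiometricManager, leave DEVICE_CREDENTIAL out of the allowed authenticators so there is no in-app PIN path, and bind the result to a keystore key gated on AUTH_BIOMETRIC_STRONG so a bare "success" callback unlocks nothing. The caveat is the article's whole point: BIOMETRIC_STRONG only guarantees that the OEM met the CDD's Class 3 floor, and none of this touches the lock screen, where the device PIN remains the fallback.

```kotlin
// Added example (not the article's or Google's code): piggyback on the phone's
// biometrics while refusing anything below Class 3 and refusing the PIN path.
// Assumes androidx.biometric 1.1+, minSdk 30, a FragmentActivity host.

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "example_strong_bio_key" // placeholder alias

/** True only if a Class 3 (strong) sensor is present, enrolled and usable right now. */
fun hasStrongBiometric(activity: FragmentActivity): Boolean =
    BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG) ==
        BiometricManager.BIOMETRIC_SUCCESS

/**
 * AES-GCM key that the hardware keystore refuses to use unless a Class 3
 * biometric authentication authorised this specific operation (timeout 0).
 * AUTH_BIOMETRIC_STRONG alone means a PIN/pattern/password never qualifies,
 * and any new biometric enrollment permanently invalidates the key.
 */
private fun getOrCreateAuthBoundKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

/**
 * Shows the system prompt restricted to Class 3 biometrics. On success the caller
 * receives a cipher the keystore has actually authorised; anything the app protects
 * (a cached refresh token, a local credential) must go through this cipher, because
 * that is the only thing the authentication really gates.
 */
fun authenticateWithStrongBiometric(
    activity: FragmentActivity,
    onUnlocked: (Cipher) -> Unit,
    onFailed: (String) -> Unit
) {
    if (!hasStrongBiometric(activity)) {
        // Do NOT silently downgrade to BIOMETRIC_WEAK or DEVICE_CREDENTIAL here.
        onFailed("No usable Class 3 biometric on this device")
        return
    }

    // Per-operation keys let init() succeed now; doFinal() only works after the
    // prompt hands KeyMint a valid Class 3 auth token for this operation.
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
        init(Cipher.ENCRYPT_MODE, getOrCreateAuthBoundKey())
    }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock corporate session")        // placeholder text
        .setSubtitle("Class 3 biometric required")    // placeholder text
        .setAllowedAuthenticators(BIOMETRIC_STRONG)   // no DEVICE_CREDENTIAL bit
        .setNegativeButtonText("Cancel")              // required when no PIN fallback is offered
        .setConfirmationRequired(true)
        .build()

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val authorised = result.cryptoObject?.cipher
            // Check the result type and the crypto object, not just the callback firing.
            if (authorised == null ||
                result.authenticationType != BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC
            ) {
                onFailed("Success callback without a biometric-authorised cipher")
                return
            }
            onUnlocked(authorised)
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            // Covers the user pressing "Cancel"; the app never offers a PIN path of its own.
            onFailed("Biometric error $errorCode: $errString")
        }
    }

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

Call authenticateWithStrongBiometric from the activity and do the real work (wrapping a session token, decrypting a stored credential) inside onUnlocked with the cipher you are handed; if you use the key anywhere else, or accept onAuthenticationSucceeded without a crypto object, the keystore gate is bypassed and you are back to trusting a callback. Requiring BIOMETRIC_STRONG is the strictest class the platform lets an app demand; whether the sensor behind it is any better than the 7% SIAR floor is up to the OEM, exactly as the article says.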