Google is planning to upgrade the way that Android handles biometric authentication in the next version of the mobile OS, adding an API that favors strong biometrics and allows developers to build biometric authentication into their apps without relying on one specific mode.
The new BiometricPrompt API will appear in Android P, which is in beta right now, and Google engineers say that the API is designed in such a way that it does not support the use of weak biometrics. Weak biometrics, as defined by Google, are those that have a Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR) of seven percent or higher. Seven percent is about the rate for a fingerprint, which is the most popular biometric used in mobile devices right now, including many iPhone models and some Android phones.
Android has supported biometric authentication for some time, but as technology has advanced and threat models continue to change, Google has had to adapt, as well. The changes in Android P are meant to help address the changing environment while still giving users and developers the options to use the biometric modalities they choose, for the most part.
“Starting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices,” Vishwath Mohan, a security engineer at Google, wrote in a post on the new API.
“The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves.”
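The integration Mohan describes, as an added example that is not from the article or from Google: it uses the androidx.biometric support library (the article mentions only that a support library exists), restricts the prompt to strong modalities and binds the authentication to an Android Keystore key, so the data is unusable unless the keystore itself has seen a successful strong-biometric authentication. The library class names and the key alias are my assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator

// Assumed key alias (not from the article); any app-specific name works.
private const val KEY_ALIAS = "example_biometric_key"

// Creates an AES key in the Android Keystore that cannot be used until the user
// authenticates, so the biometric gate is enforced by the key, not by app logic.
fun createAuthBoundKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Prompts with strong modalities only; onResult gets IV + ciphertext, or null on failure.
fun authenticateAndEncrypt(activity: FragmentActivity, plaintext: ByteArray,
                           onResult: (ByteArray?) -> Unit) {
    val manager = BiometricManager.from(activity)
    if (manager.canAuthenticate(BIOMETRIC_STRONG) != BiometricManager.BIOMETRIC_SUCCESS) {
        onResult(null); return   // no strong biometric enrolled or available
    }
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, ks.getKey(KEY_ALIAS, null))
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // The cipher returned here has been unlocked by the keystore.
            val unlocked = result.cryptoObject?.cipher ?: return onResult(null)
            onResult(unlocked.iv + unlocked.doFinal(plaintext))
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onResult(null)
    }
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)   // the platform picks the modality
        .setNegativeButtonText("Cancel")
        .build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

Call createAuthBoundKey() once at setup, then authenticateAndEncrypt() from a FragmentActivity; decryption uses the same authentication-gated key, so a bypassed prompt yields nothing usable.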
Biometrics have gained popularity among device manufacturers for several reasons, chief among them being ease of use and security. The Touch ID sensor on iPhones and the fingerprint sensor on Android phones make it simple and quick for users to unlock their phones, and they also provide an extra layer of security beyond a simple PIN or passcode. Spoofing someone’s fingerprint is much more difficult than guessing or brute-forcing a PIN.
But not all biometrics are created equal, and Android P will be biased toward strong biometrics. Mohan said future versions of Android won’t allow weak biometrics to be used to authorize payments and will require that a user enter her PIN or passcode in addition to the biometric after four hours of inactivity.
“Biometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner,” Mohan said.
“We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner.”