I was recently asked this question…
I’m working on a project right now where my team wants to substitute passwords and usernames for biometric authentication. I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors of biometric authentication, such as facial and voice recognition. While such a system is definitely better than one form of biometric authentication only, I still believe it is more insecure than using passwords. And even if it were not, I believe it is concerning from a privacy standpoint and makes our database a prime target for hackers.
To which I replied… When evaluating any authentication solution you should consider the FAR, FRR, and CER.
FAR = False Acceptance Rate or when someone who is not an authorized user is granted access.
FRR = False Reject Rate or when an authorized user is rejected.
CER = Crossover Error Rate which is the point at which the FAR and FRR meet.
You want your FAR and FRR to both be very low. If your FAR was 1 in every 100 unique authorizations, meaning that one time in every 100 authorizations an unauthorized person was granted access, that would be 1%. Is that acceptable given the number of people using the system?
You should try to account in your design for a FAR event (unauthorized user with access) and have some other protection in place, so that leads to an MFA (multi-factor authorization) scheme.
FRR is what will truly frustrate your authorized users because they will be turned away and unable to access the system. That drives up the cost of operating the system since some additional person will have to be standing by to allow the rejected but authorized person access.
The CER or crossover rate is a way of detecting if either the FAR or the FRR is low. If either is a low number it will result in a lower CER. If you want to make sure that unauthorized users DO NOT have access and that your authorized users are not being turned away, you want to maximize your CER.
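As an added example (not part of the original question or reply), the code below computes FAR and FRR from constructed matcher scores, sweeps the acceptance threshold to find the crossover point where the two rates meet, and shows how requiring two independent biometric factors (the facial-plus-voice idea from the question) changes the combined FAR and FRR. The score lists and the independence assumption between modalities are constructed for illustration.

```python
"""FAR / FRR / crossover worked example for a score-based biometric matcher.

Constructed sample data: similarity scores in [0, 1] produced by a matcher
for genuine users and for impostors. Higher score = stronger match. The
verifier accepts a presentation when score >= threshold.
"""
from typing import List, Tuple

# Constructed match scores (not real biometric data).
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.71, 0.68, 0.64, 0.60, 0.55]
IMPOSTOR_SCORES = [0.62, 0.58, 0.51, 0.47, 0.44, 0.40, 0.35, 0.31, 0.27, 0.20]


def far(impostor: List[float], threshold: float) -> float:
    """False Acceptance Rate: fraction of impostors scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False Reject Rate: fraction of genuine users scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[float], impostor: List[float],
              steps: int = 1000) -> Tuple[float, float, float]:
    """Sweep thresholds from 0 to 1 and return (threshold, FAR, FRR) at the
    first point where |FAR - FRR| is minimal; that error rate is the CER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def combine_and(far1: float, frr1: float,
                far2: float, frr2: float) -> Tuple[float, float]:
    """Two biometric factors, both required to pass (AND rule).
    Assumes the two modalities fail independently (constructed assumption):
    an impostor must be falsely accepted by both, a genuine user is rejected
    if either factor rejects them."""
    return far1 * far2, 1 - (1 - frr1) * (1 - frr2)


if __name__ == "__main__":
    t, a, r = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"single factor: threshold={t:.3f} FAR={a:.2f} FRR={r:.2f}")
    print("two factors (AND):", combine_and(a, r, a, r))
```

Note that the AND rule drives FAR down multiplicatively while FRR rises, which is exactly the trade-off the reply describes: fewer unauthorized acceptances, more legitimate users turned away.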