Biometrics feature via BiometricPrompt API supported by Android “P”

All the smartphones and mobile devices possess some authentication mechanism to assure absolute security measures to the users. They authenticate in a way to confirm that you are only authorized to use a particular device and it belongs to you only. There are three essential factors under which these mechanism fall i.e. possession factors, knowledge factors and biometric factors that play a significant role in a mobile app development program.

Here includes some detailing kind of thing in the knowledge factors like a password or a PIN. In possession factor like things you can create a security key or generate a token. Finally, in biometric factors, you will be asked as if you are ‘you’ with taking your fingerprint, face or iris.

Today, biometric authentication mechanisms are getting immense popularity among the users and they are easy to handle as well. Biometric functioning is better than carrying a separate security key around or typing a password and they are also far away from the most common problem with the knowledge-based authentication i.e. the shoulder surfing risk.

As an increased number of devices are incorporating the biometric authentication for the security of user’s private information, professional app developers are improving on this kind of authentication technique in Android P with taking following steps:

· Involving a better structure for measuring levels of biometric security and utilizing it for constraining functionally, weaker methods of authentication.

· Assuring provision for an entry point provided as a common platform for the developers for the integration of the biometric authentication into their Android mobile app.

An Enhanced Model for Biometrics Security

The machine learning (ML) features bring forward two metrics to enhance the performance of the biometric unlocks today and they are False Accept Rate and False Reject Rate.

The FAR in the case of biometrics measures how far a false user can be recognized as a legitimate owner of the device , whereas the FRR denotes how often a legitimate user is recognized as an incorrect one for owning the device. The role of biometric models is very important in this case. The primary concern here remains with the security of the app as well as device; the second one is the usability problem.

Image Courtesy:

However, when the Android App Development professionals have applied the machine learning to random input samples, both the metrics perform really great to measure the precision or accuracy of a given machine learning model. As none of the metrics behave like an active striker as a part of this threatening model, they hardly provide any information about its capacity to recover quickly against attacks.

There are two new metrics included in Android 8.1 that is more helpful to keep the attackers away in the threat model. They are:

· Imposter Accept Rate (IAP)

· Spoof Accept Rate (SAR)

As the name depicts, these metrics are highly capable of measuring an easy attack that can bypass the scheme of biometric authentication. A well-known recording comes under Spoofing including replay of a voice record or use fingerprint picture or face.

Biometrics — Strong and Weak

Rich skilled Android app development professionals at Kunsh Technologies use SAR/IAR metrics for categorizing biometric mechanism for authorization as either strong or weak. Biometric mechanism for authentication with 7% or lower SAR/IAR is strong and above 7% is weak. This is because majority of fingerprint implementation comprising of 7% of SAR/IAR metric bring this to a perfect standard to begin with for some other modalities as well. With the improvements in the biometric sensors and classification methods, the future may experience a potential decrease in the threshold.

The binary classification covers a bit of oversimplification of the security range provided by different implementations. However, it facilitates us with a scalable mechanism using the tiered authentication model to scope the capabilities and constraints of diverse biometric implementations in the system most appropriately, depending upon the level of risk they show.

BiometricPrompt API

In Android P platform, the BiometricPrompt API can be used by the professional app developers for the integration of the biometric authentication in their apps in a device and a way to biometric agnostic. The role of BiometricPrompt is just to display strong modalties. Hence, the android developers can remain assured of a consistent security level across different devices where their app runs. The devices are also provided a support library running Android O and before that, the apps are allowed to use the benefits of this API across more devices.

In a BiometricPrompt’s high-level architecture, the API intends to be used easily, permitting the platform to choose an appropriate biometric for authenticating with rather than forcing the android app developer to use this logic by themselves.


The potentials of biometrics are based on both strengthening as well as simplifying the way we authenticate our digital identity, but only if they are securely designed, accurately measured and implemented in a secretly preserving manner.

Our aim remains with letting Android work across all the three security factors. Hence, we rely over the secure design principles and use an enhanced attacker-secure methodology along with an easy-to-use biometrics API that permits the developers in integrating authentication in a consistent, simple and safe manner.