Biometric Insights

How can your fingerprint data be as secure as your 4-digit PIN?

As for all biometric systems, the quality of a biometric smart card is based on two characteristics: False Rejection Rate (FRR) and False Acceptance Rate (FAR).

The False Rejection Rate represents the number of times the authorized user of the card will not be granted access. The FRR gives a statistical indication of how many times out of 100 fingerprint verifications will the card refuse user access. This figure is usually given as a percentage value; the lower it is, the more convenient it is to use the card.

The False Acceptance Rate is related to the security of the biometric authentication algorithm. The FAR provides a statistical indication of how likely it is that two people can access the card, that is to say the card cannot differentiate two different fingerprints. Typically, this figure is expressed as a fraction, for example:

• FAR = 10^-4 = 1/10,000: One out of 10,000 will two different fingerprints match, or
• FAR = 10^-6 = 1/1,000,000: One will try one million different fingerprints to find one that matches a given one.

Ideally, the biometric system should have 0% FRR and 0% FAR, however such system doesn’t exist at all. The higher the figures are, the longer the matching calculations take, and the greater the powers are needed. Therefore, compromise has to be made particularly in the context of a contactless biometric smart card that is 100% powered by the field.

With this in mind, what is the perfect compromise then? Given that many smart cards are secured with 4-digit PIN, it is easy to calculate the FAR figure that will provide the same level of protection as that of a biometric card:

• Q: What is the probability that one will guess the 1-digit number? 
  A: 1/10 = 10^-1 
   
• Q: How about guessing the 2-digit decimal number at the same time? 
  A: 10^-1 x 10^-1 = 10^-2 = 1/100
   
• Q: Or guessing the 4-digit-decimal number all at once? 
  A: 10^-1 x 10^-1 x 10^-1 x 10^-1 = 10^-4 = 1/10,000