Using Biometrics to Replace Passwords

I was recently asked this question about biometrics replacing passwords…

I’m working on a project right now where my team wants to substitute passwords and usernames for biometric authentication. I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors of biometric authentication, such as facial and voice recognition. While such a system is definitely better than one form of biometric authentication only, I still believe it is more insecure than using passwords. And even if it were not, I believe it is concerning from a privacy standpoint and makes our database a prime target for hackers.

To which I replied… While biometrics can’t completely replace passwords right now, they can greatly improve authentication security. When evaluating any authentication solution you should consider the False Acceptance Rate (FAR), the False Reject Rate (FRR), and the Crossover Error Rate (CER).

  • FAR = False Acceptance Rate: the rate at which someone who is not an authorized user is granted access.
  • FRR = False Reject Rate: the rate at which an authorized user is rejected.
  • CER = Crossover Error Rate: the point at which the FAR and FRR curves meet as the matching threshold is varied.

You want your FAR and FRR to both be as low as possible. Suppose your FAR was 1 in every 100 unique authentications, meaning that once in every 100 authentications an unauthorized person was granted access; that is a 1% FAR. Is that acceptable given the number of people using the system?

[Figure: calculating a biometric crossover error rate (CER) from the false positive (FAR) and false negative (FRR) rates.]
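As an added illustration of the FAR/FRR/CER definitions above (not from the original post), here is how a practitioner would sweep a matcher's decision threshold over sample scores and locate the crossover point. The match scores are constructed for the example; a real system would take them from the vendor's matcher.

```python
"""Sweep a match-score threshold to compute FAR, FRR and the crossover error rate (CER)."""
from typing import List, Tuple

# Constructed sample similarity scores (0.0 to 1.0) from a hypothetical matcher.
# Genuine = authorized users matched against their own template; impostor = anyone else.
GENUINE_SCORES: List[float] = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60, 0.55]
IMPOSTOR_SCORES: List[float] = [0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.62, 0.68, 0.72]


def far_frr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) when a score >= threshold is treated as a match.

    FAR: share of impostor attempts wrongly accepted (score >= threshold).
    FRR: share of genuine attempts wrongly rejected (score < threshold).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Try every observed score as a threshold and return (threshold, CER).

    Raising the threshold lowers FAR but raises FRR, so the curves cross once;
    CER is the error rate at the threshold where FAR and FRR are closest.
    """
    best_t, best_gap, best_rate = 0.0, float("inf"), 1.0
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def expected_false_accepts(far: float, attempts: int) -> float:
    """Expected number of unauthorized logins accepted over `attempts` impostor attempts."""
    return far * attempts


if __name__ == "__main__":
    for t in (0.55, 0.68, 0.80):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER={cer:.0%} at threshold {t:.2f}")
    # The post's 1-in-100 FAR, scaled to 10,000 impostor attempts:
    print(f"FAR 1% over 10,000 attempts -> {expected_false_accepts(0.01, 10_000):.0f} bad logins")
```

Vendors usually quote FAR and FRR at a fixed threshold; sweeping it yourself shows how far you can push FAR down before FRR locks out legitimate users.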

To learn more about biometric based authentication and other best practices for improving information security see the latest NIST Cybersecurity Framework (v2.0).