Accuracy Limits as a Barrier to Biometric System Security
Axel Durbet, Paul-Marie Grollemund, Pascal Lafourcade, Kevin Thiry-Atighehchi
TL;DR
The paper investigates biometric security through the lens of the false match rate $FMR$, analyzing how untargeted attacks and the biometric birthday problem constrain scalable, secure deployments. It develops a parameter-driven framework using the empirical $\overline{FMR}$ and its confidence interval to derive the critical population $N$ and the critical $\overline{FMR}$ needed to bound impersonation and collisions, including both approximate and exact formulations. Numerical results show that contemporary systems with $\overline{FMR} \approx 10^{-6}$ offer only modest security (roughly 20 bits) against untargeted attacks, while securing billions of users would require unrealistically low $\overline{FMR}$ (as low as $10^{-45}$). The authors propose practical design directions—such as zero-knowledge authentication, higher biometric entropy, and robust template protection—to raise security margins and provide analytic tools for system designers facing large-scale biometric deployments.
Abstract
Biometric systems are widely used to establish identity in two modes: authentication (i.e., one-to-one matching to verify a claimed identity) and identification (i.e., one-to-many matching to find a subject in a database). The matching process relies on measuring similarities or dissimilarities between a fresh biometric template and enrolled templates. The False Match Rate (FMR) is a key metric for assessing the accuracy and reliability of such systems. This paper analyzes biometric systems based on their FMR, with two main contributions. First, we explore untargeted attacks, in which an adversary aims to impersonate any user in a database rather than a specific one. We determine the number of trials an attacker needs to successfully impersonate some user and derive the critical population size (i.e., the maximum number of users the database may hold) that maintains a given level of security. We also compute the critical FMR value needed to resist untargeted attacks as the database size increases. Second, we revisit the biometric birthday problem to evaluate the approximate and exact probabilities that two users in a database collide (i.e., can impersonate each other). From this analysis, we derive both the approximate critical population size and the critical FMR value needed to bound the likelihood of such collisions to a given probability. These thresholds offer guidance for designing systems that mitigate the risk of impersonation and collisions, particularly in large-scale biometric databases. Our findings indicate that current biometric systems do not deliver sufficient accuracy to achieve an adequate security level against untargeted attacks, even in small-scale databases. Moreover, state-of-the-art systems face significant challenges with the biometric birthday problem, especially as database sizes grow.
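To make the quantities in the TL;DR and abstract concrete, the following script is an added worked example, not code from the paper or its authors. It computes the untargeted-attack security level, the critical population size and critical FMR, and the biometric birthday collision probability under the textbook independence approximation (each impostor comparison matches independently with probability FMR); the paper's exact formulations may differ. The Wilson score bound used to turn an empirical FMR measurement into an upper confidence bound is our choice of interval, not necessarily the paper's, and the function names and the sample evaluation figure (0 false matches in 10^6 impostor comparisons) are constructed for illustration.

```python
"""Security margins implied by a biometric system's false match rate (FMR).

Added example, not from the paper. Assumes the standard independence model
(each impostor comparison is a false match with probability FMR, independently),
i.e. the approximate formulation. The Wilson score bound is our choice of
confidence interval for the empirical FMR, not necessarily the paper's.
"""
import math


def fmr_upper_bound(false_matches, comparisons, z=1.96):
    """Wilson score upper bound on FMR from m false matches in n impostor
    comparisons (z=1.96 gives a 95% interval). With m=0 this is ~z^2/n, so a
    million clean impostor trials still cannot certify an FMR below ~4e-6."""
    n = comparisons
    p_hat = false_matches / n
    centre = p_hat + z * z / (2 * n)
    half = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n))
    return (centre + half) / (1 + z * z / n)


def untargeted_success_probability(fmr, n_users, trials=1):
    """P[at least one of `trials` presentations falsely matches any of the
    n_users enrolled templates]. log1p/expm1 keep tiny FMRs from underflowing."""
    comparisons = n_users * trials
    return -math.expm1(comparisons * math.log1p(-fmr))


def untargeted_security_bits(fmr, n_users):
    """log2 of the expected number of trials before the first false match
    against a database of n_users, i.e. log2(1/(N*FMR)). Each doubling of
    the population costs one bit of security."""
    return -math.log2(n_users * fmr)


def critical_population_untargeted(fmr, security_bits):
    """Largest N whose untargeted security still reaches `security_bits`."""
    return math.floor(2.0 ** (-security_bits) / fmr)


def critical_fmr_untargeted(n_users, security_bits):
    """FMR required so that N users still enjoy `security_bits` of security."""
    return 2.0 ** (-security_bits) / n_users


def collision_probability(fmr, n_users):
    """Biometric birthday problem: probability that some pair among the
    C(N,2) user pairs falsely matches, treating pairwise matches as independent."""
    pairs = n_users * (n_users - 1) // 2
    return -math.expm1(pairs * math.log1p(-fmr))


def critical_population_collision(fmr, p_max):
    """Largest N with collision_probability(fmr, N) <= p_max, obtained by
    solving N(N-1)/2 * (-ln(1-FMR)) <= -ln(1-p_max) for N."""
    budget = math.log1p(-p_max) / math.log1p(-fmr)  # allowed number of pairs
    return math.floor((1 + math.sqrt(1 + 8 * budget)) / 2)


def critical_fmr_collision(n_users, p_max):
    """FMR at which a population of n_users collides with probability p_max."""
    pairs = n_users * (n_users - 1) // 2
    return -math.expm1(math.log1p(-p_max) / pairs)


if __name__ == "__main__":
    fmr = 1e-6  # roughly a contemporary system, as in the paper's headline figure
    print(f"FMR={fmr:g}: {untargeted_security_bits(fmr, 1):.1f} bits against one "
          f"user, {untargeted_security_bits(fmr, 10**6):.1f} bits against a million")
    print("max users keeping 10 bits of untargeted security:",
          critical_population_untargeted(fmr, 10))
    print("max users before P[collision] exceeds 1/2:",
          critical_population_collision(fmr, 0.5))
    for n in (10**3, 10**6, 8 * 10**9):
        print(f"N={n:>14,}: need FMR <= {critical_fmr_collision(n, 0.5):.2e} for "
              f"P[collision] <= 1/2, <= {critical_fmr_untargeted(n, 128):.2e} "
              f"for 128-bit untargeted security")
    # constructed evaluation result: zero false matches in 1e6 impostor trials
    print("95% upper bound on FMR after 0 false matches in 1e6 trials:",
          f"{fmr_upper_bound(0, 10**6):.2e}")
```

Two things the numbers make visible: at $\overline{FMR} = 10^{-6}$ a single-target attack faces about 20 bits, and the untargeted variant loses one bit for every doubling of the enrolled population; and an evaluation that observes zero false matches over a million impostor comparisons still only bounds the FMR near $4 \cdot 10^{-6}$, so the critical values these functions produce should be fed the upper end of the confidence interval, not the point estimate.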
