Level of security

Uncompromised and documented security


Requirements

In quality-critical applications, the level of security cannot be compromised.

Security-focused applications such as government ID and financial-inclusion payments typically require a security level of less than 1 false acceptance in 100,000 finger attempts. In such markets, true False Acceptance Rates (FARs) must be documented in credible, real-life, mass-market testing regimes. In Indian government programs, both security and convenience levels are tested by the authorities in harsh-environment Class 3 tests involving more than 5,000 people. Passing such tests is required to be allowed access to Aadhaar, the world's largest biometric scheme, with more than 1.2 billion people now enrolled.

By laws of nature, level of security and level of convenience are opposing forces. A reduced level of security provides a higher level of convenience. Changing system parameters to decrease the False Acceptance Rate (FAR) will consequently increase the False Rejection Rate (FRR). This means that high levels of security and high levels of convenience can only be balanced with a large sensor.
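The trade-off above, and what it takes statistically to document a FAR of 1 in 100,000, as an added example (not NEXT's code or test data). The scores are constructed, the function names are hypothetical, and the confidence bound assumes independent impostor attempts.

```python
import math

# Constructed match scores (higher = better match); not data from any real sensor.
GENUINE = [0.91, 0.88, 0.74, 0.69, 0.95, 0.58, 0.83, 0.77, 0.62, 0.97]
IMPOSTOR = [0.12, 0.31, 0.05, 0.44, 0.27, 0.60, 0.18, 0.52, 0.09, 0.36]

def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) when a comparison is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def threshold_for_far(genuine, impostor, target_far):
    """Lowest threshold whose measured FAR meets target_far: (threshold, FAR, FRR)."""
    for t in sorted(set(genuine) | set(impostor)) + [math.inf]:
        far, frr = error_rates(genuine, impostor, t)
        if far <= target_far:
            return t, far, frr

def _binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), each term computed in log space."""
    return sum(math.exp(math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                        + i * math.log(p) + (n - i) * math.log1p(-p))
               for i in range(k + 1))

def far_upper_bound(false_accepts, attempts, confidence=0.95):
    """One-sided Clopper-Pearson upper bound on the true FAR."""
    if false_accepts >= attempts:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(200):  # bisection on the unknown true FAR
        mid = (lo + hi) / 2
        if _binom_cdf(false_accepts, attempts, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi

def attempts_needed(target_far, confidence=0.95):
    """Impostor attempts with zero false accepts needed to bound FAR below target_far."""
    return math.ceil(math.log(1 - confidence) / math.log1p(-target_far))

if __name__ == "__main__":
    for target in (0.1, 0.0):  # tightening the FAR target raises the FRR
        print("target FAR", target, "->", threshold_for_far(GENUINE, IMPOSTOR, target))
    print("attempts needed for 1 in 100,000:", attempts_needed(1e-5))
    print("95% bound after 0 false accepts in 100,000:", far_upper_bound(0, 100_000))
```

Zero false accepts in 100,000 attempts only bounds the true FAR at about 3 in 100,000 with 95% confidence, which is why the size of the test population matters.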

 

 

In some convenience-focused applications like retail banking and access control, the security level may be somewhat compromised to increase convenience. However, in payments and access control the consequences of false acceptances may still be severe. Such segments also require proper documentation of actual real-life performance.

In other convenience-focused applications like smartphones and consumer notebooks, the consequence of a false acceptance will typically be insignificant. Such PIN-code or password-driven applications are already vulnerable to illegitimate access. Security may therefore be compromised, and proper tests of true error rates are rarely conducted.

Required security levels & testing regimes per segment

The required levels of security and testing will vary segment by segment.

| Application | Security level | Testing regime requirement |
| --- | --- | --- |
| Cards – Financial Inclusion | 1 in 100 k (recommended) | Class 3 |
| Cards – Retail banking | 1 in 10-50 k (recommended) | Class 2 |
| Cards – Government ID | 1 in 100 k (recommended) | Class 3 |
| Cards – Corporate Access | 1 in 10-100 k (application dependent) | Class 2 |
| Cards – Niches | 1 in 10-100 k (application dependent) | Class 2 |
| Government ID | 1 in 100 k | Class 3 |
| Government ID India | 1 in 100 k | Testing by the authorities; certification mandatory |
| Access Control – Devices | 1 in 10 to 100 k | Class 2 / Class 3 |
| Notebooks – Commercial | 1 in 10 k (typical) | Class 1 or Class 2 |
| Notebooks – Consumers | Not focused | Class 1 / No FAR testing |
| Smartphones | Not focused | Class 1 / No FAR testing |

 

Read more about uncompromised and documented security here: Highlights from the Madrid Report

 

Test reports
Only independent third-party tests with a large user group and strong methodology yield credible real-life results of error rates
Openness
NEXT uniquely publishes results of third party tests