Google is looking for ways to improve the biometric-based authentication features of Android P, its upcoming OS. To do this, it is taking two major steps:
First, Google has defined a better model to measure biometric security and constrain weaker authentication methods. Second, it is providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.
Google has combined secure design principles, a more attacker-aware measurement methodology, and an easy-to-use BiometricPrompt API that lets developers integrate authentication in their devices in a simple manner.
Currently, biometric models quantify performance using two machine-learning-inspired metrics: False Accept Rate (FAR) and False Reject Rate (FRR). Both metrics do a great job of measuring the accuracy and precision of a given biometric model. However, they do not provide very useful information about its resilience against attacks.
In Android 8.1, Google introduced two new metrics, Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR), to measure how easily an attacker can bypass a biometric authentication scheme. The SAR/IAR metrics categorize biometric authentication mechanisms as either strong or weak.
While both strong and weak biometrics were allowed to unlock a device, weak biometrics did not allow app developers to securely authenticate users on a device in a modality-agnostic way. This was what inspired the development of a biometric authentication API.
With Android P, mobile developers can use the BiometricPrompt API to integrate biometric authentication into their apps. Because BiometricPrompt only exposes strong modalities, developers can be assured of a consistent level of security across all devices their application runs on.
The API is automated and easy to use. Instead of forcing app developers to implement biometric logic, the platform automatically selects an appropriate biometric to authenticate. For devices running Android O and earlier, a support library is provided that allows applications to use this API across other devices.
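As an added illustration (not code from the article or from Google), the sketch below shows how an app could call the Android P framework BiometricPrompt without naming any modality. It goes one step beyond the text by tying the prompt to an Android Keystore key through a CryptoObject, so that success is enforced by the keystore rather than by a callback alone. The class name, KEY_ALIAS and the UI strings are hypothetical.

```java
// Added example: Android P (API 28) framework classes only.
// Requires the USE_BIOMETRIC permission in the app manifest.
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public final class BiometricSigner {
    private static final String KEY_ALIAS = "example_auth_key"; // hypothetical alias

    /** One-time setup: a signing key that stays locked until the user authenticates. */
    public static void createKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true) // key use is gated on authentication
                .build());
        kpg.generateKeyPair();
    }

    /** Shows the platform prompt; on success the callback receives the unlocked Signature. */
    public static CancellationSignal authenticate(
            Context ctx, BiometricPrompt.AuthenticationCallback cb) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null));

        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm it's you")
                .setNegativeButton("Cancel", ctx.getMainExecutor(), (dialog, which) -> { })
                .build();
        CancellationSignal cancel = new CancellationSignal();
        // No modality is chosen here: the platform picks the biometric and draws the UI.
        prompt.authenticate(new BiometricPrompt.CryptoObject(sig), cancel,
                ctx.getMainExecutor(), cb);
        return cancel;
    }
}
```

In `onAuthenticationSucceeded`, the app would take `result.getCryptoObject().getSignature()` and sign a server-issued challenge, which the server verifies against the public key registered at enrollment.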
Further details on BiometricPrompt API are available on the Android developer blog.