Biometrics & Password
False Acceptance, False Rejection and Threshold
Not a few people talk about FAR (False Acceptance Rate) and FRR
(False Rejection Rate) as if these two variables were independent of each
other.
A graph (*1) below shows the FAR and FRR of two biometrics products - one
relatively more accurate and the other less accurate.
What this graph indicates is, firstly, that FAR and FRR are not
independent variables but are dependent on each other.
A FAR could be fixed only against a certain FRR, i.e., both variables can be
positioned only at the same single point on the same single curve. In other
words, the couple of a FAR and a FRR can exist only in a certain
combination.
Secondly, it also indicates that the lower a FAR is, the higher the
corresponding FRR is. The lower a FRR, the higher the corresponding
FAR. That is, FAR and FRR are not just mutually dependent but are in a
trade-off relation.
The level of FAR that rejects a twin would have to bring a level of FRR
that rejects the registered user very frequently. The level of FRR that
eliminates the need for a fallback means would have to bring a level of
FAR that accepts nearly anyone.
Thirdly, it also indicates that the more accurate the biometric sensor
becomes (the lower its Equal Error Rate becomes), the further the curve
moves downwards/leftwards in this graph. But when the FAR is 0 (zero), the
corresponding FRR still remains close to 1 (one), and when the FRR is 0 (zero),
the corresponding FAR remains close to 1 (one).
(*1) Graph: FAR against FRR for two biometrics products, one more accurate and one less accurate.
(*2) Graph: FAR and FRR as the acceptance threshold is moved.
Another graph (*2) helps us to grasp how FAR and FRR are mutually
dependent and also in a trade-off relation.
Move the threshold to the right (more strict) and we would see the
combination of a lower FAR and a higher FRR. Moving it to the left (more
lenient), the outcome would be the combination of a higher FAR and a lower
FRR.
The presence of false rejection, however close to 0 (zero) the rate might be,
requires a fallback means against the false rejection. When a
password is used as the fallback means, the overall security is lower than
that of password-alone authentication (*3). It must be noted that what is
improved over password-alone authentication is convenience, not
security.
*3 Short Video
- Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
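As an added illustration (not part of the original slides), the Python below sweeps an acceptance threshold over constructed genuine and impostor match scores for two hypothetical sensors and tabulates the FAR/FRR pair at each threshold, the EER, and the FRR paid at the first zero-FAR point. The score distributions and their parameters are assumptions made for the example.

```python
import random


def constructed_scores(n=4000, genuine_mu=0.70, impostor_mu=0.35, sigma=0.13, seed=7):
    """Constructed sample data (not measurements): genuine presentations score
    around genuine_mu, impostor presentations around impostor_mu, both with
    Gaussian spread sigma. The overlap of the two is what forces the trade-off."""
    rng = random.Random(seed)
    genuine = [rng.gauss(genuine_mu, sigma) for _ in range(n)]
    impostor = [rng.gauss(impostor_mu, sigma) for _ in range(n)]
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """Decision rule: accept iff score >= threshold.
    FAR = accepted impostors / impostors; FRR = rejected genuine / genuine."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=20):
    """One (threshold, FAR, FRR) point per threshold from the lowest to the
    highest observed score. Raising the threshold (moving it 'to the right',
    stricter) can only shrink the accepted set: FAR falls and FRR rises."""
    scores = genuine + impostor
    lo, hi = min(scores), max(scores)
    points = []
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        far, frr = far_frr(genuine, impostor, t)
        points.append((t, far, frr))
    return points


def is_trade_off(points):
    """True if FAR never increases and FRR never decreases along the sweep."""
    return all(a[1] >= b[1] and a[2] <= b[2] for a, b in zip(points, points[1:]))


def equal_error_rate(points):
    """Operating point where FAR and FRR are closest; returns (threshold, EER)."""
    t, far, frr = min(points, key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def frr_at_zero_far(points):
    """FRR paid at the most lenient threshold that still gives FAR == 0."""
    zero_far = [p for p in points if p[1] == 0.0]
    return min(zero_far)[2] if zero_far else None


def main():
    # Two constructed 'products': the second has noisier scores, i.e. is less accurate.
    for label, sigma in (("accurate sensor", 0.13), ("less accurate sensor", 0.22)):
        pts = sweep(*constructed_scores(sigma=sigma))
        print(f"--- {label} ---")
        for t, far, frr in pts:
            print(f"  threshold {t:6.3f}  FAR {far:.4f}  FRR {frr:.4f}")
        print("  EER (threshold, rate):", equal_error_rate(pts))
        print("  FRR at the first FAR == 0 point:", frr_at_zero_far(pts))


if __name__ == "__main__":
    main()
```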
< Related Articles >
- P3 Clues to Unravelling Conundrums
- P5 Deployment of Biometrics and Password
- P7 Mix up “Unique” with “Secret” and “Identification”
- P8 iPhone X Face ID
Clues to Unravelling Conundrums
- Biometrics deployed ‘in parallel’ as against ‘in series’
In my earlier writing “Truth does not matter in infosec?” I wrote as follows:
--------
So long as the biometrics is backed up by a fallback password, irrespective of which are
more accurate than the others, its security is lower than that of a password-only
authentication.
Then, we have to wonder why and how the biometrics has been touted as a
security-enhancing tool for so long, with so many security professionals being silent
about the fact.
---------
It appears that we may have got some clues to this conundrum. We had a chance to look
at a document produced by NIAP (National Information Assurance Partnership), in
which ‘hybrid biometrics authentication’ was discussed.
The biometrics advocates got a NIAP committee to positively evaluate the hybrid
(two-factor) deployment of biometrics and passwords by just talking about the 'in series'
deployments. Then, the concept that the hybrid biometrics authentications provide good
security was solidly established with authority. There may have been some more similar
cases.
On the other hand, a number of biometrics vendors put on the market the biometrics
products, which are deployed 'in parallel', without referring, knowingly or unknowingly,
to the difference between the 'in parallel' deployments and the 'in series' deployments. I
would not like to suspect that there were choreographers for it. I assume that it might
well have happened due to lack of good communication and misunderstanding among
the people concerned.
The outcome was a number of misguided security professionals and tech media
spreading the misguiding information on a gigantic scale. We are now witnessing such
a worrying situation that a number of financial institutions are adopting the 'in parallel'
hybrid biometrics for the applications for which they say they require the level of
security higher than the password. It is defeating the purpose.
Well, I am not happy with this uncomfortable hypothesis. I would appreciate it if
someone could let me know the presence of different materials that might lead us to
different observations.
I would also welcome any information on whether the publicized FAR and FRR are
empirical or theoretical and how they are measured, monitored or calculated.
<Remarks>
‘in series’ deployment = both to pass, And/Conjunction
‘in parallel’ deployment = either to pass, Or/Disjunction
Deployment of Biometrics and Password
- NIST Digital Identity Guidelines SP 800-63B
It seems that the biometrics guidelines in SP 800-63B (*1) are basically made of two key
segments.
(A) Biometrics now needs to be used together with a physical factor (something you
have) 'IN SERIES' in view of its inherent vulnerabilities (*2)
(B) When users get falsely rejected, ‘a physical authenticator PLUS <other biometrics
OR password>' could be deployed 'IN SERIES' (*3)
And, (A) and (B) are to be deployed 'IN PARALLEL' (*3). Their collective vulnerability is
the sum of the vulnerability of (A = biometrics PLUS physical authenticator) and that of (B
= physical authenticator PLUS <other biometrics OR password>), which is larger than that
of A alone and also of B alone. As such, we could assume that, in the NIST guidelines, the
physical authenticator is the star, with biometrics and password playing an auxiliary,
interchangeable role.
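Added example, not from the slides or from NIST: a small model that computes the false-acceptance probability of an authentication policy composed 'in series' (AND, both must pass) and 'in parallel' (OR, either suffices), applied to the fallback-password case discussed earlier and to the (A)/(B) arrangement above. The per-factor probabilities are constructed, and the factors are assumed to fail independently of one another.

```python
from itertools import product

# Constructed per-factor probabilities that an attacker passes a factor in one
# attempt. Illustrative assumptions for the model, not measured figures.
FACTORS = {
    "biometric": 1e-4,    # a vendor-style FAR, quoted without its FRR
    "biometric2": 1e-4,   # a second modality offered after false rejection
    "password": 1e-6,     # per-attempt guess probability (constructed)
    "physical": 1e-3,     # attacker holds or clones the physical authenticator
}

# Policies as nested tuples: a factor name, or ("and", ...) / ("or", ...).
# "and" is the slides' 'in series' (all must pass); "or" is 'in parallel'.
PASSWORD_ALONE = "password"
BIOMETRIC_WITH_FALLBACK = ("or", "biometric", "password")
PHYSICAL_AND_PASSWORD = ("and", "physical", "password")
NIST_A = ("and", "physical", "biometric")
NIST_B = ("and", "physical", ("or", "biometric2", "password"))
NIST_A_OR_B = ("or", NIST_A, NIST_B)


def passes(policy, passed):
    """Does the policy accept when exactly the factors in `passed` were passed?"""
    if isinstance(policy, str):
        return policy in passed
    op, *parts = policy
    results = [passes(p, passed) for p in parts]
    return all(results) if op == "and" else any(results)


def false_accept(policy, factors=FACTORS):
    """Exact false-acceptance probability under independent per-factor passes.
    Enumerating every pass/fail outcome (rather than multiplying branch
    probabilities) counts a factor shared by several branches, such as the one
    physical authenticator in both NIST routes, exactly once."""
    names = list(factors)
    total = 0.0
    for outcome in product((False, True), repeat=len(names)):
        prob = 1.0
        passed = set()
        for name, ok in zip(names, outcome):
            prob *= factors[name] if ok else 1.0 - factors[name]
            if ok:
                passed.add(name)
        if passes(policy, passed):
            total += prob
    return total


def main():
    rows = [
        ("password alone", PASSWORD_ALONE),
        ("biometric OR fallback password (in parallel)", BIOMETRIC_WITH_FALLBACK),
        ("physical AND password (in series)", PHYSICAL_AND_PASSWORD),
        ("NIST (A): physical AND biometric", NIST_A),
        ("NIST (B): physical AND (biometric2 OR password)", NIST_B),
        ("NIST (A) OR (B)", NIST_A_OR_B),
    ]
    for label, policy in rows:
        print(f"{label:50s} P(false accept) = {false_accept(policy):.3e}")


if __name__ == "__main__":
    main()
```

The OR of two routes is bounded above by the sum of their individual probabilities and below by the larger of the two, so an 'in parallel' fallback can never make the whole more secure than its weakest route.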
It is good to see that NIST no longer allows the use of biometrics with only a fallback
password used ‘IN PARALLEL’. But it is worrying that NIST still allows a route of
passwordless authentication with no user's volition, which could make a threat to
democracy. The principle of citizens placing their sensitive information under their own
control could be eroded. The route of allowing unconscious people to get authenticated
unknowingly should be precluded.
Incidentally, I am still not certain what users are expected to do when they forget to
carry the physical authenticator with them. It would certainly be safe to simply lock out,
though very inconvenient. Should a route of fallback password (used 'IN PARALLEL') be
provided, the overall security would be lower than that of the fallback password alone,
rendering the costs of involving physical authenticators and biometrics utterly
meaningless.
And, more fundamentally, when 'a physical authenticator PLUS password' is less
complicated, less costly and more secure than 'a physical authenticator PLUS
<password OR biometrics>', I wonder where there is a merit of involving the
problem-ridden biometrics. We could not forget that the password is crucially required
in any case.
Readers’ opinions on this hypothesis would be very much appreciated.
………………………………..
*1 Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html
*2 Clause 5.2.3 reads "Biometrics SHALL be used only as part of multi-factor
authentication with a physical authenticator (something you have)."
*3 and also “Once that limit (of rejection) has been reached, the biometric authenticator
SHALL either:
• Impose a delay of at least 30 seconds before the next attempt, increasing
exponentially with each successive attempt (e.g., 1 minute before the following failed
attempt, 2 minutes before the second following attempt), or
• Disable the biometric user authentication and offer another factor (e.g., a different
biometric modality or a PIN/Passcode if it is not already a required factor) if such an
alternative method is already available.”
<Remarks>
‘in series’ deployment = both to pass, And/Conjunction
‘in parallel’ deployment = either to pass, Or/Disjunction
Mix up “Unique” with “Secret” and
we would confuse “Identification” with “Authentication”
Biometrics follows “unique” features of individuals’ bodies and behaviors. It means
that it could be well used when deployed for identification of individuals who may be
conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this
sphere.
Being “unique” is different from being “secret”, however. It would be a misuse of
biometrics if deployed for security of the identity authentication of individuals.
Confusing “Identification” with “Authentication”, we would be building a sandcastle in
which people are trapped in a nefarious false sense of security. However gigantic and
grandiose it may look, the sandcastle could melt away altogether when we have a heavy
storm.
And, the storm will come. The question is not “if”, but just “how soon”.
< Videos >
Turn off biometrics where security matters (30 seconds)
https://youtu.be/7UAgtPtmUbk
Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
Six Reasons to Believe Biometrics Don't Ruin Cyber Security
https://youtu.be/lODTiO2k8ws
Password-free Life - Utopia or Dystopia? (30 seconds)
https://youtu.be/UJDBZpX1a0U
Password Predicament and Expanded Password System
https://youtu.be/-KEE2VdDnY0
iPhone X Face ID
What does a FAR mean when it does not come with the corresponding FRR?
Answer: It means nothing.
According to some tech media, the FAR (false acceptance rate) of iPhone X Face ID is
said to be one millionth, which might be viewed as considerably better than the reported
one 50,000th of Touch ID.
It is not the case, however. The fact is that which is better or worse can by no means be
decided while the corresponding FRRs (false rejection rates) of Face ID and Touch ID,
which are in a trade-off relation with FAR, are not known. This crucial observation is
seldom reported by major tech media. It is really sad to see the misguided tech media
spreading the misguiding information on a huge scale.
The only meaningful fact that we can logically get confirmed by the trade-off between
FAR and FRR is that the biometrics deployed with a password as a fallback means
against false rejection would only provide the level of security lower than that of a
password-only authentication.
Face ID, which brings down security as such, could be recommended only for those who
want better convenience, as in the case of Touch ID. If recommended for better security,
it would only get criminals and tyrants delighted.
Security professionals are expected to speak up.