The relation between FRR and FAR

The relation between FRR and FAR

The two most common abbreviations one can meet when dealing with biometric identification systems are FAR (False Acceptance Rate) and FRR (False Rejection Rate). But how do they relate to each other? What is their significance? This blogpost aims to shed light on this matter.

Many systems give the operator a choice: "security levels", "matching score thresholds" can be set, but these are different terms for the same concept: confidency level. You can either set how thoroughly will the device scan the presented sample, and/or (depending on the device) how much deviance will it tolerate from the already stored template. Altogether: how sure the device will be that the person who presented the sample is the same who is enrolled in the system. You can either set it to very strict, forcing the device to put the presented sample under strict examination or set it to a lighter approach where it will let smaller details slide.

Strict examination and high required confidence can be associated with higher FRR rates, while the lower required confidence can be associated with higher FAR rates. You can have either one, but not both. These graphs "work against each other", so you must select the workpoint of the system at a location, where it will perform adequately, considering all parameters of the particular installation. Generally, the devices, by default, are set to the EER (Equal Error Rate) point, which is the intersection of the FAR and FRR curves. Whether this is good for a particular application or not depends on a large number of factors.

The following figure shows a typical mapping of FAR vs. FRR for a theoretical fingerprint scanner with respect to the probability of false acceptance and false rejection and the number of minutia points that the scanner tires to identify.

If we look at the graph, we can see, that the more minutia point matches are required from the user, the less impostors can get through the system, as there is a decreasing chances to have more and more matching points, if the person is an impostor. For enrolled users, it is the other way around, but with a limit. As the required confidency increases, more and more users will be falsely rejected to the level of practical unusability, because as we decrease the tolerance of the system and look for more and more matching points, external influences, like positioning errors or contaminations on the sensor will come into play, reducing the number of successful identifications.

In many cases, manufacturers give both very low FRR and very low FAR rates on the device data sheets. There is a problem with this: the data, in many cases is "up to n% FRR" or "up to n% FAR", but not both at the same time. This might be misleading for users, who might get the idea from the data sheet that they can get both high security with a very low number of false rejections. The truth is, however, is what we have stated before, you can't have both. In the end, this is a question for each particular application, a question that must always be taken into account. Choosing the correct workpoint is crucial for proper system operation. Some devices even allows the operator to set individual workpoints for users (for example, the system might be more lenient with a VIP, and more secure when high security zones are concerned.