Marbles and Probability
NOTE: This is a reprint of an article originally published by Alex Kilpatrick in May 2017 on a different blog. We are reposting them on the Blink Identity blog because these issues are important and we want to keep our writing on these issues in one place.
Visualizing Biometric Accuracy
In a recent blog post I mentioned that the Android and Apple phone specifications call for at least a 1 in 50,000 probability of a false match. In other words, a randomly selected imposter will have a 1 in 50,000 chance of unlocking your phone with his fingerprint.
I have had a few people say that is a hard thing to really visualize/understand and I agree. Marbles are a staple for classes involving probability, so I think they will be useful here. A typical marble is 1/2" in diameter. If we assume that marbles can be stacked pretty much like cubes, then a marble has a volume of (1/2")^3 or .125 in^3. So imagine we have 49,999 white marbles and one black marble, making 50,000 total marbles. 50,000 marbles is about 3.6 cubic feet, which is about the same volume as a washing machine drum.
Imagine filling that washing machine up with 49,999 white marbles and 1 black marble. I would recommend using an older style machine or you are going to make a mess.
Now turn it on and let it run for a while. Please make sure you record this and post it to YouTube. Run it until smoke comes out or until you have lost your hearing, but make sure the marbles are really mixed up. Now turn it off (very important) and close your eyes and reach in and grab a marble. You didn't get a black marble? Put the white marble back and repeat the whole process. You have two more tries. If you fail on the third try then the phone is now locked with a PIN and you have no more fingerprint tries left.
This was a useful exercise for me. Before I did this calculation I thought it would be a lot more "gee-whiz" impressive. A washer full of marbles is a lot, but it is not something ridiculous like the Grand Canyon full of marbles. I can visualize getting lucky and grabbing a black marble from a washing machine. The odds could be improved be with a more expensive and bigger fingerprint sensor, but that would make a thicker/more expensive phone. And it ultimately wouldn't really make a real difference in security.
The fact that the phone stops letting you try after 3 attempts is a huge security feature that makes a brute-force attempt very difficult to carry out. So let's assume you have some way to get around that and have an unlimited number of people who can walk by the phone and try to unlock it. What will happen?
Well, you might get lucky and person #1 unlocks it. Of course, that probably won't happen. But if you have 50,000 people you will certainly unlock it, right? Well, as it turns out probability doesn't work that way. You might run 1,000,000 people by the phone and be able to unlock it. That probably won't be the case either, but it certainly could happen. Probability never tells us what will happen, it tells us how likely something is to happen.
Let's say you have a unlimited line of people waiting to unlock phones for you, and you have a lot of phones to unlock.
Assume you are really efficient and can do a check on a single phone every 5 seconds. On average over a large number of samples you will get the right person after about 25,000 tries, or about a day and a half. Note that you will absolutely need more that 25,000 people because that is an average. It is likely that some of the time you will need more than 50,000. Better have 75,000 just to be safe and maybe 10,000 more on backup. Obviously this is a ludicrous exercise, but it does give you a feel for the scale of things involved here. And even this ludicrous exercise isn't possible until you get around the three-attempt limitation.
Finally, it is worth covering the more traditional PIN-based approach to unlocking your phone. Since your PIN is 4 digits, the possible numbers it can be range from 0000 to 9999, or 10,000 possibilities. That means your phone with a PIN has a 1 in 10,000 chance of accepting an imposter, so it is actually worse than a fingerprint, at least by the math. In truth, it is more complicated because someone can theoretically copy your fingerprint from somewhere and use it on your phone and they can't copy a PIN out of your head.