6. Security best practices
6.1 Best Practices
- Use HTTPS connections to encrypt communication.
- Keep API keys secure and don't share them.
- Monitor and control API usage to avoid excessive fees and abuse.
- Include the “X-Content-Type-Options: nosniff” header in all requests to prevent MIME sniffing attacks.
- Implement HTTP Response Signing to guarantee the integrity and authenticity of API responses, demonstrating a commitment to the security of transmitted data.
- Integrate using our SDK. No other integration method is considered secure for production.
6.2 Intrusion tests
You must ask the team responsible to release a production environment for the tests to be carried out. The period during which the tests will be carried out must be clearly communicated to the team.
Remember: the tests must not be carried out in the sandbox environment. The sandbox environment has flexibilities to facilitate debugging and integration with the SDK. Therefore, any intrusion or security test must be conducted in the production environment, where these flexibilities are not present, guaranteeing the accuracy and integrity of the results.
6.3 Matching Levels
Matching levels are used to define the accuracy and security of the facial recognition process, where each level indicates the sensitivity with which the system will compare images or facial features.
The False Acceptance Rate (FAR) indicates the probability of the system mistakenly accepting an incorrect match. The False Rejection Rate (FRR) reflects the probability of the system rejecting a correct match. Ideally, a balance is sought between the two rates, adjusting the matching level according to security and usability needs.
| Match Level | False Acceptance Rate (FAR) | False Rejection Rate (FRR) |
|---|---|---|
| 16 | 1/125.000.000 | 0,0027 (0,27%) |
| 15 | 1/62.500.000 | 0,0026 (0,26%) |
| 14 | 1/41.700.000 | 0,0026 (0,26%) |
| 13 | 1/31.300.000 | 0,0019 (0,19%) |
| 12 | 1/25.000.000 | 0,0019 (0,19%) |
| 11 | 1/12.500.000 | 0,0019 (0,19%) |
| 10 | 1/5.000.000 | 0,0018 (0,18%) |
| 9 | 1/2.000.000 | 0,0014 (0,14%) |
| 8 | 1/1.000.000 | 0,0014 (0,14%) |
| 7 | 1/500.000 | 0,0012 (0,12%) |
| 6 | 1/100.000 | 0,0009 (0,09%) |
| 5 | 1/10.000 | 0,0005 (0,05%) |
| 4 | 1/1.000 | 0,0004 (0,04%) |
| 3 | 1/500 | 0,0004 (0,04%) |
| 2 | 5/10 | 0,0004 (0,04%) |
| 1 | 2/40 | 0,0004 (0,04%) |
| 0 | - | - |
Recommendation for Biometric Approval
Fortface's facial biometrics services do not automatically approve or reject an identification. The API returns a match level value, and the final approval decision must be defined by the integrating application's business logic.
According to the table provided in this section, we recommend that developers consider match level values greater than or equal to 13 as the reference for biometric identification approval. These levels offer a low False Acceptance Rate (FAR) while also keeping the False Rejection Rate (FRR) low.
6.4 Response Signature
The Fortface API also provides a signature of the response payload in the response headers, so that the client can verify the integrity and origin of the data. This standard follows the reference RFC8446 and is compatible with any verifier system that follows that standard.
In the headers of the response, the Signature and Signature-Input attributes are used to verify the signature using the public key, following a scheme very similar to the example (nodejs) below.
If you want to use the Payload signing feature, contact the Fortface team to obtain the keys for signing.
```typescript
import { verify } from '@ltonetwork/http-message-signatures'; // Node tool that follows the RFC8446 reference
import { createPublicKey, createVerify } from 'crypto';
import { readFileSync } from 'fs';

// Public key (PEM) supplied by the Fortface team, loaded from a local file.
const publicKeyPem = readFileSync(__dirname + '/publicKey.pem');

async function verifierSignature(response: { status: number, headers: Record<string, string> }) {
  // Callback that checks one signature over the data the library assembles
  // from the Signature-Input header, using the scheme Fortface uses.
  const verifier = (data: any, signature: any) => {
    const key = createPublicKey(publicKeyPem);
    const tokenVerify = createVerify('SHA256');
    tokenVerify.update(data);
    return tokenVerify.verify(key, signature);
  };
  return verify(response, verifier);
}

// `response` is the HTTP response received from the Fortface API.
const result = await verifierSignature(response);
```
Contact and Support
- For support, you can contact us via our e-mail suporte@fortface.com.br