False Acceptance Rate

The rate at which an authentication system incorrectly accepts an unauthorised person or presentation. In biometric programmes, this measures the security side of the trade-off and helps determine whether the control is suitable for the risk level of the application.

Expanded Definition

False acceptance rate, often abbreviated FAR, is the probability that an authentication control incorrectly grants access to an unauthorised person or an invalid presentation. In biometric systems, it is the security side of the operating threshold, while false rejection rate reflects the usability side.

Definitions vary across vendors: FAR may be reported per attempt, per subject, or under different spoofing assumptions, so practitioners should compare published figures only when the test conditions are stated explicitly. For biometric assurance, the threshold must be tied to the risk of the application, the attack model, and whether the system is used for enrollment, step-up verification, or continuous access decisions. The NIST SP 800-63 Digital Identity Guidelines provide a useful reference point for assurance thinking, regardless of what biometric support a specific product claims. In NHI programmes, FAR is conceptually similar to any control that admits an identity based on a signal that can be guessed, replayed, or spoofed.

The most common misapplication is treating a vendor's published FAR as a universal security guarantee, especially when the test conditions, threshold settings, and spoofing resistance behind the figure are not disclosed.
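As an added illustration (not part of the original glossary entry), the following Python computes FAR and FRR from a constructed set of matcher scores, contrasts per-attempt with per-subject FAR to show why the reporting basis matters, and derives the lowest threshold that meets a target FAR. All scores, subject labels and thresholds are made up for the example; they are not measurements from any real product.

```python
"""False acceptance rate (FAR) and its trade-off with false rejection rate (FRR)
at a decision threshold, computed from constructed matcher scores."""

# Constructed sample data (hypothetical matcher output, not real measurements).
# Scores are similarity values in [0, 1]; the control ACCEPTS when score >= threshold.
# Genuine: an enrolled subject compared against their own presentation.
# Impostor: a presentation compared against a different subject's template,
# grouped by impostor subject so per-attempt and per-subject FAR can be compared.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.72, 0.87, 0.93, 0.81]
IMPOSTOR_ATTEMPTS = {
    "impostor-A": [0.12, 0.35, 0.48],
    "impostor-B": [0.22, 0.61],
    "impostor-C": [0.30, 0.55, 0.18],
    "impostor-D": [0.74, 0.27],
}


def flatten(attempts_by_subject):
    """All impostor scores as one list, discarding the subject grouping."""
    return [s for scores in attempts_by_subject.values() for s in scores]


def far_per_attempt(impostor_attempts, threshold):
    """Fraction of impostor ATTEMPTS accepted (score >= threshold)."""
    scores = flatten(impostor_attempts)
    if not scores:
        raise ValueError("need at least one impostor attempt")
    return sum(s >= threshold for s in scores) / len(scores)


def far_per_subject(impostor_attempts, threshold):
    """Fraction of impostor SUBJECTS with at least one accepted attempt.

    Same system, same threshold, but a different (and usually higher) number
    than the per-attempt figure: a vendor quoting one cannot be compared with
    a vendor quoting the other.
    """
    if not impostor_attempts:
        raise ValueError("need at least one impostor subject")
    breached = sum(any(s >= threshold for s in scores)
                   for scores in impostor_attempts.values())
    return breached / len(impostor_attempts)


def frr(genuine_scores, threshold):
    """Fraction of genuine attempts rejected (score < threshold): the usability side."""
    if not genuine_scores:
        raise ValueError("need at least one genuine attempt")
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def threshold_for_target_far(impostor_attempts, target_far):
    """Lowest threshold whose measured per-attempt FAR does not exceed target_far.

    FAR only changes at observed impostor scores, so those (plus one value just
    above the maximum, which rejects every observed impostor) are the candidates.
    """
    scores = sorted(set(flatten(impostor_attempts)))
    candidates = scores + [scores[-1] + 1e-9]
    for t in candidates:
        if far_per_attempt(impostor_attempts, t) <= target_far:
            return t
    raise AssertionError("unreachable: the final candidate always yields FAR 0")


def operating_point(genuine_scores, impostor_attempts, threshold):
    """Both sides of the trade-off at one threshold, for a risk review."""
    return {
        "threshold": threshold,
        "far_per_attempt": far_per_attempt(impostor_attempts, threshold),
        "far_per_subject": far_per_subject(impostor_attempts, threshold),
        "frr": frr(genuine_scores, threshold),
    }


if __name__ == "__main__":
    # A stricter threshold for the higher-risk action, as in the step-up example.
    for label, t in (("routine login", 0.5), ("high-value transfer", 0.8)):
        print(label, operating_point(GENUINE_SCORES, IMPOSTOR_ATTEMPTS, t))
    target = 0.10
    t = threshold_for_target_far(IMPOSTOR_ATTEMPTS, target)
    print(f"threshold for FAR <= {target}: {t}, FRR there = {frr(GENUINE_SCORES, t)}")
```

On the constructed data the routine-login threshold of 0.5 accepts 30% of impostor attempts but 75% of impostor subjects, which is the per-attempt versus per-subject discrepancy the definition paragraph warns about. Raising the threshold to 0.8 for the high-value action drives FAR to zero while FRR rises from 0 to 20%, the friction cost discussed under Examples and Use Cases.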

Examples and Use Cases

Implementing FAR rigorously often introduces friction for legitimate users, requiring organisations to weigh stronger fraud resistance against higher retry rates and support overhead.

  • A mobile banking app uses facial recognition for step-up authentication and sets a stricter threshold for high-value transfers than for routine login.
  • A physical access system compares FAR against false rejection rate before allowing badge replacement kiosks to use face matching as a fallback control.
  • A workforce identity team reviews biometric enrollment settings after comparing them with guidance from the NIST SP 800-63 Digital Identity Guidelines.
  • An NHI governance team studies the attack patterns in the Ultimate Guide to NHIs and applies the same logic to API-key validation and service-account access paths.
  • A fraud lab tests presentation attacks and replay scenarios to see whether the effective FAR changes under realistic adversary conditions.

Why It Matters in NHI Security

FAR matters because any authentication control with an unacceptably high acceptance rate can become a silent bypass path for service accounts, privileged workflows, or AI agents acting with execution authority. In NHI environments, the practical risk is not just unauthorised login, but lateral movement, secret exposure, and automated abuse at machine speed.

NHI Mgmt Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges, making weak acceptance controls especially dangerous. The same research also reports that 96% of organisations store secrets outside of secrets managers in vulnerable locations, which compounds the impact when an attacker gets past the first control. That is why FAR should be assessed alongside secret hygiene, privilege scope, and detection coverage, not as a standalone metric. The Ultimate Guide to NHIs is a practical starting point for understanding how identity weakness spreads across lifecycle and access paths.

Organisations typically encounter the operational meaning of false acceptance only after a spoofed factor, replayed credential, or over-permissive fallback path is used in an incident, at which point the control becomes unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST SP 800-63 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework (control / reference): relevance

  • NIST SP 800-63 (AAL2): Defines authentication assurance levels and biometric risk trade-offs tied to acceptance errors.
  • NIST AI RMF (risk framing): Helps assess how false acceptance affects trust, harm, and deployment context.
  • OWASP Agentic AI Top 10: Agentic systems may over-accept weak signals when identity checks are poorly bounded.

Set acceptance thresholds to match the required assurance level and the application's fraud risk.