Very little work has been done in determining the number of users needed to establish confidence intervals for an error rate of a biometric authentication system. The independence assumption between multiple acquisitions of an individual is too restrictive and is generally not valid. We relax this assumption and present a semi-parametric approach for estimating the within-user correlation using multivariate Gaussian copula models. We describe how to obtain confidence bands for the ROC and present the minimum requirements on the number of users needed to achieve a desired width for the ROC confidence band. Rules of thumb such as the Rule of 3 and the Rule of 30 grossly underestimate the number of users required. The underestimation becomes more severe when the correlation between any two acquisitions increases.