One of the major concerns associated with biometric fingerprint authentication is security of biometric data within the authentication system. When you place your finger on a fingerprint authentication system, it captures an image of your fingerprint pattern and matches it with the one already stored on the system.
In the absence of adequate security measures, providing your fingerprint or other biometric data to an authentication system may result in undesirable consequences including biometric identity theft and all the concerns associated with it.
One potential solution of this problem is biometric smart cards, in which matching of biometric data takes place on the card itself, and you never have to give up your biometric details to perform biometric authentication of identification.
What is a biometric fingerprint smart card?
Biometric fingerprint smart card is a plastic card equipped with a microcontroller, which can store and process biometric and other user data internally. The microcontroller can receive requests from smart card readers and can verify identity or authenticate transactions. Biometric fingerprint smart cards can be of contact or contactless types, however, contactless smart cards are now more common, which come equipped with RFID. RFID enables the card to communicate with external devices (e.g. a card reader) wirelessly.
How does fingerprint match on card work?
Fingerprint match-on-card is an approach, in which biometric authentication is performed with the help of a biometric smart card.
Unlike match-on-server and other biometric implementations, fingerprint match-on-card performs biometric matching on a smart card. This smart card is issued to the user and user biometric data (i.e. fingerprint template of the user) is stored on a fingerprint chip inside.
This microcontroller fingerprint chip comes with inbuilt ability to perform a biometric match. The fingerprint chip may not be as powerful as a biometric database server, but is powerful enough to perform a 1:1 match instantly. Since there only one biometric match has to be performed at a time, the microcontroller fingerprint chip can do it instantly.
Fingerprint smart cards do not come with any internal power source. They receive their inductive current to enable data transfer and processing from the smart card reader, and require very low power to do that.
When a user presents his/her fingerprint smart card to a smart card reader (to perform identification / authentication), the reader communicates with the card and asks the user to get his/her finger scanned. The user gets his/her finger scanned (the one which is registered with the fingerprint smart card) and the card reader captures fingerprint sample. It extracts the relevant information from the sample and sends it to the card.
The smart card microcontroller fingerprint chip executes a biometric comparison between the new scan and the already stored biometric data as per the algorithm used and reaches a decision (match or no-match), which is sent to the card reader.
What is a fingerprint chip?
A fingerprint chip is a microcontroller designed particularly for storing fingerprint data and enabling fingerprint match on the card. The biometric data is stored on the fingerprint chip in a secure format and cannot be extracted out of it. Even if an attacker is able to access the biometric data on the fingerprint chip, it will be of no use as it is stored in encrypted form to ensure data security.
FIPS fingerprint reader and smart card reader
FIPS fingerprint reader is a fingerprint recognition system that makes use of set of standards developed and published by the U.S. Federal Government, commonly known as FIPS.
FIPS (Federal Information Processing Standards) are the standards for information technology system for non-military use. These standards emphasizes security and interoperability among IT systems, specially in the cases where industry standards are not already in place. FIPS are developed by the United States federal government by making required modifications in already published standards from standardization outfits like ANSI, IEEE and ISO.
Smartcards equipped with FIPS are known as PIV (Personal Identity Verification) cards and they use Federal Information Processing Standard (FIPS) 201, which was formally entitled Personal Identity Verification of Federal Employees and Contractors.
FIPS fingerprint scanners and smart card readers have to strictly comply with the standard laid by the federal agency.
For example, according to NIST special publication 800-96 (PIV Card to Reader Interoperability Guidelines), the contactless interface of the reader shall support bit rates of fc/128 (~106 kbits/s), fc/64 (~212 kbits/s), and fc/32 (~424 kbits/s) as defined in ISO/IEC 14443-3:2001/Amd.1:2005. Bit rates fc/64 and fc/32 may be configurable to allow activation / deactivation.
NIST SP 800-96 presents various recommendations for FIPS fingerprint reader and smart card reader in the area of performance and communications characteristics to foster interoperability. These standards enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12).
Smart cards for identification
Applications in which only a small number of people are registered on a system, biometric identification can be performed almost instantly. For example, in an organization where only a small number of people are registered on a fingerprint attendance system, can use their fingerprint for identification.
Identification will be instant or at worse, it will take no more than a couple of seconds. But when the number of records increases on a biometric system, the time taken for identification also increases. When there are a large numbers of records (e.g. in billions), it may take several hours to find a match.
So performing biometric identification with the use of biometric identifier alone is not a good approach when the number of records are huge, to overcome this, people are allocated a unique number / ID to fetch their biometric record before performing the biometric authentication. But there can be a better solution: fingerprint match on card.
With fingerprint match-on-card, there is no need to remember any number or code as it can be stored on the card or generated by itself. Using a unique string for identification of the biometric record enables us to perform a 1:1 match. In large scale biometric identification programs, people are provided with a unique string so that their identity record associated with their biometric identifiers can be fetched for upfront 1:1 matching. It can otherwise be extremely time consuming to perform a 1:N match on the basis of biometric identifier alone, specially when there are too many records to lookup.
Biometric smart card attendance system
Employee time and attendance is an important activity in any organization which ensures employees are paid only for the time they have worked. Early time tracking at work were accomplished by keeping track of employee time on paper, where employees put their check in / out time along with their signature. This system needed someone to watch over, so that employees do not commit time theft by inflating their work hours. Human intervention was prone to errors and omissions as well as illegitimate favours, not to mention. It was also possible for someone else to do it on your behalf.
Now biometric time clocks are fairly common at workplaces of all sizes. It is extremely hard to commit time theft or timesheet manipulation with biometric time and attendance systems. However, with growing biometric data privacy concerns, biometric smart card attendance systems offer more viable solution of employee time and attendance.
In biometric time clocks, employee fingerprints are first enrolled on the systems and then every time the employee checks in and out with fingerprint scan, the system logs the timing. A supporting application can import this data and calculate daily / weekly / monthly time spent at work and payroll can be generated.
Biometric smart card attendance system does the same thing but also takes care of privacy and security of biometric data by matching employee fingerprints right on the card and not on the recognition system. Employees fingerprint never leave the card and the biometric matching takes place inside the card, resulting in unprecedented security of biometric data.
Biometric smart card access control
Fingerprint match-on-card approach can also be leveraged for deploying biometric smart card access control. In business outfits and workplaces, access control is implemented with RF cards or biometric access control methods like fingerprint or face recognition. Use of RF cards is no better than using keys, you eventually have to carry something which can be lost or stolen and misused. Biometric based access control has already seen wide deployments in recent years and it continues to grow, though it has its own pitfalls.
A biometric smart card access control not only personalizes the smart cards by replacing PIN with user biometrics, it also safeguards users as PINs can be highly vulnerable to shoulder surfing by other access seekers. When compared with traditional biometric access control systems, biometric smart card access control does not require a database to store and process biometric data. Since biometric data is stored on the card, it is matched right on the card resulting in securer and privacy friendly access control experience.
When biometric smart card access control is implemented with face recognition, biometric facial details are capture with a camera present on the card reader. After capturing and processing details, it is sent to the card for matching with what is already stored. If it matches with the sample captured for authentication, authentication succeeds.
Advantages of Fingerprint match-on-card vs. match-on-server
Today, a large majority of fingerprint recognition systems uses database based (match-on-server) approach. Be it a small scale implementation like office attendance system or a large scale deployment like biometric voter / civil ID, a database of biometric identities works like the central nervous system. Both match-on-card and database centric approaches have their own set of advantages and disadvantages, as discussed below.
Advantages of database backed biometrics over match-on-card
- People do not have to carry anything (i.e. a smart card), which keeps the basic objective of having a biometric ID intact (identification on the basis of “who you are” and not “what you possess”.
- In law enforcement and forensic applications, database backed identification is the only solution.
- If there is any upgrade related to security or architecture, upgrading the card is not easy.
- Requires fewer infrastructures than match-on-server biometric implementation.
Advantages of match-on-card over match-on-server
- Match-on-card does not require a database of biometric identities since biometric data is stored right on the card. Biometric matching is also performed by the embedded microcontroller in the smartcard.
- Maintaining a centralized biometric database securely in today’s highly insecure environment can be a tough job, even the best cyber security practices cannot guarantee the security against cyber threats.
- Lost or stolen smart cards pose minimal risk as the data is encrypted on the fingerprint chip which is next to impossible to decipher. Loss or theft of smart card does not result in identity theft, unlike loss or theft of physical IDs.
- It is virtually impossible to intercept the communication between the smart card reader and the smart card, unlike network communication over computer network, which can be highly vulnerable.
Applications of match-on-card biometric implementation
Implementing biometric authentication with smart cards, in which match is performed on the card itself offers numerous possibilities. Since there is no need to maintain backend database, match-on-card requires lesser upfront cost than match-on-server biometric authentication.
- Authentication: Banking payment cards, electronic wallets, online shopping, institutional authentication, digital / network security, etc.
- Identification: Government / civil identification, healthcare service, voter ID, Subscriber Identity Modules (SIMs), smart licence, etc.
- A single card can be used for multiple applications
- Biometric smart card attendance systems
- Biometric smart card access control
Despite the unprecedented rise in deployment of biometric identification and authentication applications, a large percentage of authentication requirements are still served by passwords, PINs or similar knowledge based authentication factors. On the other hand, a large chunk of market share is still captured by traditional IDs or similar methods for identity verification, regardless of the huge growth of fingerprint based identity verification methods.
While the rise of biometrics based identification and authentication approaches may seem impressive, security of biometric data is still a major concern. This data can be prone to theft or loss within the authentication systems itself (e.g. in biometric databases). Match-on-card, a comparatively newer approach can be the potential solution of all the problems biometric data security concerns with traditional biometrics. A biometric smart card loaded with your fingerprint data, can not only perform biometric identification / authentication on your finger’s behalf, but can also guarantee security of your fingerprints.