Note: This is one in a series of blogs about Fingerprint on Card technology.
Recent advances in technology have made fingerprint sensors a viable option for payment cards. The sensor hardware and the algorithm for matching and verifying the fingerprint are embedded onto the card itself. This technology, known as Fingerprint on Card, creates a sleek, easy-to-use way to add biometric authentication to the payment process.
Quick and Simple
Using the card is straightforward. First your fingerprint is captured and stored on the smartcard. This initial fingerprint, called the reference template, serves as the basis for your identity and is later compared to the fingerprint captured during the payment transaction.
When it’s time to make a purchase, you press your finger to the card while either inserting it in the payment terminal reader slot or tapping it to the terminal display. The card captures your fingerprint with the embedded fingerprint sensor, then uses algorithms to extract the data needed to compare the captured print to the reference template.
If the captured fingerprint matches the reference template, then you’re good to go – you’ve confirmed your identity and authorized the payment terminal to complete the transaction. The capture and match process is seamless, and there’s no need to enter a PIN or sign a receipt.
Familiar Form Factor
The Fingerprint on Card format is made possible by extremely thin, low-power components. On one edge of the card there’s the familiar contact plate used in today’s “chip” cards. On the opposite edge there’s an ultra-thin, low-power fingerprint sensor. In between these two is the circuitry for capturing, extracting, and matching the fingerprint during a payment transaction. The design is essentially the same as that of a traditional chip card, so new Fingerprint on Card formats can be used in existing payment infrastructure around the globe.
But is it Secure?
Using the Fingerprint on Card feature is fast and simple, and works with existing infrastructure, but just how secure is it? Can it be trusted to ensure privacy? The short answer is it depends on the implementation. The process of storing, extracting, and matching fingerprints needs to be protected, and how that protection is designed can influence the security of the solution. A quick look at each step in the process highlights where security is most important, and how best to ensure high-level protection.
Storing the Reference Template Securely
The first task is to store the reference template, the basis of your identity, in such a way that it remains protected at all times. The template must be stored in a secure location on the card and, once written into the memory, should never leave that secure location. That’s because letting the template leave its secure location introduces risk and increases the chances of tampering or theft.
The safest way to store the reference template is in a secure, tamper-resistant IC, called a secure element. The secure element acts as a vault, hiding the reference template from view and protecting it from attack. Secure elements are designed from the ground up to protect against a broad range of attack categories and can be equipped with dozens of security mechanisms that defend data in different ways. Because they’re tailor-made for security, secure elements offer a level of protection that’s simply not available with general-purpose microcontrollers.
In fact, secure elements are so widely recognized for their ability to protect private information that they’ve been used in the payment industry to store PINs and other sensitive data for many years. The same applies to Secure ID applications, where fingerprint templates have been stored only in Common Criteria certified secure elements for a decade. Using a secure element to store the reference template of a Fingerprint on Card solution can be considered a highly secure approach.
Extracting the Fingerprint Quickly
Processing the captured fingerprint, at the time of payment, requires strong calculation capabilities, to ensure quick extraction, but the security requirements are much lower. Extraction is essentially a format change – converting the image captured by the sensor to data that can be used for a match – and doesn’t need as high a level of protection as other steps in the Fingerprint on Card process. A low-power microcontroller is an ideal solution for extraction – designed for strong calculation capabilities, but with a low security level. The microcontroller receives the fingerprint captured by the onboard sensor and then extracts the data needed to do a match against the reference template.
Matching the Fingerprint only in the Secure Element
The next step, the match, is critical. The data extracted by the microcontroller is compared to the reference template to see if there is a match. The data associated with the reference template needs to be available for the match to take place. If the match happens on the microcontroller, then the reference template has to leave the secure element and pass to the microcontroller each time a match takes place. This is risky, since as soon as the reference template leaves the secure element, it’s vulnerable to attack. The template loses its protection and can be either manipulated or stolen. The results produced by the match need to be protected, too, since they include information needed to verify payment.
To maintain the right levels of protection, the best place to perform fingerprint matching is in the secure element. The secure element (or, more exactly, the secure processing unit) receives the extraction data from the low-power microcontroller, performs the match, and reports a simple “ok” or “not ok,” without releasing the reference template or the data produced by the match.
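The interface this implies can be sketched in a few lines of C. This is an added illustration, not NXP's code or any card's actual firmware: the minutiae format, the tolerance and threshold values, the write-once enrollment and every function name are assumptions made for the sketch, and the sample prints are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_MINUTIAE 8
#define POS_TOL      3   /* assumed position tolerance, in sensor units */
#define MIN_MATCHED  4   /* assumed number of agreeing points to accept */

/* Toy feature format (assumption): minutiae as x/y positions only. */
typedef struct { uint8_t x, y; } minutia_t;
typedef struct { minutia_t pts[MAX_MINUTIAE]; uint8_t n; } features_t;
typedef enum { SE_NOT_OK = 0, SE_OK = 1 } se_result_t;

/* Secure element state: file-private, and no function below returns it. */
static features_t se_template;
static int se_enrolled;

/* Enrollment is write-once here (an assumption): the template goes in and stays in. */
int se_enroll(const features_t *ref) {
    if (se_enrolled || !ref || ref->n < MIN_MATCHED || ref->n > MAX_MINUTIAE)
        return -1;
    se_template = *ref;
    se_enrolled = 1;
    return 0;
}

/* Match inside the SE. The probe comes from the microcontroller's extraction;
   the match count is collapsed to ok / not ok and is never returned. */
se_result_t se_verify(const features_t *probe) {
    uint8_t used[MAX_MINUTIAE] = {0};
    unsigned matched = 0;
    if (!se_enrolled || !probe || probe->n > MAX_MINUTIAE)
        return SE_NOT_OK;
    for (uint8_t i = 0; i < probe->n; i++)
        for (uint8_t j = 0; j < se_template.n; j++) {
            if (used[j]) continue;   /* each template point pairs once */
            if (abs(probe->pts[i].x - se_template.pts[j].x) <= POS_TOL &&
                abs(probe->pts[i].y - se_template.pts[j].y) <= POS_TOL) {
                used[j] = 1;
                matched++;
                break;
            }
        }
    return matched >= MIN_MATCHED ? SE_OK : SE_NOT_OK;
}

/* Constructed sample data: enrolled finger, noisy re-capture, another finger. */
const features_t REF      = {{{10,12},{40,18},{22,55},{60,60},{35,80}}, 5};
const features_t GENUINE  = {{{11,13},{39,16},{24,54},{61,62},{90,90}}, 5};
const features_t IMPOSTOR = {{{80,5},{5,70},{50,40},{70,95},{15,30}}, 5};
```

The only data crossing the boundary outward is the `se_result_t` value; a design that matched on the microcontroller would instead need a function that hands out `se_template`.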
The Safest Setup
The setup just described, with the reference template stored in a secure element, the extraction performed by a low-cost microcontroller, and matching taking place in the secure element, represents the best combination of security and protection. The reference template remains hidden and the match process minimizes the chances of manipulation, so the payment transaction remains safe and trustworthy.
So, going back to the original question, whether Fingerprint on Card technology can be trusted to deliver a high level of security and privacy, the answer is yes – as long as the storage of the reference template and the matching take place in the secure element.
The NXP Approach
At NXP, we’ve developed a Fingerprint on Card solution that securely divides tasks between the secure element and the low-power microcontroller. The microcontroller performs extraction only. The secure element – based on a multi-layered architecture already proven in high-security applications – performs the fingerprint match and never lets the reference template leave its secure perimeter. The reference template and the matching results are protected from manipulation by outside forces, and the sensitive identity information relating to the fingerprint remains private.
Next Up: Biometric Performance
Our next blog will discuss performance. We’ll look at contactless formats for Fingerprint on Card solutions, introduce two of the parameters used to gauge performance – the False Reject Rate (FRR) and the False Acceptance Rate (FAR) – and summarize what they mean for cardholders and fraudsters.
The next installment of this blog series is scheduled to post in two weeks.