A growing number of smartcard applications are using biometrics as part of their authentication process. At international borders, for example, the use of face recognition is becoming a standard way to verify the identity of travelers. Fingerprint scanners can now be found at the entry points of high-security areas, like government buildings, research facilities, and military installations, and recent smartcard formats support the use of handwritten PIN codes for authentication.
Choosing which biometric to use with a particular smartcard setup involves a number of considerations, including reliability, usability, form factor, and cost. The environment where the smartcard will be used also comes into play, because the security requirements can vary depending on whether the card operates in what’s known as a closed or open environment.
Closed environments are tightly controlled. The scanning device is operated by the authenticating authority and the equipment is constantly supervised. Border crossings and corporate offices are examples of closed environments.
Closed environments can use either of the two methods for biometric scanning – on-card scanning or off-card scanning. On-card scanning refers to using the smartcard itself to take the live biometric sample, such as a handwritten PIN code, while off-card scanning refers to the process of using a separate piece of machinery, not the card itself, to take the live sample.
Off-card scanning is the method used more widely today in closed environments. This is mostly because closed environments typically provide enough space to accommodate the relatively bulky equipment, such as fingerprint scanners and image-capture devices, used to collect live samples.
An open environment is typically one where the user requests authentication through the use of a personal computer, a tablet, a smartphone, or some other system not owned and operated by the authenticating authority. Taken on a global level, the open environment is staggeringly large, involving billions of devices.
Off- and on-card scanning can both be used in open environments. For off-card scanning, where a separate device is needed to take the live sample, fingerprint scans are usually the best choice. For on-card scanning, which requires the most compact footprint, fingerprint scans and handwritten PIN entry are the most practical.
On-card scanning is a particularly attractive idea for open environments, since the card itself is equipped with the ability to store a reference sample (template), take a live sample, and perform a comparison. Having a secure element integrated onto the smartcard ensures security during the processing step, because it enables data encryption, and can reduce the chances of tampering, even in an open environment.
The figure below shows a biometric smartcard developed by NXP. It uses the cardholder’s handwriting as a biometric feature. The individual numbers of the PIN code are captured in the writer’s unique way of writing through the use of an integrated capacitive touchpad. As a solution that supports on-card scanning, it is a good choice for use in closed and open environments.
To support online purchases and other transactions in an open environment, the biometric smartcard can be configured to provide a secure connection to a laptop. A USB-type contactless reader connects to the smartcard, which supports handwritten PIN entry. Only after the PIN has been entered and verified is any sensitive user information forwarded from the card’s secure element to the online application. Any key loggers or other malware will only be able to intercept encrypted communications.
Our white paper, titled “Smartcards, security, and biometrics,” is a detailed look at the biometric techniques best suited for use with smartcards. It presents the options for implementing biometrics in a smartcard system and provides examples of real-world biometric smartcards, including the NXP implementation. Download your copy today.