The evolution of smartcards

Rouzet Agaiby, Senior Business Development Engineer

November 14, 2016

The two key criteria for smartcards are secure identity verification and ease of use. Having one at the expense of another is not acceptable.

Smartcards have evolved from verifying the user’s identity via their signature to memorable pin codes. The former approach enabled ease of use at the expense of lower security, while the latter facilitates more secure transactions at the expense of having to recall several pin numbers. Today, we are witnessing a new trend that attempts to achieve secure verification without compromising on the ease of use – by using the cardholder’s fingerprint.

There are three key challenges that need to be addressed to enable the use of fingerprint sensors in smartcards:
1) the user’s perception of using their fingerprints as a verification method
2) the added complexity and cost of manufacture of the card and
3) updating the infrastructure to support such verification methods in smartcard applications.

The fingerprint sensor needs to be either compatible with current card manufacturing techniques or the process needs to be adapted to accommodate the integration of a fingerprint sensor. This entails both smartcard manufacturers and end-users buying into new fingerprint sensor technologies in order to justify the investment required. Moreover, smartcard solution providers may need to invest in updating the infrastructure that supports fingerprint verification. Simultaneously, end-users need to perceive the technology as secure and compelling enough to be used daily and shake off its negative association with law enforcement and border security.

Choosing the best identity verification method for smartcards

Following Idex’s announcement earlier this year that they are developing a flexible capacitive fingerprint module that is small enough to be used in smartcards, other companies have followed suit. More recently Next Biometrics announced that smartcards is a target market for their flexible thermal fingerprint sensor technology. Similarly, FlexEnable and ISORG announced in January 2016 that their flexible large area optical fingerprint sensor can capture both fingerprint and vein images and is ideally suited for biometrics applications.

Undoubtedly, there is a need for more secure identity and payment verification solutions particularly with the transition from instore transactions to online transactions. However, this raises two main questions. Firstly, is fingerprint sensor technology the most suitable identity verification option for smartcards? And second, if it is, then which fingerprint technology is best suited to achieve the security requirements associated with fingerprints and payment platforms?

Fingerprints are the most widely adopted identity verification method* that is currently used in law enforcement and border security, and more recently in consumer electronic applications. While other identity verification methods like iris and face recognition also exist, they suffer from the disadvantages of longer capture process in the case of iris scanning** or the susceptibility to false verification as a result of slight changes in facial features, for examaple, makeup***. Fingerprints can also be faked, but the secret to prevent this from happening is in the technology that is used in the fingerprint sensor as well as the complex algorithms that detect the fake attributes of the fingerprint image.

Implementation challenges

The first challenge is to ensure that fingerprint technology is secure enough. There is a wide range of fingerprint sensor technologies out there that can be broadly segmented into four key types: thermal, capacitive, ultrasonic and optical. The dominant technologies used are capacitive and optical. Capacitive fingerprint sensors are more widely used in consumer electronics due to their small size and ease of integration, while optical fingerprint sensors are used where more security requirements are needed, for example in law enforcement and border security. Capacitive fingerprint sensors can be sufficient for identity verification in mobile phones, laptops and computers in order to obtain local access to the hardware, but are unlikely to be enough if they are used to gain access to bank accounts and payments.

There have been several videos and articles about how to fake fingerprints on mobile phones and this is likely going to deter users from making online payments via their fingerprint enabled phones. On the other hand, optical fingerprint sensors cannot be easily faked due to the use of anti-spoofing algorithms that are regularly updated to teach the sensors to detect fake attributes. Additionally, liveness detection can also be possible with optical fingerprint sensors as they can also potentially be paired with vein imaging by changing the wavelength of the light from visible to infrared. By acquiring both the fingerprint and the vein image, identity verification can be made more secure which can convince both service providers and users that this is the ideal path for user-friendly secure identity verification in smartcards. This overcomes the security challenge.

Another challenge is the integration of an optical fingerprint and vein sensor into a smartcard. The sensor module suppliers and the smartcard manufactures have to work together to achieve this. The sensor modules have to be compatible with current standards for manufacturing smartcards such as ISO/IEC 7810 and ISO/IEC 7816. However, as such modules have only recently been integrated it is likely that some modification may be required to make the integration successful. For example, this could be the temperature, pressure or the laminated areas in the smartcard. Of course, flexible sensors would be easier to integrate.

Manufacturers have to keep an open mind to make these changes while still maintaining their certification standards or update those standards to make them applicable for the integration of such modules. Discussions regarding updating card manufacturing standards need to be addressed by smartcard associations in collaboration with both manufacturers and sensor module suppliers in order to make sure that manufacturing challenges are addressed. Moreover, card reader manufacturers need to integrate lighting modules to their readers in order to deliver the lighting required to capture both the fingerprint and the vein images.

Obtaining the support of service providers also represents a challenge that needs to be addressed to ensure successful integration of fingerprint and vein sensors in smartcards. Service providers need to create an infrastructure that is capable of supporting more complex identity verification protocols and be able to deal with any security breaches that arise from any misuse. Fingerprint and vein image matching algorithms have to be integrated into the banking infrastructure and debates around the local or remote matching of user profiles have to be carried out to determine the most optimal path to implementation.

As it has become clear, there are several challenges, but they cannot be addressed in isolation. Different players in the ecosystem need to conduct these debates and make decisions that contribute to the wider good of the industry as a whole.

This article was originally published on www.planetbiometrics.com.

FlexEnable will be exhibiting at TrusTech in Cannes, 29 November – 1 December 2016.

 

References

* “Biometrics and Border Security”, published by Biometrics Research Group Inc 2016
** “Biometrics and Banking special report”, published by Biometrics Research Group Inc 2014
*** “Biometric Scanning Technologies: Finger, Facial and Retinal Scanning”, published by SANS Institute 2003

Share this article: