A Fingerprint Card is a smart card that embeds a fingerprint sensor and the most common implementation are standardized according the ISO/IEC 17839-1:2014 and the ISO/IEC 17839-2:2015 specifications defines two main types of cards:
- Type S1 – fully ISO/IEC 7810 compliant.
- Type S2 – card 2.5mm thick, no need to conform the ISO/IEC 7816-1 flexibility requirements, supports only ISO/IEC 14443 contactless interface.
In this article the key focus will be on the Type S1, although all the concepts can be applied to both types.
Fingerprint Cards are a relatively new concepts in the smart card industry and few commercial trials have been done till today.
The main objective of integrating a fingerprint sensor into a smart card is to verify cardholder identity.
To better understand the advantages of a Fingerprint Card, let’s consider few real life scenarios:
- STANDARD CREDIT CARD
A thief steal Mr. Brown wallet and it uses its credit card to pay for goods at a luxury store. Mr. Brown card is without Pin code so the thief need only to reproduce the card owner signature on the transaction slip.
- DEBIT CARD WITH PIN CODE
Mr. Brown is returning home at the end of a busy working day. It’s night and he did not realize that a criminal is following him. The criminal stop Mr. Brown and ask him to hand over his wallet and tell him the PIN code of its debit card. The criminal is then using Mr. Brown debit card to pay for goods at a luxury store. The criminal knows the debit card pin so the transaction is performed positively.
- ACCESS CONTROL CARD
Mr. Brown works in a company that hold several industrial patents and he got a personal contactless ID Card to open the main door of the office building and many doors of the offices. The main entry is unattended so anyone with a company ID Card can access the building. While Mr. Brown is on vacation with his family a criminal break into his home and steal his company ID Card that is afterwords used to access Mr. Brown office and steal sensitive documents.
- GOVERNMENT ID CARD
John and his twin brother Mark have a legal litigation over the family heritage left by the late grandmother. John believe that Mark already got some lots of land but he won’t admit that. So John steal Mark’s Government ID Card and shows himself up to government office impersonating his brother asking for a full report of Mark properties. The clerk at the office taps the card on the contactless reader and Mark’s photo is displayed on his computer display. Since John and Mark are twins they looks like almost identical so when the clerk at the government office check Mark photo’s against John he believe the person in front of him is Mark and then he process the request.
All the above stories lacks of identification and/or authentication of card bearer and the Fingerprint Cards have been invented to solve those problems. In fact to use a fingerprint-enabled smart card the rightful owner of the card must place one of his finger (normally the thumb) over the fingerprint sensor and – at the same time or immediately after the positive authentication – use the card. A secure cpu (embedded into the smart card body) then match the readout from the fingerprint reader against the pre-recorded fingerprint and – if they match – signal the “go ahead” to the smart card microcontroller. Upon receiving the “go ahead” signal from the secure cpu, the smart card chip is then enabled and perform the transaction with the reader terminal.
When a criminal or a person that is not the rightful card owner tries to scan his finger on the sensor, the match between the scanned finger and the stored fingerprint fails and the secure cpu signal “fraud detected” to the smart microcontroller that immediately stop any communication with the contact or contactless reader.
So the four fraudulent scenarios weren’t going to happen if they were performed using a Fingerprint Cards. The method of verification of a fingerprint on a card is often referred as Match On Card (MOC).
The enrollment process can be done:
- On Card. When the user receive its new Fingerprint Card he needs to acquire its fingerprint that is directly digitized and stored into the secure cpu chip of the card.
- Off Card. The the user enroll for the card he record his fingerprint on a desktop fingerprint reader. The digitized fingerprint is then processed and sent to the secure cpu chip trough the smart card contact / contactless interface.
The basic scheme of a contact Fingerprint Card includes a non-replaceable and non-rechargeable battery that can give between 3-5 years of operating life under normal usage conditions. First generation fingerprint card used a physical button to switch on the fingerprint sensor while latest generation cards uses fingerprint sensors that “sense” when a finger is put in contact with them enabling the reading.
A contactless Fingerprint Card normally does not embeds a battery and the power for the fingerprint cpu is harvested from the card reader through the antenna. So when the card is within range of the contactless reader the fingerprint sensor and the secure cpu are powered on and the verification is performed as described for a contact fingerprint card. When the card is removed from the contactless reader, the smart card chip, the secure cpu and the fingerprint sensor are switched off.
The technology of the fingerprint sensors utilized in Fingerprint Smart Card are primarily Capacitive Sensing Technology or Active Thermal Technology.
Capacitive Sensing sensors use arrays of tiny capacitor circuits to collect data about a fingerprint. As capacitors can store electrical charge, connecting them up to conductive plates on the surface of the scanner allows them to be used to track the details of a fingerprint. The charge stored in the capacitor will be changed slightly when a finger’s ridge is placed over the conductive plates, while an air gap will leave the charge at the capacitor relatively unchanged. An op-amp integrator circuit is used to track these changes, which can then be recorded by an analogue-to-digital converter.
The Active Thermal sensing principle has been developed by Next Biometrics and this kind of sensor measures heat conductivity. A low power heat pulse is applied to each sensor pixel over a short period of time and a response is measured. This response is different for pixels in proximity to a finger’s ridge or valley. A dedicated chip read and process the recorded signal. All this is done in a short period of time and without the user feeling any heat.
In the following table the comparison between two fingerprint sensors for smart card application:
Fingerprint sensors have been available in the market for many years but only recent technological progress allowed companies to make very thin and flexible fingerprint sensors flexible ad thin enough to be embedded into an ISO/IEC 7810 ID-1 and CR 80 compatible card body.
All current flexible fingerprint sensors have similar
Because fingerprints are unique and difficult to forge, Fingerprint Cards unlock a new, higher level of security while keeping relatively low implementation cost. In fact, apart from the high price tag (we are still in the very early stage development of this market so components yield is still low and market demand extremely small) of a fingerprint-enabled smart card, the huge advantage is that there is no need to replace neither update existing readers (POS, Access Control Readers, Desktop Readers) infrastructure simply because the whole identification/authentication process is entirely performed in-card.
In contrast with the traditional fingerprint recognition systems, a Fingerprint Card makes the need for biometric databases redundant, since the biometric data is securely stored on the card itself for each individual user. Only the rightful owner of the card can use it, and the fingerprint data cannot be extracted from the card.
As of time of writing, February 2017, among the very few commercial deployments of fingerprint-enabled financial cards I think is worth to mention F.CODE, a solution made possible by the following companies:
- Fingerprint Cards AB – Fingerprint sensor design
- Shenzhen O-Film Tech – Fingerprint sensor manufacturing
- Zwipe – Biometric authentication engine
- Oberthur Technologies – Smart card chip development, Smart card chip OS, Integration and distribution of the complete card
From what I have seen from the few current Fingerprint Cards the personalization process shall take into account the fact that the card body includes a lot more electronics than a regular card. Therefore I believe this family of cards cannot be embossed, instead direct-to-card printing, retransfer printing, inkjet or laser engraving thermal transfer should be used for their personalization. For Financial Cards rear indent of CVV/CVC should be potentially feasible, if no critical elements are present below the marking area.
In terms of compliance with the international standards, namely the ISO/IEC 7810:2003 – Identification cards — Physical characteristics, several company declare that their fingerprint cards thickness are compliant with the ISO meaning nominally o.76mm (1/32 in) but – as far as I know – no fingerprint card is below 0.8mm.
About the Type S2 cards, they are mostly used for access control and most of them normally embeds a battery that power the fingerprint sensor, its CPU and the status LEDs. The inner electronics is most of the times encased in a clam-shell plastic case.
One last thing worth to mention is that a card in order to be compliant with the ISO/IEC 17839-1:2014 shall also have a feedback mechanism (man-machine interface) such as a buzzer, a LED or a LCD, to inform the user when the fingerprint reading is ongoing or performed.
Companies involved into Fingerprint Cards business from the Card Industry Directory.