Research: The Rise of Biometric Cards – State of the art and future challenges for card manufacturers

By | October 6, 2017

This is a research about Biometric Smart Cards conducted from January through September 2017. The data presented have been collected through various means, including interviews with company representatives, CEOs, CFOs, CTOs, shareholders, researchers, developers, consultants, international standard experts, people involved professionally in the smart card and biometric industry. The views and opinions expressed in this research are those of the author and do not necessarily reflect the official policy or position of the mentioned companies or organizations. The author is neither sponsored nor paid by any of the companies mentioned in this work.

This research was presented for the first time at the International Card Manufacturers Association (ICMA) CardTrex Europe Conference held in Milan on 5 and 6th October 2017.

You are welcomed to share this content, however I kindly ask you to mention or link to the original page.

Should you have any comment about this research you are welcome to contact me here.

The entire research in PDF format can be downloaded here:

In this research, I will reference to a smart card that embeds a fingerprint sensor using the terms ‘Biometric Card’, ‘Biometric Smart Card’ or ‘BSC’. FPC is also an acronym of ‘Fingerprint Card’ but I am not going to use it because it’s often used in the biometric industry to identify the Swedish company Fingerprint Cards.


Nowadays unlocking our smartphone with our finger it’s kind of spontaneous gestures despite the fact that just few years back it was all very different. I think that the current wide consumers acceptance of the fingerprint as mean to authenticate and access began in year 2013 with the launch of the iPhone 5S from Apple. Soon after the Apple launch several other smartphone makers follow suit making the process of utilizing a finger to unlock their phone or to authenticate part of our daily life.

A Biometric Smart Card is a smart card where the processes of fingerprint enrollment, template creation, template storage, template matching is completely performed within the card. As general rule when we reference to a biometric card means that all acquired, processed, computed biometric data and associated templates shall never leave the card.

Smart cards have been already used in the past with various degree of success to store biometric credentials. There are currently three systems to use smart cards as secure token within the biometric authentication process: Template-On-Card (TOC), Match-On-Card (MOC) and BSoC (Biometric System on Card). In a TOC scheme the enrollment is performed at an standalone fingerprint scanner device, the device itself (or the system where the fingerprint sensor is part of) perform the creation of the template that is then stored in the smart card. During the Matching process the core system extract the reference template from the smart card and it perform a match with the template generated from the user. This system is potentially subject to Man-in-the-middle attack because during both enrollment and matching there is transit of secret/sensitive data over a – potentially – non-secure channel.

Match-On-Card system is an evolution of TOC where the matching process is performed within the smart card. The step up is practically the fact that the reference template it never leave the smart card. Nevertheless there is a potential risk of man-in-the-middle attach when the reference template is created and when the matching template/acquired image is sent to the card.

A Biometric-System-on-Card do offer higher standards of security when it come to potential external attacks because the acquired fingerprint image, the template creation, its storage, the matching process is entirely performed within the card.

A Biometric Smart Card includes all electronics, firmware and embedded software needed to carry out the Enrollment, Template Creation, Template Storage and Template Matching.

In a BSoC, specific electronic is programmed to process and extract the biometric features from a raster gray scale image generated by the fingerprint sensor. The extracted features are then converted into a digital template that is stored into a secure memory. Upon user verification a matching algorithm gets as input the stored template (the rightful card owner) and the current template extracted from a live image of the person is trying to authenticate. If the two templates matches the card is authenticated and some features of the cards are then unlocked. Typical examples of successful authentication does allow the card to communicate with a smart card reader for access control or to perform a payment transaction. 

A BSoC is basically an enabler of Multi Factors Authentication (MFA) where the evidence are represented by the Card = something you have, Fingerprint = something you are and – optionally – a PIN = something you know.

Among the many uses of the Biometric Cards I think are worth to mention:

  • To reduce Card-Present-Fraud in Payment Cards
  • For identification in Access Control
  • As proof-of-life for ID Cards / Government Cards / Subsidy Cards

Generally speaking Biometric Cards can be practically used in most of the current smart card application as additional level of security or anywhere is necessary to establish a unique link between the card and its rightful owner.

This is a generic representation of a Payment Biometric Card with some of the elements that can be present on it that I will use as sample to explain how is made.

This is an exploded view of a reference Biometric Card, starting from back to front we have:

  • Back Side Overlay: this is the normal transparent overlay present in most of common PVC cards.
  • Back Side Layer: this is the normal backside printed side of the card. It can contain magnetic stripe, signature panel, hologram and other elements.
  • Inlay: this is the core of the Biometric Card that it contain all the additional components to add the biometric functions to the smart card.
  • Front Side Layer: this is the normal frontside printed side of the card. Notice the additional cavity for the fingerprint sensor.
  • Front Side Overlay: this is the normal transparent overlay present in most of common PVC cards;
  • Micro module: this is a common smart mart micro module that contain the gold-plated microconnector with the microcontroller attached.
  • Fingerprint Sensor: this is the fingerprint area sensor that is physically bonded to the inlay.
  • Sensor Bezel: this is the conductive bezel that is normally placed on top of the fingerprint sensor.

The layers of a Biometric Smart Cards are bonded together with an industrial process called Lamination. The two most popular type of Laminations are:

  • Hot Lamination: the layers are collated together and a specific machine apply pressure at various temperature to let the layers to bond together. This is by far the most common process to make standard smart cards and I would expect to become also popular for making Biometric Smart Cards. This process is normally cheaper if compared with Cold Lamination.
  • Cold Lamination: the inner layers of the sheets are coated with a pressure activated adhesive and a mechanical press binds them together. The card bodies can be obtained by injection moulding or mechanical punching. This process cannot be fully automated so some manual labor is necessary. This is the reason why the cold lamination is popular in Asia Pacific and some local card manufacturers have optimized the process for medium production volume. I don’t think this process can be easily adapted for mass production batches.

The core of a Biometric Smart Card is a flexible printed circuit board called FPCB or Inlay. The inlay is developed by the Biometric Solution Providers and is sold to Card Manufacturers for embedding into their cards.

In the illustration are depicted some of the elements that can be present on a Biometric Smart Card Inlay:

  • Micromodule Contact Pad: this is were the smart card micromodule is embedded. Each Biometric Smart Card Solution Provider pre-approve one or more smart card chips to be compatible with their platform.
  • Fingeprint Sensor Contact Pad: this is where the fingerprint sensor is going to be embedded.
  • Battery or Supercapacitor: used to supply power to the fingerprint sensor and the MCU.
  • Status LED: one or more status / operational LED are present in most Biometric Smart Cards.
  • Antenna: for contactless or dual interface Biometric Smart Card a printed antenna is present on the inlay.
  • Buzzer: for audio feedback of operations.
  • LCD or e-Paper display.
  • Passive components: resistors, condensers and few small SMD components are normally present on the flex PCB.

Most of the inlays currently in the market are slightly smaller than a card size in order to facilitate their fusing between the front and back side layers.

As of today there are no standards about how the fingerprint authentication shall interact with the smart card chip so each Biometric Card Solution Provider have developed their own solution.

Among the most popular operative strategies I think are worth to mention the following:

  • IC Power Supply: the default state of the card is not powered so if the user try to use the card for a transaction or to gain access the card does not produce the ATR even if a power supply is applied to the micromodule contacts. After a successful user authentication the card is powered up and working normally.
  • APP Status: the default state of one or more applications loaded into the smart card chip is Disabled so when the card terminal try to select a specific application the card won’t allow the operation. After successful user authentication the status flag of the APP (or the APPs) is set to Enabled and it can be selected.
  • Double ATR: upon warm reset the card send the ATR that is received by the terminal. The terminal start counting a predefined number of clock cycles monitoring for a second ATR. If a second ATR is sent within a maximum number of clock cycles the terminal ‘understand’ that user authentication has been performed successfully else it stop communicating with the card (or send to cards commands to initiate the PIN request).

A Biometric Smart Card need power supply to operate. The power can be obtained by a battery or harvested wireless from the contactless card reader.

Biometric Smart Cards types with Batteries:

  • With no rechargeable battery: when the internal battery is exhausted the card need to be exchanged with a new one.
  • With rechargeable battery + Chip contact: they get power from the smart card chip contact pads.
  • With rechargeable battery + Energy Harvesting: they get power from the energy harvested trough the contactless antenna.
  • With replaceable battery: this is possible only for Biometric Cards for Access Control application where the energy supplied by the terminal isn’t enough to power the card.

Biometric Smart Cards types without Batteries:

  • No Battery + Chip Contact: the card is powered through the smart card chip contacts. It immediately switch off when the card is removed from the card reader. Potentially possible, not really practical for most of common application. For sure this is the cheapest implementation of Biometric Smart Card.
  • No Battery + Energy Harvesting: the card is powered by the energy harvested trough the contactless antenna. This is a very popular method for powering dual interface payment biometric smart cards.
  • No Battery + Supercapacitors: the card is powered by a supercapacitor, a device that can be considered something between an electrolytic capacitor and a rechargeable battery.

Flexibles Lithium-ion batteries are very popular in Biometric Smart Card design, however:

  • In some countries are considered “dangerous goods”.
  • In some countries are subject to certification process.
  • Can be subject to transport limitations by couriers and airlines.

This is the reason why most Biometric Smart Card Solution Providers are trying to reduce if not eliminate them. Supercapacitors are a viable alternative to rechargeable batteries offering short-term energy storage (that is exactly what is needed for a fingerprint authentication), rapid charge cycle (card does not stay within the electromagnetic field of a contactless reader for hours) and availability in very compact and flexible packaging.

A Biometric Smart Card without battery or supercapacitor needs a terminal to execute the enrolment or the verification process.

A biometric card must have an additional cavity where the fingerprint sensor is exposed. The cavity can be made with several processes:

  • Sheet Punching: the cavity is created by mechanical punching of the Front Side Layer after the color press printing. The punching is performed on the standard 24 / 48 cards PVC sheets. This process is suitable for mass production.
  • Mechanical Milling: the cavity is created by mechanical milling on a single card with the same equipment used for micromodule milling and embedding process. To use this process the card manufacturer shall add a milling station and an embedding station to its equipment. To use this process the area sensor shall be delivered on reel. This process is suitable for mass production.
  • Laser Milling: some trials have been performed using a laser for milling the fingerprint sensor cavity. Results were very good on PC, not so good on PVC. I don’t believe this technology will have much future.
  • Injection Moulding: the fingerprint sensor and the micromodule cavities are created with the Injection Moulding techniques that is popular for making SIM Cards. This process, that as main material uses ABS, creates the two halves of the card and the back side of the card (sometime the front too) is recessed in order to host the Biometric Card Inlay. This process does produce smooth and clean cavities and do not produce PVC debris. The card is then assembled by Cold Lamination. The disadvantage of this process is that the cards must be printed individually before micromodule and sensor implanting. The process does require some manual labor and it’s currently used with success by several card manufacturers in Asia Pacific. 

Nearly all first prototypes/version of biometric cards had a swipe sensor, that was the most easily available in the sensors market. Swipe sensors output a large bitmap image of the fingerprint offering an high quality input to the minutia generation algorithm. The problem was that in order to achieve a good quality fingerprint image the user had to follow a precise procedure for the finger swiping. Tests conducted among test users showed that people with no familiarity with the finger swiping process struggled to understand how to use the sensor or used the sensor producing very low quality images. Companies soon understood that despite its quality, the swipe sensor was not an optimal choice for a consumer product. So the research turned to the area sensors that offered simplicity and extremely short learning curve. Here others problem arises because most of the area sensors available during the years 1998-2002 were based on a silicon substrate therefore rigid and not ideally suitable for the semi-flexible nature of the smartcard. Nevertheless many prototypes carrying rigid area sensors were produced laying the ground for the following generation of area sensor with polymer-based flexible sensing area and separated controller chip (off-chip) that is nowadays the standard. The communication channel between the fingerprint sensors and its controller IC might be considered a weakness of the system this is why most sensor manufacturers use a fully encrypted data & control interface between them.

Among the many manufacturers of fingerprint sensors, only eight of them offer products optimized for smart cards. As of time of writing I think that the Swedish Fingerprint Cards is the company with the highest specific investment into sensors for smart cards. On September 21, 2017 they launched T-Shape, a smartcard optimized sensor delivered on 35mm format, that can be embedded on card using the very same equipment used for the micromodule. This is a real deal breaker if confronted with other solutions where sensors are delivered either “on tray” or already embedded onto the inlay.

The Norvegian company IDEX is also offering the Eagle family of off chip sensor dedicated for smart card application. IDEX sensors have been selected by major card manufacturers for their launch Biometric Smart Cards.

A typical Area Sensor is made of thin flexible polymer and most of them have the following features:

  • Ability to scan a fingerprint at a resolution of 500 DPI. Sensors with smaller resolution compensate with a larger sensing area.
  • Almost all of them do have several ways to mitigate ESD and avoid components burning.
  • The outer surface is often coated with a very thin protective layer and most of them are declared to withstand at least 1 millions of touches.
  • Ability to sense when the finger is put on the sensor and sending wake-up signal to the card to initiate the fingerprint acquisition process.
  • They produce an 8 bit (256 gray scale levels) image that is sent to the Fingerprint MCU for processing.
  • Ability to read the fingerprint from any angle. Early models were only able to read fingerprint from a specific orientation.
  • Most of them are currently delivered to customer on trays and this make their assembly into the card or card inlays pretty complex. I expect that most of the sensor makers will migrate to 35mm or Super 35mm reel format that is the most commonly used within the Smart Card Manufacturing Industry. As far as I know the first company of the industry that will ship area sensors on reel is Fingerprint Cards.
  • Some area sensors includes into their design the bezel in form of a continuous or dotted frame along the borders of the sensor.

The bezel is a thin frame made of metal or other conductive material, that run along the fingerprint sensor border that have the main function to electrically drive the fingertip during the fingerprint sensing process other than proving ESD protection. The bezel does also act a “sealing gasket” between the external environment and the card inlay.

The bezel can also have aesthetic functions helping to cover the soldering point of the fingerprint sensor and/or cover the fingerprint sensor cavity.

In reference to Biometric Smart Cards we can have several type of bezel:

  • Bezel supplied as external element that the Card Manufacturer shall apply on the top of the Fingerprint Sensor;
  • Bezel supplied as integral part of the Fingerprint Sensor;
  • Fingerprint Sensors with no bezel at all.

When present the bezel become integral part of the Biometric Smart Cards and therefore shall be flexible enough to comply with ISO/IEC 10373-1.

In the illustration a cross section of a sample Biometric Smart Card. The bezel help to keep the fingerprint sensor in place and should not extend over the card surface to avoid scratch when the cards are stacked.

The Fingerprint Sensor can be on the same level of card surface but most Biometric Card Solution Providers prefer to have its outer sensing surface slightly recessed in order to reduce its wear and tear.

The MCU communicate with the Fingerprint Sensor Driver IC and the Smart Card Secure Elements using SPI or I2C interfaces. Some vendors encrypt the communication from/to Smart Card IC and the Fingerprint Sensor. The communication network of the MCU, the Smart Card IC, the Secure Flash and the Fingerprint Sensor is a sensitive topic for the security qualification of the product because it’s where external attacks can most likely take place.

The RF IC is another key component of the Biometric Smart Card Inlay because, when present have the delicate duties of:

  • Harvest the power from the RFID excitation field.
  • Regulate the power distributed to inlay components.
  • Generate and Regulate the clock.
  • Generate the Reset signal.
  • Manage the collision that can happen when two or more contactless readers try to interact with the card.
  • Charge the rechargeable battery or the supercapacitor.

Most of Biometric Cards include into their design one or more elements for user feedback. Those are typically LEDs, buzzer or a LCD Display and used to communicate with the user:

  • Card On / Off.
  • Enrolment status (successful / failed).
  • Fingerprint verification status (successful / failed).
  • Battery status.
  • OTP.

Cards with at least one feedback mean are compliant with ISO/IEC 17839-1:2014.

A Biometric Smart Card can be enabled with one or more contactless interfaces including the popular ISO 14443 Type A, B, C, NFC or Bluetooth LE. Biometric Card focusing on Access Control application can be enabled with one or more interfaces among the following:

  • HID 125 kHz / HID iClass
  • Mifare Classic / DESFire EV1
  • Legic Advant
  • Atmel 5577

The Flexible PCB (FPCB) is manufactured by companies specialized in flexible electronics under specification from the Biometric Card Solution Provider. This industrial process output:

  • FPCB Inlays mounted on 24 / 48 prelam sheets.
  • Individual FPCB Inlays, without fingerprint sensor, usually delivered in trays.
  • Individual FPCB Inlays with fingerprint sensor mounted, usually delivered in trays.

The manufacturing process for a Biometric Smart Card might vary according to the inlay delivery format decided by the Biometric Card Solution Provider:

  • PVC sheets are printed with the usual CMYK press process.
  • If the inlays are delivered with fingerprint sensor already embedded, the front side sheet is punched and the fingerprint sensor cavities are created.
  • The layers of the cards, typically back side overlay + printed back side + inlay + printed front side + front side overlay, are collated, aligned and put between the lamination plates.
  • The sheets are laminated.
  • The laminated sheet goes trough a punch machine that detach the cards from the sheet.
  • The produced cards are aligned in the same orientation, gathered and stacked.
  • An automated machine perform the mechanical milling of the micromodule cavity.
  • An automated machine embeds the micromodule into the card body.
  • If the sensor cavity was not done before, then a machine create the fingerprint sensor cavity by mechanical milling.
  • The embedding machine apply conductive epoxy on the contacts pads.
  • The embedding machine apply adhesive epoxy on the walls of the cavity.
  • The embedding machine embeds the sensor in the cavity.
  • If the sensor does not include the bezel into its design, the embedding machine apply the bezel on the top of the fingerprint sensor.

This is a reference process and is subject to variations according to the process in place at card manufacturer site.

Biometric Smart Cards can be personalized with most common personalization equipment, however it shall be taken into consideration two main facts:

  • The card include a flexible electronic circuit board so anything that impact on the inner layer of the card shall be avoided;
  • The fingerprint sensor shall be left exposed.

That said, the most popular (and safest) personalization technologies used for Biometric Cards are Laser engraving and Inkjet printing.

Direct to Card and Retransfer printers can also be used but preliminary tests are necessary to make sure the card can pass freely within the printer transport mechanism. Some Biometric Smart Card have a raised bezel that can jam into the card transport mechanism or/and damage the thermal printhead.

Rear Indent, the technology typically used to imprint the security code on the back of financial cards can be possibly done if no components are present in that specific area of the inlay.

Mechanical Embossing and Front Indent shall not be performed because of the very high risk of damaging the delicate electronic inlay.

Card overlaminates with secure elements such as holograms or security printing inks that cover the whole front surface of the card are highly discouraged because normally cover the whole sensor area making the card unusable. Security overlaminates can be applied on the back side of the card.

Because Biometric Smart Cards are always thicker than standard ISO smartcards (0.76 mm – 1/32 in) it’s always recommended to try to personalize a single card before launching the mass process.

The Biometric Card Solution Provider is primarily an holder of IPs on process and technologies that allows Card Manufacturers to produce Biometric Smart Cards. Very few Card Manufacturers have capability to fully develop, industrialize and produce a Biometric Smart Card totally in-house.

The Biometric Card Solution Provider deliver a biometric solution to the Card Manufacturers that is made of:

  • Flexible Inlays / prelaminated sheets.
  • Fingerprint Sensors (embedded on inlay or as separate component).
  • API for MCU interface with Smart Card Chip.
  • Development tools that includes prototyping / testing / production / personalization tools.
  • Enrolment software package or API / Windows drivers.
  • Licenses for components / applications / matching algorithm and industrial processes.

The fingerprint templates matching algorithm can be licensed by third parties such as Precise Biometrics or Innovatrix but can also be developed by the Biometric Card Solution Provider or by the Fingerprint Sensor vendor.

This is a map of the key trials and pilots made with Biometric Smart Cards in the last four years:

Year 2014 – Sparebanked DIN – Norway
This was a joint pilot Zwipe – MasterCard and probably world first Biometric Payment Cards endorsed by a large card processors. The smart card EMV chip was supplied by Oberthur.

Year 2015 – Danske Bank- Denmark
This was a joint pilot Zwipe – MasterCard had with selected customers of the Danish Danske Bank. The smart card EMV chip was supplied by Oberthur.

Year 2015 – Battistolli – Italy
This was a pilot done in Italy using Card Tech Biometric Cards and customized POS terminals by Ingenico. The Biometric Cards were used for identification and access of personnel working at secure logistic company Gruppo Battistolli, specialized in transporting cash, jewelry and other kind of valuables. 

Year 2016 – Bundesdruckerei – Germany
This was a pilot made with Bundesdruckerai Biometric Smart Card called GoID, used as company ID among its employees. The GoID card is made of hard-wearing fibre composite and it includes a 12 keys pinpad and a lanyard hole.

Year 2017 – Pick n Pay – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at the leading South African supermarket retailer operator Pick n Pay.

Year 2017 – Absa Bank – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at the leading South African supermarket retailer operator Pick n Pay.

Year 2017 – Bulbank – Bulgaria
This was a Biometric Payment Card pilot run by OT-Morpho (now Idemia) and Mastercard.

Year 2017 – Pleinair Casino – France
This pilot – that is still ongoing at Plenair Casino La Ciotat in France – uses 7000 MeReal Biometrics V2 Biometric Smart Card. The cards were launched initially to be used by employees to grant access to private back-of-house and privileged areas, as well as provide record-keeping for time and attendance. It’s expected that the group will add more applications for Access and Payments in the future for employees and for its 1 million VIP players who currently carry a contactless loyalty cards.

It’s worth to mention that the Chairman of the Supervisory Board of the Groupe Partouche, the casino’s owner, Mr. Patrick Partouche is MeReal Co-Founder and shareholder.

Year 2017 – United Nations – Switzerland
The United Nations in Geneva is testing 500 Biometric Cards loaded with physical and logical access applications. The tender for the cards was won by Korea Smart ID that developed the Biometric Smart Card using an Elan Microelectronics fingerprint sensor and an inlay made by Jinco Universal.

Year 2017 – Instanbul Municipality – Turkey
The Korean company KSID won a tender for the supply of Biometric Smart Cards to be used as authentication token for the official taxi drivers of Instanbul Municipality.

Year 2017 – Woori Bank – South Korea
KSID won a tender for the supply of Biometric Smart Cards to Woori Bank for bidding at the South Korea National Market Agency of the Public Procurement Service.

Year 2017 – AirPlus International – Germany
The Korean company Kona I is deploying their Biometric Smart Card to AirPlus International, a leading international provider of solutions for the management of business travel. The card – that have payment and loyalty features enabled – feature a Fingerprint Cards sensor.

CardLab is a Danish private company founded in 2003. They have a very solid portfolio of patents on powered smart cards and offer a flexible platform where customers can choose the elements to be included in the cards.

CardLab was one of the first company to make Biometric Smart Cards in Europe and – as many of the early adopters – using a swipe fingerprint sensor. The company new manufacturing plant is located in Bangkok, Thailand were they plan to produce also Biometric Smart Cards.

The company have co-developed their Biometric Smart Card with the Danish company QuardLock also using funds granted by Europe 2020 SME Program. 

CardLab new Biometric Smart Card is currently under industrialization and it should be ready for mass launch early 2018. This card will feature Fingerprint Cards FPC 1321 fingerprint sensor.

CardTech is an Italian private company founded in 2006 by Mr. Fabrizio Borracci. The company launched their first Biometric Smart Card embedding a swipe sensor then migrated to an area sensor.

As of time of writing, the company it uses almost exclusively area sensors from IDEX that are embedded in the inlay at the end of the manufacturing stage of the flexible electronics.

CardTech it support a tier-one card vendor and several 2nd tier card manufacturers.

CardTech propose an architecture where the template matching is performed by the Smart Card Chip and the main product marketed today is a contact-only Biometric Smart Card. A Dual Interface version is under development.

Datang Microelectronics Technology Co., Ltd (DMT), chinese name 大唐微电子技术有限公司, formerly the IC center of China Academy of Telecommunications Technology (CATTIC), is a holding subsidiary of Datang Telecom Technology Co., Ltd (DTT, 600198. SH), a State owned 3.3B$ industrial group. As one of the largest IC design companies in China, DMT has established Asia’s largest, highly complete and sophisticated smart card chip production line. The company develop, produce and distribute ICs for smart cards, micromodules, fingerprint sensors and flexible PCB inlays.
Datang key products are:

  • Contact Biometric Smart Card with rechargeable battery
  • Dual Interface Biometric Smart Card with rechargeable battery
  • Clam shell Biometric Smart Card (non ISO) with rechargeable battery

Jinco Universal is a private Taiwanese company founded in 2005. Jinco is Asia’s largest supplier of OEM / ODM of powered smart cards.

Although they produce their own Biometric Smart Card they have specific partnership with KSID Korea (IC Chip OS + Card Manufacturing) and Elan Microelectronics (Fingerprint Sensors). Together they have participated and won the United Nations tender for the Biometric Cards trial.

They do have few patents on Biometric Cards and their manufacturing process is almost entirely focusing on Cold Lamination technology.

They do offer Contactless Biometric Cards with rechargeable battery, dual interface energy harvesting Biometric Cards and dual interface biometric cards with rechargeable battery plus dynamic magnetic stripe and display. As optional contactless interface is also available the Sony Felica RC-SA01 transponder chip.

MeReal Biometrics is a private company based in Hong Kong founded in 2009 and is led by Patrick Partouche and Philippe Blot. Mr. Partouche other being chairman of MeReal Biometric is also Chairman of the Supervisor Board of Groupe Partouche. Mr. Blot is CEO and Chairman of UINT, a French company specialized in powered smart cards.

They have several patents related to Smart Cards including some related to transmission of OTP from card to terminal by means of acoustic or RFID.

The Biometric Smart Card platform offered by MeReal Biometrics make use of rechargeable batteries and among their product range there is also a compact portable contactless battery charger.

First version of their Biometric Smart Cards were using swipe sensor lately switched to area sensor. Trials are currently ongoing among Partouche Group employees. Partouche Group is an industrial group active in casino, hotel, restaurants and spa businesses.

Morix is a Japanese private company founded in year 2005 and is one of the oldest company operating in the field of Biometric Smart Cards.

Morix have co-developed with ASD an area sensor for Smart Card that is used in their product and also sold as standalone device.

The key product of the company is a Biometric Smart Card with non-rechargeable battery while a dual interface NFC Biometric Smart Card is currently under development.

Tactilis is a private company founded in Singapore in 2009 run by smart card industry seasoned professionals led by Michael Gardiner (CEO), Adriano Canzi (CTO) and David Martin (CFO). The manufacturing base is located in Penang, Malaysia.

Their core product is a dual interface, energy harvesting Biometric Smart Card with area sensor from Next Biometrics. Their Biometric Smart Card is powered by the popular Cortex M4 and they offer secure flash storage up to 4 GB, opening the door to several advanced applications. The card is assembled using a patented process.

The product is available as complete card or as flexible inlay on OEM license.

Tactilis have strategic technological partnership with a leading tier-one card manufacturer.

Zwipe is a private Norvegian company founded in 2009 by Kim Kristian Humborstad that is currently managing the company as CEO.

Zwipe is invested since 2015 by Kuang-Chi Group (深圳光啟集團) a Chinese diversified technology conglomerate that develops and invests in telecommunication, aerospace, artificial intelligence, metamaterial, smart-city and digital health technologies. Kuang-Chi is also majority shareholder of a JV setup in 2016 with Zwipe to promote biometric products in China.

Zwipe have the largest IP portfolio of the Biometric Smart Cards industry with more than 50 patents filed.

The current Flexible PCB is developed around a Fingerprint Cards area sensor, however their MCU and inner architecture is designed in such a way to be easily adapted to other area sensors.

Main products by Zwipe includes:

  • Dual interface, energy harvesting Biometric Smart Card with focus on payment applications.
  • Contactless, energy harvesting Biometric Smart Card with focus on ID applications.
  • Clam shell design, rigid, non-ISO, access control Biometric Card powered by a replaceable battery. This is the first commercial product of the company and is currently available worldwide through a network of selected partners.

This table summarize the main type of Biometric Smart Cards offered by the companies introduced in the research.

The development on Biometric Smart Cards by the tier-one card vendors is the following:

  • Gemalto: industralization is currenlty undergoing at their R&D centers and plants in France and Germany and I would expect them to have the product ready by end of the year. The product will be on demo at Trustech.
  • Idemia (former OT-Morpho): is the first company among the first-tier card vendors to have completed the industralization and is already selling Biometric Smart Cards for various small trials and projects worldwide. They mostly use an area sensor from IDEX with the Biometric Authentication Engine developed by the Morpho team (now integral part of Idemia).
  • G&D: the German company does not market any BSoC in their Payment and ID (Veridos) products portfolio. I am not aware of any ongoing development, this doesn’t mean that they are not investing in this technology. I would speculate that the Bundesdruckerei biometric card called GoID will be moved to Veridos products portofolio. It seems anyhow that GoID is a very well engineering product, made of of hard-wearing fibre composite with a very nice keypad but it’s current steep price is making it’s way into the global market limited to some narrow verticals.
  • Korea Smart ID: it’s the company that by far shipped the largest number of Biometric Smart Cards. Among the several projects won, are worth to mention:
    • Logic and Access Control Card for United Nations.
    • Taxi Drivers ID License Card for Instanbul Municipality.
    • E-Procurement Platform Access Card for Woori Bank.

For year 2017 I expect a global combined volume of shipped Biometric Smart Cards below 20M units.

Year 2018 will mark the beginning of mass deployment for Biometric Smart Cards with a global volume that will stay below 100M units.

By the end of year 2018 new Inlay ASICs will be ready and optimized fingerprint sensors will be available at lower cost generating a new, larger wave of issuance that might likely reach at least 250 millions of Biometric Cards during the Year 2019.

Biometric Smart Cards will eventually become part of most card vendors portfolio and the cards will reach a pricing level that will enable new applications. Isn’t an easy call making a forecast for the year 2020, let’s say that with the indicators available today I would put that number around 400M pieces shipped globally.

Current ASP of a personalized Biometric Smart Card without battery is between 14 and 18USD. Pricing for very low volume, e.g. hundreds cards can potentially almost double the price. This is happening because product industrialization have been just completed or is under completion thus we can’t enjoy yet the pricing given by the economy of scale.

Pricing for battery-powered Biometric Smart Card are normally higher of those without and clamshell biometric cards for access control cost even more because of the moulded rigid shells and manual labor for its assembly.

Kindly note that the provided forecast is purely indicative and might be subject to significant variation mainly due to:

  • Variation in price of the fingerprint sensors.
  • New ASICs integrating MCU + RF IC + Fingerprint Sensor driver IC + Secure Flash. If the market will become significantly relevant I would expect smart card chip manufacturers to power up their IC design integrating all is needed to fully power and control a Biometric Smart Card. This last hypothesis will require an highly coordinated effort between chip manufacturers, sensor manufacturers, biometric authentication algorithm developer and smart card vendors.
  • Market demand: a strong market pull will drive pricing down.
  • Popularity wave created by Card Issuers.
  • Ability of Card Manufacturers and Biometric Solution Providers to optimize the industrialization process.

The industrial process of making flexible PCB is well established, so I only expect slight reduction in FPCB cost when Biometric Cards shipping volumes will go up.

ISO specifications for the Biometric Smart Cards are being developed by the Technical Committee ISO/IEC JTC 1/SC 17 and their scope of work cover:

  • Identification and related documents
  • Cards
  • Security devices associated with their use in inter-industry application and international exchange.

The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 1: Core requirements define two type of cards:

  • Type S1:
    • Same dimension as ISO/IEC 7810
    • Same torsion and bending requirements as ISO/IEC 7816-1
    • Contact interface as specified in ISO/IEC 7816-3
    • Enable use of USB interface as specified in ISO/IEC 7816-12
    • Contactless interface as specified in ISO/IEC 14443
  • Type S2:
    • Card is 2.5 mm (0.098 in) thick
    • The card cannot be inserted by mistake in conventional card slot
    • Width and height same as ISO/IEC 7810
    • No need to comply with flexibility requirements of ISO/IEC 7816-1
    • Only ISO/IEC 14443 contactless interface

The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 1: Core requirements specify the key characteristics of the biometric acquisition element on card:

  • For Area Sensors:
    • They shall have a minimum active area of 169 mm2 (13 x 13 mm or 0.152 x 0.152 in)
  • For Swipe Sensors:
    • They shall have a linear acquisition element measuring minimum 13 mm (0.512 in)
  • Allows presence on card of other electronic elements able to acquire voice (microphone), facial image (camera) or card user signature (signature input pad).

The ISO/IEC 17839-3:2016 – Biometric System-on-Card – Part 3: Logical information interchange mechanism covers the main commands, protocols and procedures to coordinate the biometric enrollment/verification with the smart card microcontroller and the terminal:

  • Commands and data structure
  • Internal Enrollment and External Enrollment
  • Initiation of verification
  • Status feedback
  • Processing time management and extension
  • Capability discovery mechanism

Other ISO TS / TR related to Biometric Cards includes:

EMVCo is currently working on the 2nd Generation Specifications that will include Biometric Cards. The specifications on the terminal side have been completed while those of the cards are still ongoing. In November 2017 the working group will meet in Paris also to discuss and potentially finalize the specifications for the Biometric Card.

The latest 3D Secure version 2.0 use token-based and biometric authentication, instead of static passports.

Visa, MasterCard and American Express have updated their Payment Applets specs in order to be biometric-compliant introducing the possibility to use card holder Fingerprint verification as alternative to PIN.

The European Union, on 25 November 2015 have issued the directive 2015/2366 on payment service in the so called “internal market”.

The Directive, that is currently in force provide the legal foundation for the further development of a better integrated internal market for electronic payments within the EU and, among the several new recommendations, it introduce the requirements for “Strong User Authentication”.

Strong User Authentication requires the use of at least two independent elements among:

  • Knowledge category > example the PIN
  • Possession category > example the card
  • Inherence category > example the fingerprint

Development of biometric authentication at ICAO working groups is still ongoing. As of time of writing there is still no specific reference to Biometric Systems on Cards.

Biometric Smart Cards will enjoy wide acceptance because of the following key factors:

  • Consumers familiarity with Smart Cards and smartphones.
  • Relatively slow consumer adoption of mobile payments.
  • Payment industry need to reduce Card-Present transaction.
  • Improve verification and authentication processes that in some context doesn’t work anymore, even with smart cards. Just think of a classical Access Control implementation where a thief can steal someone else badge and gain physical or logical access to facilities and/or systems containing sensitive data.
  • Very low or no implementation cost. Apart from the cost related to acquisition of new cards and the initial users enrollment, on the terminal side minor or no changes are required.
  • New local, regional, national, trans-national legal framework / recommendations / laws on management of biometric data are being published and updated; in most of them is indicated that biometric data (either raw or processed) cannot be stored in a centralized database. This is a major shift of paradigm toward many current implementation were biometric data are stored in a single large database.
  • Last, but not least the elimination of risks associated to infection transmission with standalone fingerprint scanners.

Further development of Biometric Smart Cards can he hampered by several risks:

  • Rejection due to personal reasons.
  • Cultural incompatibility, due to certain religion believes, for examples.
  • Lack of respective biometric feature, example people born with the rare genetic disorder called Adermatoglyphia, where the person have no fingerprints. Dermatitis can also cause inflammation of the skin and temporarily leave the individual unable to leave fingerprints. The autoimmune disease Scleroderma can also create a condition where the person fingerprint is extremely light and sometime impossible to be recorded by a fingerprint scanner.
  • Criminal organizations might develop techniques to enroll/verify fake or artificially built fingers avoiding the liveness detectors and other technologies on board of the fingerprint scanners.
  • Biometric Smart Cards might be challenging to use in harsh climatic conditions such as places with high temperature, high humidity and high temperature.

Given the very fast pace of today technology, it won’t be easy to predict what will happen in the future. However, I will provide my very personal view of what might be happen in the next 3-5 years from now:

  • Fingerprint Sensors will extend existing liveness detection with vein sensing capability, blood flow and heartbeat detection.
  • In terms of electronics I foresee a drastic reduction of components on the flexible PCB:
    • Y2020-2022 – Two main chips on board: the Smart Card Microcontroller + custom ASIC.
    • Y2023-2025 – All electronics embedded into the Smart Card Microcontroller.
  • Fingerprint sensors will be able to operate under a layer of conductive plastic. This means no more fingerprint sensor cavity and cost reduction due to simplified manufacturing.
  • Behavioral biometric meaning a system comprised of fingerprint and additional sensors able to “learn”, “record” and “detect” user finger behavior in terms of speed, approach point on sensor, rotation on sensor, pressure on sensor and other user behavioural patterns.
  • Contactless fingerprint sensors where the user fingerprint is read without need of physical contact with the sensing surface.
  • Development of compact DNA sequencer able to fit into a smart card format.



The entire research in PDF format can be downloaded here:


Antonio D’Albore is making any representation or warranty, expressed or implied, as to the accuracy, reliability or completeness of the information in the research, and neither Embedded Security News or Antonio D’Albore will have any liability to you or any other persons resulting from your use of the information in this research. Antonio D’Albore undertakes no obligation to publicly update or revise any forward-looking information or statement in this research.

All brands and product names are the property of their respective holders.

© 2017 Antonio D’Albore / Embedded Security News