This is a research about Biometric Smart Cards conducted from January through November 2017. The data presented have been collected through various means, including interviews with company representatives, CEOs, CFOs, CTOs, COOs, CLOs, CMOs, shareholders, researchers, developers, and people involved professionally in the smart card and biometric industry. The views and opinions expressed in this research are those of the author and do not necessarily reflect the official policy or position of the mentioned companies or organizations. The author is neither sponsored nor paid by any of the companies mentioned in this work.
This work is licensed under a Creative Common Attribution-NonCommercial 4.0 International License. This means you can share and use part of, mentioning the original work, and that cannot be used entirely or partially for commercial use.
In this research I will reference to a smart card that embeds a fingerprint sensor using the terms ‘Biometric Card’, ‘Biometric Smart Card’ or ‘BSC’. FPC is also an abbreviation of ‘Fingerprint Card’ but I am not going to use it because it’s often used in the biometric industry to identify the Swedish company Fingerprint Cards.
Should you have any comment about this research you are welcome to contact me here.
The entire research in PDF format can be downloaded here:
In this research, I will reference to a smart card that embeds a fingerprint sensor using the terms ‘Biometric Card’, ‘Biometric Smart Card’ or ‘BSC’. FPC is also an acronym of ‘Fingerprint Card’ but I am not going to use it because it’s often used in the biometric industry to identify the Swedish company Fingerprint Cards.
Nowadays unlocking our smartphone with our finger it’s kind of spontaneous gestures despite the fact that just few years back it was all very different. I think that the current wide consumers acceptance of the fingerprint as mean to authenticate and access began in year 2013 with the launch of the iPhone 5S from Apple. Soon after the Apple launch several other smartphone makers follow suit making the process of utilizing a finger to unlock their phone or to authenticate part of our daily life.
A Biometric Smart Card is a smart card where the processes of fingerprint enrollment, template creation, template storage, template matching is completely performed within the card. As general rule when we reference to a biometric card means that all acquired, processed, computed biometric data and associated templates shall never leave the card.
The electronic representation of the fingerprint is called Template and is it actually a file that can be stored either into the Secure Element (SE) or in a Secure Flash. Most of current implementations of BSC store the Template in the SE.
The Matching process is the operation that compare the acquired fingerprint data with the stored Template. This is a key step of biometric authentication process and this is the reason most of the current implementations perform this in the secure environment of the SE.
Smart cards have been already used in the past with various degree of success to store biometric credentials. There are currently three systems to use smart cards as secure token within the biometric authentication process: Template-On-Card (TOC), Match-On-Card (MOC) and BSoC (Biometric System on Card). In a TOC scheme the enrollment is performed at a standalone fingerprint scanner device, the device itself (or the system where the fingerprint sensor is part of) perform the creation of the template that is then stored in the smart card. During the Matching process the Biometric Terminal extract the reference template from the smart card and it perform a match with the template generated from the user fingerprint. This system is potentially subject to Man-in-the-middle attack because during both enrollment and matching there is transit of secret/sensitive data over a – potentially – non-secure channel.
Match-On-Card system is an evolution of TOC where the matching process is performed within the smart card. The step up is practically the fact that the reference template it never leaves the smart card. Nevertheless, there is a potential risk of man-in-the-middle attach when the reference template is created and when the matching template/acquired image is sent to the card.
A Biometric-System-on-Card do offer higher standards of security when it comes to potential external attacks because the acquired fingerprint image, the template creation, its storage, the matching process is entirely performed within the card.
A Biometric Smart Card includes all electronics, firmware and embedded software needed to carry out the Enrollment, Template Creation, Template Storage and Template Matching.
In the vast majority of the existing current implementations, the Template is stored in the SE. Modern Card Operating Systems allow also possibility to program self-destruction of the Template file if tampering attempts are being detected.
There are however few solutions were the Template is stored in a secure flash, outside the SE.
In a BSoC, specific electronic is programmed to process and extract the biometric features from a raster gray scale image generated by the fingerprint sensor. The extracted features are then converted into a digital template that is stored into a secure memory. Upon user verification a matching algorithm gets as input the stored template (the rightful card owner) and the current template extracted from a live image of the person is trying to authenticate. If the two templates match, the card is authenticated and some features of the cards are then unlocked. Typical examples of successful authentication do allow the card to communicate with a smart card reader for access control or to perform a payment transaction.
Operatively, most BSC are programmed in a way that when the card is powered on, the fingerprint reading starts immediately, so the user shall perform the following steps:
- User get BSC on his/her hand.
- User place finger on fingerprint sensor.
- Authentication / Verification process can be started.
A BSoC is basically an enabler of Multi Factors Authentication (MFA) where the evidence are represented by the Card = something you have, Fingerprint = something you are and – optionally – a PIN = something you know.
Among the many uses of the Biometric Cards I think are worth to mention:
- To reduce Card-Present-Fraud in Payment Cards
- For identification in Logical and Physical Access Control
- As proof-of-life for ID Cards / Government Cards / Subsidy Cards
- As mean to e-Sign Government documents
Generally speaking Biometric Cards can be practically used in most of the current smart card application as additional level of security or anywhere is necessary to establish a unique link between the card and its rightful owner.
This is a generic representation of a Payment Biometric Card with some of the elements that can be present on it that I will use as sample to explain how is made.
This is an exploded view of a reference Biometric Card, starting from back to front we have:
- Back Side Overlay: this is the normal transparent overlay present in most of common PVC
- Back Side Layer: this is the normal backside printed side of the card. It can contain magnetic stripe, signature panel, hologram and other elements.
- Inlay: this is the core of the Biometric Card that it contains all the additional components to add the biometric functions to the smart card.
- Front Side Layer: this is the normal frontside printed side of the card. Notice the additional cavity for the fingerprint sensor.
- Front Side Overlay: this is the normal transparent overlay present in most of common PVCcards;
- Micro module: this is a common smart cart micro module that contain the gold-plated microconnector with the microcontroller attached.
- Fingerprint Sensor: this is the fingerprint area sensor that is physically bonded to the inlay.
- Sensor Bezel: this is the conductive bezel that is normally placed on top of the fingerprint sensor.
The layers of a Biometric Smart Cards are bonded together with an industrial process called Lamination. The two most popular type of Laminations are:
- Hot Lamination: the layers are collated together and a specific machine apply pressure at various temperature to let the layers to bond together. This is by far the most common process to make standard smart cards and I would expect to become also popular for making Biometric Smart Cards. This process is normally cheaper if compared with Cold Lamination. This process cannot be used for cards that includes batteries, displays or buttons into their design.
- Cold Lamination: the inner layers of the sheets are coated with a pressure activated adhesive and a mechanical press binds them together. The card bodies can be obtained by injection moldings or mechanical punching. This process is complex and only very few companies managed to setup a fully automated process. From the information I was able to get it seems that most of Eastern Asia players have in place processes with some manual labor steps. Cold lamination is the only viable choice when the card it contains temperature-sensitive components such as batteries, display, buzzers and buttons.
The core of a Biometric Smart Card is a flexible printed circuit board called FPCB or Inlay. The inlay is developed by the Biometric Solution Providers, manufactured by specialized companies (EMS) and is sold to Card Manufacturers for embedding into their cards.
In the illustration are depicted some of the elements that can be present on a Biometric Smart Card Inlay:
- Micromodule Contact Pad: this is where the smart card micromodule is embedded. Each Biometric Smart Card Solution Provider pre-approve one or more smart card chips to be compatible with their platform.
- Fingerprint Sensor Contact Pad: this is where the fingerprint sensor is going to be embedded. Some suppliers deliver inlays with sensors already mounted on the FPCB.
- Battery or Supercapacitor: used to supply power to the fingerprint sensor and the MCU.
- Status LED: one or more status / operational LEDare present in most Biometric Smart Cards.
- Antenna: for contactless or dual interface Biometric Smart Card a printed antenna is present on the inlay.
- Buzzer: for audio feedback of operations.
- LCD or e-Paper display.
- Passive components: resistors, condensers and few small SMDcomponents are normally present on the flex PCB.
- Test Pads: this is the connection to perform automatic electrical check of the FPCB after the components have been mounted.
Most of the inlays currently in the market are slightly smaller than a card size in order to facilitate their fusing between the front and back side layers.
As of today, there are no standards about how the fingerprint authentication shall interact with the smart card chip so each Biometric Card Solution Provider have developed their own solution.
Among the most popular operative strategies I think are worth to mention the following:
- IC Power Supply: the default state of the card is not powered so if the user try to use the card for a transaction or to gain access the card does not produce the ATR even if a power supply is applied to the micromodule contacts. After a successful user authentication, the card is powered up and working normally.
- APP Status: the default state of one or more applications loaded into the smart card chip is Disabled so when the card terminal try to select a specific application the card won’t allow the operation. After successful user authentication the status flag of the APP (or the APPs) is set to Enabled and it can be selected.
- Double ATR: upon warm reset the card send the ATR that is received by the terminal. The terminal start counting a predefined number of clock cycles monitoring for a second ATR. If a second ATR is sent within a maximum number of clock cycles the terminal ‘understand’ that user authentication has been performed successfully else it stops communicating with the card (or send to cards commands to initiate the PIN request). I don’t have specific detailed information about this method, however it seems to me that it can become difficult to be implemented in timing-sensitive scenarios like, for example contactless payments.
A Biometric Smart Card need power supply to operate. The power can be obtained by a battery or harvested wireless from the contactless card reader.
Biometric Smart Cards types with Batteries:
- With no rechargeable battery: when the internal battery is exhausted the card need to be exchanged with a new one.
- With rechargeable battery + Chip contact: they get power from the smart card chip contact pads. This can be complex to be implemented because frequent recharge cycles can kill the batteries.
- With rechargeable battery + Energy Harvesting: they get power from the energy harvested trough the contactless antenna.
- With replaceable battery: this is possible only for Biometric Cards for Access Control application where the energy supplied by the terminal isn’t enough to power the card.
Biometric Smart Cards types without Batteries:
- No Battery + Chip Contact: the card is powered through the smart card chip contacts. It immediately switch off when the card is removed from the card reader. Potentially possible, not really practical for most of common application. For sure this is the cheapest implementation of Biometric Smart Card.
- No Battery + Energy Harvesting: the card is powered by the energy harvested trough the contactless antenna. This is a very popular method for powering dual interface payment biometric smart cards.
- No Battery + Supercapacitors: the card is powered by a supercapacitor, a device that can be considered something between an electrolytic capacitor and a rechargeable battery. Their use is limited by the high device cost.
Flexibles Lithium-ion batteries are very popular in Biometric Smart Card design, however:
- In some countries are subject to certification process.
- Can be subject to transport limitations by couriers and airlines.
This is the reason why most Biometric Smart Card Solution Providers are trying to reduce if not eliminate them. Supercapacitors are a viable – but costly – alternative to rechargeable batteries offering short-term energy storage (that is exactly what is needed for a fingerprint authentication), rapid charge cycle (card does not stay within the electromagnetic field of a contactless reader for hours) and availability in very compact and flexible packaging.
Multi-function powered cards, example OTP cards with biometric fingerprint sensor are normally available with battery only. Batteries are also used in all those BSC applications where there is the need to verify the cardholder identity without any other device.
A Biometric Smart Card without battery or supercapacitor needs a terminal to execute the enrolment or the verification process.
A biometric card must have an additional cavity where the fingerprint sensor is exposed. The cavity can be made with several processes:
- Sheet Punching: the cavity is created by mechanical punching of the Front Side Layer after the color press printing. The punching is performed on the standard 24 / 48 cards PVC This process is suitable for mass production. Process currently under industrialization.
- Mechanical Milling: the cavity is created by mechanical milling on a single card with the same equipment used for micromodule milling and embedding process. To use this process the card manufacturer shall add a milling station and an embedding station to its equipment. To use this process the area sensor shall be delivered on reel. This process is suitable for mass production.
- Laser Milling: some trials have been performed using a laser for milling the fingerprint sensor cavity. Results were very good on PC, not so good on PVC. I don’t believe this technology will have much future.
- Injection Moulding: the fingerprint sensor and the micromodule cavities are created with the Injection Mouldingtechniques that is popular for making SIM Cards. This process, that as main material uses ABS, creates the two halves of the card and the back side of the card (sometime the front too) is recessed in order to host the Biometric Card Inlay. This process does produce smooth and clean cavities and do not produce PVC The card is then assembled by Cold Lamination. The disadvantage of this process is that the cards must be printed individually before micromodule and sensor implanting. The process does require some manual labor and it’s currently used with different degree of success by several card manufacturers in Asia Pacific.
Nearly all first prototypes/version of biometric cards had a swipe sensor, that was the most easily available in the sensors market. Swipe sensors output a large bitmap image of the fingerprint offering a high-quality input to the minutia generation algorithm. The problem was that in order to achieve a good quality fingerprint image the user had to follow a precise procedure for the finger swiping. Tests conducted among test users showed that people with no familiarity with the finger swiping process struggled to understand how to use the sensor or used the sensor producing very low-quality images. Companies soon understood that despite its quality, the swipe sensor was not an optimal choice for a consumer product. So, the research turned to the area sensors that offered simplicity and extremely short learning curve. Here others problem arises because most of the area sensors available during the years 1998-2002 were based on a silicon substrate therefore rigid and not ideally suitable for the semi-flexible nature of the smartcard. Nevertheless, many prototypes carrying rigid area sensors were produced laying the ground for the following generation of area sensor with polymer-based flexible sensing area and separated controller chip that is nowadays the standard. The communication channel between the fingerprint sensors and its controller IC might be considered a weakness of the system this is why most sensor manufacturers use a fully encrypted data & control interface between them.
Among the many manufacturers of fingerprint sensors, only eight of them offer products optimized for smart cards. As of time of writing I think that the Swedish Fingerprint Cards is the company with the highest specific investment into sensors for smart cards. On September 21, 2017 they launched T-Shape, a smartcard optimized sensor delivered on 35mm format, that can be embedded on card using the very same equipment used for the micromodule. This is a real deal breaker if confronted with other solutions where sensors are delivered either “on tray” or already embedded onto the inlay.
Fingerprint Cards and NXP have a partnership on the development of integrated BSC. I would expect NXP to integrate all the biometric engine and possibly also the fingerprint scanner controller into their SE.
The Norwegian company IDEX is offering the Eagle family of off-chip sensors dedicated for smart card application. Currents products have sensing area of 8x8mm and 9x9mm and offered with or without MCU. IDEX sensors have been selected by major card manufacturers for their launch Biometric Smart Cards.
The Norwegian Next Biometrics offer the NB-010-S2 large area sensor optimized for the biometric smart card market that is made using a LTPS (Low Temperature Poly Silicon) process. At time of writing it’s the only flexible area sensor compliant with the sensing area defined in the ISO 17839-2:2015. The sensor is controlled by the Data Capture ASIC NB-A510-S. Few companies have selected the Next sensor for their BSC, none of them have made yet public appearance.
A typical Area Sensor is made of thin flexible polymer and most of them have the following features:
- Ability to scan a fingerprint at a resolution of 500 DPI. Sensors with smaller resolution compensate with a larger sensing area.
- Almost all of them do have several ways to mitigate ESD and avoid components burning.
- The outer surface is often coated with a very thin protective layer and most of them are declared to withstand at least 1 million of touches.
- Ability to sense when the finger is put on the sensor and sending wake-up signal to the card to initiate the fingerprint acquisition process.
- They produce an 8 bit (256 gray scale levels) image that is sent to the sensor MCUor ASIC for processing.
- Most of them are currently delivered to customer on trays and this make their assembly into the card or card inlays pretty complex. I expect that most of the sensor makers will migrate to 35mm or Super 35mm reel format that is the most commonly used within the Smart Card Manufacturing Industry. As far as I know the first company of the industry that will ship area sensors on reel is Fingerprint Cards.
- Some area sensors include into their design the bezel in form of a continuous or dotted frame along the borders of the sensor.
There are several technologies employed to embed an Area Sensor into a BSC. I believe is worth to mention the Flexible Bump technology (patent of the German company Mühlbauer) were a conductive epoxy resin is dosed between the FPCB and the sensor and is acting as flexible connection between the two parts.
Given the restricted power supply environment of a BSC is critical that the sensor shall not be power-hungry. Even more important in a dual interface BSC architecture were the energy is wirelessly harvested from the terminal. The recently announced FPC1300-Series T-Shape from Fingerprint Cards offers sensors optimized for contactless BSC application. Key values of the series:
|Power consumption @ capture||<5||mA||(@ 1.8V)|
|Power consumption @ sleep||<1||µA||(@ 1.8V)|
The bezel is a thin frame made of metal or other conductive material, that run along the fingerprint sensor border that have the main function to:
- Electrically drive the fingertip during the fingerprint sensing process
- Provide liveness detection (a synthetic “finger” do not conduct electricity as a real finger).
- Providing ESD
- When no epoxy resin is used on sensor embedding, Act as “sealing gasket” between the external environment and the card inlay.
The bezel can also have aesthetic functions helping to cover the soldering point of the fingerprint sensor and/or cover the fingerprint sensor cavity.
In reference to Biometric Smart Cards we can have several types of bezel:
- Bezel supplied as external element that the Card Manufacturer shall apply on the top of the Fingerprint Sensor;
- Bezel supplied as integral part of the Fingerprint Sensor;
- Fingerprint Sensors with no bezel at all.
When present the bezel become integral part of the Biometric Smart Cards and therefore shall be flexible enough to comply with ISO/IEC 10373-1 and CQM TM-408: Bending stiffness.
In the illustration a cross section of a sample Biometric Smart Card. The bezel can help to keep the fingerprint sensor in place and should not extend over the card surface to avoid scratch when the cards are stacked.
The Fingerprint Sensor can be on the same level of card surface but most Biometric Card Solution Providers prefer to have its outer sensing surface slightly recessed in order to reduce its wear and tear.
The MCU communicate with the Fingerprint Sensor Driver IC and the Smart Card Secure Elements using SPI or I2C interfaces. Some vendors encrypt the communication from/to Smart Card IC and the Fingerprint Sensor. The communication network of the MCU, the Smart Card IC, the Secure Flash and the Fingerprint Sensor is a sensitive topic for the security qualification of the product because it’s where external attacks can most likely take place.
The MCU can perform several tasks, including:
- Trigger a system wake-up upon touch of the sensor
- Perform readout image processing (optimization, rotation)
- Compute minutia extraction
- Create template file
- Encryption / Decryption of communication data on the Sensor bus
- Encryption / Decryption of communication data on the SE bus
The RF IC is another key component of the Biometric Smart Card Inlay because, when present can have various functions including:
- Harvest the power from the RFIDexcitation field.
- Regulate the power distributed to inlay components.
- Generate and Regulate the clock.
- Generate the Reset signal.
- Manage the collision that can happen when two or more contactless readers try to interact with the card.
- Charge the rechargeable battery or the supercapacitor.
The DC voltage regulation can also be regulated using an electronic component known as Low-Dropout or LDO Regulator.
The clock of the BSC can also be generated by a separate electronic oscillator mounted on the FPBC.
Most of Biometric Cards include into their design one or more elements for user feedback. Those are typically LEDs, buzzer or a LCD Display and used to communicate with the user:
- Card On / Off.
- Enrolment status (successful / failed).
- Fingerprint verification status (successful / failed).
- Battery status.
- OTP. A biometric card with OTP function is a patent registered by CardLap ApS and QuardLock ApS.
Cards with at least one feedback mean are compliant with ISO/IEC 17839-1:2014.
A Biometric Smart Card can be enabled with one or more contactless interfaces including the popular ISO 14443 Type A, B, C, NFC or Bluetooth LE. Biometric Card focusing on Access Control application can be enabled with one or more interfaces among the following:
- HID 125 kHz / HID iClass
- Mifare Classic / DESFire EV1
- Legic Advant
- Atmel 5577
The Flexible PCB (FPCB) is manufactured by companies specialized in flexible electronics under specification from the Biometric Card Solution Provider. This industrial process output:
- FPCB Inlays mounted on 24 / 48 prelam sheets. In this case the assembly is called FPCA (Flexible Printed Circuit Assembly).
- Individual FPCB Inlays, without fingerprint sensor, delivered in reels or in trays.
- Individual FPCB Inlays with fingerprint sensor mounted, delivered in reels or in trays.
The manufacturing process for a Biometric Smart Card might vary according to the inlay delivery format decided by the Biometric Card Solution Provider:
- PVCsheets are printed with the usual CMYK / screen press process.
- If the inlays are delivered with fingerprint sensor already embedded, the front side sheet is punched and the fingerprint sensor cavities are created.
- The layers of the cards, typically back side overlay + printed back side + inlay + printed front side + front side overlay, are collated, aligned and put between the lamination plates.
- The sheets are laminated.
- The laminated sheet goes through a punch machine that detach the cards from the sheet.
- The produced cards are aligned in the same orientation, gathered and stacked.
- An automated machine performs the mechanical milling of the micromodule cavity.
- An automated machine embeds the micromodule into the card body.
- If sensor is not already embedded on inlay: a machine creates the fingerprint sensor cavity by mechanical milling.
- If sensor is not already embedded on inlay: the embedding machine apply conductive epoxy on the contacts pads.
- If sensor is not already embedded on inlay: the embedding machine apply adhesive epoxy on the walls of the cavity.
- If sensor is not already embedded on inlay: the embedding machine embeds the sensor in the cavity.
- If the sensor does not include the bezel into its design, the embedding machine apply the bezel on the top of the fingerprint sensor.
This is a reference process and is subject to variations according to the process in place at card manufacturer site.
Biometric Smart Cards can be personalized with most common personalization equipment; however, it shall be taken into consideration two main facts:
- The card includes a flexible electronic circuit board so anything that impact on the inner layer of the card shall be avoided;
- The fingerprint sensor shall be left exposed.
That said, the most popular (and safest) personalization technologies used for Biometric Cards are Laser engraving and Inkjet printing.
Direct to Card and Retransfer printers can also be used but preliminary tests are necessary to make sure the card can pass freely within the printer transport mechanism. Some Biometric Smart Card have a raised bezel that can jam into the card transport mechanism or/and damage the thermal printhead.
Rear Indent, the technology typically used to imprint the security code on the back of financial cards can be possibly done if no components are present in that specific area of the inlay.
Mechanical Embossing and Front Indent shall not be performed because of the very high risk of damaging the delicate electronic inlay.
Card overlaminates with secure elements such as holograms or security printing inks that cover the whole front surface of the card are highly discouraged because normally cover the whole sensor area making the card unusable. Security overlaminates can be applied on the back side of the card.
Because most of BSC ere thicker than standard ISO smartcards (0.76 mm – 1/32 in) it’s always recommended to try to personalize a single card before launching the mass process.
The Biometric Card Solution Provider is primarily a holder of IPs on process and technologies that allows Card Manufacturers to produce Biometric Smart Cards. Only very few Card Manufacturers have capability to fully develop, industrialize and produce a Biometric Smart Card totally in-house.
The Biometric Card Solution Provider deliver a biometric solution to the Card Manufacturers that is made of:
- Flexible Inlays / prelaminated sheets.
- Fingerprint Sensors (embedded on inlay or as separate component).
- API for MCU/ ASIC interface with Smart Card Chip.
- Development tools that includes prototyping / testing / production / personalization tools.
- Enrolment software package or API / Windows drivers.
- Licenses for components / applications / matching algorithm and industrial processes.
The fingerprint templates matching algorithm can be licensed by third parties but can also be developed by the Biometric Card Solution Provider or by the Fingerprint Sensor vendor.
The Sensor Solution Provider is a company having IPs on:
- Sensor technology
- Sensor assembly
- Sensor manufacturing
- Sensor module
- ASIC design
The delivery to the Biometric Card Solution Providers can be made of:
- Sensor Module
- Sensor ASIC or MCU
- Biometric Engine licenses
- Development tools
- Production tools
- Testing tools
Several companies are active in the development of biometric engines optimized for the -low-resource environment of a smart card. Few more information in the below table:
|Innovatrics||Slovak Republic||Biometric Solutions||Yes|
|Id3||France||RF, RFID, Biometric Solutions||Yes|
|Fulcrum Biometrics||USA||Biometric Software & Solutions||Yes|
|Neuro Technology||Lithuania||Biometric Algorithm & Software||Yes|
|Precise Biometrics||Sweden||Biometric Software||Yes|
This is a map of the key trials and pilots made with Biometric Smart Cards in the last four years:
Year 2014 – Sparebanked DIN – Norway
This was a joint pilot Zwipe – MasterCard and probably world first Biometric Payment Cards endorsed by a large card processor. The smart card EMV chip was supplied by Oberthur.
Year 2015 – Danske Bank- Denmark
This was a joint pilot Zwipe – MasterCard had with selected customers of the Danish Danske Bank. The smart card EMV chip was supplied by Oberthur.
Year 2015 – Battistolli – Italy
This was a pilot done in Italy using Card Tech Biometric Cards and customized POS terminals by Ingenico. The Biometric Cards were used for identification and access of personnel working at secure logistic company Gruppo Battistolli, specialized in transporting cash, jewelry and other kind of valuables.
Year 2016 – Bundesdruckerei – Germany
This was a pilot made with Bundesdruckerai Biometric Smart Card called GoID, used as company ID among its employees. The GoID card is made of hard-wearing fibre composite and it includes a 12 keys pinpad and a lanyard hole.
Year 2017 – Pick n Pay – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at the leading South African supermarket retailer operator Pick n Pay.
Year 2017 – Absa Bank – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at Absa Bank, a wholly-owned subsidiary of the Barclays Africa Group.
Year 2017 – Pleinair Casino – France
This pilot – that is still ongoing at Plenair Casino La Ciotat in France – uses 7000 MeReal Biometrics V2 Biometric Smart Card. The cards were launched initially to be used by employees to grant access to private back-of-house and privileged areas, as well as provide record-keeping for time and attendance. It’s expected that the group will add more applications for Access and Payments in the future for employees and for its 1 million VIP players who currently carry a contactless loyalty cards.
It’s worth to mention that the Chairman of the Supervisory Board of the Groupe Partouche, the casino’s owner, Mr. Patrick Partouche is MeReal Co-Founder and shareholder.
Year 2017 – United Nations – Switzerland
The United Nations in Geneva is testing 500 Biometric Cards loaded with physical and logical access applications. The tender for the cards was won by Korea Smart ID that developed the Biometric Smart Card using an Elan Microelectronics fingerprint sensor and an inlay made by Jinco Universal.
Year 2017 – Instanbul Municipality – Turkey
The Korean company KSID won a tender for the supply of Biometric Smart Cards to be used as authentication token for the official taxi drivers of Istanbul Municipality.
Year 2017 – Woori Bank – South Korea
KSID won a tender for the supply of Biometric Smart Cards to Woori Bank for bidding at the South Korea National Market Agency of the Public Procurement Service.
Year 2017 – AirPlus International – Germany
The Korean company Kona I is deploying their Biometric Smart Card to AirPlus International, a leading international provider of solutions for the management of business travel. The card – that have payment and loyalty features enabled – feature a Fingerprint Cards sensor. As far as I know the cards have been not delivered yet to the customer.
The 2018 will be a crucial year for the development of the BSC market. In fact, I think is during the next year that the market will take shape with more precise identification of whom will lead the market in the years ahead.
Among the many planned projects for the year 2018 I think that the most realistic will be:
Cartes Bancaires: the French banking group, which in 2016 represented turnover of €465.6 billion in card payment is going to test BSC from Idemia and Visa for an undisclosed quantity. Given the current state of industrialization I won’t be surprised if the cards delivered for the initial launch will be contact-only.
Bank of Cyprus: The Cyprus-based banking group, is the largest bank in Cyprus by market penetration. They are going to trial one of the first Visa branded BSC in the market with cards supplied by Gemalto.
CardLab is a Danish private company founded in 2003. They have a very solid portfolio of patents on powered smart cards and offer a flexible platform where customers can choose the elements to be included in the cards.
CardLab was one of the first company to make Biometric Smart Cards in Europe and – as many of the early adopters – using a swipe fingerprint sensor. The company new manufacturing plant is located in Bangkok, Thailand where they plan to produce also Biometric Smart Cards using a fully automated custom-made Lamination process.
CardLab new Biometric Smart Card is currently under industrialization and it should be ready for mass launch early 2018. This card will feature Fingerprint Cards FPC 1321 fingerprint sensor.
Among their products worth to mention a FIPS compliant BSC featuring the swipe sensor FPC1080A that is expected to be launched during Q2 Y2018.
CardTech is an Italian private company founded in 2006 by Mr. Fabrizio Borracci. The company launched their first Biometric Smart Card embedding a swipe sensor then migrated to an area sensor. So far, the company have invested in excess of 6M€ of private funds into the development of their Biometric Solution also thanks to strategic cooperation with key players into EMS and flexible electronic design and manufacturing.
As of time of writing, the company it uses almost exclusively area sensors from IDEX that are embedded in the inlay at the end of the manufacturing stage of the flexible electronics.
CardTech is supported by a tier-one card vendor, by several 2nd tier card manufacturers and is cooperating with a leading payment scheme.
CardTech propose an architecture where the template matching is performed by the Smart Card Chip and the main product marketed today is a contact-only Biometric Smart Card. A Dual Interface version is under development.
The company is currently delivering products to make a contact BSC that will go live in a bank on Q1/2018.
The key target markets of the company are Payment and ID.
Datang Microelectronics Technology Co., Ltd (DMT), chinese name 大唐微电子技术有限公司, formerly the IC center of China Academy of Telecommunications Technology (CATTIC), is a holding subsidiary of Datang Telecom Technology Co., Ltd (DTT, 600198. SH), a State owned 3.3B$ industrial group. As one of the largest IC design companies in China, DMT has established Asia’s largest, highly complete and sophisticated smart card chip production line. The company develop, produce and distribute ICs for smart cards, micromodules, fingerprint sensors and flexible PCB inlays.
Datang key products are:
- Contact Biometric Smart Card with rechargeable battery.
- Dual Interface Biometric Smart Card with rechargeable battery.
- Clam shell Biometric Smart Card (non ISO) with rechargeable battery.
First Biometrics is an American private company founded in 2015.
Their development is based upon several biometric-related patents, some acquired, others filed by themselves.
The company focus development of their first battery-based contact BSC using a large area flexible sensor from Next Biometrics and SE supplied by multiple tier-1 vendors. Production is going to take place in East Asia and US.
Although they produce their own Biometric Smart Card they have specific partnership with KSID Korea (IC Chip OS + Card Manufacturing) and Elan Microelectronics (Fingerprint Sensors). Together they have participated and won the United Nations tender for the Biometric Cards trial.
They do have few patents on Biometric Cards and their manufacturing process is almost entirely focusing on Cold Lamination technology.
They do offer Contactless Biometric Cards with rechargeable battery, dual interface energy harvesting Biometric Cards and dual interface biometric cards with rechargeable battery plus dynamic magnetic stripe and display. As optional contactless interface is also available the Sony Felica RC-SA01 transponder chip.
MeReal Biometrics is a private company based in Hong Kong founded in 2009 and is led by Patrick Partouche and Philippe Blot. Mr. Partouche other being chairman of MeReal Biometric is also Chairman of the Supervisor Board of Groupe Partouche. Mr. Blot is CEO and Chairman of UINT, a French company specialized in powered smart cards.
The Biometric Smart Card platform offered by MeReal Biometrics make use of rechargeable batteries and among their product range there is also a compact portable contactless battery charger.
First version of their Biometric Smart Cards used swipe sensor, lately switched to area sensor. Trials are currently ongoing among Partouche Group employees. Partouche Group is an industrial group active in casino, hotel, restaurants and spa businesses.
Morix is a Japanese private company founded in year 2005 and is one of the oldest company operating in the field of Biometric Smart Cards.
Morix have co-developed with ASD an area sensor for Smart Card that is used in their product and also sold as standalone device.
The key product of the company is a Biometric Smart Card with non-rechargeable battery while a dual interface NFC Biometric Smart Card is currently under development.
Tactilis is a private company founded in Singapore in 2009 run by smart card industry seasoned professionals led by Michael Gardiner (CEO), Adriano Canzi (CTO) and David Martin (CFO). The manufacturing base is located in Penang, Malaysia.
Their core product is a dual interface, energy harvesting Biometric Smart Card with large area sensor from Next Biometrics. Their Biometric Smart Card is powered by the popular Cortex M4 and they offer secure flash storage up to 4 GB, opening the door to several advanced applications. The card is assembled using a patented process.
The product is available as complete card or as flexible inlay on OEM license.
Tactilis have strategic technological partnership with a leading tier-one card manufacturer.
Zwipe is a private Norwegian company founded in 2009 by Kim Kristian Humborstad that is currently the company CEO.
Zwipe is invested since 2015 by Kuang-Chi Group (深圳光啟集團) a Chinese diversified technology conglomerate that develops and invests in telecommunication, aerospace, artificial intelligence, metamaterial, smart-city and digital health technologies. Kuang-Chi is also majority shareholder of a JV setup in 2016 with Zwipe to promote biometric products in China.
Zwipe have the largest IP portfolio of the Biometric Smart Cards industry with more than 50 patents filed.
Main products by Zwipe includes:
- Dual interface, energy harvesting BSC with focus on payment applications.
- Contactless, energy harvesting BSC with focus on ID applications.
- Clam shell design, rigid, non-ISO, access control BSC powered by a replaceable battery. This is the first commercial product of the company and is currently available worldwide through a network of selected partners.
This table summarize the main type of Biometric Smart Cards offered by the companies introduced in the research. Jinco Universal is the only company in the market able to offer the complete range of Biometric Smart Cards variants.
The development on Biometric Smart Cards by the tier-one card vendors is the following:
- Gemalto: industrialization for a payment-focused BSC is currently undergoing at their R&D centers and plants in France and Germany and I would expect them to have the product ready by end of the year. The product will be on demo at Trustech 2017 in Cannes.
- Idemia(former OT-Morpho): is the first company among the first-tier card vendors to have completed the industrialization and is already selling Biometric Smart Cards for various small trials and projects worldwide. They mostly use an area sensor from IDEX with the Biometric Authentication Engine developed by the Morpho team (now integral part of Idemia). The current battery-powered BSC is claimed to be able to operate for approx. 3000 payments or 3 years.
- G&D: the German company does not market any BSC in their Payment and ID (Veridos) products portfolio. I am not aware of any ongoing development, this doesn’t mean that they are not investing in this technology. I would speculate that the Bundesdruckerei biometric card called GoID will be moved to Veridos products portofolio. It seems anyhow that GoID is a very well engineering product, made of of hard-wearing fibre composite with a very nice keypad but it’s current steep price is making it’s way into the global market limited to some narrow verticals.
- Korea Smart ID: it’s the company that by far shipped the largest number of Biometric Smart Cards. Among the several projects won, are worth to mention:
- Logic and Access Control Card for United Nations.
- Taxi Drivers ID License Card for Istanbul Municipality.
- E-Procurement Platform Access Card for Woori Bank.
Basically, all card processing schemes are somehow involved into the definition and/or implementation of work related to BSC.
Mastercard has been the first company to focus and invest in BSC starting from the earlier trial with Zwipe cards and their CQM Approval Scheme has been updated to support BSCs.
Visa started only recently to work on the subject of BSC. In fact, the first public appearance of a Visa-branded payment BSC happened only last October at Bloomberg Next event in Washington, DC. Several sources reported that Visa has setup a specific partnership on BSC with Gemalto.
China UnionPay is currently testing several China domestic-made BSC and it seems that the first product to pass their qualification will be those manufactured by Datang.
The shipment forecast of the previous edition of this research was including the several trials and actual implementation of non-ISO BSC and that kind of products were almost exclusively targeting Asian markets. In this new edition I have taken the decision to make a forecast only for the ISO compliant products.
For year 2017 I expect a global combined volume of shipped Biometric Smart Cards below 1M units.
Year 2018 will mark the beginning of mass deployment for Biometric Smart Cards with a global volume that will stay around 55M units.
By the end of year 2018 new Inlay ASICs will be ready and optimized fingerprint sensors will be available at lower cost generating a new, larger wave of issuance that might likely reach at least 200 million of Biometric Cards during the Year 2019.
Biometric Smart Cards will eventually become part of most card vendors portfolio and the cards will reach a pricing level that will enable new applications. Isn’t an easy call making a forecast for the year 2020, let’s say that with the indicators available today I would put that number around 340M pieces shipped globally.
In terms of type of applications, I would most volumes will be in Payment, followed by ID and Access Control.
Current ASP of a personalized Biometric Smart Card without battery is between 25 and 30USD. Pricing for very low volume, e.g. hundreds of cards can double or multiply by four the price. This is happening because product industrialization has been just completed or is under completion thus we can’t enjoy yet the pricing given by the economy of scale.
Pricing for battery-powered Biometric Smart Card are normally higher of those without and clamshell biometric cards for access control cost even more because of the molded rigid shells and manual labor for its assembly.
Kindly note that the provided forecast is purely indicative and will be surely subject to significant variation mainly due to:
- Variation in price of the fingerprint sensors.
- New ASICs integrating MCU+ RF IC + Fingerprint Sensor driver IC + Secure Flash. If the market will become significantly relevant I would expect smart card chip manufacturers to power up their IC design integrating all is needed to fully power and control a Biometric Smart Card. This last hypothesis will require a highly coordinated effort between chip manufacturers, sensor manufacturers, biometric authentication algorithm developer and smart card vendors.
- Market demand: a strong market pull will drive pricing down.
- Popularity wave created by Card Issuers.
- Ability of Card Manufacturers and Biometric Solution Providers to optimize the industrialization process.
The industrial process of making flexible PCB is well established, so I only expect slight reduction in FPCB cost when Biometric Cards shipping volumes will go up.
- Identification and related documents
- Security devices associated with their use in inter-industry application and international exchange.
The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 1: Core requirements define two type of cards:
- Type S1:
- Type S2:
The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 2: Physical characteristics specify the key characteristics of the biometric acquisition element on card:
- For Area Sensors:
- They shall have a minimum active area of 169 mm2(13 x 13 mm or 0.152 x 0.152 in)
- For Swipe Sensors:
- They shall have a linear acquisition element measuring minimum 13 mm (0.512 in)
- Allows presence on card of other electronic elements able to acquire voice (microphone), facial image (camera) or card user signature (signature input pad).
As of time of writing, only the Next Biometrics area sensor NB-0610-S2 reach 201.11 mm2 and is therefore compliant within the minimum area specified of 169 mm2.
The ISO/IEC 17839-3:2016 – Biometric System-on-Card – Part 3: Logical information interchange mechanism covers the main commands, protocols and procedures to coordinate the biometric enrollment/verification with the smart card microcontroller and the terminal:
- Commands and data structure
- Internal Enrollment and External Enrollment
- Initiation of verification
- Status feedback
- Processing time management and extension
- Capability discovery mechanism
Other ISO TS / TR related to Biometric Cards includes:
- ISO/IEC 24787: 2010 – On-card biometric comparison
- ISO/IEC TR 30117: 2014 – Guide to on-card biometric comparison standards and applications
- ISO/IEC 18584: 2015 – Conformance test requirements for on-card biometric comparison applications
Mastercard Card Quality Management (CQM) is a program that involve Personalization bureaus, Card manufacturers and suppliers of the card manufacturers (chip, modules, inlays, etc.) to self-assess MasterCard EMV cards (ID1 card format) against specifications of Quality Management and Product Quality. Self-assessment is controlled by on-site audits where certified auditors can issue a full approval or indicate the corrective actions to be performed.
The list of certified companies is updated monthly and published at www.mastercardconnect.com.
Biometric Smart Cards are tested under the Product Program called Card Structure Integrity and Security.
The European Union, on 25 November 2015 have issued the directive 2015/2366 on payment service in the so called “internal market”.
The Directive, that is currently in force provide the legal foundation for the further development of a better integrated internal market for electronic payments within the EU and, among the several new recommendations, it introduce the requirements for “Strong User Authentication”.
Strong User Authentication requires the use of at least two independent elements among:
- Knowledge category > example the PIN
- Possession category > example the card
- Inherence category > example the fingerprint
Development of biometric authentication at ICAO working groups is still ongoing. As of time of writing there is still no specific reference to Biometric Systems on Cards.
Biometric Smart Cards are set to enjoy wide acceptance because of the following key factors:
- Consumers familiarity with Smart Cards and smartphones.
- Relatively slow consumer adoption of mobile payments.
- Strong need to solve the skimming / shimming of payment cards.
- Payment industry need to reduce Card-Present frauds.
- Improve verification and authentication processes that in some context doesn’t work anymore, even with smart cards. Just think of a classical Access Control implementation where a thief can steal someone else badge and gain physical or logical access to facilities and/or systems containing sensitive data.
- Low implementation cost. Apart from the cost related to acquisition of new cards and the initial user enrollment, on the terminal side minor or no changes are required.
- New local, regional, national, trans-national legal framework / recommendations / laws on management of biometric data are being published and updated; in most of them is indicated that biometric data (either raw or processed) cannot be stored in a centralized database. This is a major shift of paradigm toward many current implementations were biometric data are stored in a single large database.
- Last, but not least the elimination of risks associated to infection transmission with standalone fingerprint scanners.
Further development of Biometric Smart Cards can he hampered by several risks:
- Rejection due to personal reasons.
- Cultural incompatibility, due to certain religion believes, for examples.
- Lack of respective biometric feature, example people born with the rare genetic disorder called Adermatoglyphia, where the person have no fingerprints. Dermatitis can also cause inflammation of the skin and temporarily leave the individual unable to leave fingerprints. The autoimmune disease Sclerodermacan also create a condition where the person fingerprint is extremely light and sometime impossible to be recorded by a fingerprint scanner.
- Criminal organizations might develop techniques to enroll/verify fake or artificially built fingers avoiding the liveness detectors and other technologies on board of the fingerprint scanners.
Hacking of biometric data from commercial weak BSC could create a strong negative media campaign. The real problem is that biometric data, unlike PINs is persistent: we carry it with us for life. Any security breach resulting in leakage of this information is likely to have much more serious consequences than a theft of a PIN: after all we can change a weak PIN but we can’t change a compromised fingerprint.
Given the very fast pace of today technology, it won’t be easy to predict what will happen in the future. However, I will provide my very personal view of what might be happen in the next 3-5 years from now:
- Fingerprint Sensors will extend existing liveness detection with vein sensing capability, blood flow and heartbeat detection.
- In terms of electronics I foresee a drastic reduction of components on the flexible PCB:
- Y2018-2019 – Two main chips on board: Smart Card Microcontroller + M4-like MCU.
- Y2019-2020 – Two main chips on board: Smart Card Microcontroller + custom ASIC.
- Y2020 onward – All electronics embedded into the Smart Card Microcontroller. NXP have made announcement of an integrated SE for biometric card on Oct 2017. Still unsure what is this including and when will be commercially available.
- Fingerprint sensors will be able to operate under a layer of conductive plastic. This means no more fingerprint sensor cavity and cost reduction due to simplified manufacturing.
- Behavioral biometric meaning a system comprised of fingerprint and additional sensors able to “learn”, “record” and “detect” user finger behavior in terms of speed, approach point on sensor, rotation on sensor, pressure on sensor and other user behavioral patterns.
- Contactless fingerprint sensors where the user fingerprint is read without need of physical contact with the sensing surface. Nice in theory, in practical life it open the door to a new category of finger skimming.
- Development of compact DNA sequencer able to fit into a smart card format.
- More user physical features will be extracted such as vein pattern of finger temperature and those data will be associated with the fingerprint template.
The entire research in PDF format can be downloaded here:
Antonio D’Albore is making any representation or warranty, expressed or implied, as to the accuracy, reliability or completeness of the information in the research, and neither Embedded Security News or Antonio D’Albore will have any liability to you or any other persons resulting from your use of the information in this research. Antonio D’Albore undertakes no obligation to publicly update or revise any forward-looking information or statement in this research.
All brands and product names are the property of their respective holders.
© 2017 Antonio D’Albore / Embedded Security News
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.