Smart Cards Security In Biometrics

David Smith

Identity and Access Control

Smart cards are essential to electronic identity and access management solutions. Indeed, this has been the case for at least 30 years now. Identity and access management can allow or deny access to specific users based on the business needs.

Identity cards come in various form factors. This can range from plastic cards, to magnetic stripe based cards, to the smarter chip based cards. All of these can be used in identity/access control depending on the size and complexity of the business.

Recent years have also seen the emergence of biometric solutions for verifying the identity of an individual and grant/deny access. These rely on matching of biometric factors like finger prints or retina scans to verify identity and help to provide fool proof authentication. In this article we explore how smart cards and biometrics can work together for enhanced security, privacy and performance.

Security requirements

Smart cards are both secure and portable. Additionally, they can securely store data. The smartness of smart cards is mainly due to an inbuilt microprocessor chip which can process data and perform calculations if required. This chip can also interact with a smart card reader. Smart cards are secure because they are tamper-proof. It is difficult to reverse engineer a smart card and access the information stored on it.

Smart cards also have various physical and logical security mechanisms embedded in them. This includes Faraday cage embodiment, light detection, attack detection, scrambled addressing of memory etc. While smart cards are secure devices, their security relies on the fact that the right person is in possession of the card. As a result, one can only correctly verify that a person actually is who he claims to be due to biometrics. Biometric authentication is inherently more secure than other authentication methods. This is because it relies on the entirely unique physiological or behavioral characteristics of a person.

Privacy requirements

When a person enrolls with any organization for a secured ID, he/she must share certain personal information as part of the enrollment process. After enrollment, the organization issuing the ID is responsible for protecting the information shared by the individual members. However, a higher amount of personal information required by the system, will result in more privacy concerns surrounding it. Indeed, biometric identification systems require personal biometric information. Therefore, biometric systems are widely considered more sensitive. Members or users would probably feel more safe if their personal information stayed with them.

Performance requirements

ID verification technology in the commercial scenario typically has a very significant peak usage period. That period is every morning when people login to work. Thus, during rush-hour, the verification must take place in seconds. This is the reason why “tap and go” contactless smart cards are so popular in these scenarios.

However, if one uses a biometric system for security reasons, it would require considerably higher processing power to compare the live template of the person signing it against the multiple templates stored on the centralized database. Additionally, it would require high processing power to find the correct match. Indeed, the more people access the system, the longer it will take to authenticate individuals.

To address the above requirements, the identity and access management solution should combine the security benefits offered by biometrics with the privacy and performance of smart cards.

Biometrics with Smart Cards

Smart cards and biometrics when used together complement each other and make up for the shortfalls of the individual systems. The privacy concern when using a biometric identification solution can be addressed by storing the biometric template data on the smart card so that it always stays with the user thus increasing the overall privacy and portability of the biometric template. Not only can the smart card store the biometric template, current smart card processors are also capable of extracting and processing the live template as well as matching it to the stored template. This would also enable the system to be in use during offline mode. This would automatically be more performance efficient then a straightforward biometric system as only a 1-to-1 match is required between the stored template and live template.

Benefits of a Combined System That Uses Smart Cards with Biometrics

  1. Enhanced Privacy: Biometric information is secure on the card, which acts as a personal database, firewall and authentication terminal.
  2. Enhanced Security: Biometric information helps accurately identify people with minimum ambiguity and ensures that the card is in the possession of its rightful owner, thus increasing the security of the overall system.
  3. Better Performance: Smart cards offer contactless interfaces to readers. Common uses include 1-to-1 extraction and matching of biometric templates. In fact, this is possible without connecting to a remote central database. This makes the entire process faster.
  4. Enhance Flexibility: Smart cards can be easily programmed to increase / change the data stored, change the authentication logic or include data from different Id systems. This could enable the introduction of improved biometric algorithms in the future.

Tags: , , , , , ,