On July 2020, ST announced co-developing a Biometric System-on-Card (BSoC) platform with Fingerprint Cards. We will provide an STM32 general-purpose microcontroller and an ST31 MCU. The latter uses an Arm SecurCore SC000 core that relies on a 40-nanometer process node. ST will also bring its STPay solution, which relies on a JavaCard based operating system for banking applications.
Moving Security From the PIN to the Finger Tip
The announcement was symbolic, and it appeared on news sites because it serves as a sign of an emerging trend. According to a study by ReportLinker, the global contactless biometrics technology market should reach $18.6 billion by 2026. The study also cites the recent pandemic as a driver of adoption. Consumers are looking for ways to pay while staying physically distant. They also wish to reduce interactions with potentially contaminated hard surfaces. Hence, secure payments through contactless cards with biometric authentication are ever more popular, and introducing BSoC solutions will help increase – or even remove – today’s contactless cap limits.
Unfortunately, as BSoCs become mainstream, getting precise and relevant information can get difficult. Buzzwords abound, platitudes follow, and managers can have a hard time finding accurate data. We thus thought that it was essential to contextualize the ST and Fingerprint Cards announcement. Additionally, the core technologies behind biometric payment cards are sipping into other forms of identification, such as employee badges or ID cards. It is thus crucial for thought-leaders and decision-makers to understand the technical challenges inherent to these emerging technologies.
The hardware building blocks are relatively straightforward. There’s a fingerprint sensor, a general-purpose MCU to extract the image it captures, and a secure element. The latter stores the fingerprint image after enrollment and matches it before any transaction in a secure environment. However, a biometric system-on-cards can only be successful if it overcomes multiple challenges.
Biometric System-on-Card: The Challenge of Efficiency
Physical Requirements
Adding biometrics on a card is challenging because manufacturers must still meet existing thickness requirements to ensure compatibility when swiping or inserting the card in existing readers. The ISO/IEC 7810 standard dictates that all bank and ID cards must have a thickness of 0.76 mm. Other standards also define a card’s ability to bend without the connectors or components breaking. However, satisfying those stringent requirements mean that companies that master biometric bank cards can easily port their solutions. Biometric ID badges, employee’s identification with fingerprint recognition, and more become a lot easier to make.
Engineers must also solve the technical challenge behind the card’s power consumption and energy harvesting. Hence, ST implemented a secure element that can harvest power from the contactless reader and distribute it to the entire card. Such a system is possible because the general-purpose MCU (STM32) and the ST31 have such a low power consumption that they can run with just the energy harvested during magnetic coupling. A BSoC is thus innovative because it uses the same NFC technology as the previous generation of contactless bank cards, but it can now power more components, such as a fingerprint sensor and a general-purpose MCU.
Storage and Computational Throughput
Capturing the user’s fingerprint and storing the associated template after enrollment will necessarily require more memory. Hence, engineers working on biometric system-on-cards face enhanced hardware requirements. The secure element executes the application, secures information, including the biometric template, and runs the algorithm that matches the fingerprint to the template to authenticate the user. There’s thus a need for more storage for the template and the matching algorithm. Similarly, the general-purpose MCU extracts the fingerprint from the sensor and sends it to the secure element, which features high computational performance and low power consumption.
Decision-makers thus understand the importance of hardware optimizations. The STM32 microcontroller has low power modes to improve energy efficiency significantly. Similarly, we ensure the ST31 runs the fingerprint matching algorithm as quickly as possible. Indeed the total transaction time, including the fingerprint matching, must take less than one second. The platform must, thus, offer the greatest optimizations and guarantee a flawless user experience.
Biometric System-on-Card: The Challenge of Security and User Experience
Ease-of-Use
A challenge that users face is the lack of standardization around the enrollment process, which must offer a good tradeoff between overall security, performance, and user convenience. Implementers are looking into different enrollment mechanisms that would utilize a sleeve, a mobile device, or a reader with optional LEDs on the card and the enrollment support. The capture must also be fast enough and comply with biometric standards such as FAR (False Acceptance Rate) and FRR (False Recognition Rate) requirements that regulate biometric interactions. False positives are severe breaches of security and make the whole system unreliable. On the other hand, a false negative creates friction that end-users hardly tolerate. Teams working on their system must, therefore, find the right balance between accuracy and performance.
Security
A BSoC distinguishes itself from current solutions by offering better biometric processing and more secure protection of the assets, such as the sensor image and templates. As a result, biometric cards represent a vastly more secure system than a PIN authentication or basic contactless solutions, by offering more robust security and privacy protections. However, as we saw in this blog post, designing a BSoC is challenging. Hence, adopting the ST and Fingerprint Cards solution means teams can bypass this complexity, ensuring their end-users trust their biometric system-on-card. The STPay platform also guarantees fast processing times, which are crucial for a successful experience.
For more information, visit blog.st.com