Did you know that IDEX Biometrics TrustedBio™ will be in the first Gen 3 biometric cards in 2021?
Learn how TrustedBio is improving performance and security with all secure controllers and why TrustedBio will be the fingerprint sensor of choice for Gen 3 cards.
Biometric security is taken very seriously. Biometric cards with IDEX sensors have passed multiple certifications in Europe, the US, and Asia. IDEX Gen 2 products are in production. TrustedBio is leading the way and will be in the first Gen 3 biometric cards in 2021. TrustedBio increases the level of security in all card configurations, including those with standard secure elements (SEs). Let's look at Gen 2 and Gen 3 biometric cards with TrustedBio to understand why.
What are the two most important requirements to ensure security in a biometric card?
- Enrolled templates & matcher compare in SE: IDEX payment cards store the fingerprint templates and perform the biometric match in the SE.
- Encrypted communication: IDEX sensors support encryption between the SE and the sensor.
These are important, but there are others. Payment networks and card companies have security teams that assess the security of the biometric card system. IDEX security experts work with these security teams, as well as third-party auditors, to audit every detail, searching for the weakest link. They study how the card is designed, all the components, and how the software is written. They study how the system communicates and how the functions are divided among the different MCUs, and they assess the biometric performance.
Additional topics reviewed by security teams include:
- Encryption key exchange: Key exchange needs to be randomized and secure. An encrypted channel is only secure if the keys themselves are secure. TrustedBio supports random key generation and exchange with the SE to ensure security and that no two cards are alike.
- Secure manufacturing process: It must not be possible to inject malicious software or keys into a card in any part of the supply chain and manufacturing process.
- Secure software coding: Secure coding techniques ensure that errors, including errors generated intentionally by hackers, do not open a security loophole.
- Prevention of replay attacks: It must not be possible to monitor communication on a card, record the events, replay them, and fool the secure element into accepting that a legitimate finger was placed on the sensor.
- Robustness during power outages or brownouts: One strategy to hack a system is to remove power, or barely provide power, causing the system to end up in a non-secure state.
TrustedBio cards are designed to prevent attacks by anyone from an ordinary thief to highly sophisticated hackers with extensive electronic and computing expertise.
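The replay-prevention requirement above, as an added example that is not IDEX code and does not describe the TrustedBio protocol: a generic challenge-response check in which the SE accepts a sensor message only if it is authenticated against a fresh, single-use challenge. The class names, the message layout, the HMAC-SHA256 construction and the sample capture bytes are all assumptions made for illustration, and link encryption is left out.

```python
import hashlib
import hmac
import secrets


class Sensor:
    """Hypothetical sensor side: binds each capture to the SE's challenge."""

    def __init__(self, session_key):
        self._key = session_key

    def respond(self, challenge, capture):
        tag = hmac.new(self._key, challenge + capture, hashlib.sha256).digest()
        return capture, tag


class SecureElement:
    """Hypothetical SE side: one outstanding challenge, consumed on first use."""

    def __init__(self, session_key):
        self._key = session_key
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)  # fixed length, unpredictable
        return self._pending

    def accept(self, capture, tag):
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False  # nothing was asked for, so nothing is accepted
        expected = hmac.new(self._key, challenge + capture, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    key = secrets.token_bytes(32)  # stands in for a per-card random session key
    se, sensor = SecureElement(key), Sensor(key)
    capture = b"constructed-fingerprint-features"  # constructed sample data

    recorded = sensor.respond(se.new_challenge(), capture)
    genuine = se.accept(*recorded)          # fresh challenge, valid tag
    unsolicited = se.accept(*recorded)      # replay with no challenge pending
    se.new_challenge()
    stale = se.accept(*recorded)            # replay against a new challenge
    cap, tag = sensor.respond(se.new_challenge(), capture)
    tampered = se.accept(cap + b"x", tag)   # modified in transit
    return genuine, unsolicited, stale, tampered
```

A recorded message fails both when no challenge is outstanding and when a new one has been issued, because the tag covers the challenge as well as the capture.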
As cards evolve from Gen 2 to Gen 3, TrustedBio ensures that security is enhanced with both BioSEs and standard SEs. Below is a Gen 2 biometric card with the extra MCU and a PMU. Notice that fingerprint template storage and the biometric match are in the SE and all communication channels are encrypted, which assures security. While the PMU harvests energy from the antenna, the SE connects directly to the antenna for communication with the POS terminal, ensuring security.
The key takeaway is that Gen 2 cards work well and are secure, but there is a lot of stuff on Gen 2 cards, which increases cost.
- Secure element – template storage and match
- Fingerprint sensor
- Power management unit
- Low power MCU – matcher feature extraction
- Active inlay – to connect components
The history of cost reduction in electronics is integration: taking different components and chips and putting the functionality into a single ASIC. One can make the new ASIC smaller, cheaper, faster, and better, all at the same time: Moore's law in action. There are two options. Option A is to move the "other stuff" into a BioSE with a faster MCU, much more memory, and the ability to harvest energy. Option B is to move the "other stuff" into the sensor.
TrustedBio is the only sensor that can implement option B because IDEX uses off-chip sensing, separating the sensing surface from the ASIC. TrustedBio can keep a large sensing area, 90 mm², while integrating and shrinking the ASIC.
The picture below shows the design with TrustedBio paired with a standard SE. The separate PMU, low power MCU and active inlay are gone. Notice that the templates and secure match remain in the SE, maintaining strict security. In fact, security is considered higher than Gen 2 because there is only one communication link, between TrustedBio and the SE, rather than the two links in Gen 2.
When paired with a BioSE, the design is almost the same, with two changes:
- Antenna connects to BioSE which provides power back to TrustedBio.
- Part A of the Matcher, feature extraction, moves to the SE.
Biometric cards are becoming more secure, faster, and much less expensive. We anticipate that Gen 3 cards will achieve costs in the range of $5, about 1/3 of Gen 2 cards. Gen 3 cards will also be faster, with a fingerprint match in much less than 1 second. TrustedBio is a highly configurable sensor providing the lowest cost solution for all card designs. No other fingerprint sensor can match TrustedBio. TrustedBio is leading the way and will be the sensor of choice for Gen 3 cards.