2017-10-The Rise of Biometric Cards With Comment PDF

This is a research about Biometric Smart Cards conducted from January through
September 2017. The data presented have been collected through various means,
including interviews with company representatives, CEOs, CFOs, CTOs, shareholders,
researchers, developers, and people involved professionally in the smart card and
biometric industry. The views and opinions expressed in this research are those of the
author and do not necessarily reflect the official policy or position of the mentioned
companies or organizations. The author is neither sponsored nor paid by any of the
companies mentioned in this work.
This research was presented for the first time at the International Card Manufacturers
Association(ICMA) CardTrex Europe Conference held in Milan on 5 and 6th October 2017.
You are welcomed to share this content, however I kindly ask you to mention or link to the
original page.
In this research I will reference to a smart card that embeds a fingerprint sensor using the
terms ‘Biometric Card’, ‘Biometric Smart Card’ or ‘BSC’. FPC is also an abbreviation of
‘Fingerprint Card’ but I am not going to use it because it’s often used in the biometric
industry to identify the Swedish company Fingerprint Cards.
The Rise of Biometric Cards – Version October 2017 - © 2017 Antonio D’Albore / Embedded Security News
Nowadays unlocking our smartphone with our finger it’s kind of spontaneous
gestures despite the fact that just few years back it was all very different. I think that the
current wide consumers acceptance of the fingerprint as mean to authenticate and access
began in year 2013 with the launch of the iPhone 5S from Apple. Soon after the Apple
launch several other smartphone makers follow suit making the process of utilizing a finger
to unlock their phone or to authenticate part of our daily life.
A Biometric Smart Card is a smart card where the processes of fingerprint enrollment,
template creation, template storage, template matching is completely performed within the
card. As general rule when we reference to a biometric card means that all acquired,
processed, computed biometric data and associated templates shall never leave the card.
Smart cards have been already used in the past with various degree of success to store
biometric credentials. There are currently three systems to use smart cards as secure
token within the biometric authentication process: Template-On-Card (TOC), Match-On-
Card (MOC) and BSoC (Biometric System on Card). In a TOC scheme the enrollment is
performed at an standalone fingerprint scanner device, the device itself (or the system
where the fingerprint sensor is part of) perform the creation of the template that is then
stored in the smart card. During the Matching process the core system extract the
reference template from the smart card and it perform a match with the template
generated from the user. This system is potentially subject to Man-in-the-middle attack
because during both enrollment and matching there is transit of secret/sensitive data over
a – potentially – non-secure channel.
Match-On-Card system is an evolution of TOC where the matching process is performed
within the smart card. The step up is practically the fact that the reference template it never
leave the smart card. Nevertheless, there is a potential risk of man-in-the-middle attach
when the reference template is created and when the matching template/acquired image is
sent to the card.
A Biometric-System-on-Card do offer higher standards of security when it come to
potential external attacks because the acquired fingerprint image, the template creation, its
storage, the matching process is entirely performed within the card.
A Biometric Smart Card includes all electronics, firmware and embedded software needed
to carry out the Enrollment, Template Creation, Template Storage and Template Matching.
In a BSoC, specific electronic is programmed to process and extract the biometric features
from a raster gray scale image generated by the fingerprint sensor. The extracted features
are then converted into a digital template that is stored into a secure memory. Upon user
verification a matching algorithm gets as input the stored template (the rightful card owner)
and the current template extracted from a live image of the person is trying to authenticate.
If the two templates matches the card is authenticated and some features of the cards are
then unlocked. Typical examples of successful authentication does allow the card to
communicate with a smart card reader for access control or to perform a payment
transaction.
A BSoC is basically an enabler of Multi Factors Authentication (MFA) where the evidence
are represented by the Card = something you have, Fingerprint = something you are and –
optionally – a PIN = something you know.
Among the many uses of the Biometric Cards I think are worth to mention:
▪ To reduce Card-Present-Fraud in Payment Cards

▪ For identification in Access Control
▪ As proof-of-life for ID Cards / Government Cards / Subsidy Cards
Generally speaking Biometric Cards can be practically used in most of the current smart
card application as additional level of security or anywhere is necessary to establish a
unique link between the card and its rightful owner.
This is a generic representation of a Payment Biometric Card with some of the elements
that can be present on it that I will use as sample to explain how is made.
This is an exploded view of a reference Biometric Card, starting from back to front we
have:
▪ Back Side Overlay: this is the normal transparent overlay present in most of
common PVC cards.
▪ Back Side Layer: this is the normal backside printed side of the card. It can contain
magnetic stripe, signature panel, hologram and other elements.
▪ Inlay: this is the core of the Biometric Card that it contain all the additional
components to add the biometric functions to the smart card.
▪ Front Side Layer: this is the normal frontside printed side of the card. Notice the
additional cavity for the fingerprint sensor.
▪ Front Side Overlay: this is the normal transparent overlay present in most of
common PVC cards;
▪ Micro module: this is a common smart mart micro module that contain the gold-plated
microconnector with the microcontroller attached.
▪ Fingerprint Sensor: this is the fingerprint area sensor that is physically bonded to the
inlay.
▪ Sensor Bezel: this is the conductive bezel that is normally placed on top of the
fingerprint sensor.
The layers of a Biometric Smart Cards are bonded together with an industrial process
called Lamination. The two most popular type of Laminations are:
▪ Hot Lamination: the layers are collated together and a specific machine apply
pressure at various temperature to let the layers to bond together. This is by far the
most common process to make standard smart cards and I would expect to become
also popular for making Biometric Smart Cards. This process is normally cheaper if
compared with Cold Lamination.
▪ Cold Lamination: the inner layers of the sheets are coated with a pressure activated
adhesive and a mechanical press binds them together. The card bodies can be
obtained by injection moulding or mechanical punching. This process cannot be fully
automated so some manual labor is necessary. This is the reason why the cold
lamination is popular in Asia Pacific and some local card manufacturers have
optimized the process for medium production volume. I don’t think this process can
be easily adapted for mass production batches.
The core of a Biometric Smart Card is a flexible printed circuit board called FPCB or Inlay.
The inlay is developed by the Biometric Solution Providers and is sold to Card
Manufacturers for embedding into their cards.
In the illustration are depicted some of the elements that can be present on a Biometric
Smart Card Inlay:
▪ Micromodule Contact Pad: this is were the smart card micromodule is embedded.
Each Biometric Smart Card Solution Provider pre-approve one or more smart card
chips to be compatible with their platform.
▪ Fingeprint Sensor Contact Pad: this is where the fingerprint sensor is going to be
embedded.
▪ Battery or Supercapacitor: used to supply power to the fingerprint sensor and
the MCU.
▪ Status LED: one or more status / operational LED are present in most Biometric
Smart Cards.
▪ Antenna: for contactless or dual interface Biometric Smart Card a printed antenna is
present on the inlay.
▪ Buzzer: for audio feedback of operations.
▪ LCD or e-Paper display.
▪ Passive components: resistors, condensers and few small SMD components are
normally present on the flex PCB.
Most of the inlays currently in the market are slightly smaller than a card size in order to
facilitate their fusing between the front and back side layers.
As of today there are no standards about how the fingerprint authentication shall interact
with the smart card chip so each Biometric Card Solution Provider have developed their
own solution.
Among the most popular operative strategies I think are worth to mention the following:
▪ IC Power Supply: the default state of the card is not powered so if the user try to use
the card for a transaction or to gain access the card does not produce the ATR even
if a power supply is applied to the micromodule contacts. After a successful user
authentication the card is powered up and working normally.
▪ APP Status: the default state of one or more applications loaded into the smart card
chip is Disabled so when the card terminal try to select a specific application the card
won’t allow the operation. After successful user authentication the status flag of the
APP (or the APPs) is set to Enabled and it can be selected.
▪ Double ATR: upon warm reset the card send the ATR that is received by the terminal.
The terminal start counting a predefined number of clock cycles monitoring for a
second ATR. If a second ATR is sent within a maximum number of clock cycles the
terminal ‘understand’ that user authentication has been performed successfully else it
stop communicating with the card (or send to cards commands to initiate the PIN
request).
A Biometric Smart Card need power supply to operate. The power can be obtained by a
battery or harvested wireless from the contactless card reader.
Biometric Smart Cards types with Batteries:
▪ With no rechargeable battery: when the internal battery is exhausted the card need to
be exchanged with a new one.
▪ With rechargeable battery + Chip contact: they get power from the smart card chip
contact pads.
▪ With rechargeable battery + Energy Harvesting: they get power from the energy
harvested trough the contactless antenna.
▪ With replaceable battery: this is possible only for Biometric Cards for Access Control
application where the energy supplied by the terminal isn’t enough to power the card.
Biometric Smart Cards types without Batteries:
▪ No Battery + Chip Contact: the card is powered through the smart card chip contacts.
It immediately switch off when the card is removed from the card reader. Potentially
possible, not really practical for most of common application. For sure this is the
cheapest implementation of Biometric Smart Card.
▪ No Battery + Energy Harvesting: the card is powered by the energy harvested trough
the contactless antenna. This is a very popular method for powering dual interface
payment biometric smart cards.
▪ No Battery + Supercapacitors: the card is powered by a supercapacitor, a device that
can be considered something between an electrolytic capacitor and a rechargeable
battery.
Flexibles Lithium-ion batteries are very popular in Biometric Smart Card design, however:
▪ In some countries are considered “dangerous goods”.
▪ In some countries are subject to certification process.
▪ Can be subject to transport limitations by couriers and airlines.
This is the reason why most Biometric Smart Card Solution Providers are trying to reduce
if not eliminate them. Supercapacitors are a viable alternative to rechargeable batteries
offering short-term energy storage (that is exactly what is needed for a fingerprint
authentication), rapid charge cycle (card does not stay within the electromagnetic field of a
contactless reader for hours) and availability in very compact and flexible packaging.
A Biometric Smart Card without battery or supercapacitor needs a terminal to execute the
enrolment or the verification process.
A biometric card must have an additional cavity where the fingerprint sensor is exposed.
The cavity can be made with several processes:
▪ Sheet Punching: the cavity is created by mechanical punching of the Front Side
Layer after the color press printing. The punching is performed on the standard 24 /
48 cards PVC sheets. This process is suitable for mass production.
▪ Mechanical Milling: the cavity is created by mechanical milling on a single card with
the same equipment used for micromodule milling and embedding process. To use
this process the card manufacturer shall add a milling station and an embedding
station to its equipment. To use this process the area sensor shall be delivered on
reel. This process is suitable for mass production.
▪ Laser Milling: some trials have been performed using a laser for milling the fingerprint
sensor cavity. Results were very good on PC, not so good on PVC. I don’t believe
this technology will have much future.
▪ Injection Moulding: the fingerprint sensor and the micromodule cavities are created
with the Injection Moulding techniques that is popular for making SIM Cards. This
process, that as main material uses ABS, creates the two halves of the card and the
back side of the card (sometime the front too) is recessed in order to host the
Biometric Card Inlay. This process does produce smooth and clean cavities and do
not produce PVC debris. The card is then assembled by Cold Lamination. The
disadvantage of this process is that the cards must be printed individually before
micromodule and sensor implanting. The process does require some manual labor
and it’s currently used with success by several card manufacturers in Asia Pacific.
Nearly all first prototypes/version of biometric cards had a swipe sensor, that was the most
easily available in the sensors market. Swipe sensors output a large bitmap image of the
fingerprint offering an high quality input to the minutia generation algorithm. The problem
was that in order to achieve a good quality fingerprint image the user had to follow a
precise procedure for the finger swiping. Tests conducted among test users showed that
people with no familiarity with the finger swiping process struggled to understand how to
use the sensor or used the sensor producing very low quality images. Companies soon
understood that despite its quality, the swipe sensor was not an optimal choice for a
consumer product. So the research turned to the area sensors that offered simplicity and
extremely short learning curve. Here others problem arises because most of the area
sensors available during the years 1998-2002 were based on a silicon substrate therefore
rigid and not ideally suitable for the semi-flexible nature of the smartcard. Nevertheless
many prototypes carrying rigid area sensors were produced laying the ground for the
following generation of area sensor with polymer-based flexible sensing area and
separated controller chip (off-chip) that is nowadays the standard. The communication
channel between the fingerprint sensors and its controller IC might be considered a
weakness of the system this is why most sensor manufacturers use a fully encrypted data
& control interface between them.
Among the many manufacturers of fingerprint sensors, only eight of them offer products
optimized for smart cards. As of time of writing I think that the Swedish Fingerprint Cards is
the company with the highest specific investment into sensors for smart cards. On
September 21, 2017 they launched T-Shape, a smartcard optimized sensor delivered on
35mm format, that can be embedded on card using the very same equipment used for the
micromodule. This is a real deal breaker if confronted with other solutions where sensors
are delivered either “on tray” or already embedded onto the inlay.
The Norvegian company IDEX is also offering the Eagle family of off chip sensor dedicated
for smart card application. IDEX sensors have been selected by major card manufacturers
for their launch Biometric Smart Cards.
A typical Area Sensor is made of thin flexible polymer and most of them have the following
features:
▪ Ability to scan a fingerprint at a resolution of 500 DPI. Sensors with smaller resolution
compensate with a larger sensing area.
▪ Almost all of them do have several ways to mitigate ESD and avoid components
burning.
▪ The outer surface is often coated with a very thin protective layer and most of them
are declared to withstand at least 1 millions of touches.
▪ Ability to sense when the finger is put on the sensor and sending wake-up signal to
the card to initiate the fingerprint acquisition process.
▪ They produce an 8 bit (256 gray scale levels) image that is sent to the
Fingerprint MCU for processing.
▪ Ability to read the fingerprint from any angle. Early models were only able to read
fingerprint from a specific orientation.
▪ Most of them are currently delivered to customer on trays and this make their
assembly into the card or card inlays pretty complex. I expect that most of the sensor
makers will migrate to 35mm or Super 35mm reel format that is the most commonly
used within the Smart Card Manufacturing Industry. As far as I know the first
company of the industry that will ship area sensors on reel is Fingerprint Cards.
▪ Some area sensors include into their design the bezel in form of a continuous or
dotted frame along the borders of the sensor.
The bezel is a thin frame made of metal or other conductive material, that run along the
fingerprint sensor border that have the main function to electrically drive the fingertip
during the fingerprint sensing process other than proving ESD protection. The bezel does
also act a “sealing gasket” between the external environment and the card inlay.
The bezel can also have aesthetic functions helping to cover the soldering point of the
fingerprint sensor and/or cover the fingerprint sensor cavity.
In reference to Biometric Smart Cards we can have several type of bezel:
▪ Bezel supplied as external element that the Card Manufacturer shall apply on the top
of the Fingerprint Sensor;
▪ Bezel supplied as integral part of the Fingerprint Sensor;
▪ Fingerprint Sensors with no bezel at all.
When present the bezel become integral part of the Biometric Smart Cards and therefore
shall be flexible enough to comply with ISO/IEC 10373-1.
In the illustration a cross section of a sample Biometric Smart Card. The bezel help to
keep the fingerprint sensor in place and should not extend over the card surface to avoid
scratch when the cards are stacked.
The Fingerprint Sensor can be on the same level of card surface but most Biometric Card
Solution Providers prefer to have its outer sensing surface slightly recessed in order to
reduce its wear and tear.
The MCU communicate with the Fingerprint Sensor Driver IC and the Smart Card Secure
Elements using SPI or I2C interfaces. Some vendors encrypt the communication from/to
Smart Card IC and the Fingerprint Sensor. The communication network of the MCU, the
Smart Card IC, the Secure Flash and the Fingerprint Sensor is a sensitive topic for the
security qualification of the product because it’s where external attacks can most likely
take place.
The RF IC is another key component of the Biometric Smart Card Inlay because, when
present have the delicate duties of:
▪ Harvest the power from the RFID excitation field.

▪ Regulate the power distributed to inlay components.
▪ Generate and Regulate the clock.
▪ Generate the Reset signal.
▪ Manage the collision that can happen when two or more contactless readers try to
interact with the card.
▪ Charge the rechargeable battery or the supercapacitor.
Most of Biometric Cards include into their design one or more elements for user feedback.
Those are typically LEDs, buzzer or a LCD Display and used to communicate with the
user:
▪ Card On / Off.
▪ Enrolment status (successful / failed).
▪ Fingerprint verification status (successful / failed).
▪ Battery status.
▪ OTP.
Cards with at least one feedback mean are compliant with ISO/IEC 17839-1:2014.
A Biometric Smart Card can be enabled with one or more contactless interfaces including
the popular ISO 14443 Type A, B, C, NFC or Bluetooth LE. Biometric Card focusing on
Access Control application can be enabled with one or more interfaces among the
following:
▪ HID 125 kHz / HID iClass
▪ Mifare Classic / DESFire EV1
▪ Legic Advant
▪ Atmel 5577
The Flexible PCB (FPCB) is manufactured by companies specialized in flexible electronics
under specification from the Biometric Card Solution Provider. This industrial process
output:
▪ FPCB Inlays mounted on 24 / 48 prelam sheets.
▪ Individual FPCB Inlays, without fingerprint sensor, usually delivered in trays.
▪ Individual FPCB Inlays with fingerprint sensor mounted, usually delivered in trays.
The manufacturing process for a Biometric Smart Card might vary according to the inlay
delivery format decided by the Biometric Card Solution Provider:
▪ PVC sheets are printed with the usual CMYK press process.
▪ If the inlays are delivered with fingerprint sensor already embedded, the front side
sheet is punched and the fingerprint sensor cavities are created.
▪ The layers of the cards, typically back side overlay + printed back side + inlay +
printed front side + front side overlay, are collated, aligned and put between the
lamination plates.
▪ The sheets are laminated.
▪ The laminated sheet goes trough a punch machine that detach the cards from the
sheet.
▪ The produced cards are aligned in the same orientation, gathered and stacked.
▪ An automated machine perform the mechanical milling of the micromodule cavity.
▪ An automated machine embeds the micromodule into the card body.
▪ If the sensor cavity was not done before, then a machine create the fingerprint sensor
cavity by mechanical milling.
▪ The embedding machine apply conductive epoxy on the contacts pads.
▪ The embedding machine apply adhesive epoxy on the walls of the cavity.
▪ The embedding machine embeds the sensor in the cavity.
▪ If the sensor does not include the bezel into its design, the embedding machine apply
the bezel on the top of the fingerprint sensor.
This is a reference process and is subject to variations according to the process in place at
card manufacturer site.
Biometric Smart Cards can be personalized with most common personalization equipment,
however it shall be taken into consideration two main facts:
▪ The card include a flexible electronic circuit board so anything that impact on the
inner layer of the card shall be avoided;
▪ The fingerprint sensor shall be left exposed.
That said, the most popular (and safest) personalization technologies used for Biometric
Cards are Laser engraving and Inkjet printing.
Direct to Card and Retransfer printers can also be used but preliminary tests are
necessary to make sure the card can pass freely within the printer transport mechanism.
Some Biometric Smart Card have a raised bezel that can jam into the card transport
mechanism or/and damage the thermal printhead.
Rear Indent, the technology typically used to imprint the security code on the back of
financial cards can be possibly done if no components are present in that specific area of
the inlay.
Mechanical Embossing and Front Indent shall not be performed because of the very high
risk of damaging the delicate electronic inlay.
Card overlaminates with secure elements such as holograms or security printing inks that
cover the whole front surface of the card are highly discouraged because normally cover
the whole sensor area making the card unusable. Security overlaminates can be applied
on the back side of the card.
Because Biometric Smart Cards are always thicker than standard ISO smartcards (0.76
mm – 1/32 in) it’s always recommended to try to personalize a single card before
launching the mass process.
The Biometric Card Solution Provider is primarily an holder of IPs on process and
technologies that allows Card Manufacturers to produce Biometric Smart Cards. Very few
Card Manufacturers have capability to fully develop, industrialize and produce a Biometric
Smart Card totally in-house.
The Biometric Card Solution Provider deliver a biometric solution to the Card
Manufacturers that is made of:
▪ Flexible Inlays / prelaminated sheets.

▪ Fingerprint Sensors (embedded on inlay or as separate component).
▪ API for MCU interface with Smart Card Chip.
▪ Development tools that includes prototyping / testing / production / personalization
tools.
▪ Enrolment software package or API / Windows drivers.
▪ Licenses for components / applications / matching algorithm and industrial processes.
The fingerprint templates matching algorithm can be licensed by third parties such
as Precise Biometrics or Innovatrix but can also be developed by the Biometric Card
Solution Provider or by the Fingerprint Sensor vendor.
This is a map of the key trials and pilots made with Biometric Smart Cards in the last four
years:
Year 2014 – Sparebanked DIN – Norway

This was a joint pilot Zwipe – MasterCard and probably world first Biometric Payment
Cards endorsed by a large card processors. The smart card EMV chip was supplied by
Oberthur.
Year 2015 – Danske Bank- Denmark
This was a joint pilot Zwipe – MasterCard had with selected customers of the Danish
Danske Bank. The smart card EMV chip was supplied by Oberthur.
Year 2015 – Battistolli – Italy
This was a pilot done in Italy using Card Tech Biometric Cards and customized POS
terminals by Ingenico. The Biometric Cards were used for identification and access of
personnel working at secure logistic company Gruppo Battistolli, specialized in
transporting cash, jewelry and other kind of valuables.
Year 2016 – Bundesdruckerei – Germany
This was a pilot made with Bundesdruckerai Biometric Smart Card called GoID, used as
company ID among its employees. The GoID card is made of hard-wearing fibre
composite and it includes a 12 keys pinpad and a lanyard hole.
Year 2017 – Pick n Pay – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at the leading
South African supermarket retailer operator Pick n Pay.
Year 2017 – Absa Bank – South Africa
This was a Biometric Payment Card pilot run by Oberthur and Mastercard at the leading
South African supermarket retailer operator Pick n Pay.
Year 2017 – Bulbank – Bulgaria
This was a Biometric Payment Card pilot run by OT-Morpho (now Idemia) and Mastercard.
Year 2017 – Pleinair Casino – France
This pilot – that is still ongoing at Plenair Casino La Ciotat in France – uses 7000 MeReal
Biometrics V2 Biometric Smart Card. The cards were launched initially to be used by
employees to grant access to private back-of-house and privileged areas, as well as
provide record-keeping for time and attendance. It’s expected that the group will add more
applications for Access and Payments in the future for employees and for its 1 million VIP
players who currently carry a contactless loyalty cards.
It’s worth to mention that the Chairman of the Supervisory Board of the Groupe Partouche,
the casino’s owner, Mr. Patrick Partouche is MeReal Co-Founder and shareholder.
Year 2017 – United Nations – Switzerland
The United Nations in Geneva is testing 500 Biometric Cards loaded with physical and
logical access applications. The tender for the cards was won by Korea Smart ID that
developed the Biometric Smart Card using an Elan Microelectronics fingerprint sensor and
an inlay made by Jinco Universal.
Year 2017 – Instanbul Municipality – Turkey
The Korean company KSID won a tender for the supply of Biometric Smart Cards to be
used as authentication token for the official taxi drivers of Instanbul Municipality.
Year 2017 – Woori Bank – South Korea
KSID won a tender for the supply of Biometric Smart Cards to Woori Bank for bidding at
the South Korea National Market Agency of the Public Procurement Service.
Year 2017 – AirPlus International – Germany
The Korean company Kona I is deploying their Biometric Smart Card to AirPlus
International, a leading international provider of solutions for the management of business
travel. The card – that have payment and loyalty features enabled – feature a Fingerprint
Cards sensor.
CardLab is a Danish private company founded in 2003. They have a very solid portfolio of
patents on powered smart cards and offer a flexible platform where customers can choose
the elements to be included in the cards.
CardLab was one of the first company to make Biometric Smart Cards in Europe and – as
many of the early adopters – using a swipe fingerprint sensor. The company new
manufacturing plant is located in Bangkok, Thailand were they plan to produce also
Biometric Smart Cards.
The company have co-developed their Biometric Smart Card with the Danish
company QuardLock also using funds granted by Europe 2020 SME Program.
CardLab new Biometric Smart Card is currently under industrialization and it should be
ready for mass launch early 2018. This card will feature Fingerprint Cards FPC 1321
fingerprint sensor.
CardTech is an Italian private company founded in 2006 by Mr. Fabrizio Borracci. The
company launched their first Biometric Smart Card embedding a swipe sensor then
migrated to an area sensor.
As of time of writing, the company it uses almost exclusively area sensors from IDEX that
are embedded in the inlay at the end of the manufacturing stage of the flexible electronics.
CardTech it support a tier-one card vendor and several 2nd tier card manufacturers.
CardTech propose an architecture where the template matching is performed by the Smart
Card Chip and the main product marketed today is a contact-only Biometric Smart Card. A
Dual Interface version is under development.
Datang Microelectronics Technology Co., Ltd (DMT), chinese name 大唐微电子技术有限公
司, formerly the IC center of China Academy of Telecommunications Technology
(CATTIC), is a holding subsidiary of Datang Telecom Technology Co., Ltd (DTT, 600198.
SH), a State owned 3.3B$ industrial group. As one of the largest IC design companies in
China, DMT has established Asia’s largest, highly complete and sophisticated smart card
chip production line. The company develop, produce and distribute ICs for smart cards,
micromodules, fingerprint sensors and flexible PCB inlays.
Datang key products are:
▪ Contact Biometric Smart Card with rechargeable battery
▪ Dual Interface Biometric Smart Card with rechargeable battery
▪ Clam shell Biometric Smart Card (non ISO) with rechargeable battery
Jinco Universal is a private Taiwanese company founded in 2005. Jinco is Asia’s largest
supplier of OEM/ ODM of powered smart cards.
Although they produce their own Biometric Smart Card they have specific partnership with
KSID Korea (IC Chip OS + Card Manufacturing) and Elan Microelectronics (Fingerprint
Sensors). Together they have participated and won the United Nations tender for the
Biometric Cards trial.
They do have few patents on Biometric Cards and their manufacturing process is almost
entirely focusing on Cold Lamination technology.
They do offer Contactless Biometric Cards with rechargeable battery, dual interface
energy harvesting Biometric Cards and dual interface biometric cards with rechargeable
battery plus dynamic magnetic stripe and display. As optional contactless interface is also
available the Sony Felica RC-SA01transponder chip.
MeReal Biometrics is a private company based in Hong Kong founded in 2009 and is led
by Patrick Partouche and Philippe Blot. Mr. Partouche other being chairman of MeReal
Biometric is also Chairman of the Supervisor Board of Groupe Partouche. Mr. Blot is CEO
and Chairman of UINT, a French company specialized in powered smart cards.
They have several patents related to Smart Cards including some related to transmission
of OTP from card to terminal by means of acoustic or RFID.
The Biometric Smart Card platform offered by MeReal Biometrics make use of
rechargeable batteries and among their product range there is also a compact portable
contactless battery charger.
First version of their Biometric Smart Cards were using swipe sensor lately switched to
area sensor. Trials are currently ongoing among Partouche Group employees. Partouche
Group is an industrial group active in casino, hotel, restaurants and spa businesses.
Morix is a Japanese private company founded in year 2005 and is one of the oldest
company operating in the field of Biometric Smart Cards.
Morix have co-developed with ASD an area sensor for Smart Card that is used in their
product and also sold as standalone device.
The key product of the company is a Biometric Smart Card with non-rechargeable battery
while a dual interface NFC Biometric Smart Card is currently under development.
Tactilis is a private company founded in Singapore in 2009 run by smart card industry
seasoned professionals led by Michael Gardiner (CEO), Adriano Canzi (CTO) and David
Martin (CFO). The manufacturing base is located in Penang, Malaysia.
Their core product is a dual interface, energy harvesting Biometric Smart Card with area
sensor from Next Biometrics. Their Biometric Smart Card is powered by the popular
Cortex M4 and they offer secure flash storage up to 4 GB, opening the door to several
advanced applications. The card is assembled using a patented process.
The product is available as complete card or as flexible inlay on OEM license.
Tactilis have strategic technological partnership with a leading tier-one card manufacturer.
Zwipe is a private Norvegian company founded in 2009 by Kim Kristian Humborstad that is
currently managing the company as CEO.
Zwipe is invested since 2015 by Kuang-Chi Group (深圳光啟集團) a Chinese diversified
technology conglomerate that develops and invests in telecommunication, aerospace,

artificial intelligence, metamaterial, smart-city and digital health technologies. Kuang-Chi is
also majority shareholder of a JV setup in 2016 with Zwipe to promote biometric products
in China.
Zwipe have the largest IP portfolio of the Biometric Smart Cards industry with more than
50 patents filed.
The current Flexible PCB is developed around a Fingerprint Cards area sensor, however
their MCU and inner architecture is designed in such a way to be easily adapted to other
area sensors.
Main products by Zwipe includes:
▪ Dual interface, energy harvesting Biometric Smart Card with focus on payment
applications.
▪ Contactless, energy harvesting Biometric Smart Card with focus on ID applications.
▪ Clam shell design, rigid, non-ISO, access control Biometric Card powered by a
replaceable battery. This is the first commercial product of the company and is
currently available worldwide through a network of selected partners.
This table summarize the main type of Biometric Smart Cards offered by the companies
introduced in the research. Jinco Universal is the only company able to offer the complete
range of Biometric Smart Cards variants.
The development on Biometric Smart Cards by the tier-one card vendors is the following:
▪ Gemalto: industralization is currenlty undergoing at their R&D centers and plants in

France and Germany and I would expect them to have the product ready by end of
the year. The product will be on demo at Trustech.
▪ Idemia (former OT-Morpho): is the first company among the first-tier card vendors to
have completed the industralization and is already selling Biometric Smart Cards for
various small trials and projects worldwide. They mostly use an area sensor from
IDEX with the Biometric Authentication Engine developed by the Morpho team (now
integral part of Idemia).
▪ G&D: the German company does not market any BSoC in their Payment and ID
(Veridos) products portfolio. I am not aware of any ongoing development, this doesn’t
mean that they are not investing in this technology. I would speculate that
the Bundesdruckerei biometric card called GoID will be moved to Veridos products
portofolio. It seems anyhow that GoID is a very well engineering product, made of of
hard-wearing fibre composite with a very nice keypad but it’s current steep price is
making it’s way into the global market limited to some narrow verticals.
▪ Korea Smart ID: it’s the company that by far shipped the largest number of Biometric
Smart Cards. Among the several projects won, are worth to mention:
▪ Logic and Access Control Card for United Nations.
▪ Taxi Drivers ID License Card for Instanbul Municipality.
▪ E-Procurement Platform Access Card for Woori Bank.
For year 2017 I expect a global combined volume of shipped Biometric Smart Cards below
20M units.
Year 2018 will mark the beginning of mass deployment for Biometric Smart Cards with a
global volume that will stay below 100M units.
By the end of year 2018 new Inlay ASICs will be ready and optimized fingerprint sensors
will be available at lower cost generating a new, larger wave of issuance that might likely
reach at least 250 millions of Biometric Cards during the Year 2019.
Biometric Smart Cards will eventually become part of most card vendors portfolio and the
cards will reach a pricing level that will enable new applications. Isn’t an easy call making a
forecast for the year 2020, let’s say that with the indicators available today I would put that
number around 400M pieces shipped globally.
Current ASP of a personalized Biometric Smart Card without battery is between 14 and
18USD. Pricing for very low volume, e.g. hundreds cards can potentially almost double the
price. This is happening because product industrialization have been just completed or is
under completion thus we can’t enjoy yet the pricing given by the economy of scale.
Pricing for battery-powered Biometric Smart Card are normally higher of those without and
clamshell biometric cards for access control cost even more because of the moulded rigid
shells and manual labor for its assembly.
Kindly note that the provided forecast is purely indicative and might be subject to
significant variation mainly due to:
▪ Variation in price of the fingerprint sensors.

▪ New ASICs integrating MCU + RF IC + Fingerprint Sensor driver IC + Secure Flash.
If the market will become significantly relevant I would expect smart card chip
manufacturers to power up their IC design integrating all is needed to fully power and
control a Biometric Smart Card. This last hypothesis will require an highly coordinated
effort between chip manufacturers, sensor manufacturers, biometric authentication
algorithm developer and smart card vendors.
▪ Market demand: a strong market pull will drive pricing down.
▪ Popularity wave created by Card Issuers.
▪ Ability of Card Manufacturers and Biometric Solution Providers to optimize the
industrialization process.
The industrial process of making flexible PCB is well established, so I only expect slight
reduction in FPCB cost when Biometric Cards shipping volumes will go up.
ISO specifications for the Biometric Smart Cards are being developed by the Technical
Committee ISO/IEC JTC 1/SC 17 and their scope of work cover:
▪ Identification and related documents
▪ Cards
▪ Security devices associated with their use in inter-industry application and
international exchange.
The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 1: Core requirements
define two type of cards:
▪ Type S1:
▪ Same dimension as ISO/IEC 7810
▪ Same torsion and bending requirements as ISO/IEC 7816-1
▪ Contact interface as specified in ISO/IEC 7816-3
▪ Enable use of USB interface as specified in ISO/IEC 7816-12
▪ Contactless interface as specified in ISO/IEC 14443
▪ Type S2:
▪ Card is 2.5 mm (0.098 in) thick
▪ The card cannot be inserted by mistake in conventional card slot
▪ Width and height same as ISO/IEC 7810
▪ No need to comply with flexibility requirements of ISO/IEC 7816-1
▪ Only ISO/IEC 14443 contactless interface
The ISO/IEC 17839-1:2014 – Biometric System-on-Card – Part 1: Core
requirements specify the key characteristics of the biometric acquisition element on card:
▪ For Area Sensors:
▪ They shall have a minimum active area of 169 mm2 (13 x 13 mm or 0.152 x
0.152 in)
▪ For Swipe Sensors:
▪ They shall have a linear acquisition element measuring minimum 13 mm (0.512
in)
▪ Allows presence on card of other electronic elements able to acquire voice
(microphone), facial image (camera) or card user signature (signature input pad).
The ISO/IEC 17839-3:2016 – Biometric System-on-Card – Part 3: Logical information
interchange mechanism covers the main commands, protocols and procedures to
coordinate the biometric enrollment/verification with the smart card microcontroller and the
terminal:
▪ Commands and data structure
▪ Internal Enrollment and External Enrollment
▪ Initiation of verification
▪ Status feedback
▪ Processing time management and extension
▪ Capability discovery mechanism
Other ISO TS / TR related to Biometric Cards includes:
▪ ISO/IEC 24787: 2010 – On-card biometric comparison
▪ ISO/IEC TR 30117: 2014 – Guide to on-card biometric comparison standards and
applications
▪ ISO/IEC 18584: 2015 – Conformance test requirements for on-card biometric
comparison applications
EMVCo is currently working on the 2nd Generation Specifications that will include Biometric
Cards. The specifications on the terminal side have been completed while those of the
cards are still ongoing. In November 2017 the working group will meet in Paris also to
discuss and potentially finalize the specifications for the Biometric Card.
The latest 3D Secure version 2.0 use token-based and biometric authentication, instead of
static passports.
Visa, MasterCard and American Express have updated their Payment Applets specs in
order to be biometric-compliant introducing the possibility to use card holder Fingerprint
verification as alternative to PIN.
The European Union, on 25 November 2015 have issued the directive 2015/2366 on
payment service in the so called “internal market”.
The Directive, that is currently in force provide the legal foundation for the further
development of a better integrated internal market for electronic payments within the EU
and, among the several new recommendations, it introduce the requirements for “Strong
User Authentication”.
Strong User Authentication requires the use of at least two independent elements among:
▪ Knowledge category > example the PIN

▪ Possession category > example the card
▪ Inherence category > example the fingerprint
Development of biometric authentication at ICAO working groups is still ongoing. As of
time of writing there is still no specific reference to Biometric Systems on Cards.
Biometric Smart Cards will enjoy wide acceptance because of the following key factors:
▪ Consumers familiarity with Smart Cards and smartphones.

▪ Relatively slow consumer adoption of mobile payments.
▪ Payment industry need to reduce Card-Present transaction.
▪ Improve verification and authentication processes that in some context doesn’t work
anymore, even with smart cards. Just think of a classical Access Control
implementation where a thief can steal someone else badge and gain physical or
logical access to facilities and/or systems containing sensitive data.
▪ Very low or no implementation cost. Apart from the cost related to acquisition of new
cards and the initial users enrollment, on the terminal side minor or no changes are
required.
▪ New local, regional, national, trans-national legal framework / recommendations /
laws on management of biometric data are being published and updated; in most of
them is indicated that biometric data (either raw or processed) cannot be stored in a
centralized database. This is a major shift of paradigm toward many current
implementation were biometric data are stored in a single large database.
▪ Last, but not least the elimination of risks associated to infection transmission with
standalone fingerprint scanners.
Further development of Biometric Smart Cards can he hampered by several risks:
▪ Rejection due to personal reasons.

▪ Cultural incompatibility, due to certain religion believes, for examples.
▪ Lack of respective biometric feature, example people born with the rare genetic
disorder called Adermatoglyphia, where the person have no fingerprints. Dermatitis
can also cause inflammation of the skin and temporarily leave the individual unable to
leave fingerprints. The autoimmune disease Scleroderma can also create a condition
where the person fingerprint is extremely light and sometime impossible to be
recorded by a fingerprint scanner.
▪ Criminal organizations might develop techniques to enroll/verify fake or artificially built
fingers avoiding the liveness detectors and other technologies on board of the
fingerprint scanners.
▪ Biometric Smart Cards might be challenging to use in harsh climatic conditions such
as places with high temperature, high humidity and high temperature.
Given the very fast pace of today technology, it won’t be easy to predict what will happen
in the future. However, I will provide my very personal view of what might be happen in the
next 3-5 years from now:
▪ Fingerprint Sensors will extend existing liveness detection with vein sensing
capability, blood flow and heartbeat detection.
▪ In terms of electronics I foresee a drastic reduction of components on the
flexible PCB:
▪ Y2020-2022 – Two main chips on board: the Smart Card Microcontroller +
custom ASIC.
▪ Y2023-2025 – All electronics embedded into the Smart Card Microcontroller.
▪ Fingerprint sensors will be able to operate under a layer of conductive plastic. This
means no more fingerprint sensor cavity and cost reduction due to simplified
manufacturing.
▪ Behavioral biometric meaning a system comprised of fingerprint and additional
sensors able to “learn”, “record” and “detect” user finger behavior in terms of speed,
approach point on sensor, rotation on sensor, pressure on sensor and other user
behavioural patterns.
▪ Contactless fingerprint sensors where the user fingerprint is read without need of
physical contact with the sensing surface.
▪ Development of compact DNA sequencer able to fit into a smart card format.
References
▪ http://coe.int/en/web/conventions/full-list/-/conventions/treaty/005
▪ http://dhl.it/en/express/shipping/shipping_advice/lithium_batteries.html
▪ http://dmt.com.cn/product/aqkz/zwsb/529.html
▪ http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
▪ https://en.wikipedia.org/wiki/Biometrics
▪ https://en.wikipedia.org/wiki/Data_Protection_Directive
▪ https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
▪ https://en.wikipedia.org/wiki/Fingerprint_recognition
▪ https://en.wikipedia.org/wiki/Personally_identifiable_information
▪ https://en.wikipedia.org/wiki/Supercapacitor
▪ http://fingertec.com/download/tips/whitepaper-01.pdf
▪ http://www.gemalto.com/govt/biometrics/biometric-data
▪ http://heritage.org/homeland-security/report/biometric-technologies-security-legal-
and-policy-implications
▪ http://horizon2020projects.com/special-reports/technical-information-card-fraud-
identity-theft-protection-technologies/
▪ http://iata.org/whatwedo/cargo/dgr/Pages/lithium-batteries.aspx
▪ https://www.icao.int/Meetings/a38/Documents/WP/wp094_en.pdf
▪ https://www.icao.int/publications/pages/publication.aspx?docnum=9303
References
▪ https://www.icao.int/publications/Documents/9303_p9_cons_en.pdf
▪ https://www.icao.int/publications/Documents/9303_p10_cons_en.pdf
▪ http://www.mainguet.org/
▪ https://ncbi.nlm.nih.gov/pubmed/19006507
▪ http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
▪ http://patentexaminer.org/wp-
content/uploads/2011/09/SmartMetric.MC_.2.Complaint_small.pdf
▪ http://patentexaminer.org/wp-content/uploads/2011/09/SMME_v_MasterCard_1.pdf
▪ http://prba.org/wp-content/uploads/IATA-Lithium-Battery-Guidance-2017-1.pdf
▪ https://www.sec.gov/Archives/edgar/data/1301991/000114420415058083/v421136_e
x10-8.htm
▪ https://scribd.com/doc/316791717/Special-Report-Biometrics-and-Border-Security
▪ https://uni-kassel.de/fb07/fileadmin/datas/fb07/5-
Institute/IWR/Hornung/isse_2004_47-57_biometric_identity_cards.pdf
▪ https://ups.com/media/news/en/ca/intl_lithium_battery_regulations.pdf
▪ https://www.youtube.com/watch?v=jw_4uaRNsBA&t=1228s
▪ https://www.youtube.com/watch?v=VESg5mPWk34&t=21s
DISCLAIMER
Antonio D’Albore is making any representation or warranty, expressed or implied, as to the

accuracy, reliability or completeness of the information in the research, and neither
Embedded Security News or Antonio D’Albore will have any liability to you or any other
persons resulting from your use of the information in this research. Antonio D’Albore
undertakes no obligation to publicly update or revise any forward-looking information or
statement in this research.
All brands and product names are the property of their respective holders.
© 2017 Antonio D’Albore / Embedded Security News

2017-10-The Rise of Biometric Cards With Comment PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

2017-10-The Rise of Biometric Cards With Comment PDF

Caricato da

Copyright:

Formati disponibili

This is a research about Biometric Smart Cards conducted from January through

▪ To reduce Card-Present-Fraud in Payment Cards

Biometric Smart Cards types with Batteries:

In reference to Biometric Smart Cards we can have several type of bezel:

▪ Harvest the power from the RFID excitation field.

▪ Flexible Inlays / prelaminated sheets.

Year 2014 – Sparebanked DIN – Norway

司, formerly the IC center of China Academy of Telecommunications Technology

Zwipe is invested since 2015 by Kuang-Chi Group (深圳光啟集團) a Chinese diversified

technology conglomerate that develops and invests in telecommunication, aerospace,

▪ Gemalto: industralization is currenlty undergoing at their R&D centers and plants in

▪ Variation in price of the fingerprint sensors.

▪ Knowledge category > example the PIN

▪ Consumers familiarity with Smart Cards and smartphones.

▪ Rejection due to personal reasons.

Antonio D’Albore is making any representation or warranty, expressed or implied, as to the

© 2017 Antonio D’Albore / Embedded Security News

Potrebbero piacerti anche