STPayBio, the proof-of-concept at the heart of the STPay-Topaz-Bio biometric system-on-card platform, just won a CES 2022 Innovation Award. The prize celebrates the technology as the bedrock of fingerprint bank cards, thus opening consumers and financial institutions to a new payment method. However, the mechanisms go far beyond payment solutions. Indeed, teams are already studying the use of this technology in health care and access control. Authenticating users with a fingerprint can provide a more reliable and secure path to privacy. For instance, a server could demand a user's fingerprint before decrypting information and use biometrics stored only on the card. Additionally, medical professionals could fight fraud by ensuring the identity of their patients.
What is STPay-Topaz-Bio?
A Platform With Hardware and Software Components
STPay-Topaz-Bio facilitates the creation of biometric system-on-cards. It handles the fingerprint enrollment, data template, power management, and the card's authentication process. Users simply put a finger on the card's scanner instead of entering a PIN before the transaction takes place. The experience is efficient and more secure. Indeed, hackers can't use an image to unlock the mechanism, and banks can offer a more modern authentication system.
STPay-Topaz-Bio uses the ST31N600 Secure Element, a 40-nm Arm SecurCore SC000 core, which handles most operations during payment, while the STM32L443 processes the image from the fingerprint reader. The platform also includes an operating system compliant with Java Card 3.0.5 and GlobalPlatform 2.3.1 to accelerate development operations.
A Solution That Gets Rid of the PIN
ST developed STPay-Topaz-Bio in partnership with Fingerprint Cards and Linxens. According to a study by ReportLinker, the global contactless biometrics technology market should reach $18.6 billion by 2026. The study also cites the pandemic as a driver of adoption. Consumers are looking for ways to pay while staying physically distant. They also wish to reduce interactions with potentially contaminated hard surfaces. Secure payments through contactless cards with biometric authentication answer those new demands by removing the need to enter a PIN code.
Another reason the industry is celebrating STPay-Topaz-Bio is that chip-and-PIN authentication has inherent problems. The technology dates from the early 2000s, and while massive hacking frauds are rare, they exist. For instance, in 2011 [1], fraudsters used a man-in-the-middle attack to compromise chip-and-PIN cards and steal a total of EUR600,000. The hack, while complex, clearly demonstrated important limits. Similarly, researchers at Cambridge University [2] published details on two crucial security flaws. STPay-Topaz-Bio offers a newer platform with more significant safeguards and does away with a code that criminals could try to read over a shoulder or obtain through social engineering.
A Straightforward Way to Approach Biometric System-on-Cards
By making biometric system-on-cards more secure and practical, STPay-Topaz-Bio solutions will help increase - or even remove - today's contactless cap limits on most bank cards. It will also facilitate the adoption of the new technology by companies and medical establishments. Unfortunately, managers can have a hard time finding accurate information. We thus thought that it was essential to contextualize STPay-Topaz-Bio. Indeed, thought leaders and decision-makers must understand the technical challenges inherent to these emerging technologies.
STPay-Topaz-Bio: The Challenge of Efficiency
A biometric system-on-card in action
Adding biometrics on a card is challenging because manufacturers must still meet existing thickness requirements to ensure compatibility when swiping or inserting the card in existing readers. The ISO/IEC 7810 standard dictates that all bank and ID cards must have a thickness of 0.76 mm. Other standards also define a card's ability to bend without the connectors or components breaking. Satisfying those stringent requirements means that companies that master biometric bank cards can easily port their solutions. Biometric ID badges, employees' identification with fingerprint recognition, and more become easier to make.
Engineers must also solve the technical challenge behind the card's power consumption and energy harvesting. Hence, ST implemented a secure element that can harvest power from the contactless reader and distribute it to the entire card. Such a system is possible because the general-purpose MCU (STM32L443) and the ST31N600 Secure Element have such low power consumption that they can run on the energy harvested during magnetic coupling. STPay-Topaz-Bio is thus innovative because it uses the same NFC technology as the previous generation of contactless bank cards while powering more components, such as a fingerprint sensor and a general-purpose MCU.
Storage and Computational Requirements
Capturing the user's fingerprint and storing the associated template after enrollment requires more memory. Hence, engineers working on biometric system-on-cards face greater hardware requirements. The secure element executes the application, secures information, including the biometric template, and runs the algorithm that matches the fingerprint to the template to authenticate the user. There's thus a need for more storage for the template and the matching algorithm. Similarly, the general-purpose MCU extracts the fingerprint from the sensor and sends it to the secure element, demanding high computational performance while keeping the power consumption as low as possible.
Decision-makers thus understand the importance of hardware optimizations. The STM32 microcontroller has low power modes to vastly improve energy efficiency. Similarly, we ensure the ST31 runs the fingerprint matching algorithm as quickly as possible. Indeed, the total transaction time, including the fingerprint matching, must take less than one second. The platform must, thus, feature the most outstanding optimizations and guarantee a flawless user experience.
STPay-Topaz-Bio: The Challenge of Security and User Experience
Users may struggle with the lack of standardization during enrollment, which must offer a good tradeoff between overall security, performance, and user convenience. Implementers are looking into different enrollment mechanisms that would utilize a sleeve, a mobile device, or a reader with optional LEDs on the card. The capture must also be fast enough and comply with biometric standards such as FAR (False Acceptance Rate) and FRR (False Recognition Rate) requirements that regulate biometric interactions. False positives are severe breaches of security and make the whole system unreliable. On the other hand, a false negative creates friction that end-users hardly tolerate. Therefore, teams working on their system must find the right balance between accuracy and performance.
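The balance between false acceptances and false negatives described above comes down to choosing a match-score threshold. The following is an added example, not code from ST or the STPay-Topaz-Bio platform; the score scale, the sample scores and the function names are assumptions constructed for illustration.

```python
# Constructed similarity scores on an assumed 0-100 scale (higher = closer match).
# These are illustrative values, not measurements from any real sensor or matcher.
GENUINE = [62, 71, 75, 78, 80, 83, 85, 88, 90, 93]   # enrolled finger vs. its template
IMPOSTOR = [5, 9, 12, 15, 18, 22, 27, 31, 44, 66]    # other fingers vs. that template


def rates(threshold, genuine, impostor):
    """Return (FAR, FRR) when a presentation is accepted iff score >= threshold."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # real users turned away
    return far, frr


def pick_threshold(genuine, impostor, max_far, scale_max=100):
    """Lowest integer threshold whose FAR stays within max_far.

    FAR never increases as the threshold rises, so the lowest compliant
    threshold is also the one with the least friction (lowest FRR).
    """
    for t in range(0, scale_max + 2):  # scale_max + 1 rejects every presentation
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("max_far must be >= 0")


def sweep(genuine, impostor, thresholds):
    """Tabulate the tradeoff: one (threshold, FAR, FRR) row per threshold."""
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, range(40, 100, 10)):
        print(f"threshold={t:3d}  FAR={far:.0%}  FRR={frr:.0%}")
    # Tightening the security budget moves the threshold up and adds friction.
    print(pick_threshold(GENUINE, IMPOSTOR, max_far=0.10))
    print(pick_threshold(GENUINE, IMPOSTOR, max_far=0.0))
```

On this constructed data, allowing a 10% FAR rejects no genuine user, while demanding 0% FAR turns away one genuine presentation in ten.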
STPay-Topaz-Bio distinguishes itself from current solutions by offering better biometric processing and more secure protection of the assets, such as the sensor image and templates. Biometric cards, in general, represent a vastly more secure system than PIN authentication or basic contactless solutions by offering more robust security and privacy protections. However, STPay-Topaz-Bio goes a step further by solving multiple design challenges. Adopting it means teams can bypass significant complexities, ensuring their end-users trust their biometric system-on-card. The STPay-Topaz-Bio platform also guarantees fast processing times, crucial for a successful experience.
[1] Ferradi, H., Géraud, R., Naccache, D. et al. When organized crime applies academic results: a forensic analysis of an in-card listening device. J Cryptogr Eng 6, 49-59 (2016). doi: 10.1007/s13389-015-0112-3
[2] M. Bond, O. Choudary, S. J. Murdoch, S. Skorobogatov and R. Anderson, "Chip and Skim: Cloning EMV Cards with the Pre-play Attack," 2014 IEEE Symposium on Security and Privacy, 2014, pp. 49-64, doi: 10.1109/SP.2014.11.