sim cards – the new frontier for biometrics
TRANSCRIPT
10Card Technology Today April 2009
SIM cards – the new frontier for biometrics
Two-factor authentication of something you have and something you are is becoming increasingly important in both the government and private sectors, where smart cards are being combined with biometrics to boost security, improve convenience and enhance privacy.
Starting pointOne of the most popular approaches to com-bining biometrics with smart cards is Match-on-Card, which has been applied to a number of eID schemes in countries around the world, such as Thailand and Portugal. This process involves both the matching and storing of fingerprints on a smart card. It has the privacy advantage of storing the fingerprint template
within the card, making it unavailable to exter-nal applications and the outside world. In addi-tion, the matching decision is securely authenti-cated internally by the card itself.
Taking the Match-on-Card approach a step further, the technology can also be deployed on SIM cards. This is an important develop-ment as the SIM card segment represents close to 80% of the entire smart card market and, because Match-on-Card technology is tied to smart cards, this is where Precise Biometrics wants to be. As the number of mobile phones in use worldwide grows from its current base of approximately 4 bil-lion over the next few years, there will be a real business need for this type of technol-ogy. And although citizens in some of the developing nations are still only using their low-end handsets to make voice calls, an increasing number in the developed world are using their phones to access and store infor-mation and services, helping drive demand for increased security.
More securityMillions of people now use their mobile phones to access their bank accounts, read their emails, talk to people using Instant Messenger (IM) and download music and ring tones, all of which require an element of verification. But in the future, mobile phones will also be used for other functions such as Registered Traveller Programs (RTPs) as well as mobile payments, both of which will require the handset owner to verify themselves.
By applying fingerprint recognition to SIM cards in a Match-on-SIM process, citizens can secure their information and prevent unauthorized transactions. This process enables both the storing and matching of fingerprint information on a SIM card. And, because no matching or storage takes place outside the SIM card, the personal integrity of the mobile phone carrier is always pre-served. The complete function exists as a Java applet inside the SIM card and uses estab-
lished standards to ensure interoperability, so it is entirely independent of handset manu-facturer model and make.
Smart card limitationsAlthough the smart card offers good security, it has a few limitations, such as the lack of a private human interface to the card. If a user wants to know what’s in their card – what their last transaction was or what seat they have on their eTicket – they have to put it in a terminal. You can introduce a greater ele-ment of convenience with the SIM card and mobile phone. This is because the handset has its own screen and can communicate with the SIM card, enabling the owner to check and manage information at their conven-ience. Suddenly the eTicket becomes more practical than a paper ticket. It means users can now check information at any time or in any place, and it gives them the reassur-ance of being able to interact with all these transactions and use the functions in their own time, whenever they feel like it. They no longer need to find and use a terminal to get the information they want. And the biometrics mean they know that whatever information is stored in the phone is avail-able and accessible only to them.
Additionally, even if they lose their handset, these functions can be locked by biometrics independent of the phone.
How soon?The slowness with which handset manufactur-ers have introduced NFC-enabled phones is well recorded, but there is no doubt that in a not too distant future NFC will play an impor-tant role in applications as diverse as payments and airline ticketing. There are already two NFC-enabled Nokia handsets on the market, with devices also expected from other manu-facturers by the end of 2009 or early 2010. With this in mind, Match-on-SIM supports fully automated identity verification performed
Smart card technology has been successfully combined with biometrics for a number of years in applications such as health cards, drivers licenses, single sign on tokens and national ID cards. Biometrics are now being combined with SIM cards – and winning industry plaudits in the process. Jonas Andersson, vice president of Business Development at Precise Biometrics, reports.
Match-on-SIM – How it worksMatch-on-SIM works in much the same way as Match-on-Card, and uses the same matching engine used in the national ID cards of Thailand and Portugal. However, the technology is optimized for a purely contactless environment with a number of limitations and rules about what is communicated over the NFC and how. It has also been developed to fit into the logic of the mobile phone.
The subscriber’s fingerprint information is stored and matched inside the SIM card. The fingerprint can be captured on an external device and transmitted over the air and matched inside the SIM. This makes the mobile phone a truly personal object, while retaining the verification of the subscriber’s identity in the secure environment of the SIM card. The technology is also compatible with NFC and PKI standards. No biometric data is ever transferred from the SIM card. This ensures the full privacy of the subscriber and protects his or her fingerprint data at the same level as system keys.
FEATURE
11April 2009 Card Technology Today
internally in the SIM card and communicated to the outside world over standard interfaces such as NFC. Using the full functionality of the NFC specification, Match-on-SIM is capable of functioning with the mobile phone turned off, even if the battery is dead.
It will be some time before these handsets become widely available commercially. Their use should start growing in 2010, and by the end of 2011, analysts forecast that 25%-30% of the installed base of mobile phones will be NFC capable. Assuming these estimates are cor-rect, that will be the time from which a good subscription base could be achieved. If you look at the number of mobile phones currently in use worldwide, 30% of that total would repre-sent nearly a billion handsets.
ApplicationsThe technology has the potential to be used in a number of different environments, includ-ing payments and RTPs. At airports, where passenger safety and national security are paramount, it enables airlines and airports to offer travellers an extensive service based on biometric verification. For example, passengers can purchase tickets online. They can also receive real-time updated information relevant to their requirements, meaning that instead of having to wait close to information screens for details of their flight to appear, they can enjoy the airport duty free/shopping mall experi-ence safe in the knowledge that their phone will alert them when they need to board. Plus, by using biometric verification, the traveller can pass through automated fast-lane identity verification for domestic and international air travel.
The Match-on-SIM-based solution provides many of the services that the self-service kiosks offer today without the maintenance overheads. And, as with all automated airport processes, it allows for faster passenger throughput as well as increased reliability and more accurate passen-ger identity verification.
Precise Biometrics has developed a mobile aviation solution based on Match-on-SIM, which won first prize at the global SIMagine competition held at the GSMA Mobile World Congress earlier this year. The solution is known as BioXpress – the queue-less travel experience. This enables fast-lane service using fingerprint recognition and mobile phones. It uses Match-on-Card for automated ID check supporting airline services through the SIM card and NFC.
This builds on last year’s entry when Precise Biometrics achieved second place with its Match-on-SIM technology. This was a fairly straightforward demonstration of how
the technology works, showing the Match-on-Card channel and the SIM card’s capa-bility of supporting the Match-on-Card in the same way that people have become used to using it in ID cards and single sign-on tokens. But 2009’s entry went a step further, demonstrating an entire solution for airline travel, showing how biometrics can be used throughout the entire process of booking, check-in, boarding and other services related to travel where authentication is needed. The concept was built on Precise’s experience with the aviation industry and developed with the help of Scandinavian Airlines (SAS). It is a solution to a particular issue faced by airlines and offers them definable advantages and cost efficiencies. It also comes in a format that works for airline operators that are inde-pendent of airport authorities, such as border control staff.
At the airport, this approach is about far more than passenger ID. It enables an airline to make a ticket truly personal because pas-sengers will associate it with their fingerprint. The ticket is null and void without this piece of biometric information. So if passengers associ-ate their fingerprint with their ticket, they can access fast-lane automated services in the air-port, bypassing queues, speeding up the whole process and making the travel experience more convenient. Of course, if a traveller has criminal convictions, doesn’t want to use the system, is incapable of using the technology, or simply doesn’t have the technology to use it, they will continue to go through ordinary airline passen-ger channels.
We think our progress in the SIMagine competition says a lot about the state of the mobile market, which is developing and grow-ing very fast. To achieve second last year with our very basic demonstration of our concept shows how interesting the judges found it. Our first position in 2009 shows that the dynamic mobile industry almost needs to have things packaged and ready with the marketing material, price list, business model and so on to meet the demand they’re soon going to get for the technology.
Well suited?RTP applications are well suited to a mobile environment. The type of people requesting registered traveller status are the most likely to own a mobile phone. Furthermore, RTP rollout is currently being hindered because of the reluctance of the various parties involved to pick up the cost of issuing cards to travellers. As it stands, there are still only a small number of RTPs running in Europe, such as the Dartagnan scheme at Schiphol
Airport in Amsterdam. Unless things change, Europe risks having a number of very local-ized schemes where all you get is fast passage through one single airport and nothing more. If you can get away from the cost of printing and distributing a document, you’re much closer to being able to share the functionality.
To address this, the industry is looking at the documents travellers already carry that are capable of incorporating biometric verifi-cation and are accessible at an airport. Some have considered ePassports, but this would not work because legally the passport can only be read by the border control author-ity. Not only can you not process them in the airline ticketing environment, but these documents also lack a data field to add RTP details. However, mobile phones, are avail-able to anyone travelling. They can be read by the same type of equipment as ePassports or eTickets in general. Furthermore, they can manage a Match-on-Card facility. So the effort and high cost of distributing RTP cards could be replaced with the need to distribute a much more affordable piece of software that fits on mobile phone SIM cards.
PaymentsOther application markets also look interest-ing for Match-On-SIM. In the payments sector, Match-on-SIM restricts the phone to one specific person, removing the pos-sibility of transferring or delegating card usage. There will be those that argue that the whole purpose of NFC-based payment is to speed up transactions and make things more convenient for customers, and that adding biometric verification to the process makes it more complicated. However, this is not true. It enables merchants and banks to link the payment with the phone holder securely. And because the matching is performed in a split second, based on a single finger placement, it enables cardholder verification with excep-tional ease of use, speed and increased secu-rity. Furthermore, by adding a fingerprint for transaction verification, skimming attacks are practically impossible.
With the NFC phone you can piggyback on the infrastructure that’s in place. You don’t have a distribution cost or any other cost for that matter. Suddenly people are using their phones as the medium for things such as ticketing and payment at their own cost, and they’re just ask-ing you to add your applications.
Contact: Jonas Andersson at Precise Biometrics,
Tel: +46 46 31 11 00,
Email [email protected],
Web: www.precisebiometrics.com
FEATURE