Smart Card Forum
May 21st, 2009



     New trends in smart-cards technology
Agenda

  • Gemalto introduction
  • Computer Authentication Solutions
  • Biometrics on Computers
  • Smart Card, Biometrics and Convenience

Reference, date
Making people’s everyday interactions with the digital world secure and easy

  Gemalto provides end-to-end solutions for digital security, from the development of software applications, through the design and production of secure personal devices such as smart cards, e-passports and secure tokens, to the deployment of managed services for our customers.

Introducing Gemalto

  World leader:
  • World’s #1 for SIM (2)
  • World’s #1 for chip payment cards (3)
  • World’s #1 reference for e-passports (4)
  • World’s #1 install-base of over-the-air (OTA) platforms for GSM networks (5)
  • Pioneer and patent holder of high-speed SIM for mobile Internet, multimedia and mobile contactless applications
  • Pioneer of the .NET card, the first Microsoft Vista compatible smart card solution

  Key figures:
  • € 1.7 billion revenue 2008
  • Innovation investment: 10 R&D sites worldwide, 1,300 engineers
  • Global footprint: 19 production sites, 31 personalization centers, 85 sales & marketing offices
  • Experienced team: 10,000 employees, 90 nationalities, 40 countries

  Source: (1) Gartner 2006; (2) Frost & Sullivan 2006; (3) The Nilson Report 2007; (4) Keesing Journal of Identity 2007; (5) Gemalto 2007

Gemalto's worldwide presence




Computer Authentication Solutions

• There are many ways to authenticate to a computer:
  – Username/password
  – Tokens storing credentials
  – Tokens storing digital certificates
  – Biometrics unlocking credentials or digital certificates stored on the PC
  – Dynamic passwords (OTP), challenge & response
  – ... to name a few

• Multifactor is recognised as necessary
  – Something you know, something you are, something you own
• Simplicity is key
  – Complex solutions lead users to look for shortcuts!
• A strong link to the user is necessary
  – Avoids credential passing/borrowing
  – Enables non-repudiation

The need for strong authentication

• High-profile cases
  – UK aide to Gordon Brown gets BlackBerry stolen
    http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
    “Downing Street BlackBerrys are password-protected but security officials said most are not encrypted”
  – FBI loses 3-4 laptops a month (2007)
    AP, http://www.msnbc.msn.com/id/17115660/
    “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information”
• Regulatory compliance
• Non-repudiation
• Strong authentication is an enabler
  – High mobility
  – Home office
  – Trust management
• Real strong authentication is mutual!
  – Not only user to computer/network, but also the other way around

Strong Authentication on computers

• What is “strong authentication”?
  – Multifactor
  – Mutual
  – Secure
• Digital certificates on smart cards/tokens enable all three
  – Only solution today
• Remaining issues
  – Strong but not absolute binding with the user (lending of the smart card)
  – Potential day-to-day issues: lost cards, blocked cards
• Enter biometrics
  – Enables a 3rd factor if needed
  – Makes it more convenient!
  – Boosts user adoption

Biometrics and Identity

  “Any distinguishing element of a physical person/entity that can be considered as unique”

• Remains constant over time – mostly
• Public – most of the time
• Difficult to revoke
• Sensitive – cultural bias

  → Needs to be considered carefully before using!

  Principle of Psychological Acceptability:
  A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.

What type of biometrics?

• Linked to
  – User acceptance
  – Technology maturity
  – Performance
• Fingerprint recognition is the only prevalent type of biometrics on regular computers
  – Does not mean other types won't catch up quickly!
  – Swipe readers are now common

  Source: JF Mainguet

Fingerprint authentication

• Good maturity – standards and evaluation campaigns
• Large-scale deployments – national ID schemes
• Good user acceptance
• Can be achieved in “Match On Card” mode
• Performance is a tradeoff between:
  – Quality (FAR, false accept rate) – typical figures are well below 0.001%
  – Convenience (FRR, false reject rate) – typical figures are below 2%
  – Accessibility (FTE, failure to enrol) – below 1%

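Worked example, added here and not part of the Gemalto deck: computing FAR, FRR and FTE from a constructed set of matcher scores and sweeping the accept threshold, which makes the quality/convenience tradeoff on the slide concrete. The 0..100 score range, the `score >= threshold` accept rule and all sample scores are assumptions of this example.

```python
"""Added example (not Gemalto's code): FAR/FRR/FTE from constructed matcher scores.

Assumption: the matcher returns a similarity score in 0..100 and an attempt is
accepted when score >= threshold. Raising the threshold lowers FAR (quality)
and raises FRR (convenience); FTE does not depend on the threshold at all.
"""
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample data (a real evaluation campaign uses many thousands of attempts).
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 50, 97, 86, 79]   # same finger as enrolled
IMPOSTOR_SCORES = [12, 25, 8, 40, 31, 19, 55, 22, 14, 27]   # a different finger
ENROL_OUTCOMES = [True] * 99 + [False]                      # 1 of 100 users could not enrol


@dataclass(frozen=True)
class OperatingPoint:
    threshold: int
    far: float  # false accept rate: share of impostor attempts accepted
    frr: float  # false reject rate: share of genuine attempts rejected


def operating_point(threshold: int, genuine: Sequence[int], impostor: Sequence[int]) -> OperatingPoint:
    """FAR and FRR of the accept rule `score >= threshold` on the given score sets."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return OperatingPoint(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def failure_to_enrol_rate(outcomes: Sequence[bool]) -> float:
    """FTE: share of users whose finger could not be enrolled at all."""
    return sum(1 for ok in outcomes if not ok) / len(outcomes)


def pick_threshold(genuine: Sequence[int], impostor: Sequence[int], max_far: float) -> OperatingPoint:
    """Lowest threshold whose FAR is within the security target.

    FRR can only grow with the threshold, so the lowest admissible threshold is
    also the most convenient operating point for that FAR target.
    """
    for t in range(0, 102):
        op = operating_point(t, genuine, impostor)
        if op.far <= max_far:
            return op
    raise ValueError("no threshold meets the FAR target")


def sweep(genuine: Sequence[int], impostor: Sequence[int], step: int = 10) -> List[OperatingPoint]:
    """Operating points at regular thresholds, i.e. the tradeoff curve."""
    return [operating_point(t, genuine, impostor) for t in range(0, 101, step)]


if __name__ == "__main__":
    for op in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {op.threshold:3d}: FAR {op.far:.0%}  FRR {op.frr:.0%}")
    strict = pick_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero FAR needs threshold {strict.threshold}, costing FRR {strict.frr:.0%}")
    print(f"FTE {failure_to_enrol_rate(ENROL_OUTCOMES):.0%}")
```

With these constructed scores a zero-FAR setting rejects one genuine attempt in ten, while allowing one false accept in ten brings FRR to zero; the slide's production figures (FAR well below 0.001%, FRR below 2%) are what a real matcher reaches on far larger score sets, but the shape of the tradeoff is the same.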
Biometrics on computers

• Almost all corporate notebook brands embed a fingerprint reader, either as an option or as standard
• Mostly swipe readers, of varying quality
• Surface readers emerging
  – Government standards (FIPS 201) as driver
• 61 million fingerprint readers to be shipped in 2009
  – Cumulative 300 million to date
  – (F&S WW Silicon Chip fingerprint market, 2007)

Biometrics and regulations

• The use of biometrics needs to take local regulations into account
  – CNIL in France
  – European data privacy directives (Article 29 Data Protection Working Party)
  – UK Data Protection Act
• Regulations mostly require
  – Justification of the means
  – Appropriate protection of biometric data

Biometric Technologies : Reliability vs Convenience

  [Chart: biometric technologies plotted on a reliability axis (+ at top, – at bottom) against a user-friendliness axis, grouped into behavioral and physiological families. From top to bottom: Iris/Retina, Fingerprint, Hand, Face, Signature and Voice, Gait, Keystroke. Behavioral methods (Signature, Gait, Keystroke) sit on the left, physiological methods (Iris/Retina, Fingerprint, Hand, Face) on the right.]

Fingerprint Recognition

• Strengths
  – Long experience
  – Good user acceptance
  – Good reliability
  – Easy to use

• Weaknesses
  – Criminality-related image
  – Leaves traces (latent prints)

Merging Biometrics & Smart Card

• Mutual & strong authentication
  – Using X.509 certificates
• Portable device
  – Personal, linked to the user, “regulator friendly”
  – Biometrics establish a strong link to the user
  – Multifactor security
• Convenience
  – User adoption
• Evolvability
  – Can adapt to rapidly evolving technology

Existing implementations

• Standalone Match On Card not linked to certificates
  – Used with ad hoc software
  – Standalone 3rd authentication factor
  – Can be used for identification purposes
• Standalone Match On Card protecting PIN code and credential storage
  – Enables biometric-protected credential storage
  – Enables biometric-protected PKI certificate usage by PIN replay
• Match Off Card with fingerprints stored on card
  – Compatible with every existing PKI smart card
  – “Regulator-friendly”
  – Enables both credential storage & PKI cert usage by PIN replay
• PKI smart card accepting PIN and/or Match On Card
  – Most secure implementation
  – Enables card-enforced authentication policy (2 to 3 factors)

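Added example, not Gemalto's code or any product's firmware: a simulated PKI smart card that keeps its PIN, fingerprint template and signing key private and enforces its own authentication policy (PIN, Match On Card, or both), next to a host-side "PIN replay" flow of the kind the Match Off Card and standalone Match On Card variants above rely on. The minutiae representation, the toy tolerance matcher, the HMAC stand-in for a signature and all sample data are assumptions of this example.

```python
"""Added example (not Gemalto's code): a simulated PKI smart card that enforces its
own authentication policy, accepting a PIN, a Match On Card, or both, plus a
host-side "PIN replay" flow for comparison.

Assumptions: minutiae are (x, y, angle) tuples compared by a toy tolerance
matcher; signing is simulated with HMAC-SHA256 over a key that never leaves the
Card object. All sample data below is constructed.
"""
import hashlib
import hmac
from enum import Enum
from typing import List, Sequence, Tuple

Minutia = Tuple[int, int, int]

MAX_PIN_TRIES = 3      # retry counter: the card-side countermeasure against exhaustive PIN attacks
MATCH_THRESHOLD = 0.6  # share of enrolled minutiae that must be found in the live sample


class Policy(Enum):
    PIN_ONLY = "pin"             # 2 factors: have (card) + know (PIN)
    PIN_OR_BIO = "pin-or-bio"    # 2 factors, the user chooses the second
    PIN_AND_BIO = "pin-and-bio"  # 3 factors: have + know + are


def match_score(enrolled: Sequence[Minutia], live: Sequence[Minutia], tol: int = 3) -> float:
    """Toy matcher: fraction of enrolled minutiae with a live minutia within `tol` on every coordinate."""
    hits = sum(
        1 for (x, y, a) in enrolled
        if any(abs(x - lx) <= tol and abs(y - ly) <= tol and abs(a - la) <= tol for (lx, ly, la) in live)
    )
    return hits / len(enrolled)


class Card:
    """Simulated card: template, PIN and key are private state; only verdicts and signatures leave it."""

    def __init__(self, pin: str, template: Sequence[Minutia], policy: Policy, key: bytes):
        self._pin = pin
        self._template: List[Minutia] = list(template)
        self._key = key
        self.policy = policy
        self.pin_tries_left = MAX_PIN_TRIES
        self._pin_verified = False
        self._bio_verified = False

    def verify_pin(self, pin: str) -> bool:
        if self.pin_tries_left == 0:
            return False  # blocked card: no further guesses are evaluated
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left = MAX_PIN_TRIES
            self._pin_verified = True
            return True
        self.pin_tries_left -= 1
        return False

    def match_on_card(self, live: Sequence[Minutia]) -> bool:
        """Match On Card: live features come in, the template never goes out."""
        if match_score(self._template, live) >= MATCH_THRESHOLD:
            self._bio_verified = True
            return True
        return False

    def policy_satisfied(self) -> bool:
        if self.policy is Policy.PIN_ONLY:
            return self._pin_verified
        if self.policy is Policy.PIN_OR_BIO:
            return self._pin_verified or self._bio_verified
        return self._pin_verified and self._bio_verified

    def sign(self, data: bytes) -> str:
        """Card-enforced policy: the private key is used only once the policy holds."""
        if not self.policy_satisfied():
            raise PermissionError("authentication policy not satisfied")
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()


def host_pin_replay(card: Card, stored_template: Sequence[Minutia], stored_pin: str,
                    live: Sequence[Minutia]) -> bool:
    """Match Off Card / standalone MoC pattern: the host matches, then replays the PIN.

    The card only ever sees a PIN verification, so a biometric requirement cannot
    be enforced by the card in this flow; it rests entirely on the host software.
    """
    if match_score(stored_template, live) >= MATCH_THRESHOLD:
        return card.verify_pin(stored_pin)
    return False


# Constructed sample data.
ENROLLED = [(10, 20, 30), (40, 50, 60), (70, 80, 90), (15, 85, 120), (55, 25, 200)]
LIVE_SAME_FINGER = [(11, 21, 31), (39, 51, 59), (72, 79, 90), (16, 84, 121), (90, 90, 10)]
LIVE_OTHER_FINGER = [(100, 100, 100), (5, 5, 5), (40, 40, 40)]
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    card = Card("1234", ENROLLED, Policy.PIN_AND_BIO, DEMO_KEY)
    print("PIN ok:", card.verify_pin("1234"))
    print("bio ok:", card.match_on_card(LIVE_SAME_FINGER))
    print("signature:", card.sign(b"login challenge")[:16], "...")
```

The difference between the two flows is where the decision lives: with `Policy.PIN_AND_BIO` the card refuses to sign until both a PIN verification and an on-card match have succeeded, whereas in `host_pin_replay` the card cannot distinguish a biometric unlock from a plainly typed PIN, which is why the slide ranks the card-enforced variant as the most secure implementation.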
Current limitations and way forward

• OS architecture can lead to limitations
  – MS CryptoAPI was not written for anything other than PIN codes
  – Even though there are openings in future Windows versions
• Practical workarounds are available
  – The PKCS#11 API has better native support for biometrics
  – Wrappers for ill-behaving applications are possible
• Most important limitation
  – A lot of software assumes the use of a PIN code for smart cards
• Practical approach
  – Test and validation!

  [Screenshot: a “PIN or Fingerprint Authentication” dialog headed “Biometric Verification – Please swipe your finger OR enter your PIN”, with a “Biometric Authentication: SWIPE FINGER” panel and a “Select Finger” control beside a “PIN Authentication: PIN” entry field, a “Click here for more information” link, and OK / Cancel buttons.]

Why Smart Card with Biometrics?

• Provides «something you have» to the authentication scheme
  – & the smart card PIN code provides «something you know»
• Provides privacy
  – No centralized database
  – You carry your own biometric template
• Provides trust between Authority & End User
  – Mutual authentication
• Provides simplification of operations
  – One-to-one matching

Process : Template Extraction & Storage

  [Diagram slide]

Process : Matching

  [Diagram slide]

PIN vs Bio

  PIN code                                   | Biometrics
  -------------------------------------------+------------------------
  Secret                                     | Public
  Modifiable                                 | Fixed (template)
  Delegation                                 | No delegation
  Exhaustive attacks                         | Not possible
  Personalization (“perso”) very easy        | Very difficult
  Match very simple                          | Match not trivial
  Very efficient countermeasures (for        | Not yet
  example against physical & logical attacks)|

Conclusion : Smart Cards / Biometrics ?

• Smart card + PIN & biometrics have to be considered as complementary technologies.

• Smart cards & PIN code need biometrics
  – Card holder authentication
  – Non-repudiable transaction

• Biometrics need smart cards & PIN code
  – Privacy
  – Large volume opportunity
  – Simplification: one-to-one matching

• The ultimate solution:
    Smart card & PIN code + Biometrics + PKI

THANK YOU
