Trusted On-Boarding and Operations

  1. Introduction
  2. Card Lifecycle
  3. Enrollment
  4. Summary
  5. Frequently asked questions

Controlled face-to-face enrollment and secure operational handling ensure trusted identities and sustained card integrity at these potentially sensitive steps.

Introduction

A security device for sensitive applications requires a well-defined process for manufacturing, operation and registration of the biometric reference data. The following text describes the processes and the resulting lifecycle integrity for the APPSCARD platform.

There are several sensitive steps in the lifecycle. The outline below describes what we like to call “Passport Grade” implementations.

Card Lifecycle

A Biometric System-on-Card (BSoC) is a functional extension of a smart card and adds enrollment to the lifecycle, illustrated in the figure below.

Card Production

During card production, the components are mounted onto a flexible circuit board, and the fingerprint sensor is calibrated before the board is encapsulated permanently into a robust rigid housing. This takes place in a secure environment and ends with a functional outgoing test. Firmware and card operating system are fully operational at this stage. Details of how this is done will not be disclosed.

BSoC Applet Loading

The smart card applets are valuable assets. Loading them into the secure element of the card requires a hardware security module (HSM) in a secured environment. This can be done before or after physical production of the card. Parameters that are shared among all cards of one production batch are loaded at the same time. The process is also called pre-personalization and is identical for all cards.

The GlobalPlatform consortium has defined a system for configuration and management of card operating system, applets, keys and parameters. APPSCARD follows this standard to keep all critical items secure.

Personalization

The cardholder has individual credentials that are stored in the BSoC. These can include e.g. cardholder name, user or ID number, access rights, expiry date and cryptographic credentials generated on or imported to the card. Logical personalization is done by an authenticated officer before the card is handed to the cardholder. External personalization means printing information onto the card body. This typically includes a card or ID number and may also include the cardholder name or photo, as is common for access cards and ID cards.

KYC

The identity of the cardholder needs to be verified, and credentials validated before the biometric reference data can be enrolled. This is a mandatory step of a Know-Your-Customer or onboarding process and must be done in a face-to-face setting.

Enrollment

Registration of the fingerprints of the user is a quality and security critical step that will be described in the next section in detail. Typically, enrollment takes place after personalization in one session with the cardholder and an authenticated officer.

Card Activation

The card needs to be activated before it can be used operationally. The card is set to an operational state which usually blocks certain functions such as enrollment or manipulation of applets. If necessary, the system is made aware that the card has now been added to the portfolio of users.

Card Usage

The cardholder can now use the BSoC and all installed applications until deactivation of the card. The issuer policy implemented in the card configuration governs whether change of parameters, re-enrollment or installation of new applets is allowed, assuming proper rights and cryptographic credentials. Most high security applications allow only one-time enrollment and no further change of applets or parameters.

Officers Integrity

The processes related to KYC, enrollment and credentials management are security sensitive steps managed by humans, typically one of the weakest links in a total system. As such, humans will be exploited by resourceful attackers, whether they are individuals, criminal organizations or hostile nations.

By nature humans may be corrupt, lazy, naive, incompetent or may be coerced into actions compromising the integrity of the KYC, enrollment and credential management processes.

APPSCARD policy is to recommend that organizations implementing our platform in higher-end security sensitive contexts require officers handling the above steps to verify biometrically, using their own cards, so that they are verifiably linked to these processes.

The probability that an officer will act dishonestly, corruptly or sloppily is significantly reduced if that individual knows that doing so while executing the enrollment process is not possible without getting caught.

Enrollment

The registration of the cardholder biometric data is a critical step and needs to be managed carefully. Here is how it works for APPSCARD products.

Pre-Conditions

  • The BSoC has been personalized with the user’s credentials but not yet activated.
  • The BSoC is connected via a card reader to a host computer running card configuration and management software.
  • A trained and authorized officer is securely authenticated to the host system controlling the BSoC.
  • The officer has validated the identity of the cardholder — typically by checking the passport or national ID card.
  • The officer has given guidelines on how to present the finger to the card. This shall be done orally, supported by an instructional video or printed illustration.

Fingerprint Registration

  • The officer starts the registration from the host computer.
  • The cardholder repeatedly presents both thumbs as instructed to the BSoC.
  • Normally (depending on context), the cardholder is also asked to present index or other fingers as backup, depending on card configuration.
  • After all reference data has been collected and processed, the officer will perform a test verification before handing out the card.
  • Afterwards it is safe to activate the card.

Handling Difficult Users

  • The BSoC and host software constantly give feedback on the enrollment quality.
  • The officer supervises the process and supports the user with proper finger placement.
  • If the cardholder’s default fingers do not have sufficient quality, the officer will instruct the cardholder to use different fingers.
  • If the cardholder’s main fingers (typically thumb, index and middle, excluding ring and small finger) from both hands all lack sufficient quality, the officer will decide to disqualify the user.
  • A disqualified user cannot use the BSoC. The system operator must find a different means of authentication — which is typically less convenient.
  • Disqualifying users affects only a very small percentage of the user population and is to their own benefit. If they were allowed to use the BSoC, they would have a frustrating user experience with too many false rejects.
  • The APPSCARD platform roadmap includes a face recognition match-on-card algorithm. This provides yet another fallback for temporary or permanent failure to authenticate or enroll users.
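As an added illustration (not APPSCARD's host software or card firmware), the following Python models the policy described in the Card Activation and Card Usage sections and in the enrollment steps above: officer verification before anything else, thumbs first with index and middle fingers as fallback, disqualification when no main finger of either hand reaches the quality threshold, a test verification before activation, and the issuer's one-time-enrollment rule. The finger labels, quality scores, threshold and two-finger target are assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from statistics import mean

QUALITY_THRESHOLD = 60                        # assumed minimum mean quality per finger
TARGET_FINGERS = 2                            # assumed card configuration: enroll two fingers
FINGER_ORDER = ("thumb", "index", "middle")   # thumbs first; ring and small finger never used

class EnrollmentError(Exception):
    pass

@dataclass
class Card:
    state: str = "personalized"               # personalized -> enrolled -> active
    references: dict = field(default_factory=dict)
    allow_re_enrollment: bool = False         # issuer policy; high-security cards: one-time only

def enroll(card, officer_verified, samples):
    """samples: {(hand, finger): [quality scores of repeated presentations]}.
    Returns the enrolled fingers, or raises when policy blocks enrollment
    or no main finger reaches the quality threshold (user disqualified)."""
    if not officer_verified:
        raise EnrollmentError("officer must be biometrically verified first")
    if card.state == "active":
        if not card.allow_re_enrollment:
            raise EnrollmentError("issuer policy: one-time enrollment only")
        card.references.clear()               # re-enrollment replaces old references
    elif card.state != "personalized":
        raise EnrollmentError(f"enrollment not allowed in state {card.state}")
    for finger in FINGER_ORDER:               # default fingers first, fallbacks later
        for hand in ("left", "right"):
            scores = samples.get((hand, finger), [])
            if scores and mean(scores) >= QUALITY_THRESHOLD:
                card.references[(hand, finger)] = round(mean(scores))
        if len(card.references) >= TARGET_FINGERS:
            break                             # enough good fingers, no further fallback needed
    if not card.references:
        raise EnrollmentError("all main fingers of both hands below quality: user disqualified")
    card.state = "enrolled"
    return sorted(card.references)

def activate(card, test_verification_ok):
    """The officer performs a test verification before handing out the card;
    only then is the card set to the operational state."""
    if card.state != "enrolled" or not test_verification_ok:
        raise EnrollmentError("test verification must pass before activation")
    card.state = "active"
    return card.state
```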

Post Condition

  • The BSoC has been enrolled with the cardholder fingerprints. The biometric reference data will remain for the entire life of the card — sometimes 5 years or more.
  • It is guaranteed that only the legitimate user can use the BSoC with all credentials and applications registered.
  • Enrollment quality is excellent thanks to the supervised process and enables reliable operation even under changing environmental and finger conditions.

Optional Processes

  • Export of biometric reference data is possible, if policy requires it, assuming administrative privileges. This allows de-duplication during card issuance. After the process is completed, the exported biometric reference data is deleted permanently. De-duplication is a process sometimes required to check that a given fingerprint has not already been enrolled by an individual attempting to enroll with more than one identity.
  • Import of standardized (ISO/IEC 19794-2) biometric reference data is also possible in case the operator already has an existing database and wants to issue BSoCs. A test verification is strongly recommended in this case. See also the separate article on interoperability.

Summary

It is essential to follow established processes for smart card manufacturing and credential management for security devices. Enrollment is a quality and security critical step for a BSoC, and a supervised process is mandatory for high security applications. It ensures both the identity of the user and superior enrollment quality for reliable operation.

Home enrollment or self-enrollment as used by most biometric payment cards is not applicable for security centric applications. The user could enroll the biometric data of friends or family members. Even an intercepted card may be enrolled by a malicious player and accidentally activated. Field trials have shown that the enrollment quality suffers dramatically when users are allowed to register their fingerprints without professional guidance. This may be good enough for a convenience feature but a high-end security product should always mandate supervised enrollment.

Frequently Asked Questions