Fingerprint Readers Find Uses for Consumers
Fingerprint technology has found a place in a variety of commercial use cases. We can simplify this by considering these in two broad categories – public and personal fingerprint readers. Public readers are used by (or on) many individuals, for example in banking, law enforcement and border control. Personal readers are deployed in consumer electronics such as smartphones and payment cards, and for the purpose of this report we shall call these ‘consumer fingerprint readers’.
The aim of this article is to summarise the similarities and differences between these consumer use cases, the implications for the security/convenience balance and how the issue of trust may play a part in this.
Smartphones and payment cards
The differentiation of these use case categories has become more acute in the post-pandemic world. To retain acceptance, fingerprint technologies in applications such as ATMs and border control may have to rely on trusted and obvious disinfection between users.
Consumer fingerprint readers have the significant cross-infection advantage that they are each used by a very limited number of people, most commonly by one individual.
Here we will consider both smartphone and payment card implications for a number of reasons. Both have evolved to validate the identity of the consumer, but more importantly there are learning points that cross the boundaries between the two implementations. One early and important example of this is the issue of the size of the sensor.
Fingerprint sensors take a sample of the user’s fingerprint, and a larger sensor gives a larger sample and therefore higher security from two perspectives. First, when the fingerprint is first taken on the device there is more data to inform authentication without multiple captures to populate the dataset. Second, during authentication the larger sensor captures more data to inform the process.
This is an area where payment cards currently have an advantage over smartphones. On a smartphone, ‘real estate’, particularly on the front surface, is at a premium as there are strong marketing drivers to increase the percentage area devoted to the display screen. In contrast, there is a larger area potentially available to integrate the fingerprint sensor on a payment card.
The security/convenience balance
One parameter these use cases do have in common is their sensitivity to ‘false negative’ responses and this is a significant driver in the security/convenience balance.
In the digital age, where seamless and rapid validation of any form of transaction has become the norm, a significant degree of false negatives will obviously not be acceptable. As a result, there is obvious pressure to bias the security/convenience balance towards the convenience driver.
We can consider these two use cases as having the same consumer needs in terms of an interaction being rejected. In addition to transaction verification on a smartphone, the fingerprint reader is also used to unlock the device multiple times during daily use. For a payment card, false rejection of a transaction is both a frustration and an embarrassment to the consumer, and also an inconvenience to the retailer.
Smartphones have the advantage of higher processing power, an inbuilt power source and usually some embossed guide to help centre the finger on the reader, while payment cards have a larger available area for a fingerprint sensor.
As a result, they have different options to deploy to achieve the same objective – a realistic balance of security and convenience for the intended application. It will be interesting to watch if this balance becomes a differentiator of brands in these use cases as this may have implications for our industry.
In a smartphone implementation there is an additional challenge in that this is an established solution where changing the security/convenience balance may well run into resistance. Biometric attacks are perceived as rare, with most transactions being the authorised and regular use of a fingerprint to unlock the smartphone. If legitimate users were rejected too often, users would find this unacceptable.
There is one further difference in these use cases that we should consider. In the case of a payment card, the fingerprint sensor is incorporated for one purpose only – to validate the right of the holder to conduct a financial transaction. There are however multiple uses in the smartphone implementation, from unlocking the phone to app-specific requirements such as payment and identity, which may require a hierarchy of security/convenience balances, perhaps as multi-factor authentication.
In the age of payments and identity documents such as mDL we may need to reconsider this balance.
Trust may be the issue
Trust rather than performance may become the issue here. The actual performance of these devices in terms of presentation attack detection is the subject of International Standard ISO/IEC 30107-4:2020, published by ISO/IEC JTC 1/SC 37 – Biometrics [1]. This is a great approach for the quantitative comparison of technologies, but I suggest that here we are more concerned with qualitative customer perception and as an example I offer a personal case study.
I write this study on a Windows Surface Pro with facial recognition to unlock the device. The recognition algorithm generates a lot of false negatives: it is sensitive to the spectacles I wear and my position in front of the screen. My Moto smartphone uses fingerprints and, unless my fingers are wet, the fingerprint sensor never generates a false negative. Yet my business and personal banking are all smartphone apps…
From my perspective, the security vs convenience balance seems the wrong way around: right for ease of smartphone use but not for transactional security. Perhaps the issue here is that this balance is dictated by the mobile device industry, rather than with identity security in mind. Maybe in the longer term this will need to be reset.
This issue of trust has been a recurrent theme in the early events of the Digital Document Security conference, now reformatted as the Optical & Digital Document Security™ conference. It would be an interesting topic to revisit at the next meeting, set for Prague in April 2023.