Fingerprint recognition has become a popular feature of many smartphones, providing a convenient and trusted method for unlocking the device and for authenticating payments and passwords. In general, a fingerprint sensor delivers a faster and more secure alternative to other device-unlock security measures such as PINs, passwords, or patterns entered on a virtual keypad, which can easily be observed and copied.
No matter which authentication scheme is used, it’s likely that at some point users will experience unlock problems. The tiny, virtual keyboard found on smartphones leads to typing errors for PINs and passwords, and biometric authentication methods have their own unique unlock issues as well.
Biometric unlock failures are considered “nuisance rejects” and are statistically characterized as the false rejection ratio (FRR) for the authentication scheme. For mobile devices, consumers will tolerate a noticeable FRR and re-authenticate by retyping the PIN or touching the sensor more than once before the user’s fingerprint is accepted.
At the same time, the security offered by the fingerprint recognition systems generally implemented in phones is at least equivalent to that of a minimum four-digit PIN, or even the recommended six-digit PIN. This is deemed sufficient by phone manufacturers to protect the value-at-risk of a smartphone and of the data it holds.
The popularity and familiarity of fingerprint recognition are now leading automobile makers to evaluate use cases for the technology in passenger cars. However, the operating criteria for a fingerprint sensor in a vehicle are markedly different from those in the mobile phone. Automotive manufacturers, therefore, face a series of choices over the way in which they implement fingerprint recognition in vehicles. This article explores these choices and describes why a fingerprint-sensor (FPS) system’s support for modification and optimization of system characteristics by the designer is important.
Balancing Security and Convenience
A biometric technology, such as fingerprint recognition, is commonly thought of as a security function, as though it were a biological key. But in the automotive environment, biometric authentication is problematic for certain use cases. In fact, the most popular use case being considered for automotive platforms today—personalization functions—takes advantage of the FPS’s convenience more than its security.
To understand the security limitations of fingerprint recognition in vehicles, it’s worth comparing the car to a smartphone. Outside the home or office, a smartphone is nearly always kept on the user’s person. This means that theft of a phone is difficult.
The main security risk is to private data held on the phone, which could be compromised were the phone to be lost or mislaid. But service providers and phone manufacturers provide methods for disabling a lost or stolen phone remotely, and most phone hardware is encrypted “at rest” until a correct PIN or password is entered.
These characteristics mean that the user can accept a small risk of false acceptance, when someone other than the owner touches the FPS and possibly has a false fingerprint match. Phone manufacturers specify a system-level FAR of <1:100,000—a small risk of a false acceptance, but a risk nonetheless.
The use case for biometric authentication in the car’s locking system or its ignition (or Start button) is different. A car is left for long periods out of sight of the owner, and is a valuable asset, facts which sustain the enthusiasm of criminals for attempts at car theft, despite the hazards involved. Once a thief has stolen a vehicle, it’s possible to modify it to prevent its discovery by law enforcement officers, and then to use or sell it.
To combat this risk of theft, car manufacturers continue to design vehicles’ access controls to be very difficult to attack. At the same time, auto manufacturers acknowledge that devices such as wireless key fobs are routinely left in vehicles, undermining the effectiveness of their security. In addition, while the encryption technology used to encode a key fob’s radio transmission to the security module inside the vehicle is generally unbreakable, the transmissions are potentially vulnerable to remote and replay attacks. In truth, there’s no guaranteed method of preventing vehicle theft or access—all the encryption technology in the world will not prevent a criminal from towing a car away.
No biometric authentication technology on its own provides absolute security, which would be represented by a FAR of 0. To increase security, multifactor authentication can be employed. For vehicle access, facial recognition is expected to play a role: the presence of the key fob, the visual ID of the owner, and the press of the Start button can combine to protect the vehicle from unauthorized use.
Thus, there might be a role for fingerprint recognition in supplementing existing security devices. For instance, a car could have a wireless key fob as its primary access control device but augment its security with a fingerprint sensor in the Start button. In this scenario, a lower FAR parameter setting can provide a near-zero nuisance rejection rate while adding an additional authentication factor to improve the overall security.
The challenge in this use case would be to combine convenience with security, achieving an FRR of zero while also keeping the FAR low. This is difficult for all biometric technologies because FRR and FAR are, in general, inversely related. Making the matching algorithms less stringent (to minimize nuisance rejections) generally has the undesirable effect of lessening security. This problem is mitigated by two-factor authentication: fingerprint and possession of a valid key fob. For applications in which the convenience of the authentication process is more important than its security, however, the FPS is ideal, as the smartphone has shown. And this characteristic of fingerprint recognition is totally compatible with a different use case: personalization.
Press to Configure
Each user of a car has different preferences for its use. Some are fixated on driving dynamics, such as the suspension settings and the speed/fuel economy tradeoff. Some focus on comfort, including the height and rake of the driver’s seat, the position of the steering wheel, cabin temperature, etc.
For others, the primary purchase consideration for a car is the infotainment console—the content shown on the center information display, the choice of radio stations or other audio content, the equalizer settings, and so on. A single press on a “Personalize Settings” button could adjust all of these settings instantly for any number of authorized users of the vehicle. With an FPS in the button, the car would automatically detect the identity of the user in control of the vehicle’s settings.
The use of a button for this function has important benefits. Clearly there are other ways of identifying the user, such as face recognition or iris recognition. These technologies operate automatically. A button, however, implies intent and consent on the user’s part: the user chooses to assert his or her preference by pressing an FPS button.
Why does this matter? Imagine that a mother is driving, and her teenage child is in the front passenger seat. A face-recognition camera could automatically identify the mother and change all the settings to her preferences. Her child might have very different music and climate-control preferences, though. FPS buttons enable the occupants of the car to choose whose preferences are applied during this particular trip.
The action of pressing a button to signal intent and consent will also be of benefit when validating in-car payments such as parking fees, entrance fees, or road-use tolls, since it prevents the risk that a driver could claim that a payment was debited without her or his consent.
Design Considerations: The Need for Rapid, Easy Modification
Multiple factors affect the operation of the FPS and the user’s experience of it. These include:
- The mechanical design of the surface in which the button is to be embedded, and the space available for it
- The electrical environment, including the amplitude and frequency of electromagnetic interference.
- Operating parameters such as the required FRR and FAR.
These factors are interdependent, meaning that changes in one factor affect decisions about the others. Because of this, every FPS button design will be different. And this means that the system designer needs the flexibility and the tools to modify prototypes and test their functionality under the intended operating conditions.
This, in turn, heightens the need for a platform that facilitates iterative design. Platform approaches for fingerprint recognition from various suppliers are available to automotive system designers. These platforms provide a means to perform the two basic functions in fingerprint recognition:
- Fingerprint sensing
- Fingerprint matching
In fingerprint sensing, a crucial parameter is the size of the actual fingerprint sensing area. The larger the sensing area, the more fingerprint data is captured. The more biometric data acquired, the better the FRR performance for any given FAR setting.
For this reason, Cypress Semiconductor adopted a sensor-on-substrate architecture in its FPS modules (Fig. 1). Here, the size of the sensor is independent of the size of the sensor controller chip, which is mounted underneath. This is in contrast to silicon sensor implementations, in which the sensing element is built into the die; increasing the size of the sensor increases the size of the die, which increases cost.
With a sensor-on-substrate approach, increasing the sensor size has a negligible effect on system cost. This enables OEMs to experiment freely with various sensor sizes to find the best tradeoff between performance and mechanical design, rather than between performance and cost. In addition, coatings and covers may readily be applied to the sensor’s surface to match surfaces and textures.
A further advantage of the sensor-on-substrate architecture is that the controller chip is itself a programmable system-on-chip. Important operating parameters, including pin allocation and I/O configuration, may be easily changed in software, with no change to the chip itself or the board layout. This promotes experimentation and rapid design iterations. The Cypress FPS platform is supported by a fingerprint-matching module (FPMM) reference design. This reference design is available as a module, and in an FPMM Evaluation Kit (Fig. 2).
For fingerprint matching, authentication software is required, such as that from Precise Biometrics. Flexibility is required in the authentication software as well to maximize ease of use and enable OEMs to match capabilities to their applications:
- Enrollment flexibility: The OEM can vary the number of enrollment images to favor user convenience or initial security.
- Dynamic template update: This allows the OEM to optionally add fingerprint images at a later date, thus allowing for quicker enrollment.
- Rotationally invariance: This ensures no degradation of FRR performance over a full 360-degree rotation of the finger or the fingerprint sensor
- Fast processing: Typical 250-ms match time, plus 50 ms per additional enrolled finger
- Automotive-qualified components, including the sensor and matching MCU
The FPMM comes pre-programmed with software that’s ready to use. The module is available with a choice of two fingerprint-matching controllers, either a Cypress PSoC 6 or a Cypress FM4 microcontroller. The fingerprint-matching software stack is easily ported to other Arm Cortex-based MCUs, making it easy for OEMs to port the solution to their chosen MCU platform in a production design.
The FPMM architecture is tightly integrated: The fingerprint image is processed and authenticated locally, in the same module as the FPS. This offers the advantage of eliminating the need to encrypt/decrypt the fingerprint image—a function that’s required in systems performing remote matching at the vehicle’s head unit—to protect the fingerprint image from tampering or intrusion as it’s transported over the vehicle’s network infrastructure.
Tools and Testing
By adopting a modular platform for the development of a fingerprint-recognition button, automotive OEMs can abstract themselves from the detail of the capacitive sensor’s functions and concentrate on configuration of those parameters that affect the user experience. For example, the Cypress FPMM is configured with an intuitive tool suite. The entry point to the fingerprint recognition tool is the company’s evaluation software (Fig. 3), which provides a set of 22 APIs for full control of the biometric subsystem. Demonstration software eases system bring-up and integration.
The tools support functions including:
- Usability evaluation
- Fingerprint collection
- FAR/FRR evaluation and performance testing
- User experience evaluation
Tools for production include a manufacturing test kit (MTK) for quality control of module vendors.
Today’s fingerprint-recognition technology supports car makers’ efforts to differentiate the user experience and to create convenient and attractive ways to personalize the operation of the vehicle. Commercially available components, modules, software, and tools provide for rapid prototyping, enabling the designer to find the optimal balance of performance, size, and cost.
And as the automotive industry’s experience in the implementation of fingerprint sensing deepens, the potential exists to extend fingerprint sensing into a wider range of applications, including augmenting the security of traditional devices such as wireless key fobs via a fingerprint-sensing remote Unlock/Start button.
Jeff Lee is a Vice President/Fellow in the Subsystems Business Unit within Cypress Semiconductor Corp.