Using your fingerprint as a password
Every day, more and more people turn towards online services and cashless transactions. And while this trend provides a range of conveniences to users, it also creates new opportunities for identity and data theft by hackers.
“Despite rapid advances in online commerce and digital services, data protection hasn’t evolved much past PINs and passwords – both of which are incredibly easy for hackers to access,” says Frank Sandeløv, CEO of CardLab, a Danish company that creates high-security card systems. “The challenge is making data dynamic while simultaneously providing unique user identification and full privacy protection.”
With the support of the EU-funded QuardCard (Powered smart card with a biometric one time password system) project, CardLab is developing a groundbreaking biometric smart card with a fingerprint sensor, display, multiple interfaces and back-end authentication system. “This innovative technology creates the unbreakable link between the physical and digital identity, and also provides full privacy protection and is both GDPR and PSD 2 compliant,” adds Sandeløv.
Better digital security
QuardCard is a highly secure smart card developed for the access, government ID, blockchain and payments markets. The card is a first in that it combines the smart card concept with the latest in biometrics. According to Sandeløv, all the data is kept inside the card, with only a tokenised identity being released. The card stores a biometric fingerprint algorithm, which is highly accurate and impossible to copy.
“Using your fingerprint, the system creates a token/one-time password, or OTP,” he explains. “Because the card only works with the rightful owner’s fingerprint, it drastically improves the security of online and physical transactions.” QuardCard generates the OTP using a standard OATH algorithm, meaning the back-end verification server, accessed via an API, can act as an authentication gateway to any existing application regardless of operating system, data model or architecture.
“The API-based solution effortlessly integrates three-factor security in a cost-effective manner and with minimal impact on existing infrastructure and operations,” remarks Sandeløv. This versatility means the QuardCard can be used for a wide range of electronic security applications, including remote access, government ID systems, drivers’ licences, digital wallets, medical cards, and student and employee IDs – to name only a few.
“The project provides a solution that spans well beyond only facilitating online payments,” explains Sandeløv. “As the first secure biometric solution that stores data in a card and offline, the QuardCard overcomes a number of security and data protection risks that all companies face.”
Technology and market entry
Despite COVID-19-related delays and issues with suppliers, the project succeeded in developing a biometric platform for building different versions of the QuardCard. This includes a primary cell-powered card with a normal lifespan of 2.5-5 years and a card with a rechargeable battery for an extended lifespan. The project also developed a battery-less energy-harvesting version, which is ideal for extended lifetime use applications like national ID cards, medical insurance cards and drivers’ licences.
“In addition to enabling these electronic card applications, the QuardCard solution is a very efficient cybersecurity tool,” concludes Sandeløv. “Companies investing in the solution can get an almost immediate return on investment, along with many other benefits and administrative savings.”
The company is currently in a funding round to ramp up its sales and marketing efforts and production. The research team is correcting a few minor bugs identified during user testing, and the first large-scale pilot programme is expected to begin in spring 2021.
Keywords
QuardCard, biometric, smart card, identity, data theft, digital services, data protection, privacy, GDPR, PSD 2, cybersecurity