During my initial interview with a client, I often ask lots of questions. We need to understand the complete requirements of a project in order to recommend the right tools needed for their Biometric Application. At the end of the day we have a common goal of seeing the project implemented in the best possible way.
One question that I always ask is: Where will the fingerprint templates be stored?
If the project is in a very initial Stage, then I end up explaining what are different possible places where a biometric template is stored. Here they are:
1. Fingerprint Template Stored on the Server
This is one of the most common scenario that we come across. In large scale projects the finger prints are captured at the client computers and sent to the Server for Storage on a central Database. This allows the users to be authenticated from multiple locations.
Since all the fingerprints are only stored on the Server, the matching can happen only on the Server itself. Hence it is very important for the Server to be available all the time in order for the system to function.
In this architecture the developer can send raw fingerprint image to the Server and the template conversion happens on the Server. Alternatively, the fingerprint template conversion happens on the Client machines and the biometric template is sent to the Server.
The decision on where to do the template conversion purely depends on the architecture.
Some things to consider while making this decision are –
In order to convert fingerprint image into fingerprint template on the client machine, you will need the fingerprint algorithm running on the client machine.
Some applications like web-based and web-browser based biometric applications do not want any processing to happen on the client machines. In such cases, the raw images are sent to the Server and Server takes care of template conversion.
Biometric Data is very sensitive and it needs to be as kept secure as possible. In order to avoid Session Hijacking attacks due to Session Sniffing, proper encryption needs to be applied and encryption keys need to be securely stored. Only authorized personnel should be able to access these keys in order to avoid privacy issues.
According to Tech Taget:
Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.
Touch N Go uses AES algorithm to encrypt the fingerprints. The encryption happens before they are written to disk. Key size is 256, and encryption key is never shared with clients machines.
Touch N Go uses AES 256 bit algorithm to encrypt the fingerprints. This is the same encryption used by banks Click To Tweet
2. Fingerprint Template Stored on the Client
In this scenario the fingerprint templates are stored on the client machines and fingerprint matching also happens on these client machines. This type of design is very rare in Enterprise and Government Applications. We see such an architecture for Windows Logon and Single Sign On applications for home / home office Users.
With this design the user cannot be authenticated from multiple locations. Also, the biometric data is stored on the local hard drive and workstations may lack enough security to safeguard the biometric data.
3. Biometric Template Stored on a Token
In this design, the fingerprints are stored on a Token, for example on a smart card. This kind of applications are usually fingerprint verification or one to one matching. The user has to carry the smart card with them in order to be verified. Even though there is no central database, the user can still be verified at different locations as long as he/she has a smart card.
According to Smart Card Alliance
Smart cards are widely acknowledged as one of the most secure and reliable forms of electronic identification. To provide the highest degree of confidence in identity verification, biometric technology is considered to be essential in a secure identification system design. Combining smart card technology with biometrics provides the means to create a positive binding of the smart card (a difficult-to-clone token) to the cardholder thereby enabling strong verification and authentication of the cardholder’s identity. Using smart cards with biometrics results in a trusted credential for authenticating an individual’s identity using one-to-one biometric verification.
One major drawback of this architecture is the cost of buying and replacing Smart Cards.
You will need a fingerprint Scanner with a Built-in Card Reader to perform the fingerprint matching.
4. Fingerprint Template Stored on the Fingerprint Scanner
There are many fingerprint scanners available with a capability to store fingerprint. These scanners come with a built-in fingerprint storage and matching algorithm. The user cannot be authenticated on multiple locations.