Synaptics' Next-Gen Fingerprint Sensor Security: The FS7600 Match-In-Sensor
by Anton Shilov on August 6, 2018 3:00 PM EST
Fingerprint Spoofing Rejection
Ideally, both types of sensors (match-on-host, match-in-sensor) should support a sophisticated technology that protects against spoofing. One of the strengths of fingers as identification is that they're hard to spoof; however, it's not impossible. Meanwhile, people leave their fingerprints on virtually everything, so getting someone's fingerprint is often a lot easier than it would seem. This means a sensor needs to be able to reject items that carry a fingerprint but aren't a human finger, such as gelatin or latex fingers. Otherwise, as we saw last year, it can be trivially easy to fake out naive sensors.
Synaptics calls their proprietary solution PurePrint. The company doesn't talk about the technology in much detail, but the sensor is connected to the host using a TLS 1.2/AES-256 encrypted connection in order to prevent a valid fingerprint from being intercepted or faked.
Ultimately, while Synaptics is in both the MOH and MIS businesses, now that they have an MIS sensor they feel is competitive in terms of total matching time, the company is trying rather hard to justify why OEM customers should switch to a more integrated MIS solution. This means tactfully pointing out the security shortcomings of MOH sensors, such as the fact that they require greater software support on the host OS (a particular challenge for non-PC devices) and the general insecurity of a general purpose system. All of this makes a sealed system preferable.
That said, it is not as if MOH sensors are bad: Synaptics’ Quantum Matcher works in SGX and Windows 10 VBS-protected environments, and neither has been cracked so far. Meanwhile, a high-performance CPU is by definition faster than any tiny IC in an MIS in matching hashes and performing all the other necessary operations. As a result, MOH solutions are typically going to provide a better user experience. With the FS7600, though, Synaptics thinks they're finally able to hit the right balance between security and performance/experience.
Final Thoughts and a Glance into the Future
Overall, creating a match-in-sensor fingerprint solution that can perform similarly to match-on-host solutions is an important achievement for Synaptics. This is especially so as the company looks to further grow their non-core businesses and bite off a larger piece of the fingerprint sensor market. Of course, necessity is the mother of invention: Synaptics had to design an MIS as fast as the FS7600 because it needed a high-performance sensor compatible with Windows Hello for Business as well as Microsoft’s next-gen OS-based security tech. So for Synaptics the FS7600 is essentially a non-optional product. With that in mind, now that they have the FS7600, Synaptics is looking to compete for design wins in non-PC devices that benefit from a low response time (think door locks, vehicles, etc.).
Though with the FS7600 now complete, Synaptics already has an eye towards their own future products. The company is developing its next generation of products, including investigating how to harden their products against ever-improving quantum computers. To that end, the company’s specialists are looking into beyond-AES-256 algorithms that will be "qubit-proven," meaning they cannot be factored even when a quantum computer is applied.
5 Comments
jjj - Tuesday, August 7, 2018 - link
Do they use tricks like triggering the unlocking animation after capture but well before processing is done to make it feel faster? What matters is what the user perceives and it can be made to feel like there is practically 0 wait.
Valantar - Tuesday, August 7, 2018 - link
A shame about the form factor for that new My Lockey (I'd rather see them change the name, frankly). That first-gen one is _perfect_ for sticking in the front I/O of a desktop PC. The 2nd gen one is simply asking you to break it, at least over time. "Hey, here's a USB stick where you're supposed to push on one side of its far end multiple times a day." That thing is going to break, and quickly. Also, I get that combining the fingerprint reader with a flash drive is convenient, but given the massive vulnerabilities in USB, it's also pretty dumb. Tying your main mode of authentication (including Windows admin access) to an easily-compromised USB storage device is ... not smart. Conversely, ditching an expensive fingerprint reader just because you needed to use the flash drive on a non-secure computer would be incredibly wasteful. And, of course, what's the point of a flash drive if you can only use it on one PC?
edzieba - Tuesday, August 7, 2018 - link
Hence why they use TLS over the link between host and device. All the 'broken' USB security means is you cannot rely on the physical link being super-secret-ultra-secure-automatic-double-safe, which merely relegates it to being treated like Ethernet or any other external bus should be anyway.
chstamos - Tuesday, August 7, 2018 - link
They should stick these things into mechanical keyboards, they'd be a perfect fit. So far as I know the only keyboard with a fingerprint reader is some designer piece overpriced Microsoft thingy... with chiclet low profile keys. How about REAL mechanical switch keyboards with fingerprint identification? I'd buy one even if it meant eschewing the xmas rgb-led light show on it...
close - Saturday, August 11, 2018 - link
"a sensor-specific key (this key is important, more on that later)" Later in the article? Later in the year? o_O