Campus ID News
Card, mobile credential, payment and security
match on card1

Tech 101: Match-on-card biometrics

Use grows rapidly for this privacy-protecting technology

CampusIDNews Staff   ||   Jun 25, 2013  ||   ,

Match-on-card technology marries biometrics with smart cards, enabling users to not only carry their biometric with them but also match it on the card. This means greater privacy for the cardholder and the ability to authenticate without connection to a backend database.

In a traditional fingerprint biometric implementation, a user first establishes an identity in order to be added to the system. To do so, personal information is provided and fingerprints are scanned to create a template or vectorized representation of the image. The template captures the core aspects of the image and turns them into a representation that is much smaller and can be matched quicker, says Shahram Orandi, supervisory computer scientist at the National Institute for Standards and Technology (NIST).

In traditional biometric systems, templates are then stored in a central system along with the identifying information, says Shahram Orandi, supervisory computer scientist at the National Institute for Standards and Technology.

When a person is challenged to prove his identity, a finger has to be scanned and sent to the server. A template is then created and checked against the previously enrolled template.

The fundamental difference between this traditional biometric process and a match-on-card process is all about location. With match on card, the template is locked on the smart card and never leaves, explains Orandi.

To conduct the verification process, a user presents the card to either a contact or contactless card reader.

On the other end of that communications channel is a biometric sensor. Typically this is an integrated fingerprint reader or peripherally attached fingerprint sensor, says Patrick Grother, computer scientist at NIST's Information Technology Laboratory.

When a user places his finger on the sensor, it produces an image of the finger. The reader then extracts information from that fingerprint image in the form of minutiae points, and those points are bundled up into data packet and sent to the card for matching, says Grother.

The card executes a fingerprint comparison algorithm and produces a score revealing how similar the fingerprint sent to the card is with the one stored on the card. The card then renders a decision as to whether or not it's the same person, explains Grother.

A difference between match-on-card architecture and traditional match-on-server architecture comes in the type of algorithm you can run. "Sometimes with a remote server you've got more computational power, so you can run a different class of algorithms. Richer algorithms can run on computers than on cards," says Grother.

This is due to the fact that smart cards have limited computational capability. Grother explains that over time cards have gotten faster and more capable, but so to have desktop computers. "A card has a limited amount of working memory, and that turns out to be important for certain algorithms," says Grother.

Two standards oversee the majority of match-on-card functionality, ISO/IEC 19794-2 and ISO-7816, Grother says. ISO/IEC 19794-2 defines the bits and bytes for fingerprints in both match on card and match off card, says Grother.

Commands must be used to send and receive data from cards. The ISO 7816-11 and 7816-4 standards regulate this transmission, Grother says.

Proprietary options

Although standards exist for biometrics and match on card, organizations can utilize proprietary closed systems that do not abide by standards at all, says Grother.

An integrator can help an organization implement the match-on-card process. To do this, an integrator needs to be aware of and perform smart card personalization for biometric data. The fingerprint live capture devices for both enrollment and verification need template conversion tools in order to convert the live template into a viable match-on-card template.

Integrators also need to be aware that fingerprint templates still need to be captured in standard RAW formats for safekeeping. Also, depending on the application, an integrator may need to develop or procure an AFIS or ABIS to perform de-duplication at enrollment, says Jonah Adams, strategy and group coordination at Nigerian-based Interswitch.

Match on card advantages

A challenge with traditional match on server, says Orandi, is what happens if the biometric image is stolen or intercepted along the communication channel. Because biometric identifiers are permanently attached to a person, the credential can't be cancelled once it's compromised. "It's the biggest risk of a biometric system," says Orandi.

Because match on card locks the data in the chip, lost or stolen cards pose minimal risks. Additionally, the biometric is never stored on a backend database so compromise at this level is also a non-issue.

With match on card the likelihood of data being intercepted is virtually eliminated. Because there is still communication between the card and the reader, Orandi says it is still possible but greatly diminished.

Still, match on card does presents some challenges.Once the card architecture and algorithm have been designed and manufactured, there’s no easy way to change or upgrade that architecture, says Orandi.

The computer on the card is also not as powerful as a full blown computer so the speed to establish the identity is reduced. Servers operate much more quickly, 10-to-100 times faster than a smart card, says Orandi. "Smart cards lose the speed race," he says. "But to counter that, you are able to make a match even if you can't reach the server."

A potential problem with this method, however, is that in the case of offline matching, there is no central authority to dictate permissions. Orandi gives the example of 9/11 and different people trying to gain access to the site, from legitimate first responders to unscrupulous individuals. Match on card would verify the person is who they say they are, but without tapping into a central authority, it would not be able to say whether the person was allowed to be there. A card would be able to hold permissions, says Orandi, but it can't revoke the information. "The server has the revocation list or hotlist," says Orandi.

NIST has determined that algorithms are not quite as good for match on card as they are for match on server. NIST's MINEX, or Minutiae Exchange, program looked at the commercial viability, accuracy and speed associated with off-card and on-card matching.

"The answer is 'not quite, but almost,'" says Grother. "There are algorithms, fewer of them, commercially available that run with accuracy approaching that of off-card matching."

In places where lack of infrastructure poses a problem, match on card can be an ideal solution. "In markets where infrastructure challenges impact a customer's ability to fully explore a server-side implementation, the preference is for the match-on-card options," says Interswitch's Adams. "Especially where flexibility of use and mobility in deployment is a critical factor."

Subscribe to our weekly newsletter


Feb 03, 23 /

Brown campus mailroom adds visual queue

Brown University has added a new visual queue in its campus mailroom that displays the order in which students will be called to pick up their packages. The system is underpinned by the student ID card and a kiosk system in the mailroom.
Feb 02, 23 / ,

East Carolina adds robot delivery with Grubhub, Starship

East Carolina University has joined the growing list of institutions to deploy robot delivery, partnering with Grubhub and Starship Technologies to provide the service. All students, faculty and staff at East Carolina University are able to leverage robot delivery from main campus dining locations.

LEAF on campus: An open standard for access control and identity management

ELATEC's Sean Houchin discusses a solution for campuses seeking an open alternative to traditional access control platforms: LEAF. LEAF is an open, interoperable platform that allows credential holders to use their LEAF ID card, key fob or smartphone to unlock access to various campus applications through any LEAF-enabled reader.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

As supply chain issues in 2021 persist, identity solutions provider @ColorID discusses ways campuses can to overcome potentially troublesome delays until the situation eases.

A dining services push at the @UBuffalo is reinforcing the utility of self-service checkout. @CBORD is improving the food service experience using the GET app, as well as Nextep kiosks and Oracle’s Micros Simphony POS.

Did you miss our recent webinar? No worries - watch it on-demand. Leaders from @NAU and the @UAlberta joined Ryan Audus, Touchnet, and Andrew Hudson, @CR80News, to discuss innovative mobile services and the future of mobile tech in higher ed. Watch now:

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.