Synaptics last month introduced its second-generation match-in-sensor (MIS) solution designed for a wide range of fingerprint sensors, including those in PCs and other devices. The new FS7600 MIS relies on brand-new silicon, which the company claims is designed for maximum performance and security.
The Fingerprint Reader: Sensor Plus Security
Before we proceed to the Synaptics FS7600 sensor, let’s recap the basics about fingerprint readers in general. Contemporary fingerprint hardware/software never keeps the image of a real fingerprint, but stores an abstract/hash of its distinctive features in a proprietary format. Once a new fingerprint sample is captured, the hardware/software compares this hashed data, not the images. This approach helps to improve both user experience and security.
Synaptics offers two types of fingerprint readers: match-on-host (MOH) and match-in-sensor (MIS). An MOH solution performs matching in a process that runs on the host system. A MIS system is completely stand-alone: it contains its own processor, storage, and cryptographic capabilities, runs everything locally, and performs matching in an environment physically isolated from the host. It then sends an identification result to the host that is encrypted and signed using a sensor-specific key (this key is important; more on that later).
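To make the MIS result channel concrete, here is an added Go sketch of the pattern the paragraph describes; it is not Synaptics’ code, and the FS7600’s actual message format, key types and transport (the article only says TLS 1.2/AES-256) are not public. In this example the sensor encrypts its verdict under a pairing key shared with the host at enrollment and signs it with a sensor-specific Ed25519 key that never leaves the device; the host issues a fresh challenge nonce for every attempt and accepts only a result that decrypts, carries a valid signature from the paired sensor, and echoes the outstanding challenge. The `Sensor` and `Host` types, the AES-256-GCM framing, and the 16-byte challenge are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Result codes carried in the sensor's report (constructed for this example).
const (
	ResultNoMatch byte = 0
	ResultMatch   byte = 1
)

const challengeLen = 16
const plainLen = challengeLen + 1 // challenge || result byte

// Sensor models the match-in-sensor side. signPriv is the sensor-specific
// key that never leaves the device; pairingKey is a 32-byte AES-256 key
// shared with the host at enrollment (both are assumptions of this example).
type Sensor struct {
	signPriv   ed25519.PrivateKey
	pairingKey []byte
}

// Host models the verifier. It holds only the sensor's public key, the
// pairing key, and the challenge it is currently waiting on.
type Host struct {
	signPub    ed25519.PublicKey
	pairingKey []byte
	pending    *[challengeLen]byte
}

// NewPair simulates enrollment: generates the sensor's signing key pair and
// a shared pairing key, and hands the host only what it needs to verify.
func NewPair() (*Sensor, *Host, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	return &Sensor{signPriv: priv, pairingKey: key},
		&Host{signPub: pub, pairingKey: key}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Challenge issues a fresh random nonce; the host will only accept a report
// that echoes it, so an old captured report cannot be replayed later.
func (h *Host) Challenge() ([challengeLen]byte, error) {
	var n [challengeLen]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	h.pending = &n
	return n, nil
}

// Report builds the sensor's message: plaintext = challenge || result,
// signed with the sensor-specific key, then the whole thing sealed with
// AES-256-GCM under the pairing key. Output = iv || ciphertext || tag.
func (s *Sensor) Report(challenge [challengeLen]byte, matched bool) ([]byte, error) {
	res := ResultNoMatch
	if matched {
		res = ResultMatch
	}
	plain := append(challenge[:], res)
	sig := ed25519.Sign(s.signPriv, plain)
	payload := append(plain, sig...)
	gcm, err := newGCM(s.pairingKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return append(iv, gcm.Seal(nil, iv, payload, nil)...), nil
}

// Verify decrypts the report, checks the signature against the paired
// sensor's public key, and checks that it answers the outstanding challenge.
// The challenge is consumed on the first attempt, so a replay always fails.
func (h *Host) Verify(msg []byte) (bool, error) {
	if h.pending == nil {
		return false, errors.New("no outstanding challenge")
	}
	want := *h.pending
	h.pending = nil
	gcm, err := newGCM(h.pairingKey)
	if err != nil {
		return false, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns {
		return false, errors.New("message too short")
	}
	payload, err := gcm.Open(nil, msg[:ns], msg[ns:], nil)
	if err != nil {
		return false, errors.New("decryption or integrity check failed")
	}
	if len(payload) != plainLen+ed25519.SignatureSize {
		return false, errors.New("bad payload length")
	}
	plain, sig := payload[:plainLen], payload[plainLen:]
	if !ed25519.Verify(h.signPub, plain, sig) {
		return false, errors.New("signature is not from the paired sensor")
	}
	if !bytes.Equal(plain[:challengeLen], want[:]) {
		return false, errors.New("challenge mismatch: stale or replayed result")
	}
	return plain[challengeLen] == ResultMatch, nil
}

func main() {
	sensor, host, _ := NewPair()
	c, _ := host.Challenge()
	msg, _ := sensor.Report(c, true)
	ok, err := host.Verify(msg)
	fmt.Println("first verify:", ok, err)   // true <nil>
	_, err = host.Verify(msg)
	fmt.Println("replayed verify error:", err) // no outstanding challenge
}
```

The point to notice is the division of trust: the host never sees the fingerprint template or the sensor’s signing key, only a verdict it can attribute to one specific sensor and one specific challenge. A device that knows the pairing key but not that sensor’s signing key still cannot produce an acceptable result, which is the property the article later leans on when it says that Azure and FIDO 2.0 require a sensor-specific key.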
The Synaptics FS7600
The Synaptics FS7600 (codenamed Prometheus) is the company’s 2nd generation MIS. Besides the scanner itself, the chip features a 192 MHz processor, a hardware accelerated matcher (which uses what Synaptics calls “Quantum Matcher” algorithms), a hardware accelerated image processing unit, a hardware accelerated encryption engine that supports TLS 1.2 and AES-256, its own internal flash memory for the fingerprint database, as well as physical I/O interfaces (USB, SPI, and GPIO are supported).
Notably, the FS7600 supports up to a 0.2 mm sensing distance, meaning it can be put under glass, under mylar, or just coated with a protective layer. The FS7600 can also come in different shapes for various kinds of applications and different locations of the scanner on a PC. This includes a 10×10-mm square, a 10-mm circle, or a 4×12-mm rectangle.
Synaptics FS7600: Availability
Synaptics’ FS7600 is available to PC makers right now, and is expected to be implemented in future devices. Large OEMs tend to update their PC platforms once a year, so with high-end Coffee Lake systems having just hit the market in the past quarter, the next big window of opportunity for Synaptics to get their sensor adopted by PC vendors will be spread out over the next few quarters.
For their part, Synaptics says that they are going for a wide market approach, targeting both business and consumers. Business users are the more obvious case, particularly because of Windows Hello for Business. As for consumer users, the use cases are a bit more limited at present, as the current Windows Hello fingerprint tech isn’t slated to arrive in consumer OSs. Instead a fingerprint sensor would be a forward-looking addition, as Microsoft is working on their FIDO 2.0-based next-gen OS security tech, which unlike Hello will be coming to consumers.
As for non-PC applications, those have much longer product design and retail lifecycles. The FS7600 was designed with both PC and non-PC applications in mind, so while the sensor can be used in other types of devices, it would be quite some time before any such devices would hit the market. Otherwise, for early adopters, an external dongle incorporating the FS7600 is set to be available this month.
PQI MyLockey 2: 32 or 64 GB, FS7600, Available This Month
PQI has been producing Synaptics-based fingerprint readers for various customers for a while now. The company was first to launch a retail product featuring a Synaptics sensor nearly two years ago and is about to start selling its new one.
PQI’s 1st Gen MyLockey released in 2016 relies on Synaptics’ FS4300 MOH solution that supports all the company’s advanced security technologies. Being powered by a host CPU, the MyLockey 1 is of course fast, but it does not support Windows Hello for Business and will not support Microsoft’s next-gen OS-based security.
Its successor is the aptly named My Lockey 2, which is based on the FS7600 MIS solution and comes with 32 GB or 64 GB of embedded storage for holding various files.
Since the 2nd Gen PQI My Lockey is also a flash drive, it looks like a flash drive and is not as small as the previous-gen product. Where the 1st Gen My Lockey could be installed once and never removed, the 2nd Gen My Lockey will be travelling with its owner because it is a drive. Likewise, where the 1st Gen My Lockey was made of plastic with a metallic frame, the 2nd Gen My Lockey is made entirely of plastic, and the construction does not seem to be too rugged.
Keeping in mind how important the things on a PC can be, it might be best to use the 2nd Gen My Lockey only locally, which is good enough for desktops.
Along with their product announcement, Synaptics also gave us a bit more detail about how their architecture works. The chip is made using TSMC’s 55 nm fabrication process, which, as we’ve seen repeatedly with products that aren’t high-performance processors, is still good enough for various ASICs that do not need extreme compute throughput but can benefit from a relatively high transistor density. Given the FS7600’s high level of integration, that is exactly the case here: a low-power chip packing multiple relatively small special-purpose accelerators.
The FS7600 runs Synaptics’ own operating system. The sensor processes hashed data in a proprietary format, with virtually all demanding tasks being hardware accelerated. This high level of integration is something the company feels is very important, as it offers relatively few points in the authentication chain where an attacker can even attempt to compromise the sensor. Even then, an attack would be about fooling the sensor into giving up its keys or accepting an invalid fingerprint, as even if one could retrieve the hashed metadata – bearing in mind that the fingerprint sensor itself doesn’t have that ability – recovering a complete fingerprint from the stored metadata is thought to be impossible due to the nature of the one-way hash.
It is noteworthy that Synaptics can still update its MIS using a driver update in a bid to improve the PurePrint anti-spoofing or the Quantum Matcher technologies. But for an unauthorized person the FS7600 is going to be a tough nut to crack.
Synaptics FS7600: Performance Figures
As noted above, MOH sensors are typically considerably faster than MIS solutions because they can use the power provided by an Intel Core (or AMD Ryzen, or any other) processor to perform all the necessary tasks, and no MIS is going to have the performance of a contemporary high-performance x86 CPU any time soon.
According to Synaptics, it takes 180 – 250 ms for its advanced MOH product (such as the FS4300) to capture a fingerprint and match it. By contrast, its first-gen MIS could only boast a 900 ms time, which is considerably slower. The good news is that the FS7600 is designed to lower the capturing and matching time of a fingerprint to 350 ms (capturing takes around 50 ms, processing takes another 300 ms). This is primarily due to the use of more fixed-function accelerators.
In a bid to demonstrate how fast the FS7600 works, Synaptics’s Godfrey Cheng showed us a retrofitted commercial laptop with the new sensor at Computex earlier this year. The matching takes so little time that from a visual standpoint everything happens instantly.
From a performance-numbers point of view, MOH fingerprint solutions are still a bit faster than the FS7600, but Synaptics believes that at 350 ms the FS7600 is still fast enough to provide an excellent user experience. Taking Synaptics’ own numbers for a MOH solution, this would put the FS7600 at around 100-150 ms slower than an MOH solution, which, although within the realm of human response time, is not excessively so, especially for a “passive” action like a fingerprint swipe. In the meantime, the ‘sealed’ FS7600 has an important advantage over its speedy brother: compatibility with Microsoft’s Windows Hello for Business and next generation OS-level security.
Microsoft Next-Gen Security & Windows Hello for Business
Typically, fingerprint authentication is used for system activation. Obviously, you can replace certain passwords with a fingerprint, but in general everything is limited to a local PC. Meanwhile, an equally (if not more) important use of authentication is for various web and cloud applications, which means that a universal authentication method has to be supported for local and web/cloud services.
Microsoft offers two initiatives to address this problem. The first one is Windows Hello for Business, which is available today and, as the name suggests, it is aimed at the enterprise. The second one is the company’s next generation OS-level security tech designed for consumers.
When it comes to local authentication, both Windows Hello for Business (WHFB) and the next gen OS-level security (NGOSLS) rely on Microsoft’s Virtualization Based Security. As the name implies, the latter separates applications across different virtual machines that never affect each other, making intercepting keys using a malicious program a more difficult task.
When extending local authentication to the web, WHFB uses Azure Active Directory’s built-in identity protection, whereas the NGOSLS relies on the FIDO (Fast IDentity Online) 2.0 specifications and certifications. Both Azure and FIDO 2.0 require a compatible MIS with a number of special features and a sensor-specific key, so an MIS setup is mandatory for both.
Ideally, both types of sensors (match-on-host, match-in-sensor) have to support a sophisticated technology that protects against spoofing. One of the strengths of fingers as identification is that they’re hard to spoof; however, it’s not impossible. Meanwhile people leave their fingerprints around on virtually everything, so getting someone’s fingerprint is often a lot easier than it would seem. This means a sensor needs to be able to reject items that have a fingerprint but aren’t a human finger, such as gelatin or latex fingers. Otherwise, as we saw last year, it can be trivially easy to fake out naive sensors.
Synaptics calls their proprietary solution PurePrint. The company doesn’t talk about the technology in too great of detail, but the sensor is connected to a host using a TLS 1.2/AES-256 encrypted connection in order to prevent intercepting or faking a valid fingerprint.
Ultimately, while Synaptics is in both the MOH and MIS businesses, now that they have a MIS sensor they feel is competitive in terms of total matching time, the company is trying rather hard to justify why OEM customers should switch to a more integrated MIS solution. This means tactfully pointing out the security shortcomings of MOH sensors, such as the fact that they require greater software support on the host OS (a particular challenge for non-PC devices) and the general insecurity of a general-purpose system. All of which makes a sealed system preferable.
That said, it is not like MOH sensors are bad — Synaptics’ Quantum Matcher works in SGX and Windows 10 VBS-protected environments, and neither has been cracked so far. Meanwhile, a high-performance CPU is by definition faster than any tiny IC in an MIS at matching hashes and performing all the other necessary operations. As a result, MOH solutions are typically going to provide a better user experience. Though with the FS7600, Synaptics thinks they’re finally able to hit the right balance between security and performance/experience.
Final Thoughts and a Glance into the Future
Overall, creating a match-in-sensor fingerprint solution that can perform similarly to match-on-host solutions is an important achievement for Synaptics. This is especially true as the company looks to further grow their non-core businesses and bite off a larger piece of the fingerprint sensor market. Of course, necessity is the mother of invention: Synaptics had to design an MIS as fast as the FS7600 because it needed a high-performance sensor compatible with Windows Hello for Business as well as Microsoft’s next-gen OS-based security tech. So for Synaptics the FS7600 is essentially a non-optional product. With that in mind, now that they have the FS7600, Synaptics is looking to compete for design wins in non-PC devices that benefit from a low response time (think door locks, vehicles, etc.).
Though with the FS7600 now complete, Synaptics already has an eye towards their own future products. The company is developing its next generation of products, including investigating how to harden their products against ever-improving quantum computers. To that end, the company’s specialists are looking into beyond-AES-256 algorithms that will be “qubit-proven,” meaning they cannot be factored even when a quantum computer is applied.