
How to Secure Microcontroller-Based IoT Devices with Fingerprint Authentication

By Bill Giovino

Contributed By Digi-Key's North American Editors

Designers are under increasing pressure to ensure their product or system is secure, particularly if it is to be connected to the Internet of Things (IoT). Much-publicized hacks have shown the vulnerability of passwords and the ease with which Personal Identification Number (PIN) codes can be copied and near field communication (NFC)-based badges can be stolen. Designers need to raise the security ante, while at the same time keeping the reins on cost and design time. Fingerprint identification (ID) is one way to achieve both goals.

Fingerprint security, however, has typically been a challenge to implement. The technical details of designing a fingerprint scanning system from scratch with a microcontroller or digital signal processor (DSP) containing fingerprint identification firmware, data processing and conditioning, and host communication, can be complex with a significant learning curve.

Fortunately, off-the-shelf hardware and software now exist that can do all the hard work of a fingerprint recognition system. This article will explain the basics of fingerprint recognition before introducing the SEN0188, a self-contained fingerprint enrollment and verification unit from DFRobot that can interface to any host microcontroller that has a universal asynchronous receiver/transmitter (UART) interface.

The article will then show how to use the SEN0188 to add fingerprint identification security to a facility that uses an IoT network to make it more resistant to hacking or physical attack.

Basics of fingerprint identification

Fingerprints are an impression of the friction ridges found on the fingers and thumb of each hand that make it easier to grab onto and hold objects. Partly the result of DNA, and partly a random process, fingerprint patterns are unique to a particular individual, with the odds of two people having the same fingerprints being extremely low. Even the fingerprints of identical twins are different. For this reason, fingerprint identification is an excellent detection method for high security systems.

Fingerprint identification systems are separated into two operations—enrollment and verification. Fingerprint enrollment is the process where a clean fingerprint is identified and stored for later use. The fingerprint is scanned one or more times by a specialized scanner and then digitized. The digitized fingerprint is then analyzed to make sure it is a valid fingerprint. If the fingerprint is valid, it is stored in non-volatile memory such as flash or EEPROM, along with personal identification information about the person such as an ID number, name, and badge number. If the fingerprint is invalid, then the finger must be scanned again.

Fingerprint verification is the process where a clean fingerprint is scanned for verification against the digitized fingerprints stored in non-volatile memory. The fingerprint scanning system will then indicate to the host whether the scanned fingerprint matches a valid fingerprint stored in memory, or if the match is invalid.

Access security with IoT

The IoT is networking many systems that were previously standalone. Some of these systems require medium security such as schools and businesses. However, illegal intrusions into some critical systems such as water treatment plants and power grids can have devastating effects and so require enhanced security. For these systems, developers are always looking for better ways to ensure security with minimal cost, as many IoT devices are themselves inexpensive by design. In such cases, fingerprint identification can be easily added alongside security badges.

The advantage of the IoT in these networks is that notification of the results of a fingerprint scan can be transmitted over the network. If an unauthorized access is detected, an alarm can be sounded, or in extreme cases, the IoT network can lock down all systems and even place a phone call to authorities.

Fingerprint enrollment for security identification is best performed in the presence of a technician or security professional to ensure it is done properly. The scanner and finger must both be clean. The technician must positively verify the identity of the person being scanned. Once the enrollment is successful, any additional information such as the person’s name or employee ID number may be added by the security professional.

The technical details involved with designing a fingerprint scanning system from scratch have made its implementation prohibitive for many designers on a tight budget. Now, off-the-shelf hardware such as DFRobot’s SEN0188 fingerprint sensor, a self-contained fingerprint enrollment and verification unit, can do all the hard work of a fingerprint recognition system (Figure 1).

Figure 1: The DFRobot SEN0188 fingerprint sensor unit contains all the hardware and firmware needed to enroll and verify fingerprints. It communicates with a microcontroller over a UART interface. (Image source: DFRobot)

The SEN0188 can operate from 3.8 to 7.0 volts and draws a maximum of 130 milliamps (mA). It has a wide operating temperature of -20°C to +60°C and can withstand up to 80% relative humidity, making it appropriate for many outdoor environments.

Looking at Figure 1, a user places their finger on the fingerprint optical sensor on the left. It takes less than one second to acquire a fingerprint image for enrollment or verification. Each fingerprint is stored in internal flash memory as a 512 byte template file. The SEN0188’s internal flash can store up to 1000 fingerprints.

The SEN0188’s UART is accessible on the underside of the sensor (Figure 2).

Figure 2: The UART connections are on the underside of the DFRobot SEN0188 fingerprint sensor. (Image source: DFRobot)

On power-up, the default baud rate of the SEN0188 is 57600 bits per second (bps). This can be adjusted to between 9600 bps and 115200 bps. The UART connection uses the following signals:

Pin Number   Signal Name   Direction   Description
1            VTOUCH        -           No connect
2            SOUT          -           No connect
3            VIN           In          Power in (3.8 to 7.0 volts)
4            TD (Tx)       Out         UART transmit data out
5            RD (Rx)       In          UART receive data in
6            GND                       Signal ground

Table 1: The pinout for the SEN0188 uses an asynchronous UART connection to communicate with a host. (Table source: DFRobot)

The UART interface can also connect to DFRobot’s software on a PC or laptop which can assist in the development of a fingerprint system, including debugging enrollment and verification firmware.

Using the DFRobot SEN0188 in a microcontroller system

For a self-contained microcontroller system, the SEN0188 should interface to a board that has both a sufficiently powerful microcontroller and a visual indicator of the status of a fingerprint placed on the sensor. The STM32F7308-DK Discovery kit from STMicroelectronics has all the features required of a self-contained fingerprint identification system. It uses a powerful STM32F730I8K6 microcontroller, which is based on an Arm® Cortex®-M7 core. The board is populated with a 25 megahertz (MHz) oscillator for the high-speed clock and a 32.768 kilohertz (kHz) oscillator for the low-speed clock. It is supported by 64 kilobytes (Kbytes) of on-chip program flash memory, an additional 64 megabytes (Mbytes) of external flash memory, and 256 Kbytes of system SRAM.

For peripheral support and communications, it has multiple serial interfaces including three I2C and five SPI interfaces. It also has four UART/USARTs, enabling it to easily communicate with the SEN0188. When powered at 3.6 volts, the STM32F730I8K6 microcontroller is compatible with the DFRobot fingerprint sensor’s TTL logic level interface.

The Discovery board comes with an Arduino™-compatible daughter board (Figure 3). While this board might be useful during development, it is not needed for this fingerprint identification application and can be disconnected from the main board.

Figure 3: The STMicroelectronics STM32F7308-DK Discovery board has all the features needed for a self-contained fingerprint identification system. The attached board on the upper left supports Arduino daughter boards, while the ESP-01 connector on the lower right supports any compatible ESP8266 board. (Image source: STMicroelectronics)

It also has a 240 x 240 TFT LCD display that can be used to provide a visual indication of a fingerprint pass or fail.

To connect to a Wi-Fi network, the STM32F7308-DK Discovery kit has a socket to connect to any industry standard ESP8266 Wi-Fi board. For example, the WRL-13678 is an ESP8266-compatible board from SparkFun Electronics (Figure 4).

Figure 4: The SparkFun Electronics WRL-13678 is an ESP8266-compatible board with an ESP-01 header connector. It plugs into the STMicroelectronics Discovery board to provide easy Wi-Fi access. (Image source: SparkFun Electronics)

The board plugs into the ESP-01 connector on the lower right of the Discovery board pictured in Figure 3. The WRL-13678 has its own on-board antenna and allows the Discovery board to easily connect to a 2.4 gigahertz (GHz) Wi-Fi network.

In a Wi-Fi networked IoT security system, any security access or denial can be transmitted to any IoT node. This can be useful for enabling access to additional areas or systems that are highly restricted. For example, if access is requested to a highly restricted area inside a facility but no one with that clearance has been logged in and reported by the fingerprint scanner at any entrance, then the system may classify this attempt as a potential security violation and take the appropriate action.

It’s not unusual for facilities with this level of security to also require identity verification for anyone leaving the facility. This not only provides a log of all entrances and exits, but also traps unauthorized personnel inside the building while security professionals are alerted.
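The cross-check between entrance scans and restricted-area requests described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the numeric clearance levels, the type and function names, and the sample roster are assumptions, and the second alert rule (the requester personally has no entry on record) goes one step beyond the rule the article states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_PEOPLE 8
typedef enum { EV_ENTRY, EV_EXIT } ev_kind;
typedef enum { ACCESS_GRANT, ACCESS_DENY, ACCESS_ALERT } decision;
typedef struct { uint16_t id; uint8_t clearance; bool inside; } badge;
typedef struct { badge roster[MAX_PEOPLE]; size_t count; } site_state;

/* Apply one verified scan from an entrance or exit node. Returns false for an
 * unknown ID or an impossible transition (exit without entry, double entry);
 * the caller should log those for review instead of updating presence. */
bool site_apply(site_state *s, uint16_t id, ev_kind kind) {
    for (size_t i = 0; i < s->count; i++) {
        badge *b = &s->roster[i];
        if (b->id != id) continue;
        if (b->inside == (kind == EV_ENTRY)) return false;
        b->inside = (kind == EV_ENTRY);
        return true;
    }
    return false;
}

/* Decide a request for an area that needs clearance >= required. */
decision site_request(const site_state *s, uint16_t id, uint8_t required) {
    const badge *who = NULL;
    bool cleared_on_site = false;
    for (size_t i = 0; i < s->count; i++) {
        const badge *b = &s->roster[i];
        if (b->id == id) who = b;
        if (b->inside && b->clearance >= required) cleared_on_site = true;
    }
    if (!cleared_on_site) return ACCESS_ALERT;      /* rule from the article */
    if (!who || !who->inside) return ACCESS_ALERT;  /* added: requester never entered */
    return who->clearance >= required ? ACCESS_GRANT : ACCESS_DENY;
}

/* Constructed sample: three enrolled people and a short entrance/exit log. */
site_state sample_site(void) {
    site_state s = { { {101, 3, false}, {102, 1, false}, {103, 3, false} }, 3 };
    site_apply(&s, 102, EV_ENTRY);
    site_apply(&s, 103, EV_ENTRY);
    site_apply(&s, 103, EV_EXIT);
    return s;
}
```

Requiring exit scans, as the following paragraph describes, is what keeps the `inside` flag trustworthy; without them every past entrant would count as present.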

Implementing fingerprint security

The SEN0188 sensor communicates with the host STMicroelectronics Discovery board over the UART interface using a simple command set. There are a total of 22 commands which include enrolling, verifying, and deleting fingerprints; various search commands; reading and writing directly to the internal flash memory; reading status; and setting security for the sensor. The sensor can also retrieve the stored bitmap image of any fingerprint and transmit it to the host, which the Discovery board can display on its TFT LCD.

Fingerprint enrollment can be enabled at the fingerprint identification station using a PIN or password. However, a more secure method of enrollment is to enable it by transmitting a command to the Discovery board IoT endpoint from somewhere across the network, such as from a security guard station. Alternatively, a mobile device such as a phone or tablet can be used to authorize enrollment. The success of the enrollment can also be verified on the mobile device.

The fingerprint optical sensor area on the SEN0188 has an LED backlight which can be easily turned on and off by the host using the OpenLED and CloseLED commands. This can be useful in a secure environment by lighting the fingerprint sensor only when the system is ready to accept a fingerprint. The backlighting can be turned off during a security event to indicate that no access will be accepted at that time, even by authorized personnel.

The SEN0188 default UART frame uses one start bit, 8 bits of data, and one stop bit. The least significant bit (LSB) of data is transmitted first. Upon power-up, the SEN0188 takes 300 milliseconds (ms) to initialize and run a self-test. It then transmits one byte of 55h to the host to indicate it is ready. The host can also send a GetEcho command to the sensor to request the 55h confirmation code. If this byte is not received by the host, it can indicate a SEN0188 malfunction, an interruption in the communications between the SEN0188 and the host, or that the SEN0188 is not powered.

The SEN0188 is designed to provide a secure environment for fingerprint authentication and provides many security features, including password protection. The default four byte factory password is 00000000h and should be changed before the system is placed in the field. The password is stored in the sensor’s internal flash using the sensor’s set password command SetPwd.

For added security the sensor command set does not include a read password command. If the sensor password is lost, the SEN0188 sensor becomes unusable—there is no hardware or software reset that can recover the sensor or the stored fingerprints.
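One way a host could act on the power-up handshake and the factory-default password described above, as an added example that is not DFRobot's or the article's code: the station stays disabled unless the firmware's configured sensor password differs from 00000000h and the sensor has answered with 55h, with GetEcho as the fallback. The `sensor_port` callbacks, the timing margin, the retry count and the simulated UART are assumptions; command framing is left to the real driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define READY_BYTE       0x55u        /* power-up / GetEcho confirmation code */
#define INIT_MS          300u         /* sensor self-test time after power-up */
#define FACTORY_PASSWORD 0x00000000u  /* default password, never field-valid  */

typedef enum { GATE_OK, GATE_DEFAULT_PASSWORD, GATE_SENSOR_SILENT } gate_result;

/* Hypothetical UART port: the real firmware supplies these two callbacks. */
typedef struct {
    bool (*read_byte)(void *ctx, uint8_t *out, uint32_t timeout_ms);
    void (*send_get_echo)(void *ctx);   /* command framing lives in the driver */
    void *ctx;
} sensor_port;

/* True once 55h arrives; skips at most 8 stray bytes so noise cannot stall boot. */
static bool saw_ready(const sensor_port *p, uint32_t timeout_ms) {
    uint8_t b;
    for (int i = 0; i < 8 && p->read_byte(p->ctx, &b, timeout_ms); i++)
        if (b == READY_BYTE) return true;
    return false;
}

/* Fail closed: the station stays disabled unless every check passes. */
gate_result station_boot_gate(const sensor_port *p, uint32_t configured_password) {
    if (configured_password == FACTORY_PASSWORD) return GATE_DEFAULT_PASSWORD;
    if (saw_ready(p, INIT_MS + 200u)) return GATE_OK;   /* 200 ms margin assumed */
    for (int attempt = 0; attempt < 3; attempt++) {     /* retry count assumed   */
        p->send_get_echo(p->ctx);
        if (saw_ready(p, 100u)) return GATE_OK;
    }
    return GATE_SENSOR_SILENT;
}

/* Constructed stand-in for the UART so the gate can be exercised off-target. */
typedef struct { const uint8_t *rx; size_t n, pos; bool answers_echo, pending; } fake_uart;
static bool fake_read(void *c, uint8_t *out, uint32_t t) {
    fake_uart *f = c; (void)t;
    if (f->pos < f->n) { *out = f->rx[f->pos++]; return true; }
    if (f->pending) { f->pending = false; *out = READY_BYTE; return true; }
    return false;
}
static void fake_echo(void *c) { fake_uart *f = c; f->pending = f->answers_echo; }

gate_result simulate_boot(const uint8_t *rx, size_t n, bool answers_echo, uint32_t pw) {
    fake_uart f = { rx, n, 0, answers_echo, false };
    sensor_port p = { fake_read, fake_echo, &f };
    return station_boot_gate(&p, pw);
}
```

A `GATE_SENSOR_SILENT` result is worth reporting over the IoT network as well as locally, since the article lists a cut connection and an unpowered sensor among its causes.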

The sensor also has a default four byte address of FFFFFFFFh that is stored in internal flash and can also be changed using the SetAddr command.

All fingerprint authentication and storage are performed internal to the sensor. This prevents tampering with the stored fingerprints or the verification process.

Before first use, it is a smart security precaution to delete all fingerprints stored in the fingerprint scanner. This is supported by the Empty command, which deletes all fingerprint templates stored in the sensor’s internal flash memory.

Conclusion

Access security is an increasingly important application for embedded and IoT systems, but it needs to be done effectively with the appropriate balance of cost, simplicity, and effectiveness. As shown, the DFRobot SEN0188 fingerprint sensor allows designers to quickly prototype and develop a system to provide access security to sensitive areas. When interfaced with the STM32F7308-DK Discovery kit with a TFT LCD display and the SparkFun Electronics WRL-13678 Wi-Fi board, a security system can be developed that is simple, reliable, and easy to use.


About this author

Bill Giovino

Bill Giovino is an Electronics Engineer with a BSEE from Syracuse University, and is one of the few people to successfully jump from design engineer, to field applications engineer, to technology marketing.

For over 25 years Bill has enjoyed promoting new technologies in front of technical and non-technical audiences alike for many companies including STMicroelectronics, Intel, and Maxim Integrated. While at STMicroelectronics, Bill helped spearhead the company’s early successes in the microcontroller industry. At Infineon Bill orchestrated the company’s first microcontroller design wins in U.S. automotive. As a marketing consultant for his company CPU Technologies, Bill has helped many companies turn underperforming products into success stories.

Bill was an early adopter of the Internet of Things, including putting the first full TCP/IP stack on a microcontroller. Bill is devoted to the message of “Sales Through Education” and the increasing importance of clear, well written communications in promoting products online. He is moderator of the popular LinkedIn Semiconductor Sales & Marketing Group and speaks B2E fluently.
