A Dual-Factor Access Control System Based on Device and User Intrinsic Identifiers

This paper proposes an access control system based on the simultaneous authentication of what the user has and who the user is. At enrollment phase, the wearable access device (a smart card, key fob, etc.) stores a template that results from the fusion of the intrinsic device identifier and the user biometric identifier. At verification phase, both the device and user identifiers are extracted and matched with the stored template. The device identifier is generated from the start-up values of the SRAM in the device hardware, which are exploited as a Physically Unclonable Function (PUF). Hence, if the device hardware is cloned, the authentic identifier is not generated. The user identifier is obtained from level-1 fingerprint features (directional image and singular points), which are extracted from the fingerprint images captured by the sensor in the access device. Hence, only genuine users with genuine devices are authorized to access and no sensitive information is stored or travels outside the access device. The proposal has been validated by using 560 fingerprints acquired in live by an optical sensor and 560 SRAM-based identifiers.