Вы находитесь на странице: 1из 77



Security is of primary concern and in this busy, competitive world, humans cannot find
ways to provide security to his confidential belongings manually. Instead, we find an
alternative which can provide a full-fledged security.. In the ubiquitous network society,
where individuals can easily access their information anytime and anywhere, people are
also faced with the risk that others can easily access the same information anytime and
anywhere. Because of this risk, personal identification technology, which can distinguish
between registered legitimate users and imposters, is now generating interest.

1.1 Introduction

Fingerprint based biometric systems utilize fingerprint recognition technology to allow

access to only those whose fingerprints you choose. This eliminates the need for
keeping track of keys or remembering a combination password, or PIN. It can only be
opened when an authorized user is present, since there are no keys or combinations to be
copied or stolen, or locks that can be picked.
Currently, passwords, Personal Identification Numbers (4-digit PIN numbers) or
identification cards are used for personal identification. However, cards can be stolen,
and passwords and numbers can be guessed or forgotten. To solve these problems,
biometric authentication technology which identifies people by their unique biological
information is attracting attention. Biometrics can be defined as recognizing and
identifying a person based on physiological or behavioral characteristics. In biometric
authentication, an account holders body characteristics or behaviors (habits) are
registered in a database and then compared with others who may try to access that
account to see if the attempt is legitimate.

Biometrics studies commonly include fingerprint, face, iris, voice, signature, and hand
geometry recognition and verification. Many other modalities are in various stages of
development and assessment. Fingerprints provide good mismatch ratio and high
accuracy in terms of security and are also reliable. For this we are using R303A as a
scanner. This module has in-built ROM, DSP and RAM. In this we can store up to 100
users fingerprints.
This module can operate in 2 modes which are Master mode and User mode. We will be
using Master mode to register the fingerprints which will be stored in the ROM present
on the scanner with a unique id.

1.2 Problem Statement

Access to a reliable personal identification infrastructure is becoming increasingly

essential. Conventional methods of identification based on possession of ID cards or
exclusive knowledgelike a social security number or a passwordare not altogether
reliable. ID cards can be lost, forged, or misplaced; passwords can be forgotten or
Fingerprint recognition technology allows access to only those whose fingerprints that
are pre stored in the memory. Stored fingerprints are retained even in the event of
complete power failure or battery drain. These eliminates the need for keeping track of
keys or remembering a combination password, or PIN. The bank account details can only
be accessed when an authorized user is present, since there are no keys or combinations
to be copied or stolen, or locks that can be picked. The fingerprint based authentication
system therefore provides a wonderful solution to conventionally encountered
inconveniences in the banking system.

The main aim of this project is to design a fingerprint based banking security solution
which uses a persons fingerprint as a means of authenticating and verifying identity in
order to have access to account information. A second layer of security has been added by
using a GSM module to send a One Time Password (OTP) to the users mobile phone
after the fingerprint verification process is successful.

The fabricated module has the following features:

i) Interfacing a fingerprint scanner module to the ports of the


ii) Enrolling the clients fingerprint into the database system using the
fingerprint scanner.

iii) Storing the clients fingerprints in the scanners memory using a

unique ID corresponding to each fingerprint template.

iv) Matching the current fingerprint with the existing templates stored
in the database.

v) Using the GSM Module to send a OTP to the clients mobile phone after a

successful match.

vi) Displaying the account details on the PC after the valid OTP has been
entered by the client.

1.3 Fingerprint patterns

Basic patterns

The three basic patterns of fingerprint ridges are the arch, the loop, and the whorl.
An arch is a pattern where the ridge enters one side of the finger, then rises in the center
forming an arch, and exits on the other side of the finger. With a loop the ridge enters one
side of the finger, then forms a curve, and exits on the same side of the finger from which
it entered. Loops are the most common pattern in fingerprints. Finally a whorl is the
you have when ridges form circularly around a central point.

Minutiae features

Minutiae refer to specific points in a fingerprint, these are the small details in a
fingerprint that are most important for fingerprint recognition.

There are three major types of minutiae features: the ridge ending, the bifurcation, and
the dot (also called short ridge). The ridge ending is, as indicated by the name, the spot
where a ridge ends. A bifurcation is the spot where a ridge splits into two ridges. Spots
are those fingerprint ridges that are significantly shorter than other ridges.

1.4 Suitability of Fingerprints for Biometric Authentication

Universality: Only very few people miss all 10 fingers. Most fingerprint
recognition software allows to enroll multiple fingers which avoids that an
individual is no longer granted access after injury.

Uniqueness: It is generally accepted that fingerprints are unique to an individual.

However, there is a risk that fingerprints of two different individuals match if the
fingerprint image is of insufficient quality. Therefore the False Acceptance Rate
(FAR) is highly dependent on the quality of the fingerprint reader.

Permanence: Fingerprints do not change with ageing, but as people age they lose
collagen which makes their fingerprint harder to read and this can lead to
significantly more false rejects with elderly people. Injuries, such as fire wounds,
can damage a fingerprint but if multiple fingers are enrolled the likelihood of an
authorized individual being denied access is reduced.

Collectability: Fingerprints are easy to acquisition, the cheapest fingerprint readers

available use a digital camera. Fingerprint readers that are more difficult to fool,
such as CMOS readers, are even not overly expensive. In some environments, where

example people are unable to wash their hands, more expensive means might be

necessary to acquire a useable fingerprint image.

Acceptability: Fingerprints are easily accepted as soon as people reflect that they
leave their fingerprints everywhere and that no sensitive information, such as
medical conditions, can be derived from fingerprints.


The system consists of:

1. Fingerprint Module: The module would contain the sensor and an image
processor to acquire, scan and process the fingerprint of the user/client. It would
also have the necessary flash memory to store the reconstructed fingerprint
images. The module chosen is R305 Fingerprint Scanner Module.

2. Micro-Controller: This device would be the heart of the system. It will

supervise and command all the actions of the fingerprint module, the GSM
module and interact with the Database Management Software for its functions.
Arduino UNO is the chosen micro-controller.

3. GSM module: This module would have a SIM card and will be
responsible to send the OTP provided by the micro-controller to the clients cell
phone. SIM 900 is the chosen GSM Module.

4. Database Management software: This software would be configured to

store the account details of the client. Once the client has been authenticated and
verified the micro-controller will instruct this software to display the clients

5. Arduino IDE: This is the Integrated Development Environment used to

program the Arduino. It will also have the serial monitor which will display all the
instructions for the client to authenticate and verify himself.

Here is a brief description of the hardware:

2.1 Arduino Uno:

Arduino is an open-source prototyping platform based on easy-to-use hardware and

software. Arduino boards are able to read inputs - light on a sensor, a finger on a button,
or a Twitter message - and turn it into an output - activating a motor, turning on an LED,

publishing something online. You can tell your board what to do by sending a set of
instructions to the microcontroller on the board. The boards feature serial
communications interfaces, including USB on some models, for loading programs from
personal computers. For programming the microcontrollers, the Arduino project provides
an integrated development environment (IDE) based on the Processing project, which
includes support for the C and C++ programming languages.

Figure 2.1 Arduino UNO

An Arduino board historically consists of an Atmel 8-, 16- or 32-bit

AVR microcontroller (although since 2015 other makers microcontrollers have been
used) with complementary components that facilitate programming and incorporation
into other circuits. An important aspect of the Arduino is its standard connectors, which
lets users connect the CPU board to a variety of interchangeable add-on modules known
as shields. Some shields communicate with the Arduino board directly over various pins,
but many shields are individually addressable via an IC serial busso many shields
can be stacked and used in parallel. Official Arduinos use the Atmega AVR series of
chips, specifically thespecificallythe ATmega8, ATmega168, ATmega328,
ATmega1280and ATmega2560. M ATmega2560Mosto st boards include a 5 V linear
regulator and a 16 MHz crystal oscillator.

The Arduino IDE supports the C and C++ programming languages using special rules of
code organization. The Arduino IDE supplies a software library called "Wiring" from the
Wiring project, which provides many common input and output procedures. A typical A
typicalArduino C/C++ sketch consist of two functions that are compiled and linked with
a program stub main() into an executable cyclic executive program:

Arduino C/C++ sketch consist of two functions that are compiled and linked with a

program stub main() into an executable cyclic executive program:

setup(): a function that runs once at the start of a program and that can initialize

loop(): a function called repeatedly until the board powers off.

After compilation and linking with the GNU toolchain , also including with the IDE
distribution, the Arduino IDE employs the program avrdude to convert the executable
code into a text file in hexadecimal coding that is loaded into the Arduino board by a
loader program in the board's firmware.

2.2 R305 Fingerprint Module:

This is a finger print sensor module with TTL UART interface. The user can store the
finger print data in the module and can configure it in 1:1 or 1: N mode for identifying
the person. The finger print module can directly interface with 3.3V or 5V
Microcontroller. A level converter (like MAX232) is required for interfacing with PC.
Figure 2.2 R305 Fingerprint Module

Operation Principle

Fingerprint processing includes two parts: fingerprint enrollment and fingerprint

matching (the matching can be 1:1 or 1:N). When enrolling, user needs to enter the finger
two times. The system will process the two time finger images, generate a template of the
finger based on processing results and store the template. When matching, user enters the
finger through optical sensor and system will generate a template of the finger and
compare it with templates of the finger library. For 1:1 matching, system will compare
the live finger with specific template designated in the Module; for 1:N matching, or
searching, system will search the whole finger library for the matching finger. In both
circumstances, system will return the matching result, success or failure.

Hardware connection

Via serial interface, the Module may communicate with MCU of 3.3V or 5V
power: TD (pin 3 of P1) connects with RXD (receiving pin of MCU), RD (pin 4 of P1)
connects with TXD (transferring pin of MCU). Should the upper computer (PC) be in
RS-232 mode, please add level converting circuit, like MAX232, between the Module
and PC.

Serial communication protocol

The mode is semi duplex synchronism serial communication. And the default
baud rate is 57600bps. User may set the baud rate in 9600 115200bps.Transferring
frame format is 10 bit: the low-level starting bit, 8-bit data with the LSB first, and an
ending bit. There is no check bit.

Fingerprint Library

System sets aside a certain space within Flash for fingerprint template storage,
thats fingerprint library. Contents of the library remain at power off. Capacity of the
library changes with the capacity of Flash, system will recognize the latter automatically.
Fingerprint templates storage in Flash is in sequential order. User can only access library
by template number.


There are an image buffer and two 512-byte-character-file buffer within the RAM
space of the module. Users can read & write any of the buffers by instructions.

Image buffer

ImageBuffer serves for image storage and the image format is 256*288 pixels.
When transferring through UART, to quicken speed, only the upper 4 bits of the pixel is
transferred (that is 16 grey degrees). And two adjacent pixels of the same row will form a
byte before the transferring. When uploaded to PC, the 16-grey-degree image will be
extended to 256-grey-degree format. Thats 8-bit BMP format When transferring through
USB, the image is 8-bit pixel, thats 256 grey degrees.

Character file buffer

Character file buffer, CharBuffer1, CharBuffer2, can be used to store both

character file and template file.

There are a number of different ways to get an image of somebody's finger. The
most common methods today are optical scanning and capacitance scanning. Both types
come up with the same sort of image, but they go about it in completely different ways.
Optical scanner

The heart of an optical scanner is a charge coupled device (CCD), the same light
sensor system used in digital cameras and camcorders. A CCD is simply an array of light-
sensitive diodes called photosites, which generate an electrical signal in response to light
photons. Each photosite records a pixel, a tiny dot representing the light that hit that spot.
Collectively, the light and dark pixels form an image of the scanned scene (a finger, for
The scanning process starts when you place your finger on a glass plate, and a
CCD camera takes a picture. The scanner has its own light source, typically an array of
light-emitting diodes, to illuminate the ridges of the finger. The CCD system actually

an inverted image of the finger, with darker areas representing more reflected light (the
ridges of the finger) and lighter areas representing less reflected light (the valleys
between the ridges).

Before comparing the print to stored data, the scanner processor makes sure the
CCD has captured a clear image. It checks the average pixel darkness, or the overall
values in a small sample, and rejects the scan if the overall image is too dark or too light.
If the image is rejected, the scanner adjusts the exposure time to let in more or less light,
and then tries the scan again.

Capacitance scanner
Figure 2.3 Capacitance Scanner

The Figure 2.3 shows a simple capacitive sensor. The sensor is made up of one or
more semiconductor chips containing an array of tiny cells. Each cell includes two
conductor plates, covered with an insulating layer. The cells are tiny -- smaller than the
width of one ridge on a finger

The sensor is connected to an integrator, an electrical circuit built around an
inverting operational amplifier. The inverting amplifier is a complex semiconductor
device, made up of a number of transistors, resistors and capacitors.

To scan the finger, the processor first closes the reset switch for each cell, which
shorts each amplifier's input and output to "balance" the integrator circuit. When the
switch is opened again, and the processor applies a fixed charge to the integrator circuit,
the capacitors charge up. The capacitance of the feedback loop's capacitor affects the
voltage at the amplifier's input, which affects the amplifier's output. Since the distance to
the finger alters capacitance, a finger ridge will result in a different voltage output than a
finger valley.

The scanner processor reads this voltage output and determines whether it is
characteristic of a ridge or a valley. By reading every cell in the sensor array, the
processor can put together an overall picture of the fingerprint, similar to the image
captured by an optical scanner.

A simple pattern recognition algorithm for minutiae detection in fingerprint is

proposed. This will be a trivial task when an ideal thinned ridge map is available. Without
loss of generality, we assume if a pixel is on a thinned ridge, it has a value on one and
zero otherwise. Let (x,y) denote a pixel on a thinned ridge and N0,N1,N2 denote its
neighbours. A pixel is ridge ending if :
And a ridge bifurcation if

However the presence of undesired spikes and breaks present in a thinned ridge map
may lead to detection of many spurious minutiae.

2.3 Global System for Mobile Communication (GSM) Module

A GSM modem is a specialized type of modem which accepts a SIM card, and
operates over a subscription to a mobile operator, just like a mobile phone. From the
mobile operator perspective, a GSM modem looks just like a mobile phone. These GSM
modems are most frequently used to provide mobile internet connectivity, many of them
can also be used for sending and receiving SMS and MMS messages. It is used to
establish communication between a computer and a GSM-GPRS system. Global System
for Mobile communication (GSM) is an architecture used for mobile communication in
most of the countries. Global Packet Radio Service (GPRS) is an extension of GSM that
enables higher data transmission rate. GSM/GPRS module consists of a GSM/GPRS
modem assembled together with power supply circuit and communication interfaces (like
RS-232, USB, etc) for computer. The MODEM is the soul of such modules. GSM/GPRS
MODEM is a class of wireless MODEM devices that are designed for communication of
a computer with the GSM and GPRS network. It requires a SIM (Subscriber Identity
Module) card just like mobile phones to activate communication with the network. Also
they have IMEI (International Mobile Equipment Identity) number similar to mobile
phones for their identification. A GSM/GPRS MODEM can perform the following

1) Receive, send or delete SMS messages in a SIM.

2) Read, add, search phonebook entries of the SIM.

3) Make, Receive, or reject a voice call.

The MODEM needs AT commands, for interacting with processor or controller,

which are communicated through serial communication. These commands are sent by the
controller/processor. The MODEM sends back a result after it receives a command.
Different AT commands supported by the MODEM can be sent by the
processor/controller/computer to interact with the GSM and GPRS cellular network. A
GSM/GPRS module assembles a GSM/GPRS modem with standard communication
interfaces like RS-232 (Serial Port), USB etc., so that it can be easily interfaced with a
computer or a microprocessor / microcontroller based system. The power supply circuit is
also built in the module that can be activated by using a suitable adaptor.

Figure 2.4 GSM Module

Features of GSM Module:

Improved spectrum efficiency International roaming Compatibility with

integrated services digital network (ISDN)

Support for new services.

SIM phonebook management

Fixed dialing number (FDN)

Real time clock with alarm

management High-quality speech

Uses encryption to make phone calls more
secure Short message service (SMS)

The GSM network architecture as defined in the GSM specifications can be grouped into
four main areas:

Mobile station (MS)

Base-Station Subsystem (BSS)

Network and Switching Subsystem (NSS)

Operation and Support Subsystem (OSS)

The different elements of the GSM network operate together and the user is not aware
of the different entities within the system.

A basic diagram of the overall GSM system architecture with these four major elements
is shown below:
Figure 2.5 Architecture of GSM

Mobile station

Mobile stations (MS), mobile equipment (ME) or as they are most widely known,
cell or mobile phones are the section of a GSM cellular network that the user sees and
operates. In recent years their size has fallen dramatically while the level of functionality
has greatly increased. A further advantage is that the time between charges has
significantly increased.

There are a number of elements to the cell phone, although the two main elements are the
main hardware and the SIM.

Base Station Subsystem (BSS)

The Base Station Subsystem (BSS) section of the GSM network architecture that is
fundamentally associated with communicating with the mobiles on the network. It
consists of two elements:

Base Transceiver Station (BTS): The BTS used in a GSM network comprises the
radio transmitter receivers, and their associated antennas that transmit and receive
to directly communicate with the mobiles. The BTS is the defining element for
each cell. The BTS communicates with the mobiles and the interface between the
two is known as the Um interface with its associated protocols.

Base Station Controller (BSC): The BSC forms the next stage back into the GSM
network. It controls a group of BTSs, and is often co-located with one of the
BTSs in its group. It manages the radio resources and controls items such as
handover within the group of BTSs, allocates channels and the like. It
communicates with the BTSs over what is termed the Abis interface.
Network Switching Subsystem (NSS)

The GSM system architecture contains a variety of different elements, and is

often termed the core network. It provides the main control and interfacing for the
whole mobile network. The major elements within the core network include:

Mobile Switching services Centre (MSC): The MSC acts like a normal
switching node within a PSTN or ISDN, but also provides additional
functionality to enable the requirements of a mobile user to be supported.
These include registration, authentication, call location, inter-MSC
handovers and call routing to a mobile subscriber.

Home Location Register (HLR): This database contains all the

administrative information about each subscriber along with their last
known location. In this way, the GSM network is able to route calls to the
relevant base station for the MS.

Visitor Location Register (VLR): This contains selected information

from the HLR that enables the selected services for the individual
subscriber to be provided.

Authentication Centre (AuC): The AuC is a protected database that

contains the secret key also contained in the user's SIM card.

Gateway Mobile Switching Centre (GMSC): The GMSC is thus in

charge of obtaining the MSRN (Mobile Station Roaming Number)
from the HLR based on the MSISDN (Mobile Station ISDN number,
the "directory number" of a MS) and routing the call to the correct

Operation and Support Subsystem (OSS):It is used to control and monitor the overall
GSM network and it is also used to control the traffic load of the BSS

2.4 One-Time-Password System (OTP)

A one-time password (OTP) is a password that is valid for only one login session or
transaction, on a computer system or other digital device. OTPs avoid a number of
shortcomings that are associated with traditional (static) password-based authentication; a
number of implementations also incorporate two factor authentication by ensuring that
the one-time password requires access to something a person has (such as a small keyring
fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as
well as something a person knows (such as a PIN).

The most important advantage that is addressed by OTPs is that, in contrast to static
passwords, they are not vulnerable to replay attacks. This means that a potential intruder
who manages to record an OTP that was already used to log in to a service or to conduct
a transaction will not be able to abuse it, since it will no longer be valid. A second major
advantage is that a user, who uses the same (or similar) password for multiple systems, is
not made vulnerable on all of them, if the password for one of these is gained by an
attacker. A number of OTP systems also aim to ensure that a session cannot easily be
intercepted or impersonated without knowledge of unpredictable data created during the
previous session, thus reducing the attack surface further.

OTPs have been discussed as a possible replacement for, as well as enhancer to,
traditional passwords. On the downside, OTPs are difficult for human beings to
memorize. Therefore, they require additional technology to work.

Methods of Generating OTPs

OTP generation algorithms typically make use of pseudorandomness or randomness,

making prediction of successor OTPs by an attacker difficult, and also hash functions,
which can be used to derive a value but are hard to reverse and therefore difficult for an
attacker to obtain the data that was used for the hash. This is necessary because otherwise
it would be easy to predict future OTPs by observing previous ones. Concrete OTP
algorithms vary greatly in their details. Various approaches for the generation of OTPs
are listed below:

Based on time-synchronization between the authentication server and the client

providing the password (OTPs are valid only for a short period of time)

Using a mathematical algorithm to generate a new password based on the previous

password (OTPs are effectively a chain and must be used in a predefined order).
Using a mathematical algorithm where the new password is based on a challenge
(e.g., a random number chosen by the authentication server or transaction details)
and/or a counter.

There are also different ways to make the user aware of the next OTP to use. Some
systems use special electronic security tokens that the user carries and that generate
OTPs and show them using a small display. Other systems consist of software that runs
on the user's mobile phone. Yet other systems generate OTPs on the server-side and send
them to the user using an out-of-band channel such as SMS messaging. Finally, in some
systems, OTPs are printed on paper that the user is required to carry.


A time-synchronized OTP is usually related to a piece of hardware called a

security token (e.g., each user is given a personal token that generates a one-time
password). It might look like a small calculator or a keychain charm, with an LCD that
shows a number that changes occasionally. Inside the token is an accurate clock that has
been synchronized with the clock on the proprietary authentication server. On these OTP
systems, time is an important part of the password algorithm, since the generation of new
passwords is based on the current time rather than, or in addition to, the previous
password or a secret key. This token may be a proprietary device, or a mobile phone or
similar mobile device which runs software that is proprietary, freeware, or open-
source. An example of time-synchronized OTP standard is Time-based One-time
Password Algorithm (TOTP).

All of the methods of delivering the OTP below may use time-synchronization instead of

Mathematical algorithms

Each new OTP may be created from the past OTPs used. An example of this type of
algorithm, credited to Leslie Lamport, uses a one-way function (call it f). This one-time
password system works as follows:

1. A seed (starting value) s is chosen.

2. A hash function f(s) is applied repeatedly (for example, 1000 times) to the
seed, giving a value of: f(f(f( .... f(s) ....))). This value, which we will call f 1000(s)
is stored
on the target system.

3. The user's first login uses a password p derived by applying f 999 times to the
seed, that is, f999(s). The target system can authenticate that this is the correct
password, because f(p) is f1000(s), which is the value stored. The value stored is
then replaced by p and the user is allowed to log in.

4. The next login, must be accompanied by f998(s). Again, this can be

validated because hashing it gives f999(s) which is p, the value stored after the
previous login. Again, the new value replaces p and the user is authenticated.

5. This can be repeated another 997 times, each time the password will be f
applied one fewer times, and is validated by checking that when hashed, it gives
the value stored during the previous login. Hash functions are designed to be
extremely hard to reverse, therefore an attacker would need to know the initial
seed s to calculate the possible passwords, while the computer system can
confirm the password on any given occasion is valid by checking that, when
hashed, it gives the value previously used for login. If an indefinite series of
passwords is wanted, a new seed value can be chosen after the set for s is

To get the next password in the series from the previous passwords, one needs to find
a way of calculating the inverse function f1. Since f was chosen to be one-way, this is
extremely difficult to do. If f is a cryptographic hash function, which is generally the
case, it is (so far as is known) a computationally infeasible task. An intruder who happens
to see a one-time password may have access for one time period or login, but it becomes
useless once that period expires. The S/KEY one-time password system and its
derivativeOTP are based on Lamport's scheme.
In some mathematical algorithm schemes, it is possible for the user to provide the
server with a static key for use as an encryption key, by only sending a one-time

The use of challenge-response one-time passwords requires a user to provide a

response to a challenge. For example, this can be done by inputting the value that the
token has generated into the token itself. To avoid duplicates, an additional counter is

involved, so if one happens to get the same challenge twice, this still results in different
one-time passwords. However, the computation does not usually involve the previous
one-time password; that is, usually this or another algorithm is used, rather than using
both algorithms.

The methods of delivering the OTP which are token-based may use either of these types
of algorithm instead of time-synchronization.

Methods of delivering OTP

Text messaging

A common technology used for the delivery of OTPs is text messaging. Because
text messaging is a ubiquitous communication channel, being directly available in nearly
all mobile handsets and, through text-to-speech conversion, to any mobile or landline
telephone, text messaging has a great potential to reach all consumers with a low total
cost to implement. However, the cost of text messaging for each OTP may not be
acceptable to some users. OTP over text messaging may be encrypted using an A5/x
standard, which several hacking groups report can be successfully decrypted within
minutes or seconds,[2][3][4][5] or the OTP over SMS might not be encrypted by one's service-
provider at all. In addition to threats from hackers, the mobile phone operator becomes
part of the trust chain. In the case of roaming, more than a single mobile phone operator
has to be trusted. Anyone using this information may mount a man-in-the-middle attack.

In 2011, Google has started offering OTP to mobile and landline phones for all
Google accounts. The user can receive the OTP either as a text message or via an
automated call using text-to-speech conversion. In case none of the user's registered
phones is accessible, the user can even use one of a set of (up to 10) previously generated
one-time backup codes as a secondary authorization factor in place of the dynamically
generated OTP, after signing in with their account password.

Mobile phones

A mobile phone keeps costs low because a large customer-base already owns a
mobile phone for purposes other than generating OTPs. The computing power and
storage required for OTPs is usually insignificant compared to that which modern
camera-phones and smartphones typically use. Mobile phones additionally support any
number of tokens within one installation of the application, allowing a user the ability to
authenticate to multiple resources from one device. This solution also provides model-
specific applications to the user's mobile.

A user wishing to access a protected resource, such as a VPN or internet banking

site, uses the Mobile Token App to generate a One-Time Password. The application can
be PIN protected. It is licensed per user, and licenses can be used across multiple personal
mobile devices. The Mobile Token App is available for all leading mobile devices.

Proprietary tokens

EMV is starting to use a challenge-response algorithm (called "Chip

Authentication Program") for credit cards in Europe. On the other hand, in access
control for computer networks, RSA Security's SecurID is one example of a time-
synchronization type of token or HID Global. Like all tokens, these may be lost,
damaged, or stolen; additionally there is an inconvenience as batteries die, especially for
tokens without a recharging facility or a non-replaceable battery. A variant of the
proprietary token was proposed by RSA in 2006 and was described as "ubiquitous
authentication", in which RSA would partner with manufacturers to add physical
SecurID chips to devices such as mobile phones.

Recently, it has become possible to take the electronic components associated

with regular keyfob OTP tokens and embed them in a credit card form factor. However,
the thinness of the cards, at 0.79mm to 0.84mm thick, prevents standard components or
batteries from being used. Special polymer-based batteries must be used which have a
much lower battery life than coin (button) cells. Semiconductor components must not
only be very flat but must minimise power used in standby and when operating.

Yubico offers a small USB token with an embedded chip that creates an OTP
when a key is pressed and simulates a keyboard to facilitate easily entering a long
password. [7] Since it is a USB device it avoids the inconvenience of battery replacement.

A new version of this technology has been developed that embeds a keypad into a
payment card of standard size and thickness. The card has an embedded keypad, display,
microprocessor and proximity chip.

Web-based methods

Authentication-as-a-service providers offer various web-based methods for

delivering one-time passwords without the need for tokens. One such method relies on
the users ability to recognize pre-chosen categories from a randomly generated grid of
pictures. When first registering on a website, the user chooses several secret categories of
things; such as dogs, cars, boats and flowers. Each time the user logs into the website
they are presented with a randomly generated grid of picalphanumeric character overlaid
on it. The user looks for the pictures that fit their pre-chosen categories and enters the
associated alphanumeric characters to form a one-time access code. [8][9]


In some countries' online banking, the bank sends to the user a numbered list of OTPs
that are printed on paper. Other banks send plastic cards with actual OTPs obscured by a
layer that the user has to scratch off to reveal a numbered OTP. For every online
transaction, the user is required to enter a specific OTP from that list. Some systems ask
for the numbered OTPs sequentially, others pseudorandomly chose an OTP to be entered.
In Germany and many other countries like Austria and Brazil, those OTPs are
typically called TANs (for 'transaction authentication numbers'). Some banks even
dispatch such TANs to the user's mobile phone via SMS, in which case they are called
mTANs (for 'mobile TANs').

2.5 Database system

A database management system (DBMS) is system software for creating and

managing databases. The DBMS provides users and programmers with a systematic way
to create, retrieve, update and manage data.

A DBMS makes it possible for end users to create, read, update and delete data in a
database. The DBMS essentially serves as an interface between the database and end
users or application programs, ensuring that data is consistently organized and remains
easily accessible.

Existing DBMSs provide various functions that allow management of a database and
its data which can be classified into four main functional groups:

Data definition Creation, modification and removal of definitions that define

the organization of the data.

Update Insertion, modification, and deletion of the actual data.

Retrieval Providing information in a form directly usable or for further

processing by other applications. The retrieved data may be made available in
a form basically the same as it is stored in the database or in a new form
obtained by altering or combining existing data from the database.

Administration Registering and monitoring users, enforcing data security,

monitoring performance, maintaining data integrity, dealing with concurrency
control, and recovering information that has been corrupted by some event
such as an unexpected system failure.


The fingerprint of the client is scanned using the fingerprint scanner module.
From the image of the fingerprint a template is generated and stored in the memory of the
fingerprint module using a unique ID for each fingerprint for future references.

The step after enrollment is to verify that a person is who he or she claims to be
(i.e., the person who enrolled). A data base of the user accounts their details (balance, last
transactions, deposit/ withdrawn amount with dates) are maintained in the pc. The users
are registered through a fingerprint module. After scanning and verification of the
Figure3.1 Schematic Diagram

fingerprint a randomly generated password is sent using GSM module to the

users mobile to add a second layer of security. On entering the correct password using a
keypad, the user is authenticated and his bank account details are displayed.

3.1 Present Design with Schematic Diagram

The hardware consists of:

1) Finger print module

2) A host PC

3) Bread Board for intermediate connections

The Fingerprint module has an internal memory which will store all the images
taken it. On Power-On-Reset, the Arduino communicates with the module and initializes
it. Once the module is ready, it will prompt the user to enter the location where the image
is to be stored. The location also acts as the id for the user in our current prototype.

Once the system is scanned properly the module will store the image in the required
location. To validate whether the finger-print was stored in the specified location ID
properly, the Arduino repeats the above process. Once the validation is successfully done,
the serial monitor will display a success message and the system will be ready for the
next enrolment.
3.2 Connection Diagram

Figure 3.2 R305 Arduino Connection Diagram

The pins 2 and 3 of the Arduino Uno have been configured as the serial port pins
using Software Serial. Pin 2 is the RX port and Pin 3 is the TX port. The RX port of the
R305 fingerprint scanner module is connected to the TX port (Pin 3) of the Arduino and
TX port is connected to the RX port (Pin 2) of the Arduino in order to achieve serial
communication for transmission of data between the Arduino and the R305 fingerprint
module. The supply port of R305 is connected to the 5 V power supply of the Arduino
and the ground port is connected to the ground of the Arduino.

Figure 3.3 Arduino GSM Connection Diagram
The pins 10 and 11 of the Arduino Uno have been configured as the serial port
pins using Software Serial. Pin 10 is the RX port and Pin 11 is the TX port. The RX port
of the R305 fingerprint scanner module is connected to the TX port (Pin 11) of the
Arduino and TX port is connected to the RX port (Pin 10) of the Arduino in order to
achieve serial communication for transmission of data between the Arduino and the R305
fingerprint module. The supply port of R305 is connected to the 5 V power supply of the
Arduino and the ground port is connected to the ground of the Arduino.

3.3 Working

The first step is detection of the SIM card placed in the GSM Module. Once the
validity of the SIM card and its registration is confirmed, the GSM Module is initialized.
It is now ready to send or receive messages through the use of appropriate AT commands.
Interfacing between the GSM Module and the Arduino takes place through the Software
Serial ports 10 and 11. Once the modem has been initialized, communication with ports
10 and 11 is stopped and the Software Serial ports 2 and 3 are activated in order to
interface with R305 Fingerprint Module. The user is prompted to enter his choice-
whether he wants to perform enrollment or search. In order to enroll a fingerprint into the
library the user is asked to enter e as his input and for searching the library for a
particular fingerprint the user has to enter s as his input.
Figure 4.1 Results Obtained

The enrollment process requires the user to enter the location where he wants to
store the fingerprint. After entering the desired location the user is instructed to place his
finger on the scanner. The relevant information about the fingerprint is temporarily stored
in Character Buffer 1. The user has to place his finger a second time and the data is stored
in Character Buffer 2. If the fingerprint module does not find a match it displays a
mismatch error message and repeats the enrollment process. In case of a successful
match, the information in both the Character Buffers is combined to create a template and
it is stored in the desired location. The user is then asked to enter his personal details and
information regarding his bank account and all the information is stored in a database.
Figure 4.2 Results Obtained

For searching the user places his finger on the scanner and the module performs a
1:N search on all the fingerprints stored in the fingerprint library. If no match is found the
system displays the message No Match Found. If a successful match is found at a

particular location, the system displays the success message along with the ID of the
location where the matching fingerprint has been found. Once the searching operation
finds a match, serial communication with the fingerprint is ceased and the Arduino now
resumes communication with the GSM Module. The GSM Module sends a randomly
generated OTP to the mobile phone number which was entered at the time of enrollment
of the fingerprint. The user is prompted to enter the OTP. If the OTP entered is incorrect
the error
Figure 4.3 Results obtained

message is displayed and the user is once again asked to enter his choice for enrollment
or searching. On entering the correct OTP the second stage of authentication is
successfully verified and the account details of the user are displayed and the user is
given the choice to perform any transactions.



Fingerprint scanning technology is the most favoured biometric security

alternative to passwords in banking solutions. Many banks in USA and UK have
integrated fingerprint scanners in their digital banking systems. Due to rapid increasing
popularity of online and digital banking among clients, banks around the world are
looking at fingerprint and other forms of biometric authentication to offer higher levels of
security for their clients information.

Fingerprint recognition systems are primarily used in forensic applications for

investigating criminals but this technology has now become a viable alternative to
traditional identification systems in many government and commercial application

4.1 Relevance in Todays World

When customer visit branches they can be authenticated at the counter through
finger print scanners that match the customers existing biometric template within the
bank database, and after successful authentication, the customer will be allowed to move
forward with their banking transactions. The same concept can be used for mobile
banking authentication.

Business and governmental organizations across the board have used Biometric
Fingerprinting technology to improve productivity and reducing absenteeism. The
Rajasthan government has resorted to fingerprint attendance to improve the quality of
education in schools, located deep in rural Rajasthan. The new initiative seems to be

working as the cases of absenteeism are on the decline, increasing the quality of the
education being imparted.

Hotels in New York have resorted to biometric technology to reduce crime. This new
system requires the employees to log into the biometric system, while checking in and
logging out of the system at the end of their shift. According to hotel management, this
became necessary after the visitors complained about increasing instances of theft in the
hotel premises. The management has declared the new method a success as it has reduced
instances of theft and crime in and around the hotel premises.

4.2 Advantages

Fingerprint based security system is most secured system as compared to other

systems, the reason being that RFID card or keys of lock can be stolen, password may be
leaked. However thumbnail of every human being is unique, so the lock will not open
unless the same person is present to give the impression of fingerprint. There is no need
to carry the keys to open the lock or even remember the password or any pin number.
One of the main advantages is that this system remembers the stored password even if the
power supply is turned off.


As fraud in our society grows, as the pressure to deliver inexpensive

authentication services mounts, and as geographically mobile individuals increasingly
need to establish their identity as strangers in remote communities, the problem of
reliable personal identification becomes more and more difficult. To catapult fingerprint
biometric technology into the mainstream identification market, it is important to
encourage its evaluation in realistic contexts, to facilitate its integration into end-to-end
solutions, and to foster innovation of inexpensive and user-friendly implementations. To
foster improvements and encourage widespread deployment, biometric fingerprint
technology needs to be made easily accessible for system integration and implementation.
Harnessing and integrating biometric technology is not easy in its present form; one of
the reasons is the lack of industry-wide standards.


[1] Anil K Jain , An introduction to Biometric Recognition , IEEE

transactions circuits and systems for video technology, vol. 14, no. 1, january

[2] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook of

Finger print Recognition , New York: Springer-Verlag , 2003.

[3] L. OGorman, Seven issues with human authentication


in Proc.Workshop Automatic Identification Advanced Technologies (AutoID),

Tarrytown, NY, Mar. 2002, pp. 185186.

[4] www.instructables.com (as on may 2016)

[5] www.github.com ( as on may 2016)

[6] www.arduinoforum.com ( as on may 2016)

[7] www.adafruit.com ( as on may 2016)



Setup and Loop

1) The setup function: This function is used to initiate serial communication

between the Arduino and the R305. The baud rate is set at 9600 for data
transmission between the Arduino and the fingerprint module. The data rate for
the sensor serial port is set at 57600.

void setup() {
while (!


Serial.println("Adafruit Fingerprint sensor enrollment");


2) The loop function: The loop function runs indefinitely as long as the
Arduino is connected to the power supply. It displays instructions for the user to
enroll his or her fingerprint in the fingerprint module and asks for an ID as input
for saving the current fingerprint image.

void loop() // run over and over again

Serial.println("Ready to enroll a fingerprint! Please Type in the ID # you want

to save this finger as...");

id = readnumber();
Serial.print("Enrolling ID
#"); Serial.println(id);

while (! getFingerprintEnroll() );

Stages Involved in Enrollment Phase:

1) Obtaining the fingerprint image:

uint8_t A_Fingerprint::getImage(void) {

uint8_t packet[] = {FINGERPRINT_GETIMAGE};

writePacket(theAddress, FINGERPRINT_COMMANDPACKET, 3, packet);
uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))

return -1;

return packet[1];

2) Creating a template from the image:

uint8_t A_Fingerprint::createModel(void) {

uint8_t packet[] = {FINGERPRINT_REGMODEL};

writePacket(theAddress, FINGERPRINT_COMMANDPACKET, sizeof(packet)+2,


uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))

return -1;

return packet[1];

3) Storing the template in flash memory:

uint8_t A_FingerprinT::storeModel(uint16_t id) {

uint8_t packet[] = {FINGERPRINT_STORE, 0x01, id >> 8, id & 0xFF};

writePacket(theAddress, FINGERPRINT_COMMANDPACKET, sizeof(packet)+2,


uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))

return -1;

return packet[1];}

4) Reading a fingerprint template from flash to CharBuffer 1

uint8_t A_Fingerprint::loadModel(uint16_t id) {

uint8_t packet[] = {FINGERPRINT_LOAD, 0x01, id >> 8, id &

0xFF}; writePacket(theAddress, FINGERPRINT_COMMANDPACKET,

sizeof(packet)+2, packet);
uint8_t len =

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))

return -1;

return packet[1];

5) Transferring the template from CharBuffer 1 to the host computer

uint8_t A_Fingerprint::getModel(void) {

uint8_t packet[] = {FINGERPRINT_UPLOAD, 0x01};


sizeof(packet)+2, packet);
uint8_t len =

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))

return -1;

return packet[1];}