By embedding a fingerprint reader into an access control card, Zwipe claims it can increase security without requiring facilities to new / expensive fingerprint readers.
Zwipe is a contactless credential [link no longer available] that combines a standard 125 kHz or 13.56 MHz formats with an onboard fingerprint reader. In order to read the contactless credential information, a user must scan a valid finger to turn it on. Essentially the credential becomes multi-factor, rather than the reader, and can improve security without requiring reader or panel replacement.
We profiled Zwipe in an earlier note, fresh off a $3.5M VC raise, when the company was finalizing design and production details. In this note the final production product is reviewed.
In the clip below, we demo Zwipe and compare it to traditional CR80-size credential cards:
Overall performance is mixed, with some users/fingers requiring multiple reads before a valid print is read, activating the card. Physically, Zwipe is the same overall size as a normal card, but is significantly thicker and rigid.
After a valid read is made however, performance is similar to other contactless credentials. Zwipe supports leading card formats like iClass, HID Prox, MiFARE, and DESFire [link no longer available], and operates with existing readers with no changes needed.
One Finger Only: Unlike many standalone print readers, Zwipe cards support only one fingerprint to activate. Each finger is enrolled ten times, with slight variations on position recommended to increase read success.
LED Feedback: The card has two LEDs that give the user feedback on the success/failure of a print read or when being enrolled for use.
Battery Powered: Zwipe uses a CR-2032 size coin cell battery that is commonly available on the street. Zwipe claims a fresh battery is good for 4,000 fingerprint reads, which for a card used six times per day is about 1.5 years.
Water Resistent, not Water-Proof: Unlike a typical fob or card that is bonded together, Zwipe is similar to a clamshell composed of glued halves. The card itself is prone to damage if submerged in water or can be broken if bent. Zwipe recommends cards be 'treated like cellphones', in contrast to the normal exposed and rugged environments cards are normally used/stored in.
A single Zwipe card has a suggested resell price of $49.95. Distribution is through local dealers, with reseller and volume discounts available.
While the biggest strength of Zwipe is adding multi-factor authentication on the card, it faces several significant problems:
Inconsistent Reads: The biggest problem with Zwipe is for some, getting consistent reads will be difficult. Unlike a traditional badge that reads the first time, a user may not be able to quickly credental into a door with Zwipe. While alternativng finger position during enrollment may improve performance, users may still have troubles getting the card to 'read right the first time'. In our test lot of three cards, we enrolled five different adult users and various fingers for each subject, and while some had an easier time registering valid reads than others, none read consistently the first time, everytime.
At ~$50 per card, issuing Zwipe to a population of users can quickly become more expensive than simply outfitting the door with a standard fingerprint reader. Many fingerprint readers are available in the sub $500 range
and after figuring cost of install, Zwipe's financial case is weak for more than 15 - 20 users.
Vague Low-Battery Warning: Zwipe does have a low battery warning programmed via blinking LEDs, but it is easy to miss. Unless users are focused on the pattern of LED blinks after a valid read, the result is likely missing the signal and the onboard battery dying unexpectedly.
No Backup: Unlike traditional contactless cards/fobs, dead batteries are a weakness of Zwipe. Once the battery dies, there is no manual method to send credential details. This means that most Zwipe users will need to carry mechanical keys, backup cards, or PIN numbers for keypads readers in order to have secondary options for access.
Based on these factors, Zwipe's applications are limited. Rather than issuing cards to entire populations of users, only the select few with 'all-access' cards or with access to sensitive areas recieve Zwipe cards.
The added verification needed to use those cards of access those specific areas could improve overall facility security inexpensively compared to changing over to door-mounted fingerprint readers used by a low number of users.