Now with added fingerprints (Image: Bernhard Claßen/imageBROKER/Superstock)

HAS your bank recently sent you a credit or debit card with a chip in it? If so, you may now be in possession of a little piece of tech that is quietly helping to secure the ever-expanding realm of internet-connected devices – which, yes, includes your card.

At least one US bank has started supplying its customers with cards that contain what is known as a physically unclonable function – or, more snappily, a PUF. Every silicon-based chip gets this unique fingerprint from the way it is manufactured, and it is almost impossible to replicate.

“It’s a biometric in a way,” says Boris Kennes at Intrinsic-ID in Eindhoven, the Netherlands. “Each chip is born with unique characteristics that are completely uncontrollable and different, just like a fingerprint.”


Many people are concerned that the proliferation of improperly secured internet-connected devices is creating easy targets for hackers. If we want to live in a world where our fridge can order food for us online, or where our bath starts running when our phone tells it we are 10 minutes from home, then PUFs could be a way to protect ourselves.

There are lots of systems out there for storing encryption keys securely, says Steve Owen at NXP Semiconductors, which is using PUFs supplied by Intrinsic-ID to make secure chips in credit cards. NXP’s chips have 112 different security features, he says.

The best security systems at present – such as Apple’s “secure enclave”, which recently prevented the FBI from accessing an iPhone – are expensive and complicated works of engineering. With billions of devices being connected to the internet – many of which are throwaway – a low-cost alternative is needed. “You can’t afford to put a big computational engine into everything,” says Owen.

PUFs could provide an answer. The alignment of silicon crystals in a chip is fixed when it is produced. Upon applying a current, bits flip to a 1 or 0 state on the basis of this arrangement – producing a pattern that amounts to a signature for the chip.

But just as a human fingerprint is only a useful method for identifying someone once you know how to read it, the trick with PUFs has been to harness these production patterns for the purposes of encryption. A signature can be read simply by passing electricity through the chip – and then used to sign a message destined for just one place. But only recently has this technique become accurate and efficient enough to be built into cheap off-the-shelf devices.

What’s more, because a chip’s fingerprint is only produced when current is flowing, the system is even more secure than most existing approaches – at least in theory. Securing a device such as a smartphone is usually done using a system based on digital keys stored on a hard drive. But there is a small – yet real – risk of the key being copied, even when the device is turned off. With PUFs, the fingerprint disappears without the current. “When you turn off the power, there is nothing left,” says Kennes.
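To make the idea concrete, here is a small simulation, added as an illustration and not taken from Intrinsic-ID, NXP or the article: a key is rebuilt from a slightly noisy power-up pattern each time the chip is switched on, and only "helper data" that is useless without the chip is ever stored. The noise rate, the cell count and the repetition-code error correction (a simple code-offset scheme) are assumptions chosen for the demonstration; the article does not describe how the commercial products correct read-out errors.

```python
import hashlib
import random

REP = 15              # each secret bit is spread over 15 cells (repetition code)
KEY_BITS = 128
CELLS = REP * KEY_BITS
NOISE = 0.01          # assumed chance that a cell powers up to its non-preferred value

def make_chip(seed):
    """Constructed stand-in for manufacturing variation: each cell's preferred bit."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(CELLS)]

def power_up(chip, rng):
    """One read-out after power is applied; a few cells flip at random."""
    return [bit ^ (rng.random() < NOISE) for bit in chip]

def to_key(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(reading, rng):
    """Done once: choose a secret, keep only helper data = codeword XOR reading."""
    secret = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    codeword = [s for s in secret for _ in range(REP)]
    helper = [c ^ r for c, r in zip(codeword, reading)]
    return helper, to_key(secret)

def reconstruct(reading, helper):
    """Every power-up: XOR helper with a fresh reading, majority-vote each block."""
    noisy = [h ^ r for h, r in zip(helper, reading)]
    secret = [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, CELLS, REP)]
    return to_key(secret)

def demo():
    rng = random.Random(2016)                  # fixed seed so the run is repeatable
    card, other = make_chip(1), make_chip(2)   # two simulated chips (constructed data)
    helper, key = enroll(power_up(card, rng), rng)
    r1, r2 = power_up(card, rng), power_up(card, rng)
    return {
        "readings_differ": r1 != r2,           # raw fingerprints are never identical
        "same_chip": reconstruct(r1, helper) == key == reconstruct(r2, helper),
        "other_chip": reconstruct(power_up(other, rng), helper) == key,
    }

if __name__ == "__main__":
    print(demo())
```

In this simulation the key exists only as the return value of `reconstruct`; what persists between power-ups is the helper data, which yields a different key on any other chip.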

“Like humans, every silicon chip has a fingerprint that can be used to uniquely identify it”

However, before becoming widespread, PUFs must be vetted by the security community. In a 2012 paper, researchers from Technische Universität Darmstadt in Germany evaluated different kinds of PUF. They found that three types have features that could make them vulnerable to attacks that involve raising a chip’s temperature – but not the kind being rolled out in credit cards.

Owen says he sees the tech not as a replacement for existing systems, but as an additional layer that may allow us to secure more devices more cheaply.

This article appeared in print under the headline “Chip design quirks make our lives more secure”