KOSTER, Robert Paul (AE Eindhoven, NL-5656, NL)
BRUEKERS, Alphons Antonius Maria Lambertus (AE Eindhoven, NL-5656, NL)
BREEBAART, Dirk Jeroen (AE Eindhoven, NL-5656, NL)
1. A method of enrolling an individual in a biometric system, the method comprising the steps of:
- acquiring, in a first biometric system (101), a first biometric template (121) from an individual (199);
- acquiring, in a second biometric system (102), a second biometric template;
- verifying a correspondence (131) of the first biometric template and the second biometric template;
- verifying (132), in the first biometric system, an identity (111) of the individual; and
- associating (141) said identity to the second biometric template in the second biometric system, wherein the individual is enrolled in said second system.
2. A method according to claim 1, further comprising the step of acquiring, in the first biometric system, an identity (212) claimed to correspond to the first biometric template, wherein the step of verifying an identity of the individual includes authenticating said claimed identity using the first biometric template.
3. A method according to claim 1 or 2, wherein the step of verifying an identity of the individual is based on matching the first biometric template to a third biometric template, which has been previously stored in the first biometric system.
4. A method according to any one of the preceding claims, wherein the correspondence relates to spatial and/or temporal proximity of respective acquisitions of the first biometric template and the second biometric template.
5. A method according to any one of the preceding claims, wherein the correspondence is deduced from a chain of correspondences, each being associated with a certainty weight.
6. A method according to any one of the preceding claims, wherein the second biometric template is acquired over a time interval which is within a predetermined lapse of time from the acquisition of the first biometric template.
7. A method according to any one of the preceding claims, further comprising:
- identifying a new biometric template by submitting a query for the new biometric template to the second biometric system and obtaining the associated identity; or
- authenticating a claimed identity by submitting a query for the claimed identity to the second biometric system, obtaining the first biometric template from the second biometric system and ascertaining a match between this and a new biometric template associated with the claimed identity.
8. A self-configuring biometric system comprising:
- means for acquiring a first biometric template from an individual;
- means for receiving, from another biometric system, a communication indicating that this system has acquired a second biometric template;
- means for verifying a correspondence between the first biometric template and the second biometric template;
- means for obtaining, from said other biometric system, a verified identity of the individual; and
- means for associating said verified identity to said first biometric template, wherein the individual is enrolled in the biometric system.
9. A self-configuring biometric system according to claim 8, further comprising means for receiving, from the other biometric system, a communication indicating that this system has acquired an identity claimed to correspond to the first biometric template,
wherein the obtained verified identity of the individual has been authenticated using the first biometric template.
10. A self-configuring biometric system according to claim 8 or 9, further comprising means for communicating with at least one other self-configuring biometric system, the communications including at least one of:
- a query for an identity or a biometric template;
- a triplet of a queried identity, a matching biometric template and a certainty weight;
- a triplet of a queried biometric template, a matching biometric template and a certainty weight;
- a time-stamped biometric template reading;
- a location-stamped biometric template reading; and
- a biometric template reading and macro data characterizing the reading,
the system further comprising means for performing automatic enrolment by associating and storing an identity and a biometric template.
11. A self-configuring biometric system according to claim 10, wherein the macro data include the number of visible persons at the time the reading was made.
12. A self-configuring biometric system according to claim 10 or 11, the system further comprising means for associating another biometric enabled system with a certainty weight determined on the basis of at least one communication sent to or from this other biometric enabled system.
13. A computer program product comprising executable components for causing a device having computing capabilities to perform the steps recited in any one of the claims 1-7 when the components are executed on said device having computing capabilities.
FIELD OF THE INVENTION
The invention disclosed herein generally relates to authentication based on biometric information. More particularly, it relates to improved management of user information in biometric systems.
BACKGROUND OF THE INVENTION
The process of authenticating a physical object is undertaken in many applications, such as conditional access to secure buildings or conditional access to digital data (e.g., stored in a computer or removable storage media), or for identification purposes (e.g., for authenticating an identified individual's participation in a particular activity, or for boarding passengers at an airport).
The use of biometrics for identification and/or authentication is considered to be a better option than traditional identification means such as passwords, PIN codes and authentication tokens. In biometric identification, features that are unique to a user, such as fingerprints, irises, shape of ears, facial appearance, etc., are used to provide identification of the user. During enrolment - i.e., the initial process when an enrolment authority acquires the biometric template of a user - the user offers her biometric to an enrolment device of the enrolment authority which generates and stores the template, possibly encrypted, in the system. During verification, the user again offers her biometric to the system, whereby the stored template is retrieved (and decrypted if required) and matching of the stored and a newly generated template is effectuated. If there is a good enough match, the user is considered authenticated.
In a practical situation, the enrolment authority may coincide with the verifier, but they may also be distributed. As an example, if the biometric system is used for banking applications, then typically, all larger branches of the bank will be allowed to enroll new individuals into the system, such that a distributed enrolment authority is created. If, after enrolment, the individual wishes to withdraw money from a bank office while using her biometric data as authentication, this office will assume the role of verifier. On the other hand, if the user makes a payment in a convenience store using her biometric data as authentication, the store will assume the role of the verifier, but it is unlikely that the store ever will act as enrolment authority.
The major driver behind biometric verification algorithms has been the supposedly enhanced security. In this context, biometrics are assumed to be secret and difficult to spoof. However, more recent insights have thrown doubts on these statements. There is more and more consensus that biometric characteristics cannot be regarded as secrets. There is an increasing interest to use biometrics for convenience-driven rather than security-driven applications. Examples of such convenience-driven applications are personalized user interfaces, recommenders, atmospheres and the like.
The shift in focus from security towards convenience has important consequences for biometric systems. Firstly, the number of enrolled subjects is generally smaller. Biometric verification systems for security are often designed to operate on databases with thousands or millions of enrolled subjects. Convenience-driven applications, on the other hand, often operate on small databases with typically tens of users (for example in a home setting). Secondly, the convenience character dictates that registration procedures should be minimized. A system should preferably operate without burdening its users with an imperative initial enrolment procedure. Thirdly, the convenience character also suggests that users can be identified without any behavioral requirements such as placing a finger on a sensor, or posing in front of a camera. The system should operate in the background without influencing the subjects.
Available biometric systems are not fully in line with the requirements emerging in connection with convenience-driven applications. Besides, the popularity of biometric systems in any context would benefit from simpler enrolment procedures and a decreased false rejection rate.
SUMMARY OF THE INVENTION
It is an object of the present invention to overcome this problem, and to provide a biometric system allowing a facilitated enrolment of new users. It is a further object to provide a biometric system interacting with similar systems in its vicinity, irrespective of their modalities, and making use of information provided from these. Another object of the invention is to limit the number of false rejections without lessening the reliability of the system.
According to a first aspect of the invention, at least some of these objects are achieved by a method of enrolling an individual in a biometric system. The method comprises the following steps, to be performed in any order:
- acquiring, in a first biometric system, a first biometric template from an individual;
- acquiring, in a second biometric system, a second biometric template;
- verifying a correspondence of the first biometric template and the second biometric template;
- verifying, in the first biometric system, an identity of the individual; and
- associating said identity to the second biometric template in the second biometric system, wherein the individual is enrolled in said second system.
The first biometric system may be one adapted to identify an individual using biometric information.
According to a second aspect of the invention, a self-configuring biometric system is adapted to play the role of the second biometric system referred to in the above method.
As used herein, enrolment is the process of associating a biometric template and an identity; a biometric system is delimited by the domain of validity of an enrolment; a correspondence between two biometric templates refers to both originating from the same physical person. A correspondence may be more or less certain, ranging from a conjecture to a fact established with the highest possible certainty. Correspondence can be assessed automatically while enrolment includes ascertaining the association, e.g., by checking an individual's identification document and/or by supervising the recording of the individual's biometric template.
It is noted that when verification of an individual's identity is performed in the present invention, this verification may imply either that authentication of an individual is performed or that identification of an individual is performed. In authentication (identity verification), the individual claims to have a certain identity and offered biometric data is compared with stored biometric data (associated with the claimed identity) in order to verify correspondence between the offered and stored data. In identification, the offered biometric data is compared with a plurality of stored available biometric data sets, in order to verify correspondence between the offered and stored data. In any case, the offered data is compared to one or more stored data sets. Thus, it is clear that the term "verification" may denote either "authentication" or "identification" throughout the application, depending on the context in which the term is used. In one embodiment, the step of verifying an identity of the individual is based on matching the first biometric template to a third template, which has been previously stored in the first biometric system and is associated with the identity. The third template then is the best match out of the templates known to the first biometric system and, preferably, it is ascertained that the degree of matching is greater than a predefined threshold level. The matching may take place directly if the templates are available in clear. In systems where biometric templates are hidden, an indirect matching may be performed, e.g., by means of a trusted application adapted to retrieve two indicated biometric templates and return a positive or negative match decision.
In a particular embodiment, the above method of enrolling an individual in a biometric system further comprises the step of
acquiring, in the first biometric system, an identity claimed to correspond to the first biometric template,
wherein the step of verifying an identity of the individual includes authenticating said claimed identity using the first biometric template. In this embodiment, the first biometric system may be one adapted to authenticate an individual, i.e., to verify her claimed identity, using biometric information. In particular, the first biometric template may be matched to a third biometric template which has been previously stored and associated with the identity in the first biometric system. The third biometric template may be retrieved in response to a query for the identity; this constitutes an implicit positive match decision.
In other embodiments, or in those already referred to, the second correspondence relates to spatial proximity, temporal proximity, or both, of respective acquisitions (recordings) of the first biometric template and the second biometric template. In a preferred embodiment, the first biometric template and the second biometric template are recorded by recording means spatially arranged in such manner that the templates necessarily stem from the same individual, at least if the recordings take place nearby in time.
Advantageously, the recordings of the first biometric template and the third biometric template are simultaneous, thereby increasing the probability of a common origin.
Whether the matching decision is based on a direct or an indirect comparison, it is advantageous to account for the fluctuating character of biometric measurements by not requiring strict equality for a positive match decision. A tolerance may be set, in accordance with the actual biometric modality, the accuracy of the measuring devices etc., or "fuzzy" matching methods may be employed. In the same vein, an individual's record in the database of a biometric system may comprise more than one biometric template. Because this permits a greater number of comparisons, a low false rejection rate can be ensured without using a greater tolerance. For example, the recording of biometric information, in particular the second biometric template, may be carried out over a time interval. The time interval may be chosen in order to correspond to the presence of one person, i.e., it should not continue past an absence interval. In a system where several biometric sensors cooperate, the recording time interval of a durative sensor may be synchronized with the activity of a momentary sensor to ensure that the data originate from the same individual. The recordings should not be separated by a lapse of time exceeding a predetermined length. In particular, a recording interval of the durative sensor may last up to a time instant at which the momentary sensor records a biometric template.
Embodiments of the invention may verify the second correspondence by establishing the existence of a chain of correspondences connecting the first and second biometric template. The chain of correspondences may include data acquired by a third biometric system. Each of the links in this chain may be associated with a certainty weight. The certainty weight may indicate the strength of the correspondence. The certainty of a correspondence may be expressed as a probability that the correspondence is of the highest certainty in the context of the biometric system; thus, the product of the certainty weights in a chain is an estimate of the strength of the correspondence between the ends of the chain. The certainty weights may be fixed, each depending only on the pair of biometric systems involved in the acquisition of templates, or may vary with respect to other factors, such as the time interval or the spatial distance separating two measurements. The enrolment decision, whether to associate a biometric template to an identity and store these in a biometric system, may be governed by different criteria in different systems. For instance, a system for use in a security application may require a higher certainty for enrolling than a system aimed at a convenience application.
Certainty weights for a given pair of biometric systems may be set as a result of these systems interacting in a self-configuring manner. By observing other sensors or by recording a pattern of measurements that are conformal in terms of time proximity and macro data, a biometric system may establish that it shares a field of view with another biometric system or that it is located nearby in space. As used herein, the term macro data refers to different secondary quantities, such as the number of persons in a group or the presence of tracked features, which help characterize the context in which a biometric template is recorded. The system may also establish a temporal correspondence, such as the typical time interval between two conformal measurements; a pattern of this kind may be observed, for instance, in a one-way corridor for pedestrians.
In an advantageous embodiment of the invention, a method for identity verification (authentication) uses a preliminary enrolment procedure. The method performs identification with respect to identities of individuals having been enrolled in accordance with this preliminary procedure or enrolled in another fashion. In another advantageous embodiment, a method for identification based on biometric data matches a recorded biometric template against stored biometric templates, including those belonging to persons having been enrolled in accordance with the preliminary enrolment procedure; if a sufficiently close match is retrieved, the associated identity is returned.
The dependent claims define currently preferred embodiments. It is noted that the invention relates to all possible combinations of features recited in the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other aspects of the present invention will now be described in more detail, with reference to the appended drawings showing embodiment(s) of the invention. On the drawings,
figure 1 represents a method, in accordance with a first embodiment of the invention, of enrolling an individual in a biometric system;
figure 2 represents a method, in accordance with a second embodiment of the invention, of enrolling an individual in a biometric system;
figure 3 is a layout of a dwelling, in which several biometric systems are deployed; and
figure 4 is a representation of the interactions of the biometric systems shown in figure 3.
Figure 1 shows a method of enrolling an individual in a biometric system without requiring participation from an enrolment authority. Enrolment may take place by storing an identity 111 (I1), recorded in a first biometric system 101, and a second biometric template 122 (T2), recorded in a second biometric system 102, in the second biometric system 102. Additionally, an association 141 between the identity 111 and the second biometric template 122 is established. It is known that an individual 199 has provided a first biometric template 121 (T1) to the first biometric system 101. Further - for reasons of spatial or temporal proximity or the like - it is known that the individual 199 has provided the second biometric template 122, and this is expressed as a correspondence 131 between the first biometric template 121 and the second biometric template 122. The identity 111 is provided 132 by the first biometric system in response to a query for the first biometric template 121; more precisely, the identity 111 has been stored earlier in the first biometric system 101 in association with a third biometric template (not shown) that matches the first biometric template 121. Therefore, because it is possible to establish a chain of correspondences from the second biometric template 122 to the identity 111 (via the first biometric template 121), these are associated 141 and stored in the second biometric system 102. Thus, the individual 199 has been enrolled in the second biometric system 102.
In other words, the method described above acquires a biometric template in a first biometric system; acquires a second biometric template in a second biometric system; verifies a correspondence of the first and the second templates; verifies the identity of the individual; and enrolls the individual in the second system by associating the identity to the second biometric template in this second biometric system. Just like the embodiments to be described below, the method can be carried out by an apparatus (or several connected apparatus) having functional means for extracting biometric templates, data storage means, data processing means, biometric matching means etc. It is noted that no particular partition of the apparatus carrying out the method is envisioned, but several functional means may be embodied as one physical unit. Thus, a multifunctional component, such as a programmable general-purpose central processing unit, may be used for performing several steps of the method. For instance, such an apparatus, or system, could be arranged with microprocessors or other similar electronic equipment having computing capabilities, for example programmable logic devices such as ASICs, FPGAs, CPLDs, etc. Further, the microprocessors may execute appropriate software stored in memories, on discs or on other suitable media for accomplishing tasks of the present invention.
Figure 2 shows another method of enrolling an individual in a biometric system without assistance from an enrolment authority. An individual 299 provides a first biometric template 221 (T1) and a claimed identity 212 (I1) to a first biometric system 201. Another individual - and it will be verified later that she is in fact identical to the individual 299 - provides a second biometric template 222 (T2) to a second biometric system 202. The first biometric system 201 verifies the claimed identity 212 by retrieving a third biometric template (not shown), which has been previously stored in the first biometric system 201 and associated with the identity 212, and compares this with the first biometric template 221. In case of a positive match decision, the claimed identity 212 is verified 232 by the first biometric system 201. Like in the method shown in figure 1, a correspondence 231 between the first and second biometric templates 221, 222 is verified based on the nature of the first and second biometric systems 201, 202. Hence, the second biometric template 222 corresponds (via the first biometric template 221) to the claimed and verified identity 232, and an association 241 can be established: both the identity 212 and the second biometric template 222 originate from the individual 299. Thus, enrolment of the individual 299 in the second biometric system 202 takes place upon storing the second biometric template 222, the identity 212 and the association 241 therein.
Figure 3 shows a dwelling 300 consisting of three rooms R1, R2, R3, in which two users H1, H2 can move freely. Three doorways connect the rooms, and a fourth doorway is an entrance from outside into the third room R3. A sensor corresponding to each of four biometric systems PP1, PP2, PP3, PP4 is provided at each of the first, second, third and fourth doorways. The sensors may be adapted to record, e.g., the height of persons passing through the doorways. A television set in the first room R1 is equipped with a face sensor belonging to a fifth biometric system TV, which is additionally adapted to perform enrolment by recording an identity and storing it in association with a biometric template. The biometric systems are communicatively coupled to a network that allows them to exchange queries and other communications, and are to some extent aware of their degree of spatial proximity. For instance, the sensor of the fifth biometric system TV is likely to record biometric templates correlated with those recorded by the sensors of the first and second systems PP1, PP2, for the latter are provided at the doorways of the first room R1, in which the fifth biometric system TV is located. This potential correspondence between the recordings of the first and fifth biometric systems PP1, TV is expressed as a first internal state I1, and the potential correspondence between recordings of the second and fifth biometric systems PP2, TV is expressed as a second internal state I2.
With reference to figures 3 and 4 jointly, the cooperation of the systems will now be elucidated by an example. In figure 4, four of the biometric systems are indicated as rectangles 401, 402, 403, 404, corresponding to PP4, PP1, TV and PP2, respectively. Internal states I1, I2 are indicated by dotted lines between the relevant systems. Biometric templates X, Z, Y and K are shown as circles 421, 422, 423, 424, and the identity ID-H2 of the user H2 is also shown as a circle 411. Initially, the user H2 enters room R3 through the external door, and system PP4 extracts 431 a biometric template X. Template X is stored together with the time of recording by system PP4, which also broadcasts a query for template X. No other system has recorded template X, and so, system PP4 obtains no response.
User H2 then proceeds to room R1, wherein system PP1 extracts 432 template Z. No system responds to system PP1's broadcast query for template Z; typically, biometric templates based on body height are more useful to provide reliable negative match decisions than positive ones. However, PP4 answers PP1's subsequent query for any recent template by returning 433 template X with its time stamp.
Still in room R1, user H2 is recorded by system TV, which extracts 434 biometric template Y. TV queries the other systems for template Y, gets no answer, and then queries again for any recent templates, irrespective of their modalities. Systems PP1 and PP4 then return 435 templates Z and X, respectively, with time stamps. By virtue of the internal state I1, the closeness in time of the recordings and the absence of other persons, system TV deduces a correspondence 436 between templates Y and Z. The correspondence 436 is 'high', which is not the highest certainty. However, when the user H2 proceeds to register 437 her identity ID-H2 with system TV, an association 441 between template Y and identity ID-H2 is established with certainty 'certain', the highest degree, which is motivated by system TV's ability to record an identity and a face template simultaneously and completely reliably. Hence, identity ID-H2 and template Z are linked by a chain of two correspondences, one 'high' and one 'certain', which implies that the chain as a whole has certainty 'high'.
Further, user H2 passes from room R1 into room R2, whereby PP2 extracts 438 template K. PP2 obtains no answer to its query for template K, while its query for any recent template causes PP1, PP4 and TV to return 439 templates Z, X and Y, respectively. Since systems PP2 and TV are linked by the internal state I2 and the recordings of templates are fairly close in time, PP2 establishes a 'likely' (the lowest degree of certainty) correspondence 440 between templates K and Y. Hence, a 'likely' correspondence holds between template K and identity ID-H2. Since system PP2 is configured to accept enrolments based on 'likely' correspondences, it enrolls user H2 by associating 442 identity ID-H2 and template K and storing these.
In the course of this example, the various biometric systems may have made further queries even in the absence of detection activity. This allows each system to enroll new users (e.g., system PP1 would be able to enroll template Z in association with identity ID-H2, provided system PP1 accepts enrolments based on a 'high' correspondence) or to increase the amount of information stored for each enrolled user. As already noted, this may help decrease the false rejection rate without lowering the reliability of the system. The systems PP1, PP2, PP3, PP4 and TV may also create new internal states based on correlations established a posteriori between the template recordings. Moreover, the information gathered by the biometric systems may be used as triggers to other systems in the dwelling; e.g., a height sensor detecting the presence of a small individual may alert a child alarm if no accompanying adult is observed.
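The chain-of-correspondences rule from the summary (chain strength as the product of link weights) and the per-system enrolment threshold, applied to the figure 4 walk-through. This is an added example, not part of the patent text; the numeric weights for 'certain', 'high' and 'likely', the "ID-" naming convention, the class and function names and the system called "strict" are assumptions made for illustration.

```python
import heapq
from dataclasses import dataclass, field

# Assumed numeric stand-ins for the ordinal levels used in the walk-through.
LEVELS = {"certain": 1.0, "high": 0.9, "likely": 0.6}
EPS = 1e-9


def level_of(weight):
    """Strongest named level whose floor the chain weight still meets."""
    for name, floor in sorted(LEVELS.items(), key=lambda kv: -kv[1]):
        if weight >= floor - EPS:
            return name
    return None


def is_identity(node):
    # Naming convention assumed for this example: identities start with "ID-".
    return node.startswith("ID-")


class CorrespondenceGraph:
    """Nodes are templates or identities; edges are weighted correspondences."""

    def __init__(self):
        self.edges = {}

    def link(self, a, b, level):
        weight = LEVELS[level]
        self.edges.setdefault(a, {})[b] = weight
        self.edges.setdefault(b, {})[a] = weight

    def best_chain(self, template):
        """Return (weight, path) of the strongest chain from template to an identity.

        Chain strength is the product of its link weights. Weights lie in
        (0, 1], so extending a chain never strengthens it and a max-product
        Dijkstra search finds the best chain.
        """
        heap = [(-1.0, [template])]
        settled = set()
        while heap:
            neg_weight, path = heapq.heappop(heap)
            node = path[-1]
            if node in settled:
                continue
            settled.add(node)
            if is_identity(node):
                return -neg_weight, path  # a chain ends at the first identity
            for nxt, w in self.edges.get(node, {}).items():
                if nxt not in settled:
                    heapq.heappush(heap, (neg_weight * w, path + [nxt]))
        return 0.0, []  # no identity reachable from this template


@dataclass
class BiometricSystem:
    name: str
    min_level: str  # weakest chain certainty this system enrols on
    enrolled: dict = field(default_factory=dict)  # template -> identity

    def try_enrol(self, graph, template):
        weight, path = graph.best_chain(template)
        if not path or weight < LEVELS[self.min_level] - EPS:
            return None  # refuse: no chain, or chain weaker than policy
        self.enrolled[template] = path[-1]
        return path[-1], level_of(weight), path


def figure4_graph():
    """Correspondences established in the figure 4 walk-through."""
    g = CorrespondenceGraph()
    g.link("Y", "Z", "high")         # 436: TV deduces Y ~ Z
    g.link("Y", "ID-H2", "certain")  # 441: identity registered at TV
    g.link("K", "Y", "likely")       # 440: PP2 deduces K ~ Y
    return g


if __name__ == "__main__":
    g = figure4_graph()
    attempts = [(BiometricSystem("PP2", "likely"), "K"),
                (BiometricSystem("PP1", "high"), "Z"),
                (BiometricSystem("strict", "certain"), "K"),  # hypothetical
                (BiometricSystem("PP4", "likely"), "X")]
    for system, template in attempts:
        print(system.name, template, system.try_enrol(g, template))
```

Under the product rule two 'high' links in a row would fall below the assumed 'high' floor, so a security-oriented system with a strict threshold rejects long inferred chains even when every individual link looks strong.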
The person skilled in the art realizes that the present invention by no means is limited to the preferred embodiments described above. On the contrary, many modifications and variations are possible within the scope of the appended claims. For example, the communications over a network of cooperating biometric systems according to the invention may be tailored to fit the needs of particular applications, with emphasis on high reliability, low false rejection rate, user convenience or some other aspect.