Technical Field

The present disclosure relates, in general, to enrolment and sensing apparatuses for authentication systems. Aspects of the disclosure relate to obfuscating of biometric data to mitigate risks associated with replication of biometric templates.

Background

Biometric features are highly valuable human characteristics widely used in modem authentication systems in the form of biometric identifiers that typically comprise body measurements and calculations related to one or more of those human characteristics. Accordingly, biometric features can be used for authentication of a user of a device to regulate, e.g., device access.

Biometric identifiers are often categorized as physiological characteristics, which are related to, e.g., the shape of the body or a part thereof. Examples include, face, fingerprint, vein patterns, DNA, palm print, hand geometry, iris pattern, retina pattern and odour/scent and so on. Biometric identifiers may be provided in the form of templates. For example, in the context of the identifiers noted above, a biometric template can represent, e.g., a user’s face, fingerprint, retina and so on. As such, biometric templates comprise unique information related to a particular person. In contrast to other user credentials, such as passwords and so on, biometric features are tightly associated with a user’s body and generally irrevocable. They therefore form an increasingly important tool in regulating access to devices, such as user equipment.

However, despite the strength and utility of biometric identifiers, local data protection (such as that provided on user equipment) can compromise the use of biometric identifiers. That is, in many systems (consumer devices, loTs, etc.) local data protection may not be strong enough to prevent stored biometric templates for example from being disclosed to or obtained by adversaries. Furthermore, in order to verify the identity of a user it is often necessary for data representing a biometric template to traverse one or more networks to enable a verification system to attest to the authenticity of the template.

There are several methods that can be used in order to protect a biometric template and to prevent them from being discovered or obtained by an unwanted third party. For example, a template can be encrypted in storage on a server side of a system that implements a client- server structure where a template from a client is compared with one stored on the server side for example. However, this exposes the templates during verification operations, and decrypted templates can be attacked during processing by, e.g., server side adversaries.

In another alternative used to mitigate the compromise of template information, verification can be performed at the client side, thereby obviating the requirement to transmit sensitive data, and risk discovery of decrypted content at a versification system. However, this is computationally expensive, and therefore not practicable in lower end devices (at least) with limited processing capabilities.

Summary

An objective of the present disclosure is to provide protection against disclosure or determination of biometric templates used for, e.g., user authentication.

The foregoing and other objectives are achieved by the features of the independent claims.

Further implementation forms are apparent from the dependent claims, the description and the Figures.

A first aspect of the present disclosure provides an enrolment apparatus for an authentication system, the enrolment apparatus comprising a processor, a memory coupled to the processor, the memory configured to store program code executable by the processor, the program code comprising one or more instructions, whereby to cause the enrolment apparatus to generate first and second biometric data representing physical characteristics of a user, generate a obfuscating function on the basis of a set of selected information, combine the first and second biometric data using the generated obfuscating function to generate a user template, provide the obfuscating function to a sensing apparatus of the authentication system, and provide the user template to a verification apparatus of the authentication system.

Accordingly, in a multifactor authentication system, such as a system configured to enable a user to access device or device function, individual biometric templates are replaced by a user template comprising an irreversible combination of the individual biometric templates. The user template enables user verification, but cannot be reverse engineered to determine the original biometric data used to generate it.

In an implementation of the first aspect, the selected information can comprise at least one of user information and information relating the sensing apparatus, and wherein the program code comprises one or more instructions, whereby to cause the enrolment apparatus to use the set of selected information to generate a set of parameters for the obfuscating function.

An obfuscating function can be created per user, and/or platform and/or enrolment session instance. As such, a compromised obfuscating function can be revoked and replaced by a new one as many times as desired or required without compromising the underlying biometric data that is used to generate the user template.

The enrolment apparatus can receive the set of selected information from a storage apparatus of the authentication system. The program code can comprise one or more instructions, whereby to cause the enrolment apparatus to calculate a scaling factor for at least one of the first and second biometric data, whereby to normalise a size of respective projections representing the first and second biometric data. The program code can comprise one or more instructions, whereby to cause the enrolment apparatus to provide the scaling factor to the sensing apparatus of the authentication system. The program code can comprise one or more instructions, whereby to cause the enrolment apparatus to reduce a dimensionality of a vector representing one of the first and second biometric data, whereby to generate a reduced dimension vector, and use the reduced dimension vector, with the other one of the first and second biometric data, to generate the user template. A second aspect of the present disclosure provides a sensing apparatus for an authentication system, the sensing apparatus comprising a processor, a memory coupled to the processor, the memory configured to store program code executable by the processor, the program code comprising one or more instructions, whereby to cause the sensing apparatus to generate, using at least one sensor of the sensing apparatus, first and second biometric data representing physical characteristics of a user, combine the first and second biometric data using a obfuscating function to generate a user template, provide the generated user template to an authentication apparatus of the authentication system, and receive a response from the authentication apparatus of the authentication system, the response providing an indication of whether the user template matches an existing user template stored for the authentication apparatus of the authentication system.

In an implementation of the second aspect, the program code can comprise one or more instructions, whereby to cause the sensing apparatus to receive the obfuscating function from an enrolment apparatus of the authentication system. The program code can comprise one or more instructions, whereby to cause the sensing apparatus to normalise a size of respective projections representing at least one of the first and second biometric data using a scaling factor. The program code can comprise one or more instructions, whereby to cause the sensing apparatus to receive the scaling factor from an enrolment apparatus of the authentication system. The program code can comprise one or more instructions, whereby to cause the sensing apparatus to execute the obfuscating function, whereby to generate a user template, in a trusted execution environment of the sensing apparatus. The program code can comprise one or more instructions, whereby to cause the sensing apparatus to provide information representing at least one of the first and second biometric data representing physical characteristics of a user to an enrolment apparatus of the authentication system. The program code can comprise one or more instructions, whereby to cause the sensing apparatus to determine the presence of missing information in a vector representing at least one of the first and second biometric data, and compensate for the missing information by filling at least one missing component of the vector with a replica of existing data.

A third aspect of the present disclosure provides an authentication system, comprising an enrolment apparatus as provided according to the first aspect, a sensing apparatus as provided according to the second aspect, and an authentication apparatus configured to provide an indication of whether a user template matches an existing user template stored for the authentication apparatus of the authentication system.

A fourth aspect of the present disclosure provides a machine-readable storage medium encoded with instructions for enabling authentication of a user, the instructions executable by a processor of an enrolment apparatus, whereby to cause the enrolment apparatus to generate first and second biometric data representing physical characteristics of a user, generate a obfuscating function on the basis of a set of selected information, combine the first and second biometric data using the generated function to generate a user template, provide the obfuscating function to a sensing apparatus of the authentication system, and provide the user template to a verification apparatus of the authentication system.

These and other aspects of the invention will be apparent from the embodiment(s) described below.

Brief Description of the Drawings

In order that the present invention may be more readily understood, embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings, in which:

Figure 1 is a schematic representation of an enrolment apparatus for an authentication system according to an example;

Figure 2 is a schematic representation of a system according to an example;

Figure 3 is a schematic representation of a 3D point-cloud according to an example;

Figure 4 is a schematic representation of a scaling operation according to an example;

Figure 5 is a schematic representation of a process according to an example;

Figure 6 is a flow chart of a verification process according to an example;

Figure 7 is a schematic representation of an authentication system according to an example; Figure 8 is a schematic representation of a process according to an example; and

Figure 9 is a schematic representation of a machine according to an example.

Detailed Description

Example embodiments are described below in sufficient detail to enable those of ordinary skill in the art to embody and implement the systems and processes herein described. It is important to understand that embodiments can be provided in many alternate forms and should not be construed as limited to the examples set forth herein.

Accordingly, while embodiments can be modified in various ways and take on various alternative forms, specific embodiments thereof are shown in the drawings and described in detail below as examples. There is no intent to limit to the particular forms disclosed. On the contrary, all modifications, equivalents, and alternatives falling within the scope of the appended claims should be included. Elements of the example embodiments are consistently denoted by the same reference numerals throughout the drawings and detailed description where appropriate.

The terminology used herein to describe embodiments is not intended to limit the scope. The articles “a,” “an,” and “the” are singular in that they have a single referent, however the use of the singular form in the present document should not preclude the presence of more than one referent. In other words, elements referred to in the singular can number one or more, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises,” “comprising,” “includes,” and/or “including,” when used herein, specify the presence of stated features, items, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, items, steps, operations, elements, components, and/or groups thereof.

Unless otherwise defined, all terms (including technical and scientific terms) used herein are to be interpreted as is customary in the art. It will be further understood that terms in common usage should also be interpreted as is customary in the relevant art and not in an idealized or overly formal sense unless expressly so defined herein. As described above, biometric templates can be used to authenticate a user of a device. For example, it is commonplace for a user to provide a fingerprint or facial identification to access a device, such as a smart phone for example. In some case, an additional layer of security can be provided by a user needing to provide multiple forms of biometric identification in order to enable device access. For example, a user can provide a fingerprint and a facial identification. Nevertheless, this does not overcome the mechanisms associated with detection of a biometric template as noted above, which can just as easily be applied to two such templates as it can to one.

According to an example, an authentication system can utilise two forms of biometric template, such as facial template and a fingerprint template for example. However, the biometric templates associated with these physiological factors can be substituted with a combined template that can be generated using one or more irreversible manipulations to the original templates. As such, a stored combined template comprises information that is applicable for verification, but which cannot be used for disclosure and replication of the original biometric data used to generate it.

Figure 1 is a schematic representation of an enrolment apparatus for an authentication system according to an example. In the example of figure 1, the enrolment apparatus 100 can form part of user equipment, such as a smart phone for example, or may be a standalone (e.g., distinct from user equipment) apparatus. Enrolment apparatus 100 comprises a processor 103 and a memory 105 coupled to the processor 103. The memory 105 is configured to store program code executable by the processor 103, the program code comprising one or more instructions 107. In executing the program code, the processor 103 causes the enrolment apparatus 100 to generate (or receive) first 109 and second 111 biometric data representing physical characteristics of a user. For example, the first biometric data 109 can comprise data representing a fingerprint template of the user. The second biometric data 111 can comprise data representing a facial template.

In an example, the first biometric data 109 can be generated on the basis of data captured using a fingerprint scanner, which could be an optical, capacitive or optical-capacitive hybrid scanner for example. The first biometric data 109 can be generated by the enrolment apparatus as part of a user enrolment process, or generated using user equipment of the user for example, and provided to the enrolment apparatus by, e.g., transmitting the first biometric data 109 thereto. The second biometric data 111 can be generated using an optical capture system, such as a camera for example. The second biometric data 111 can be generated by the enrolment apparatus as part of a user enrolment process, or generated using user equipment of the user for example, and provided to the enrolment apparatus by, e.g., transmitting the second biometric data 111 thereto. The enrolment apparatus is agnostic to the manner in which data representing a biometric template is generated or provided to it, and the above is provided merely by way of example.

An obfuscating function 113 is generated on the basis of a set of selected information. In an example, the obfuscating function 113 can be generated as part of an enrolment process. In the example of figure 1, the enrolment apparatus 100 comprises a function generator 115 configured to generate an obfuscating function 113. In an example, obfuscating function 113 is generated on the basis of one or more of user and/or platform information 116. For example, information representing one or more characteristics of a user and/or a platform/user equipment can be used as seed data for the function generator 115 to generate an obfuscating function 113. For example, user information can comprise a user’s age, full name, passport ID, and so on). Platform information can comprise, e.g., a device serial number, MAC address, and so on. As such, function generator 115 can generate a user and/or platform specific obfuscating function 113. User information could, for example, be used to determine or define the order of a polynomial function used by the function generator 115, and platform information or settings can be used to determine or define coefficients of the function. User and/or platform information 116 can be provided to enrolment apparatus 100 by the user, determined by the enrolment apparatus 100 by querying the user and/or platform and so on.

In an example, an obfuscating function 113 can be generated per any one or more of user, platform and enrolment session instance. Accordingly, and as will be explained in more detail below, a compromised template can be revoked by replacing an obfuscating function 113 with a newly generated one. According to an example, an obfuscating function can be replaced by another upon demand. Accordingly, if a user template is compromised, a new function can be generated (as many times as desired) in order to generate a new user template.

The enrolment apparatus 100 uses the generated obfuscating function 113 to combine the first 109 and second 111 biometric data to generate a user template 117. That is, the generated obfuscating function 113, which as noted above is specific to one or more of user, platform and enrolment session instance, is used to obfuscate the first 109 and second 111 biometric data by performing an operation (such as combining or fusing for example) on the first 109 and second 111 biometric data in a manner defined by the generated obfuscating function 113, as will be described in more detail below.

The obfuscating function 113 can be transmitted or otherwise provided to a sensing apparatus of the authentication system, and the user template 117 can be transmitted or otherwise provided to a verification apparatus of the authentication system. As such, an attack surface of an authenticating party is significantly decreased, with a concomitant increase in attack effort required by a sensing apparatus.

Figure 2 is a schematic representation of a system according to an example. The example of figure 2 can represent an authentication system 200. The authentication system 200 comprises an enrolment apparatus as described above with reference to figure 1. A sensing apparatus 201 is configured to receive the obfuscating function 113. An authentication apparatus 203 is configured to receive the user template 117. In an example, sensing apparatus 201, which can be a user platform such as user equipment (e.g., a smart phone) can generate first biometric data 210 and second biometric data 212 of a user of the sensing apparatus 201. First biometric data 210 of the user can be generated using, e.g., a fingerprint scanner of the sensing apparatus 201. Second biometric data 212 of the user can be generated using, e.g., a facial sensor such as a camera of the sensing apparatus 201. The first biometric data 210 and the second biometric data 212 are combined using the obfuscating function 113 received from the enrolment apparatus 100, whereby to generate a user template 214 for the user. The user template 214 is provided by sensing apparatus 201 to authentication apparatus 203. The authentication apparatus 203 can compare the user template 214 with the user template 117 provided by the enrolment apparatus 100 to provide an indication of whether the user template 214 matches the existing user template 117 stored for the authentication apparatus 203 of the authentication system 200. Accordingly, the user can be authenticated and access provided to the apparatus 201 in the event there is match. That is, access to the apparatus 201 can be regulated on the basis of information used at enrolment using enrolment apparatus 100.

According to an example, in order to generate a user template (117; 214) biometric data is normalised. That is, for example, first biometric data (109; 210) and second biometric data (111; 212) can be normalised in order to enable a user template (117; 214) to be generated using the obfuscating function 113. Put another way, in order to fuse or combine first and second biometric data according to the operations of the obfuscating function, values of the features defined by the biometric data should be comparable. For example, if one feature is in the range 0 - 100 and the other is in the range 0 - 1, having 90.03 can be split into 90 and 0.03. As such, original features can be recovered from a user template. Accordingly, normalization can be applied to make all features, e.g., in the range 0-1. After normalization (e.g., by first dividing by 100) a sum is defined as 0.93 it will not be possible to determine which portion of the data is contributed by which feature.

In general, in relation to fingerprints for example, a fingerprint template, which can comprise, e.g., first biometric data (109; 210) can be defined according to the ISO/IEC 19794-2:2011 standard, which provides an interoperable format for capturing, storage and matching of fingerprint minutiae. In an example, a fingerprint template can comprise information relating to, for example, fingerprint scan details (such as resolution, size, etc.) plus any applicable vendor extended data, a finger ID, a scan rotation angle, a fingerprint core location (x, y ,z) , where x, y - location is (0,0) and z - direction is (0), a number of fingerprint minutiae, N, and minutiae records such as, e.g., a set of information comprising {Angle/Type, Location-X, Location-Y} [N].

In an example, a fingerprint template representing, e.g., first biometric data, can comprise a fixed number of minutiae forming a 3 dimensional point cloud. As such, a sensing apparatus 201 can capture a pre-defined number of minutiae N. X and Y coordinates of the minutiae can be used as is. In an example, type and angle values are combined to provide a TA value defined as Angle/Type, where angle is measured in degrees (float) and type is an enumeration value (1 to 8) corresponding to the fingerprint feature at a location selected from {Island, Dot, Termination, Crossover, Short Ridge, Bridge, Bifurcation, Spur}. As such, the angle value is rounded by the type value. As a result, a fingerprint template, in the form of, e.g., first biometric data, template can be defined in the form of a 3D point-cloud centred at the core of a fingerprint.

Figure 3 is a schematic representation of a 3D point-cloud according to an example. In the example of figure 3, points defined by fingerprint characteristics as described above can be transformed to using a geometrical projection. In an example, the radius 301 of the sphere 303 can be calculated as:

R*MAX(ABS(X) or ABS(Y)) (i)) for all i, where R is a resolution factor and X and Y represent the x and y coordinates of a feature in question. R can be shared between face and finger scan templates to ensure fair (comparable weights) composition.

So, for example, and with reference to figure 3, the point cloud representing a fingerprint is centred at the core 305, with points p representing the minutiae of the fingerprint (i.e., certain distinct features of the fingerprint as outlined above). A point p 307 will therefore transform to a point P 309.

In relation to a template for a face, representing the second biometric data for example, a face can be represented by a number of landmark/feature points. For example, the ISO/IEC 19794-5 and 2:2017 standards define interoperable formats for capturing, storage and matching of face images for the purposes of providing face templates and are defined by a structure including image details (such as image resolution, size, position, quality, orientation, expression, light , occlusions, surgery, etc.), a number of facial feature Points, N, and a feature point location {Location-X, Location- Y, Location-Z} [N]. As such, in an example, and similarly to a fingerprint template, a face template can comprise a fixed number N of marker points, each having X,Y,Z coordinates. Accordingly, in an example, data representing a face can be projected to a 3D point cloud as well. According to an example, in order to ensure that the first biometric data and the second biometric data are properly obfuscated using the obfuscating function, the projections representing the, e.g., fingerprint and face templates must be properly scaled. This may be achieved according to the following:

P’(X,Y,Z)’ = P(X,Y,Z) * (R1/R2) in which coordinates of the points of the smaller projection sphere are multiplied by (R Bigger / R Smaller).

Figure 4 is a schematic representation of a scaling operation according to an example. In the example of figure 4, a projection 401 for the features of or defining a fingerprint is depicted. A projection 403 for the features of or defining a face is depicted. According to the relationship noted above, the projection for the face (being the smaller in size of the two projections in the example of figure 4) can be scaled. That is, the points P in the projection 403 for the face can be scaled using a factor R1/R2 in this example (R1 representing the radius of the sphere of the larger projection and R2 representing the radius of the sphere of the larger projection) to generate scaled points P’. This results in a scaled version 405 of the projection 403 for the features of or defining a face.

It will be appreciated that in some circumstances, captured or generated finger and face templates may have differing numbers of features. In order to compensate for this, in an example, data representing template with fewer features than another template can be augmented with randomized data. For example, randomly selected replicas of existing points can be used to ‘fill” gaps, thereby increasing the size of the data representing a template. In an example, filling points selection is a part of the composition function generated during provisioning of the composition function to the sensing subsystem.

As described above, after data representing the first and second biometric has been generated from, e.g., captured fingerprint and facial templates, the obfuscating function generated and provided by the enrolment apparatus can be used to generate a user template. Figure 5 is a schematic representation of a process according to an example. In the example of figure 5, first biometric data (109; 210; 501) representing a fingerprint and second biometric data (111; 212; 503) representing a face can be projected to sphere(s) as described above, which can then be normalised in size. Any discrepancies in the degree of information provided can be dealt with as described above by, e.g., replicating information to fill gaps, whereby to ensure that data sets for the first biometric data (109; 210; 501) and the second biometric data (111; 212; 503) are the same size, thereby resulting in a pair of normalised templates 505.

As described above, an obfuscating function is used to combine the first biometric data (109; 210; 501) and the second biometric data (111; 212; 503) to form a user template that cannot be reverse engineered to determine either of the first biometric data (109; 210; 501) and the second biometric data (111; 212; 503). The nature of the obfuscating function selected can vary. That is, a modality of the obfuscating function can be selected from a set of operations. For example, operations could vary per product and may include more or less sophisticated sequences such as Pl+PF, Pl- PF , al+bl*Pl+cl*Pl ^A 2 - a2+b2*PF+c2*PF ^A 2, etc., where Pl and PF are the points of FiT (fingerprint template) and FaT (face template) correspondingly (referring to figure 5). The user template 507 is generated by applying operations of the obfuscating function to the original first biometric data (109; 210; 501) and the second biometric data (111; 212; 503).

According to an example, tolerance boundaries R”min and R”max can be implemented considering the combined delta between the points from the projections associated with the fingerprint and face templates. For example, R”min < OF(P1,PF) < R”max, where OF is the obfuscating function. NaN can be calculated as a random “impossible” number within, e.g., R”min/10.

According to an example, projection adjustment parameters (i.e. a scaling factor) as described above, as well as operation settings (e.g., type, order, constants, etc.), and a map representing empty slot fulfilment can be provided to the sensing apparatus 201 for future use. Scaling factors, polynomial composition order and variables for use with an obfuscating function can be generated per enrolment session using user, platform, context, etc. settings. Figure 6 is a flow chart of a verification process according to an example. With reference to figure 2, the sensing apparatus 201 can capture local samples using appropriate sensing devices as described above, which are then normalized using settings provided from a provisioning stage (e.g., using settings as described above and provided by the enrolment apparatus 100). In block 601 a user template is generated using the first biometric data and the second biometric data and the obfuscating function. The user template is provided to the authentication apparatus 203 to enable verification to take place. The authentication apparatus 203 can calculate a score and compare this with a predefined value or set of values. For example, in the case where the number of NaN, N_NaN, (missed points caused by, e.g., partial finger scan capture, face occlusion, shadows, etc.) and/or exceptional measurements, N_Excp, are less than corresponding predetermined values, Max_NN and Max_N_Excp (i.e., N_NaN < Max_NaN and N_Excp < Max_N_Excp), a distance measure between the user template 214 and the user template 117 can be calculated (block 605). If the calculated distance measure is less than a predetermined threshold (block 607) a user request (e.g., access request) based on user template 214 can be approved (block 609), otherwise it will be declined (block 611).

Figure 7 is a schematic representation of an authentication system according to an example. According to an example, sensing apparatus 201 can comprise a trusted execution environment 701 configured to store the obfuscating function 113 and to calculate the user template 214. That is, a combiner module 703 can be used to generate the user template 214 on the basis of the first and second biometric data and the obfuscating function 113 received from the enrolment apparatus 100, taking into account any setting received from the enrolment apparatus 100 as noted above. For example, combiner module 703 can generate, normalize and combine according to configuration settings (including, e.g., function definitions, empty slots fulfilment map, etc.).

In the example of figure 7, the function generator 115 can be implemented as part of or executed within a trusted environment of the enrolment apparatus 100, and can further use stored or enrolled users finger and face templates and may interact with other platforms and external systems (such as sensing apparatus 201) to obtain, e.g., contextual information that can be used to generate unique and user/platform specific obfuscating functions. In an example, the enrolment apparatus can compare features of a user’s voice with expected feature (e.g., with Lombard features in mind). Additionally background learning and update of a Lombard Features template can be implemented.

Sensing apparatus 201 can comprise a face processor 705 and fingerprint scanner 707 that can be used to generate the first biometric data (109; 210; 501) such as a fingerprint, and the second biometric data (111; 212; 503) such as a face template of the user. These data can be provided 709 to the enrolment apparatus 100 to enable enrolment of the user to take place. Alternatively, enrolment apparatus 100 can trigger generation of the biometric data using other, e.g., face processor and fingerprint scanner apparatus (not shown). As described above, user template 117 generated at enrolment can be provided to the authentication apparatus 203 and stored in a storage device 713. A matching module 715 can be used to compare the user template 117 generated at enrolment with a user template 214 generated using data from the processor 705 and scanner 707 of the sensing apparatus 201 as part of a user authentication 715.

Figure 8 is a schematic representation of a process according to an example. The process with respect to figure 8 is described in the context of a provisioning (or enrolment) stage 801, a sensing stage 803, and a matching (or authentication) stage 805. In block 810 a user is provisioned or enrolled using enrolment apparatus 100 and as described above. In the example of figure 8, platform information (and/or user information) 812 can be obtained by enrolment apparatus 100 from sensing apparatus 201. As described above, the information 812 can be used to generate 814 the obfuscating function 113 at the enrolment apparatus 100. The generated function can be sent to the sensing apparatus where it can be stored 816 in a trusted execution environment for example. The generated function and the biometric data from the user is used by the enrolment apparatus 100 to generate the user template 117, which is deployed 818 to the authentication apparatus 203 where it can stored 820 in a trusted execution environment for example.

In an authentication stage, sensing apparatus can capture samples 822 of a user’s, e.g., fingerprint and face using a finger scanner 707 and face processor 705 for example. The captured samples define the first and second biometric data. These data are normalised and combined 824 as described above, using the obfuscating function 113 and combiner 703. The resultant user template 214 can be sent 826 (715) to the authentication apparatus 203 for matching 828 using matching module 715 with the result 830 passed to sensing apparatus 201.

In an example, a user’s biometric samples can therefore be captured and consequently processed by the enrolment apparatus to create face and finger templates representing the first and second biometric data for example. A system according to an example can also re-use pre-recorded data and/or stored templates instead of implementing user reenrolment As noted above, the obfuscating function is generated per enrolment session and is deployed to the sensing apparatus. The user template 117 is deployed to the authentication apparatus 203, which can also store data representing tolerance settings.

Examples in the present disclosure can be provided as methods, systems or machine- readable instructions, such as any combination of software, hardware, firmware or the like. Such machine-readable instructions may be included on a computer readable storage medium (including but not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon.

The present disclosure is described with reference to flow charts and/or block diagrams of the method, devices and systems according to examples of the present disclosure. Although the flow diagrams described above show a specific order of execution, the order of execution may differ from that which is depicted. Blocks described in relation to one flow chart may be combined with those of another flow chart. In some examples, some blocks of the flow diagrams may not be necessary and/or additional blocks may be added. It shall be understood that each flow and/or block in the flow charts and/or block diagrams, as well as combinations of the flows and/or diagrams in the flow charts and/or block diagrams can be realized by machine readable instructions.

The machine-readable instructions may, for example, be executed by a machine such as a general-purpose computer, a platform comprising user equipment such as a smart device, e.g., a smart phone, a special purpose computer, an embedded processor or processors of other programmable data processing devices to realize the functions described in the description and diagrams. In particular, a processor or processing apparatus may execute the machine-readable instructions. Thus, modules of apparatus (for example, a module implementing a combiner module 703, a matching module 715, a function generator 115 and so on) may be implemented by a processor executing machine readable instructions stored in a memory, or a processor operating in accordance with instructions embedded in logic circuitry. The term 'processor' is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate set etc. The methods and modules may all be performed by a single processor or divided amongst several processors.

Such machine-readable instructions may also be stored in a computer readable storage that can guide the computer or other programmable data processing devices to operate in a specific mode. For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor.

Figure 9 is a schematic representation of a machine according to an example. The machine 900 can be, e.g., a system or apparatus (e.g., 100, 201, 203), user equipment, or part thereof. The machine 900 comprises a processor 903, and a memory 905 to store instructions 907, executable by the processor 903. The machine comprises a storage 909 that can be used to store data representing first and/or second biometric data and so on as described above with reference to figures 1 to 8 for example.

The instructions 907, executable by the processor 903, can cause the machine 900 to generate first and second biometric data representing physical characteristics of a user, generate a obfuscating function on the basis of a set of selected information, combine the first and second biometric data using the generated function to generate a user template, provide the obfuscating function to a sensing apparatus of the authentication system, and provide the user template to a verification apparatus of the authentication system.

Accordingly, the machine 900 can implement a method for regulating access to a sensing apparatus and/or a function or application thereof.

Such machine-readable instructions may also be loaded onto a computer or other programmable data processing devices, so that the computer or other programmable data processing devices perform a series of operations to produce computer-implemented processing, thus the instructions executed on the computer or other programmable devices provide an operation for realizing functions specified by flow(s) in the flow charts and/or block(s) in the block diagrams.

Further, the teachings herein may be implemented in the form of a computer or software product, such as a non-transitory machine-readable storage medium, the computer software or product being stored in a storage medium and comprising a plurality of instructions, e.g., machine readable instructions, for making a computer device implement the methods recited in the examples of the present disclosure.

In some examples, some methods can be performed in a cloud-computing or networkbased environment. Cloud-computing environments may provide various services and applications via the Internet. These cloud-based services (e.g., software as a service, platform as a service, infrastructure as a service, etc.) may be accessible through a web browser or other remote interface of the user equipment for example. Various functions described herein may be provided through a remote desktop environment or any other cloud-based computing environment.

While various embodiments have been described and/or illustrated herein in the context of fully functional computing systems, one or more of these exemplary embodiments may be distributed as a program product in a variety of forms, regardless of the particular type of computer-readable- storage media used to actually carry out the distribution. The embodiments disclosed herein may also be implemented using software modules that perform certain tasks. These software modules may include script, batch, or other executable files that may be stored on a computer-readable storage medium or in a computing system. In some embodiments, these software modules may configure a computing system to perform one or more of the exemplary embodiments disclosed herein. In addition, one or more of the modules described herein may transform data, physical devices, and/or representations of physical devices from one form to another.

The preceding description has been provided to enable others skilled in the art to best utilize various aspects of the exemplary embodiments disclosed herein. This exemplary description is not intended to be exhaustive or to be limited to any precise form disclosed. Many modifications and variations are possible without departing from the spirit and scope of the instant disclosure. The embodiments disclosed herein should be considered in all respects illustrative and not restrictive. Reference should be made to the appended claims and their equivalents in determining the scope of the instant disclosure.