One way of simplifying the use of various types of appliances which are protected by, for example, passwords, access codes and the like, is to replace the codes with devices which recognize the user on the basis of different physical characteristics, so called biometrics. One type of biometrical characteristic is fingerprint information, which can be used to either confirm or reject a user's attempt to gain access to an appliance, a premises, etc., referred to as user identity verification. Verification with the aid of fingerprint information is in most cases done by the user having stored his fingerprint information in the equipment in question in advance, the stored information is commonly referred to as a template. The process of extracting the template information and connecting it to a user identity is known as enrolment. The information for creating this template can either be input into the appliance which the user will later want to have access to, or via a central appliance. For systems utilizing fingerprint sensors that are significantly smaller than a typical fingerprint, the enrolment will consist of a procedure with multiple touches and the template will contain information either assembled from several smaller part-fingerprint images or will contain a plurality of separate part-fingerprint images linked together.
When the user attempts to gain access to the equipment in question, a biometric device inputs information from the user's finger and compares the input information to the template in order to decide if the user is to be granted access to the equipment or not. This comparison is referred to as fingerprint verification. To perform the verification, the input data needs to be processed into a format that can be mathematically compared with the data stored in the previously enrolled template. The method that evaluates the similarity between the input data and the template data is referred to as a matching algorithm. Typically a matching algorithm will output a match score, which e.g. may be a number between 1 and 0. A high match score will indicate a close match between input data and template data and a low match score will indicate that the input data and the template data is significantly dissimilar. In order to determine if a user is to be verified as a legitimate user, i.e. to decide if the input data and the template data is coming from the same finger or not, a security threshold is set. The security threshold is compared to the match score, and if the match score is above or equal to the security threshold, the user data is accepted and the user is verified. If the match score is below the security threshold, the user data is rejected and the user is refused access.
Equipment which verifies with the aid of fingerprint information must satisfy a number of requirements, for example reliability and speed. Verification in portable devices, for example mobile telephones, portable computers, different types of cards, etc., further requires that the equipment must be as small, lightweight and energy-efficient as possible. Another requirement is that the equipment should preferably be inexpensive. The biometric performance of a device or system is typically described with two error rates: the False Acceptance Rate (FAR) that is a measure of the systems security and the False Rejection Rate (FRR) that is a measure of the ease of use of the system. Different applications could have different preferred trade-offs between these two error rates. For some cases, convenience is more important than security and vice versa.
Known types of devices for verifying a user's identity with the aid of fingerprint information captures information from a user's fingerprint and compares this information with a template by means of the input information being combined into a representation of the fingerprint, which is then compared with the template which has been stored in advance. The capturing of fingerprint information and the matching of the fingerprint information and the template can be done in several different ways. The used method will partly depend on the size and type of the used fingerprint reader.
The security of the matching algorithm is normally determined by computing a match score distribution based on a large dataset of stored templates. By performing a very large number of match attempts using templates belonging to different fingers, an impostor score distribution can be formed. By performing a very large number of match attempts, where each match attempt uses the significant data obtained from the fingerprint information of a user and the template belonging to that user, an genuine score distribution can be formed. A security threshold for the specific matching algorithm is then set such that the security threshold will give a predefined average FAR for the complete stored dataset that gives an acceptable security. A FAR in the order of less than 0.002% or 1/50 000 may give an acceptable security level for everyday use. The corresponding FRR can be measured by performing a large number of match attempts between templates belonging to the same finger forming a distribution of genuine scores. The stored dataset is considered to represent a general public, and should comprise a large number of different templates from different persons. Normally, the stored dataset comprises several thousands of stored templates. This security threshold is determined for a specific algorithm and sensor combination at the time when the device is designed and manufactured, and is programmed into the device system. This security threshold is then used as a standard security threshold for all users of that device type.
One problem of using a predefined average security threshold based on a fixed stored dataset of templates when verifying significant data representing the fingerprint image of a user is that some templates are stronger than other templates, since individual templates differ and may e.g. resemble a normal distribution. This means that when the average security threshold is applied to a strong template, the FAR for this template will be lower than required which results in an unnecessary high FRR for the user of this template. In such a case, the significant data extracted from the fingerprint image of the user may falsely be rejected when compared to the stored template during verification. The user may have to try to verify himself several times before the significant data is accepted, which will be annoying for this user.
A strong template may be defined in the following manner: When a “normal” template is matched to a large set of impostor templates, the probability of generating a match score that is larger than the average security threshold is at the required level, for instance 1/50000. When a strong template is matched to the same large set of impostor templates, the probability of generating a match score that is larger than the average security threshold is significantly smaller than required. When a weak template is matched to the same large set of impostor templates, the probability of generating a match score that is larger than the average security threshold is significantly larger than required.
When a verification with a strong template is performed using an average security threshold, an unnecessarily high matching threshold will be applied. The usability of the system depends on the value of the matching threshold. The usability of the system will decrease when the matching threshold is increased, such that the user will be rejected more often than needed.
At the same time, a weak template using the same average security threshold may result in the FAR being too high such that the security will be lower than acceptable. In such a case, the significant data extracted from the fingerprint image of another user may falsely be accepted when compared to the stored template. This means that a device on the market using an average security threshold and having an average template will meet the security requirements, but a device having a weak template will not.
When the template is determined at the enrolment of the user at the device, the template may be given a specific score that will represent one or more numerical values for the created template. The system may use an algorithm that prompts the user to make a new enrolment if the score differs too much from a predefined numeric range or value. In this way, it may be possible to avoid templates that are too strong or too weak. However, such a system may also annoy a user and further, some fingerprints will inherently give stronger templates and some fingerprints will inherently give weaker templates.
There is thus a need for an improved way of determining a security threshold for a template representing a fingerprint image.