This invention relates to biometric identification and authentication systems and methods, more particularly to authentication for financial transactions using biometrics.
Biometric identification and authentication systems are known in the art; for example, systems that compare facial features, iris imagery, fingerprints, finger vein images, and palm vein images have been used. Such systems are known to be useful either for comparing biometric data acquired from an individual to stored sets of biometric data of known “enrolled” individuals, or for comparing biometric data acquired from an individual to a proposed template, such as when an identification card is supplied to the system by the individual.
Turk, et al., U.S. Pat. No. 5,164,992, discloses a recognition system for identifying members of an audience, the system including an imaging system which generates an image of the audience; a selector module for selecting a portion of the generated image; a detection means which analyzes the selected image portion to determine whether an image of a person is present; and a recognition module responsive to the detection means for determining whether a detected image of a person identified by the detection means resembles one of a reference set of images of individuals. If the computed distance is sufficiently close to face space (i.e., less than the pre-selected threshold), recognition module 10 treats it as a face image and proceeds with determining whose face it is (step 206). This involves computing distances between the projection of the input image onto face space and each of the reference face images in face space. If the projected input image is sufficiently close to any one of the reference faces (i.e., the computed distance in face space is less than a predetermined distance), recognition module 10 identifies the input image as belonging to the individual associated with that reference face. If the projected input image is not sufficiently close to any one of the reference faces, recognition module 10 reports that a person has been located but the identity of the person is unknown.
Daugman, U.S. Pat. No. 5,291,560, discloses a method of uniquely identifying a particular human being by biometric analysis of the iris of the eye.
Yu, et al., U.S. Pat. No. 5,930,804, discloses a Web-based authentication system and method, the system comprising at least one Web client station, at least one Web server station and an authentication center. The Web client station is linked to a Web cloud, and provides selected biometric data of an individual who is using the Web client station. The Web server station is also linked to the Web cloud. The authentication center is linked to at least one of the Web client and Web server stations so as to receive the biometric data. The authentication center, having records of one or more enrolled individuals, provides for comparison of the provided data with selected records. The method comprises the steps of (i) establishing parameters associated with selected biometric characteristics to be used in authentication; (ii) acquiring, at the Web client station, biometric data in accordance with the parameters; (iii) receiving, at an authentication center, a message that includes biometric data; (iv) selecting, at the authentication center, one or more records from among records associated with one or more enrolled individuals; and (v) comparing the received data with selected records. The comparisons of the system and method are to determine whether the so-compared live data sufficiently matches the selected records so as to authenticate the individual seeking access of the Web server station, which access is typically to information, services and other resources provided by one or more application servers associated with the Web server station.
Different biometrics perform differently. For example, the face biometric is easy to acquire (with a web camera, for example) but its ability to tell an impostor from an authentic person is somewhat limited. In fact, in most biometrics a threshold must be set which trades off how many impostors are incorrectly accepted versus how many true authentics are rejected. For example, if a threshold is set at 0 (figuratively), then no authentics would be rejected, but every impostor will also be accepted. If the threshold is set at 1 (again figuratively), no impostors will get through but neither will any authentics. If the threshold is set at 0.5 (again figuratively), then a fraction of impostors will get through and a fraction of authentics will not get through. Even though some biometrics such as the iris are sufficiently accurate to have no cross-over between the authentic and impostor distributions when the iris image quality is good, if the iris image is poor then there will be a cross-over and the problem reoccurs.
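The threshold trade-off described above, worked through as an added example that is not part of the original text: it computes the false accept rate (FAR) and false reject rate (FRR) at a given threshold, and shows that an error-free threshold exists only while the authentic and impostor score distributions do not cross over. The scores are constructed, and the `score >= threshold` acceptance rule and all function names are assumptions made for illustration.

```python
# Constructed similarity scores in (0, 1); higher means a closer match.
# "GOOD" models good-quality images (no cross-over), "POOR" models poor ones.
GOOD_AUTHENTIC = [0.81, 0.86, 0.90, 0.93, 0.95, 0.97]
GOOD_IMPOSTOR = [0.08, 0.15, 0.22, 0.30, 0.37, 0.44]
POOR_AUTHENTIC = [0.41, 0.52, 0.58, 0.66, 0.74, 0.83]
POOR_IMPOSTOR = [0.12, 0.25, 0.38, 0.47, 0.55, 0.61]


def error_rates(authentic, impostor, threshold):
    """Return (FAR, FRR), assuming a sample is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in authentic) / len(authentic)
    return far, frr


def error_free_thresholds(authentic, impostor):
    """Return (low, high): any threshold with low < t <= high gives FAR = FRR = 0.

    Returns None when the distributions cross over, i.e. when some impostor
    scores at least as high as the weakest authentic sample.
    """
    low, high = max(impostor), min(authentic)
    return (low, high) if low < high else None


def best_threshold(authentic, impostor):
    """Sweep every observed score as a candidate threshold.

    Picks the candidate with the smallest worst-case error, breaking ties
    towards FAR == FRR (an approximation of the equal error rate point).
    Returns (threshold, FAR, FRR).
    """
    def cost(t):
        far, frr = error_rates(authentic, impostor, t)
        return (max(far, frr), abs(far - frr))

    t = min(sorted(set(authentic) | set(impostor)), key=cost)
    return (t, *error_rates(authentic, impostor, t))


if __name__ == "__main__":
    for label, auth, imp in (("good", GOOD_AUTHENTIC, GOOD_IMPOSTOR),
                             ("poor", POOR_AUTHENTIC, POOR_IMPOSTOR)):
        for t in (0.0, 0.5, 1.0):
            print(label, t, error_rates(auth, imp, t))
        print(label, "error-free range:", error_free_thresholds(auth, imp))
        print(label, "best threshold:", best_threshold(auth, imp))
```

With the poor-quality set no threshold removes both kinds of error, so whichever value is chosen some valid customers are rejected or some impostors are accepted.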
In the field of authentication of financial transactions, most systems are designed to compare biometric data from an individual to a known template rather than to a set of enrolled individuals.
However, in the field of authentication of financial transactions, high levels of accuracy and speed are critical. For example, to authenticate a banking transaction, there is high motivation for an impostor to try to spoof the system and yet the financial institution would require a fast authentication process and a low rate of false rejects or denials. In this field, even a small percentage of rejections of authentics can result in an enormous number of unhappy customers, simply because of the huge number of transactions. This has prevented banks from using certain biometrics.
In addition, informing the customer (or attempted fraudster) that they successfully got through a biometric system (or not) is not desirable because it enables fraudsters to obtain feedback on methods for trying to defeat the system. Also, there is little or no deterrent for an attempted fraudster to keep on attempting to perform a fraudulent transaction.
One problem faced by biometric recognition systems involves the possibility of spoofing. For example, a life-sized, high-resolution photograph of a person may be presented to an iris recognition system. The iris recognition system may capture an image of this photograph and generate a positive identification. This type of spoofing presents an obvious security concern for the implementation of an iris recognition system. One method of addressing this problem has been to shine a light onto the eye, then increase or decrease the intensity of the light. A live, human eye will respond by dilating the pupil. This dilation is used to determine whether the iris presented for recognition is a live, human eye or merely a photograph, since the size of a pupil on a photograph obviously will not change in response to changes in the intensity of light.
In biometric recognition systems using fingerprint, finger vein, palm vein, or other imagery, other methods of determining whether spoofing is being attempted use temperature or other measures of liveness, the term liveness being used herein for any step or steps taken to determine whether the biometric data is being acquired from a live human rather than a fake due to a spoof attempt. More specifically however, in this invention, we define probability of liveness as the probability that biometric data has been acquired that can be used by an automatic or manual method to identify the user.
In prior biometric systems which include means and steps to determine liveness, the liveness test is conducted or carried out first, prior to the match process or matching module.
More specifically, in the prior art the decision to authorize a transaction does not separately consider a measure of liveness and a measure of match. By match step or module, we mean the steps and system components which function to calculate the probability of a match between acquired biometric data from an individual or purported individual being authenticated and data acquired from known individuals.
The prior systems and methods have not achieved significant commercial success in the field of authenticating financial transactions due, in part, to the insufficient speed and accuracy of prior biometric authentication systems for financial transactions. More specifically, the current methods of basing a decision to perform a financial transaction on the measure of match mean that many valid customers are rejected, due to the finite false reject rate. There is therefore a need in this field of biometric authentication systems and methods for financial transactions for an improved deterrent against attempted fraudulent transactions, and decreased rejection of valid customers.