Security tokens compliant with the ISO-7816 international standards utilize a relatively slow serial communications pathway to transfer information between a host computer system and an electromagnetically connected security token. The serial pathway is operated in a half duplex mode where information only travels in one direction at a time. This limited communications ability can create a communications bottleneck for users and applications seeking to gain access to one or more security resources, services or applications contained therein. Additionally, security tokens are further limited by relatively slow processors and available storage memory.
This communications bottleneck is further exacerbated when using biometrics for user identification and authentication due to inefficient data extraction, relatively large data transfer requirements and lack of data packet prioritization. In the relevant art, biometric templates can be quite large with some implementations having templates in excess of 100 kilobytes and the best state of the art implementations having biometric templates closer to 300 bytes.
Even 300 bytes of data is still a considerable amount of information to be transferred when compared to a 6 character personal identification number (PIN) which requires only 48 bits of data (plus header overhead) to be transmitted from the host to the security token for about a 1 per 1,000,000 false acceptance rate.
Furthermore, in order to efficiently process the data packet, the receiving security token must have sufficient memory space available to store the incoming data packet in an APDU buffer located on the security token. If the size of the data packet exceeds the available APDU buffer size, the data will need to be segmented and sent sequentially, increasing both the number of handshakes between the host and the security token and the data transmission overhead (e.g., header information), thus reducing data transmission efficiency. A large biometric data transmission will require multiple data packets to be transmitted from the host to the security token, which considerably slows the overall authentication transaction to the point where a user may become impatient with the access delay. Therefore, it is highly desirable to reduce the number of data packets as much as possible, security permitting.
Another significant limitation in the relevant art is the manner in which data is extracted from the raw biometric sample. Currently, there is no mechanism available to direct the host to focus pre-processing of the raw biometric sample on areas or regions having a high probability of matching a reference template stored inside the security token. Rather, a “shotgun” approach is taken where a great deal of non-relevant information is extracted along with relevant data features, encapsulated in data packets and sent to the security token without any processing priority. The security token may process a significant number of data packets before it receives the information necessary to match the extracted biometric sample to the stored reference template.
A similar situation also exists in the relevant art art where a biometric sample is processed by a local client and sent over a network to authentication server. While processing capabilities and available memory storage are not specific limitations, the large amount of data transmission and subsequent processing required by the authentication server limits the ability to perform multiple simultaneous authentication transactions and unnecessarily ties up communications channels and available bandwidth.
A statistically based method to improve false acceptance and rejection rates in matching a biometric sample is disclosed in U.S. patent application 2001/0048025. However, the statistical approach does not attempt to optimize for extraction of relevant biometric data nor addresses the prioritization of data packets for matching a reference biometric template.
Thus, it would be advantageous to provide a mechanism for use with biometric systems, which reduces the number and size of data packet transmissions and provides data packet transmission prioritization.