METHOD AND SYSEM FOR FINGERPRINT VERIFICATION AND ENROLLMENT WITH SECURE STORAGE OF TEMPLATES

Abstract

A method (600) for fingerprint verification of a user is presented. The method (600) comprises receiving (602) a sample (108) of a fingerprint from the user, extracting (604) key points (204) from the sample (108), extracting (606) descriptors (202) from the sample (108), wherein the descriptors (202) are based on information gathered from areas surrounding the key points (204), retrieving (608) enrolled descriptors (302), matching the descriptors (202) and the enrolled descriptors (302), thereby forming a list (304) of matching descriptor pairs, transferring (610) the list (304) of matching descriptor pairs and the key points (204) from a first module (104) to a second module (106), retrieving (614) enrolled key points (308), matching (616) the key points (204) and the enrolled key points (308) in combination with the list (304) of matching descriptor pairs, and in case of match (618), signaling (620) a positive verification outcome using the second data communications device (122), else, signaling (622) a negative verification outcome using the second data communications device (122).

Claims

1. A method for fingerprint verification of a user by using a system comprising a first module provided with a first processor, a first memory and a first data communications device, and a second module provided with a second processor, a second memory and a second data communications device, the method comprising receiving a sample of a fingerprint from the user by the first module, extracting key points from the sample using the first processor, extracting descriptors from the sample using the first processor, wherein the descriptors are based on information gathered from areas surrounding the key points, retrieving enrolled descriptors from the first memory, matching the descriptors and the enrolled descriptors using the first processor, thereby forming a list of matching descriptor pairs, transferring the list of matching descriptor pairs and the key points from the first module to the second module (106) using the first and second data communications device, retrieving enrolled key points from the second memory, matching the key points and the enrolled key points in combination with the list of matching descriptor pairs using the second processor, and in case of match, signaling a positive verification outcome using the second data communications device, else, signaling a negative verification outcome using the second data communications device.

2. The method according to claim 1, wherein the step of extracting sample descriptors from the sample by using the first processor is performed by using a general-purpose image analysis algorithm for identifying descriptors, and wherein the step of extracting sample key points from the sample by using the first processor is performed by using a fingerprint specific algorithm for identifying key points and the position data and the direction data associated to the key points.

3. The method according to claim 1, wherein for each descriptor of the sample descriptors and the enrolled descriptors, a combination of features related to any one selected from a group consisting of colour, texture, shape, motion and location is provided.

4. The method according to claim 1, wherein an operating speed of the first processor is greater than an operating speed of the second processor.

5. The method according to claim 1, wherein the first module is a micro-controller unit (MCU) and the second module is a secure element (SE).

6. The method according to claim 1, wherein the first module and the second module are provided on a smart card.

7. A method for fingerprint enrollment of a user by using a system comprising a first module provided with a first processor, a first memory and a first data communications device, and a second module provided with a second processor, a second memory and a second data communications device, the method comprising receiving a sample of a fingerprint from the user by the first module, extracting key points from the sample using the first processor, extracting descriptors from the sample using the first processor, wherein the descriptors are based on information gathered from areas surrounding the key points, enrolling the descriptors to the first memory, thereby forming enrolled descriptors stored on the first memory, transferring the key points from the first module to the second module, and enrolling the key points to the second memory, thereby forming enrolled key points stored on the second memory.

8. A first module, such as a micro-controller unit (MCU), comprising a first processor, a first memory and a first data communications device, wherein the first module is configured to receive a sample of a fingerprint from the user by the first module, extract key points from the sample using the first processor, extract descriptors from the sample using the first processor, retrieve enrolled descriptors from the first memory, match the descriptors and the enrolled descriptors using the first processor, thereby forming a list of matching descriptor pairs, and transfer, using the first data communications device, the list of matching descriptor pairs and the key points from the first module to a second module, such as a secure element (SE), comprising a second processor, a second memory, and a second data communications device, wherein the second module is configured to receive the list of matching descriptor pairs and the key points from the first module using the second data communications device, retrieve enrolled key points from the second memory, match the key points and the enrolled key points in combination with the list of matching descriptor pairs, and in case of match, signal a positive verification outcome using the second data communications device, else, signal a negative verification outcome using the second data communications device.

9. The second module, such as the secure element (SE), comprising the second processor, the second memory, and the second data communications device, wherein the second module is configured to receive the list of matching descriptor pairs and the key points from the first module according to claim 8 using the second data communications device, retrieve enrolled key points from the second memory, match the key points and the enrolled key points in combination with the list of matching descriptor pairs, and in case of match, signal a positive verification outcome using the second data communications device, else, signal a negative verification outcome using the second data communications device.

10. A system comprising a first module, such as a micro-controller unit (MCU), and a second module, such as a secure element (SE), wherein the first module comprises a first processor, a first memory and a first data communications device, wherein the first module is configured to receive a sample of a fingerprint from the user by the first module, extract key points from the sample using the first processor, extract descriptors from the sample using the first processor, retrieve enrolled descriptors from the first memory, match the descriptors and the enrolled descriptors using the first processor, thereby forming a list of matching descriptor pairs, and transfer, using the first data communications device, the list of matching descriptor pairs and the key points from the first module to the second module, wherein the second module comprises a second processor, a second memory, and a second data communications device, wherein the second module is configured to receive the list of matching descriptor pairs and the key points from the first module using the second data communications device, retrieve enrolled key points from the second memory, match the key points and the enrolled key points in combination with the list of matching descriptor pairs, and in case of match, signal a positive verification outcome using the second data communications device, else, signal a negative verification outcome using the second data communications device.

11. The system according to claim 10, wherein the system is a smart card.

12. The system according to claim 10, further comprising a finger print reader for capturing the sample of the fingerprint.

13. The system according to claim 10, wherein the system is part of a payment solution.

14. A non-transitory computer-readable medium having stored thereon instructions which, when the program is for implementing the method according to claim 1, when executed on the first module and the second module having processing capabilities.

15. A non-transitory computer-readable medium having stored thereon instructions for implementing the method according to claim 7, when executed on the first module and the second module having processing capabilities.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] Embodiments of the invention will now be described, by way of example, with reference to the accompanying schematic drawings, in which

[0030] FIG. 1 is a general illustration of a system for fingerprint verification and fingerprint enrollment.

[0031] FIG. 2 is a more detailed illustration of the system during fingerprint enrollment.

[0032] FIG. 3 is a more detailed illustration of the system during fingerprint verification.

[0033] FIG. 4 illustrates another embodiment of the system.

[0034] FIG. 5 is a flowchart illustrating a method for fingerprint enrollment.

[0035] FIG. 6 is a flowchart illustrating a method for fingerprint verification.

DETAILED DESCRIPTION

[0036] FIG. 1 generally illustrates a system 100 for fingerprint verification by way of example. The system 100 comprises a fingerprint reader 102, a first module 104, herein exemplified by a mobile phone, and a second module 106, herein exemplified by a secure element (SE). After a sample 108 is captured by the fingerprint reader 102 this can be transferred to the first module 104. In the first module 104, a first part of the verification can be performed, as described more in detail below. After having performed this first part, extracted sample data 110 can be transferred from the first module 104 to the second module 106. To perform the first part of the verification, the first module 104 can comprise a first processor 112, a first memory 114 and a first communications device 116. Similarly, to perform the second part of the verification, the second module 106 can comprise a second processor 118, a second memory 120 and a second communications device 122.

[0037] The template can be divided into two different sets of data, one set being stored in the first memory 114 and another set being stored in the second memory 120. An advantage of having different sets stored in different parts of the system 100 is that the set stored in the first memory 114 may be information of less sensitive nature, that is, information that cannot be used on its own for recreating fingerprint information, while the set stored in the second memory 120 may be of more sensitive nature, that is, information that should not be spread. This combined with that a processing capability of the first processor 112 can be greater than a data processing capability of the second processor 118 provides for that verification operations involving significant data processing and template data of less sensitive nature can be performed in the first module 104 and verification operations involving less significant data processing and template data of sensitive nature can be performed in the second module 106.

[0038] In case it already in the first module 104 can be concluded that there is no match between the template and the sample, a first verification outcome 124 may be output from the first module 104. Alternatively, instead of or in addition to providing a binary statement, the first verification outcome 124 may comprise information about the verification performed in the first module 104. From the second module 106, a second verification outcome 126 may be output. This may be a binary statement of match or no match, but it may also be more detailed output comprising information about the verification performed in the second module 106.

[0039] In case the second module 106 is a smart card comprising the secure element, it is possible to instead of providing the second verification outcome 126, make crypto keys and functions on the smart card available such that external software may access these. This approach improves the security and makes fraudulent abuse more difficult.

[0040] FIG. 2 illustrates a more detailed illustration of the example generally illustrated in FIG. 1. More specifically, FIG. 2 illustrates how the system 100 can be used during an enrollment process by way of example.

[0041] As illustrated in FIG. 1, the sample 108 can be fed to the first module 104. To extract information from the sample, an extractor 200 can be used. The extractor 200 can be a piece of software stored on the first memory 114 and executed by using the first processor 112. The extractor 200 can have dual purposes. On one hand, it can provide for that the descriptors 202 are extracted from the sample 108 and on another hand, it provides for that key points 204 can be extracted. A difference in this context between descriptors 202 and key points 204 is that descriptors 202 are descriptions of general visual features in the sample 108, while the key points 204 are fingerprint specific features, such as points or areas of specific relevance for fingerprint comparison purposes. As illustrated, the descriptors 202 can be stored in the first memory 114 and the key points 204 may be transferred to the second module 106 and stored in the second memory 120.

[0042] The descriptors 202 may be based on the key points 204. More particularly, the descriptors 202 may be based on information gathered from areas surrounding the key points 204. For instance, if a swirl center of the finger print is identified as the key point, an area surrounding the swirl center may be used as basis for the descriptor.

[0043] FIG. 3 illustrates how the system 100 can be used during a verification process by way of example.

[0044] In line with the enrollment process, the sample 108 can be received by the first module 104, and the descriptors 202 and the key points 204 can be extracted from the sample by using the extractor 200.

[0045] After having extracted the descriptors 202 and the key points 204, the descriptors 202 can be transferred to a descriptor matcher 300. In addition to the descriptors 202, enrolled descriptors 302, that is, descriptors transferred to the first memory 114 during the enrollment process, retrieved from the first memory 114 are fed to the descriptor matcher 300. Next, the descriptor matcher 300 can compare the descriptors 202 and the enrolled descriptors 302, which forms part of the template, to form a list 304 of matching descriptor pairs, that is, a list of points or areas in the sample 108 that are to be found both among the descriptors 202 and the enrolled descriptors 302. A matching descriptor pair may comprise one point or area found both among the descriptors as well as the enrolled descriptors. Put it in other words, one point or area among the descriptors which may match one point or area among the enrolled descriptors.

[0046] The list 304 of matching descriptor pairs and the key points 204 can be transferred from the first module 104 to a matcher 306 in the second module 106. In addition to the list 304 and the key points 204, enrolled key points 308 can be retrieved from the second memory 120 and be fed into the matcher 306. In the matcher 306, the key points 204 can be compared with the enrolled key points 308 in order to determine whether the two originates from the same finger, i.e. that it can be verified that the finger related to the sample 108 is the same finger as was used during the enrollment process.

[0047] By also providing the list 304 of matching descriptor pairs, the matcher 306 can be provided with additional input, thereby making it possible to achieve a higher degree of certainty. For instance, by using the list 304, more particularly using a number of identified pairs and to what degree these pairs are found to match, in combination with a comparison of the key points 204 and the enrolled key points 308, for instance a number of matching key points pair and to what degree they match, a similarity score can be determined. In case the similarity score is above a threshold, a positive verification outcome can be output.

[0048] FIG. 4 illustrates an embodiment in which part of the system 100 is comprised in a smart card 400. More particularly, the smart card 400 may comprise the first module 104 and the second module 106. The smart card 400 may be used for different applications where an identity of the user is to be confirmed. For instance, the smart card 400 may be a payment card. The first module 104 may be a micro-controller unit (MCU) and the second module 106 may be a secure element (SE).

[0049] The sample 106 may be provided to the smart card 400 via a mobile phone equipped with the fingerprint reader 102 or the smart card itself may comprise the fingerprint reader 102, even though not illustrated.

[0050] The smart card 400 may be configured to communicate with external devices using for example contactless near-field communication (NFC).

[0051] FIG. 5 is a flowchart illustrating a method 500 for fingerprint enrollment of the user by using the system 100.

[0052] First, the sample 102 can be received 502.

[0053] Next, the key points 204 can be extracted 504 from the sample 102 by using the first processor 112, and the descriptors 202 can be extracted 506. The descriptors (202) may be based on information gathered from areas surrounding the key points (204).

[0054] The descriptors 202 can be enrolled 508 in the first module 104, while the key points 204 can be transferred 510 to the second module 106 and enrolled 512 in the second module 106.

[0055] As can be readily understood by the skilled person in the art, the flow chart illustrated in FIG. 5 presents one out of many possible orders of the steps involved in the enrollment process.

[0056] FIG. 6 is a flow chart illustrating a method 600 for fingerprint verification.

[0057] First, the sample 108 of the fingerprint from the user can be received 602 by the first module 104.

[0058] Thereafter, the key points 204 from the sample 108 can be extracted 604 by using the first processor 112. Further, the descriptors 202 can be extracted 606 from the sample 108 by using the first processor 112. The descriptors (202) may be based on information gathered from areas surrounding the key points (204).

[0059] The enrolled descriptors 302 can be retrieved 608 from the first memory 114.

[0060] Next, the descriptors 202 and the enrolled descriptors 302 can be matched 610 by using the first processor 112, thereby forming the list 304 of matching descriptor pairs.

[0061] The list 304 of matching descriptor pairs and the key points 204 can be transferred 612 from the first module 104 to the second module 106 by using the first and second data communications device 116, 122.

[0062] The enrolled key points 308 can be retrieved 614 from the second memory 120.

[0063] Thereafter, the key points 204 and the enrolled key points 308 can be matched in combination with the list 304 of matching descriptor pairs using the second processor 118.

[0064] In case of match 618, a positive verification outcome can be signaled 620 by using the second data communications device 122, else, a negative verification outcome can be signaled 622 using the second data communications device 122.

[0065] By having the list 304 of matching descriptor pairs and since the descriptors 202 can be based on the key points 204, information on which of the key points 204 and the enrolled key points 308 that correspond to each other can be indirectly provided. This may be utilized in different ways. For instance, the information may be used for aligning the key points 204 and the enrolled key points 308 or it may be taken into account during the comparison by for instance determining differences, such as translational and rotational differences, between the key points 204 and the enrolled key points 308.

[0066] As can be readily understood by the skilled person in the art, the flow chart illustrated in FIG. 6 presents one out of many possible orders of the steps involved in the verification process.

[0067] From the description above follows that, although various embodiments of the invention have been described and shown, the invention is not restricted thereto, but may also be embodied in other ways within the scope of the subject-matter defined in the following claims.

METHOD AND SYSEM FOR FINGERPRINT VERIFICATION AND ENROLLMENT WITH SECURE STORAGE OF TEMPLATES

Assignee

Inventors

Cpc classification

Classification Explorer

H04W12/06

ELECTRICITY

Classification Explorer

H04L9/3231

ELECTRICITY

Classification Explorer

G06V40/50

PHYSICS

Classification Explorer

H04L63/0861

ELECTRICITY

Classification Explorer

G06F21/32

PHYSICS

Classification Explorer

G06V40/1347

PHYSICS

Classification Explorer

G06V40/1365

PHYSICS

Classification Explorer

H04L63/08

ELECTRICITY

Classification Explorer

G06F21/30

PHYSICS

International classification

Classification Explorer

G06F21/32

PHYSICS

Classification Explorer

G06V40/12

PHYSICS

Classification Explorer

G06V40/50

PHYSICS

Abstract

Claims

Description