BR102013024095A2 - biometric recognition transaction authentication method - Google Patents

Abstract

Biometric Recognition Transaction Authentication Method The invention relates to a method for transaction authentication, wherein both the user's identity and the transaction itself are authenticated by voice, using speaker verification and speech recognition technologies, respectively. where authentication characterizes a signature for the transaction, not requiring the use of passwords and / or cards, tokens or equivalents. The method comprises the steps of entering transaction data, generating sentence with transaction data, reading aloud the generated sentence, recognizing the speaker by comparison with said biometric reference, recognizing speech by comparison with the generated sentence, extracting dynamic and transaction-specific data, audio components, and biometrically scan extracted data segments.

Description

AUTHENTICATION METHOD OF BIOMETRIC RECOGNITION TRANSACTIONS

Field of Application The present invention applies to the field of Information Technology with regard to transactions, particularly their security. More specifically, it refers to a method for transaction authentication, wherein both the user identity and the transaction itself are authenticated by voice, using speaker recognition and speech recognition technologies.

Such method provides a "signature" for the transaction, ensuring its authenticity, and may dispense with the use of passwords, cards, tokens and other such devices.

For a better understanding of the descriptive report, the following are some expressions and terms used in it.

Applet - application software that runs in the context of another program, usually performing very specific functions.

Bluetooth - is an industry specification for wireless personal networking areas providing a way to connect and exchange information between devices such as mobile phones, notebooks, computers, printers, digital cameras and digital video game consoles over a short-range radio frequency globally. licensed and secure.

Liveness detection - A set of techniques designed to perform vitality detection.

Non-keyboard - data entered by means other than the keyboard.

Near Field Communication (NFC) - A standard that allows wireless communication between two nearby devices.

Password - password Speech recognition - set of pattern recognition techniques used to perform speech recognition, ie given an audio file, to recognize the text being spoken in this audio.

Speaker recognition - set of pattern recognition techniques used to recognize the speaker, ie given an audio file, to recognize who is speaking in this audio.

Voiceprint - a trademark of the inventor Lawrence Kersta in the 1960s based on a sound spectrograph (cited in Bell Telephone Labs US Patent No. 2,440,385 dated July 16, 1946, to W.Koenig Jr.), for an identification system of individuals through the voice by means of a graph that displays the relative amplitude of the frequency components of a speech as a function of time, that is, a spectrogram. This term acquired a broader meaning and was later used to designate other representations of each individual's speech characteristics. Today, it is an obsolete designation which, although widely used in patents, should be replaced by the more accurate expression biometric reference described below.

Biometric Reference - According to ISO / IEC 2382-37 Harmonized Biometríc Vocabulary, still in its preliminary phase, the biometric reference may consist of one or more of: (i) biometric samples, for example, an image representing the biometric characteristic; (ii) biometric templates, that is, a set of biometric attributes comparable directly to proof biometric attributes; or (iii) biometric models, ie a function generated from biometric data. This term applies to any biometric trait (voice, face, fingerprint, etc.). In the context of speaker biometrics, the biometric reference is often called a template.

ZigBee - This term designates a set of specifications for wireless communication between electronic devices, with an emphasis on low operating power, low data rate and low deployment cost. It is intended to connect small data collection and remote control units using unlicensed radio frequency signals. The technology used is comparable to WiFi and Bluetooth networks and differs from them by lower consumption, reduced range (about 10 meters) and communications between two units can be repeated successively by the units on the network until reaching the final destination.

State of the Art The use of automatic biometric recognition techniques is already fairly widespread and has been applied to services such as physical access control, surveillance or authentication, with fingerprint and face being the most recurrent biometric features.

Regarding voice, although it is a very prolific field of study, applications using voice (or speaker) biometrics are still rare, although the use of voice, rather than another feature, is not new.

Some approaches have already been proposed for speaker recognition applications, such as artificial neural networks, vector quantization techniques, and Hidden Markov Models (HMM) based techniques.

More recently, the literature in the area has been dominated by techniques based on Gaussian Mixture Models (GMMs) to model data, usually from a Universal Background Model (UBM), followed by other classification techniques. , such as SVM (Support Vector Machines), JFA (Joint Factor Analysis) and iVector. This approach is used in many Machine Learning applications, and in a speaker recognition system a GMM is used as a generic probabilistic model capable of representing arbitrary multivariate densities. A GMM seeks to model this any distribution of multidimensional data as a linear combination of normal, or Gaussian, distributions.

In the case of speech, the data is usually obtained by a process of dividing the speech signal into frames, usually with overlapping adjacent frames, window trimming, attenuating the edges and thus avoiding the insertion of mainly high frequency distortions, followed by the extraction of parameters itself. The frame's duration is usually in the tens of milliseconds, while its frequency is in the order of a few kilohertz.

The most widely used parameters in speaker recognition applications are undoubtedly mel-cepstral coefficients, or MFCCs (Honey Frequency Cepstral Coefficients), which can be obtained, for example, by a technique known as bank analysis. filters. The mel-cepstral coefficients are the discrete cosine transform (DCT) of the signal energy logarithm resulting from the original signal filtering by a bandpass filter bank, where each filter defines a critical band (therefore often these bandpass filters are also called critical band filters), evenly spaced on the mobile scale and covering the spectrum of interest of the signal. The proposed method is independent of the techniques used for speaker recognition, whether in the parameter extraction, data modeling, classification or any other stage of the recognition process itself.

In general, authentication systems exist to guarantee or to make sure that a certain resource is being accessed by authorized persons. People authentication can be based on something the person knows, for example a password; something that the person has, for example, a card; or something the person is, such as biometrics. These factors can still be combined, often increasing authentication security but often compromising system usability.

However, such systems are subject to the action of fraudsters who attempt to access the resource without proper authorization. In the case of biometrics is no different.

One way to attack a biometric recognition system is by using a sample of the biometric trait (in question) of an authentic user to pass through it (for example, in the case of a face, a photo). In the case of speaker biometrics, a recording could be used.

This type of attack is known as spoofing and countermeasures to combat it from antispoofing. One category of techniques for this purpose is called liveness detection techniques, as they are known in the field of biometrics. Such techniques are employed to recognize that it is a real person who is trying to access the resource and not a photo or recording, for example.

In the case of voice, one of the liveness detection techniques used is to ask the person to speak a specific text known by the system; and then to associate speaker recognition software with a speech recognition system, the purpose of which is to extract audio from the content of what was spoken. Thus, you can compare this result with the text provided and check if they match.

Among the most commonly used techniques for this task, Markov hidden chains (HMM) represent the state of the art today. Nevertheless, there are also those who use neural networks and even a combination of neural networks and HMM.

All this framework can be used to authenticate a transaction, so that after a previous step of registering your biometric reference, a user is authenticated by reading a text provided by the system at the time of the transaction.

Although there are patent documents and other publications related to this subject, neither is speech used to simultaneously authenticate the user and the transaction. The fundamental difference from the method proposed by the present invention lies in the nature of the system generated text that should be read by the user. In this, the text must contain information of the transaction itself, ensuring, through speech, the signature of the transaction. In other words, the user authorizes the transaction by speaking it.

Understanding the state of the art various patent documents disclosing methods pertinent to the subject. Patent document EP1669836 A1 (Wang) where authentication is based on a system generated phrase. However, in this proposal, the generated phrase is a question based on the user's personal information; The user must speak the answer, which is then recognized by the system, which checks if it is correct. Therefore in Wang's patent proposal only the user is authenticated (not the transaction). In addition, a fraudster could have access to this personal information (socially engineered, for example), which is static and, with few user recordings, could circumvent the system. Publication W09900719 A1 (Van Compernolle et al.) “ACCESS-CONTROLLED COMPUTER SYSTEM WITH AUTOMATIC SPEECH RECOGNITION” discloses a system that controls a user's access using non-keyboard inputs. The idea is that the user can access a system using a different keyboard interface and then interact without using it. However, in this proposal access to the system is not done with a system generated phrase. The user says some information (for example, a password) that is checked for the sole purpose of freeing their access. Thus, the voiceover issued by the user does not feature a process signature. US2003037004A1 (Buffum et al.) “DIALOG-BASED VOICEPRINT SECURITY FOR BUSINESS TRANSACTONS” describes a system that allows users to authenticate a particular transaction by combining speech recognition and speaker recognition. The described architecture is of client-server type, where there is: an authentication server where the application in which the user intends to authenticate is executed; and a client running an applet that collects voice samples. The document does not define the type of device to capture, which may be a desktop, a phone, a mobile device, etc. The registration and user verification steps are described; and for each of the steps, the user interaction screens. Some features of the system revealed in this document are: (i) in the first registration step, the user reads his "account ID", and then reads the digits from 1 to 9; (ii) In the verification step, the user should not read data associated with the transaction he intends to perform, but rather a random digit sequence. That is, voice authentication does not work as a transaction signature and speech recognition is limited to reading digits. Publication W02006128171 (Di Mambro et al.) Entitled METHOD AND SYSTEM FOR BIO-METRIC VOICE PRINT AUTHENTICATION comprises receiving one or more utterances from a user, recognizing a phrase corresponding to one of the lines, identifying biometric characteristics designated as the user's voiceprint from the phrase received, determination of an associated device identifier, and user authentication based on the phrase, biometric characteristics, and device identifier. The location of the communication terminal or user may also be used as a criterion to allow access to one or more services. These biometric characteristics, or voiceprint, depend on the anatomical configuration of the vocal tract, and are user specific. As it turns out, the object of this document refers only to user identification regardless of the transaction content. Publication WO2012050780 (Moganti et al.) Entitled METHOD AND APPARATUS FOR VOICE SIGNATURE AUTHENTICATION refers to a scalable method for voice signature authentication used in various services such as user identification (used in banking), voice signature used as password allowing access to remote services and document retrieval as well as other services via the internet such as online shopping. The system comprises a voice signature server (VSS) that receives and stores miscellaneous information such as biometric characteristics, analog or digitized voice samples, voice channel properties, call information, authentication data, context (for example: (i) location, (ii) whether or not it is roaming), personal data, or any other information that may serve as a basis for creating a voice meta-signature. The goal is ultimately to confirm the user's identity without, however, taking into account the specific content of the transaction. In addition, the method does not use speech recognition and therefore does not check the content that is spoken.

As it turns out, none of the analyzed documents requires that the “meaning” of the incoming speech signal be tied to the operation to be performed by the user.

Also, when used, speech recognition is used only as a liveness detection mechanism, and although in some cases with dynamically generated phrase, it is quite limited in its content.

In summary, in prior art documents there is no relationship between the sentence to be read and the transaction to be performed.

Objectives of the Invention In view of the foregoing, it is the principal object of the present invention to provide a method for enhancing transaction security.

Another goal is to provide a method that dynamically relates transaction data to the generated phrase to be read by the user.

Still another object of the present invention is to provide voice authentication that acts as a transaction signature.

Another object of the present invention is to provide greater transaction security without forcing the user to memorize additional passwords or carry objects such as cards and tokens.

Summary Description of the Invention As will be seen from the following description, there are inherent advantages to using biometrics in authentication compared to traditional alphanumeric passwords because it cannot be stolen or borrowed, need not be memorized and cannot be inferred, discovered or guessed.

In addition, according to the invention to be set forth below there is a single procedure for simultaneously authenticating both the user and the transaction itself, which represents a true "signature" for the transaction, ensuring its authenticity.

The above objectives are achieved by the invention described below, which primarily comprises a method that, in a first step of registration, the user has one or more samples of his voice captured, and his biometric reference is created and stored by the system. .

In a second step, when wishing to perform a transaction, the method comprises a step where the user reads aloud a sentence constructed and provided by the system, with the transaction data itself whose text is dynamic, generated during the execution of the transaction, and the system records this reading. The new voice sample, provided with the sentence reading, is then compared with the previously obtained biometric reference to check whether it is the user's own or not, which constitutes the speaker verification step.

In parallel, by speech recognition, the system checks that the exact sentence generated by the system has been spoken, which serves not only to (i) prevent a recording from being used by fraudsters to circumvent the system (a form of liveness detection in jargon from the biometrics community), but also to (ii) “sign” the transaction in question, as the user will only read the verification sentence if the data is correct so that in the future it cannot be claimed that the transaction desired was not made.

In addition, dynamic and transaction-specific data is “trimmed” from the write and re-biometrically verified, reducing the chances of partial writes being used by fraudsters.

Description of the Figure The invention will be better understood from the following detailed description and the related figure, wherein: Figure 1 is a flowchart illustrating the step of performing a transaction and its steps.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT As already mentioned in the general description, the present invention provides a method that, in a first step of registration, the user has one or more samples of his voice captured and his biometric reference is created and stored by the system. .

In a later step, when a transaction is desired, the method proposes that the user read aloud a sentence, constructed and provided by the system, with the transaction data itself whose text is dynamic, generated during the execution of the transaction, and the system records this reading. The method of the invention is characterized by comprising the following essential steps: - Entering transaction data Through a human machine interface (web page or an application, among others), the user enters the desired transaction data (eg , by typing the transaction characteristics on a keyboard, mouse navigation, webshop screens, speech recognition, NFC, ZigBee, WiFi, Bluetooth, or any other human-machine media). This step is represented by step 1 of figure 1. - Generate Sentence with Transaction Data The system, based on user-entered data, automatically creates a sentence. This step is represented by step 2 of figure 1. - Read out the generated sentence The user records the reading of the sentence generated by the system and displayed to him. This step is represented by step 3 of figure 1. - Recognizing the speaker by comparison with said biometric reference Through computational algorithms (eg, Gaussian mix, artificial neural networks or Markov hidden chains, among others), the speech signal The recorded data is processed and compared to the stored biometric reference corresponding to the user in question. The answer can be either in the form of a binary decision (yes / no) or in the form of a score that expresses a measure of confidence that the speech signal was generated or not by the user. This step is represented in step 4 of figure 1. - Recognize speech by comparison with the generated sentence Through computational algorithms (such as artificial neural networks, Markov chains, deep belief network, among others), the recorded speech signal is processed and the content that has been spoken is extracted and compared to the sentence generated by the system. The answer can be either in the form of a binary decision (yes / no) or in the form of a punctuation that expresses a measure of confidence in the text recognized from This confidence can be measured individually for each acoustic event of the signal (speech / word, pause / silence etc.). In addition, the speech recognition system resumes the duration of each such event, allowing signal fragmentation to extract parts of interest. This step is represented in step 5 of figure 1. - Extract the transaction-specific and dynamic data, audio components Based on the answer of the previous two items, the system “cuts” the original speech signal, separating the parts of interest, that is, those that specifically refer to the transaction. This step is represented in step 6 of Figure 1. - Verify the extracted data segments biometrically Each of these parts of interest is also individually verified by the speaker verification system, comparing these signal segments with the stored biometric reference corresponding to the user in question. question. The answer can be either in the form of a binary decision (yes / no) or in the form of a punctuation that expresses a measure of confidence that that portion of the speech signal was generated or not by the user. This step is represented in step 7 of figure 1.

In the scenario of figure 1, if speaker or speech recognition fails, the transaction is not executed. It is obvious that this behavior can be changed so that, for example, the entire process is repeated until a certain maximum number of retries are reached before the transaction is denied. Other alternatives could be thought of without altering the scope of the invention.

As an example, consider the case of a bank transaction where the user wishes to make a transfer via Internet Banking or equivalent. The user first accesses their bank's website with their username and password.

Then enter the transfer data you want to make, such as the amount, agency, and destination account. The system then, according to the method of the invention, assembles with this data a sentence to be read by the user, such as: “Transfer X reais to account A, agency B.” The system then records the reading of this sentence. , made by the user to authenticate this operation. The voice sample is biometrically analyzed to verify that it is the voice of the user whose account is being accessed. This same sample also goes through a speech recognition system, which checks if what was said matches the sentence given.

Then, and optionally only if the biometric and speech checks are successful, the system uses the speech recognition result to segment the speech sample and obtain only the dynamic and operation-specific sections, for example, “X”, “ A ”and“ B ”. These three passages are also each individually verified by biometrics.

Consider as another example the case of an online store where the user wants to buy a product over the internet.

He first accesses the online store website with his username and password.

Then, select an item available on the site for purchase and select an option to confirm the purchase, specifying, for example, the form of payment (debit or credit). Such selection can be made, for example, by means of the keyboard, by speaking or by navigating with a mouse in one or more screens of the online store. The system then, according to the method of the invention, assembles, with this data, a sentence to be read by the user, such as: “Buy item X, in the value of real Y, with payment option Z.” As in In the previous example, the system records the reading of the phrase made by the user to authenticate the operation. The voice sample goes through a speech recognition system that checks if what has been said matches the given sentence and is also biometrically analyzed to see if it is actually the owner of the accessed account that is performing the transaction.

Then, and also as in the previous example, the sections “X”, Ύ ”and“ Z ”can also be verified by biometrics.

Another example would be the case of a Near Field Communication (NFC) transaction performed by an application installed on a smartphone where the user wishes to purchase a product.

He first performs the registration of his personal data, including, for example, credit card data. In this registration process, the user also performs the biometric registration of his voice. All this data is stored in a secure area of the app on the smartphone.

After registering, the user is able to make a purchase via NFC. For this, the user simply has to approach an item available for purchase, containing an NFC code tag, from your smartphone. The application then, according to the method of the invention, assembles, with the data of the item being purchased, a sentence to be read by the user, such as: “Purchase of item A, in the value of B reais, with option of payment C, ”The smartphone app records the reading of this phrase by the user to authenticate this purchase. As in the previous examples, this voice sample goes through a speaker and speech recognition system and, if successful in these checks, the speech sample can be segmented and sections “A”, “B” and “C” can be checked separately. Then the smartphone app contacts the store to send the transaction details. The realization of the presented scenarios is merely exemplary, not limiting the scope of the invention. Thus, access to the website of a bank, online store or equivalent institution may be through any communication device such as a computer, a smartphone, a tablet, a bank totem, or equivalent.

In addition, the operation data can be entered by typing, speaking, browsing the institution's website through mouse or touch screen, ZigBee, WiFi, bluetooth communication or approaching an item containing the NFC tag, among others. others.

Accordingly, for one skilled in the art, many variations of the invention will be possible, without departing from the scope of the invention, which will be defined by the following claims.

Claims (7)

1. Biometric recognition transaction authentication method, comprising a prior registration step, in which one or more samples of the user's voice are captured and their biometric reference is created and stored, comprising both user authentication and the transaction itself by performing the following steps: - Enter the transaction data into a communication device; - Automatically generate a sentence based on transaction data; - Read aloud the generated sentence; - Recognize the speaker by comparison with said biometric reference; - Recognize speech by comparison with the generated sentence. Method according to claim 1, characterized in that it further comprises the steps of: - Extracting dynamic and transaction-specific data, audio components; - Biometrically check the extracted data segments. Method according to claim 1 or 2, characterized in that the generated sentence is displayed on the communication device screen. Method according to claim 1, 2 or 3, characterized in that the speaker recognition comprises capturing the reading, aloud, of the sentence displayed on the screen containing the transaction data and, by means of computational algorithms, comparing the biometric characteristics of the voice captured with the previously registered biometric reference. Method according to claim 1, 3 or 4, characterized in that speech recognition comprises the transcription by computational algorithms of the sentence read and its comparison with the sentence containing the transaction data. Method according to any one of claims 1 to 5, characterized in that the answer given by the method is a binary decision. Method according to any one of claims 1 to 5, characterized in that the answer given by the method is expressed as a measure of confidence.