RU2670648C1 - Interactive method of biometric user authentication - Google Patents

Abstract

FIELD: biometrics.SUBSTANCE: invention relates to biometric authentication methods. On the side of the authentication center (AC) a request signal sent by a computer tool (CT) user is formed, and a decision on authentication by comparing the response received from the user with the biometric characteristics of legitimate users from the AC database is taken. Request signal for each successive authentication cycle is formed again, according to the program ensuring the inclusion of the part controlling at least one of the information display devices in the CT in its composition. Request signal is formed so that its audio and/or visual display is an irritant, stimulating a physiological response at the unconscious level, depending on his individual characteristics, which is dynamically registered by means of at least one sensor in the CT. It is taken into account when forming the response signal transmitted by the AC, on the side of which the authentication solution is generated by means of calculations with the initial data presented by the response received and characteristics of legitimate users.EFFECT: technical result consists in improvement of reliability of user authentication.5 cl

Description

The invention relates to biometric authentication methods of users, in particular, mobile computer tools (CS) - smartphones, tablets, laptops, etc. - with installed touch systems, in particular, photo / video cameras and / or touch-sensitive (touch) screens (English - touch-screen).

Biometric authentication systems, including the appropriate methods (technologies) and the CS supporting them, are most convenient for users, because they are based on the parameters of a person who is always with him. Therefore, their security problems do not arise - unlike passwords and storage media, which are less secure in this regard, since they can be lost, stolen, copied [1]. However, the known methods of biometric authentication of a user — not only static (based on invariant physiological characteristics of a person), but also dynamic (based on also, in principle, invariant behavioral characteristics, manifested in the form of subconscious movements during human reproduction of a predetermined action) vulnerability to malicious attacks. They are related to the fact that, on an untrusted CS, in principle, it is not excluded that any invariant characteristics are fake - for example, by memorizing previous ones and replaying (regardless of the actual reaction), etc. [2].

In this respect, interactive methods (ie, not based on the user’s passive presentation of invariant characteristics, but on the active interaction between him and the CS) are much more robust because of the characteristics that need to be presented in this authentication cycle in advance unknown since they are a response to a new request.

Interactive (however, not fully meeting the criteria of biometrics in connection with the development of a response by a person not on the unconscious, but on a conscious level) refers to the method of user authentication (in this case, not as a specific individual, but as a bioobject, unlike programmed KS), called "captcha" (from the English. SARTSNA - Completely automated public Turing test to distinguish between computers and people) [3]. For its passage, the user is offered the simplest for a person, but difficult to algorithmize task, the solution of which he must present: for example, read and enter the number (word) of the distorted pattern, recognize and highlight a series of fogged images in pictures, etc.

The unpredictability of the request, and, consequently, the impossibility of predicting the correct answer, are the strengths of the captcha, however, this test cannot be used as an interactive method of personal authentication (with the establishment of a specific user), but only for group authentication purposes, and besides, it is unlike from true biometric methods - requires conscious activity.

The closest to the invention is the user authentication method [4], which with good reason can be positioned as a biometric and interactive - but, due to the invariance of the request, does not realize the potential of the latter.

This method involves two-way communication between the user of the CS and the authentication center (AC): on the side of the AC, a request signal is sent by the CS to the user, and the authentication decision is made by comparing the response received from the user with the biometric characteristics of legitimate users from the database of the AC.

The basis of the known method is authentication of the iris (iris) of the eye - a technology that is recognized as the most accurate among other biometric authentication technologies, however, due to the high price of electronic-optical modules that scan the iris, it is relatively uncommon. In particular, all mass-produced tablets and smartphones with front-facing cameras installed, displaying users' faces, cannot be supported by this technology, because the resolution of general-purpose cameras installed in them is much less than is necessary to distinguish the smallest details of the structure of irises in the images used in as authentication features [5].

Its feature — essentially making the method interactive — consists in that, along with the use of the generally accepted user authentication algorithm in the image of the iris, a short flash of light is sent to it as a request, and in response the presence of pupillary motility is recorded as an addition to the biometric template legitimate user. This makes this - static in its basis - a way less vulnerable to attacks by intruders, excluding the interactive addition of the possibility of cheating the system by presenting a scanned or dead eye to the scanner.

The objective of the invention is to further increase the stability of the method in relation to malicious attacks. The technical result associated with its solution - the creation of the most reliable, and at the same time, easy-to-use biometric authentication systems - is not limited to specialized systems, but extends to mass products - smart phones and tablets as standard.

This problem is solved by the fact that in the interactive method of biometric user authentication based on two-way communication between the user of the CS and the AD, in which a request signal is sent on the AC side, sent by the CS of the user, and decide on authentication by matching the response received from the user, with the biometric characteristics of legitimate users from the database of the AC, the request signal for each successive authentication cycle is formed again. This allows you to make changes, including random, in the next signal in relation to the previous one.

The program, which form the request signal, should ensure the inclusion in its composition of the part controlling at least one of the information display devices in the CS, and so that its audio and / or visual display is an irritant that stimulates the user to unconscious level of physiological response, depending on its individual characteristics. This reaction is dynamically recorded by means of at least one sensor in the CS, and is taken into account when generating the response signal transmitted by the AC. On the side of the AC, the decision on authentication is generated by means of calculations with the initial data presented by the received response and the characteristics of legitimate users (natural biometric images of "one's own") from the database of the AC.

Thus, for the first time, not static images were taken as authentication features (and corresponding biometric characteristics), but functions reflecting individual (ideally unique for each person) features of unconscious physiological reactions stimulated by audiovisual stimuli (essentially unconditioned reflexes) .

Audiovisual stimuli of sufficient strength, as is well known - even without regard to their semantic content - at the unconscious (unconditionally reflex) level have a noticeable effect on the human condition, leading, in particular, to changes in heart rhythm, pupil diameters of the eyes, etc. Since the body of each person is unique in nature, it is certainly unique and the nature (flow dynamics) of such reactions. Solving the problem of using the individual features of these functions as user authentication features is thus reduced to the correct choice of the appropriate reaction — assuming, in particular, that its excitation and registration be provided by the capabilities of the CS in the basic configuration.

Obviously, replacing static biometric templates of legitimate users with dynamic functions of biological processes that reflect their individual characteristics, does not allow to make a decision on authentication by comparing the response of a given user with a set of reference ones, but requires making such a decision by means of calculations with the above initial data, having its natural origin is a significant factor of uncertainty. Therefore, to solve this problem, it is advisable to use artificial neural networks that are used in biometric identification systems [6] precisely because they are capable of producing the correct result based on data that was partially missing in the training set, as well as incomplete and / or “noisy”.

These differences, in principle, solve the problem of the invention, since the biometric user authentication method, in which the interactive test is not an additional criterion (the presence of pupillary motility) in relation to the main, static criterion - matching the iris pattern to the biometric pattern, but basically interactive, and with a variable request signal, is significantly more resistant to malicious attacks. As for the accuracy of authentication achievable in it, it is not determined by this principle, but by the choice of the appropriate reaction and the technical details of implementation, which are discussed below.

In some cases, it may be advisable to register (during irritation from the CS) at least one of the indicators of the user's heart activity. These include heart rate or pulse wave, which, according to physiology, are subject to reflex changes under external influences, and therefore at an unconscious level must respond to the display of the CS, at least one of the stimuli: audio (including, in infrasonic area - from the side of the vibrator) or visual. Sensors built into the CS and suitable for recording those are the camera, which is switched to the capillary blood measurement mode, and / or its touch screen. At least one user's finger should be brought into contact with at least one of these sensors in order to complete the registration. A number of models of modern smartphones, using specialized applications, are known to be able to measure the pulse of the capillary blood volume of a finger pad without a special photoelectric sensor, which was needed earlier, but through an integrated photo / video camera with a nearby light source (flash lamp). In addition, the touch screen has a touch screen of a smartphone, which you can also try to use in this capacity. Registration of heart rhythms in two spaced points (fingertips of both hands) allows you to register a pulse wave - a characteristic more informative than the heart rate received at one point.

The most accurate and convenient for most practical applications of the method implementation is the registration of the user's eye pupil motility in response to a request signal of an AC, the display of which dynamically forms an audiovisual stimulus presented at each time point by at least one of the following factors: brightness and / or color of the screen, frequency and / or loudness of the sound of the electro-acoustic transducer.

Constriction of the pupils with increasing light is well known. Therefore, taking into account the individual characteristics of color perception, individual differences in the characteristics of both eyes in one person, and different reaction rates in different people, the possibility of successfully applying this reflex to authenticate the user of the COP is obvious. Compared with the options based on cardiac activity, this variant has high sensitivity and low inertia. This option is completely contactless, and the presence of glasses or contact lenses is not an obstacle to its use. The fact that, according to physiology, the pupils of a person react not only to light, but also to sound, also contributes to the achievement of the highest accuracy of authentication in it, the so-called. cochleopupillary (cochlear-pupillary) Holmgren-Shurygin reflex [7]. Obviously, with a complex audiovisual irritant, it is possible to identify and use much more individual features of pupillary mobility — the user's distinguishing features — than with a visual one. In addition, for the registration of pupillary motility - in contrast to the recognition of the smallest details of the structure of irises - the resolution of the cameras of smartphones is sufficient.

In accordance with this, it is advisable to display the user's face during the audiovisual exposure by means of the front camera of the CS, and then program the CS processor so that it recognizes pupils on each display and calculates — for each eye individually — the current changes in the pupil diameters relative to initial (thereby minimizing the effect of ambient light), and the sequence of calculated values characterizing the pupillary motility, transmitted for sending AC.

These calculations, depending on the functionality and speed of the processor, can be performed either in real time (on-line or in-line) or off-line — namely, with a sequence of initial mappings with processing written to the buffer memory and transfer the result of the AC at the end of the recording cycle. They require a special software application, which should be installed in the COP.

Obviously, the changing image on the CS screen, when demonstrated, detects the motor skills of pupils of the eyes, presents many requirements, the most important of which is the unconditional user motivation to focus on the image from a short distance, clearly fixing the gaze at a certain point on the screen.

To do this, it is advisable to include an inquiry signal in the control program in the central zone of the screen - as a mandatory object to be examined in the field of view that fixes the position of the eye - images with fine details, for example, from the captcha used in the test, and for the peripheral zone to change brightness and / or color luminescence controlling pupillary motility.

Combining the described method, therefore, with passing the captcha test is the best solution to this problem, because there can be no more compelling motive for the user to accomplish what is required of him than the need to recognize the hidden symbolism in the image, which he must enter in the COP, otherwise the test will not be passed.

In accordance with the foregoing, the described method is new, inventive and industrially applicable. The best results can be achieved by using it to ensure the security of remote user interaction through untrusted CSs with network services that support the authentication procedure (that is, play the role of an AC), including for verification and / or authorization purposes, for example, for remote banking services or the provision of public services. On the other hand, in simpler and less important cases (when user authentication is performed by the CS without the involvement of third-party ACs) - for example, to unlock the CS screen after switching on - the application of the described method is impractical.

INFORMATION SOURCES

1. Biometric authentication: system protection and user privacy. - https://www.osp.ru/os/2012/10/13033122/

2. Konyavsky V.A., Lopatkin S.V. Computer crime. In 2 volumes. T.2. - M .: RFK-Image Lab, 2006. - 840 p.

3. Captcha. Source - https://ru.wikipedia.org/wiki/Kapcha

4. Biometrics Researcher Asks: Is that Eyeball Dead or Alive? - https://spectrum.ieee/org/

5. Biometric authentication systems. - https://android-smartfon.ru/article/biometricheskie-sistemy-autentifikikii

6. Protection of information. Information security techniques. Automatic training of neural network converters "biometrics-access code". - GOST R 52633.5-2011.

7. (Holmgren-) Shurygin (cochlear-pupillary) reflex | Saratov neurological portal. http://www.neurosar.ru/?page_id=4726

Claims (5)

1. An interactive user biometric authentication method based on two-way communication between a user of a computer tool (CS) and an authentication center (AC), in which a request signal is sent on the AC side, sent by the user CS, and an authentication decision is made by matching the response received from side of the user, with the biometric characteristics of legitimate users from the database of the AC, characterized in that the request signal for each subsequent authentication cycle form again, according to the program ensuring the inclusion in its structure of the part that controls at least one of the information display devices in the CS, so that its audio and / or visual display is an irritant that excites the physiological response of the user at an unconscious level depending on its individual characteristics, which is dynamically registered by means of at least one sensor in the CS, and taken into account when generating the response signal transmitted by the AC, on the side of which the decision Authentication is generated by computing the source data represented by the received response and the characteristics of legitimate users. 2. The method according to p. 1, characterized in that register at least one indicator of the user's heart activity: heart rhythm and / or pulse wave, in response to the display of the COP, at least one stimulus: audio (in t. in the infrasonic region - from the vibrator side) and / or visual, by means of the built-in camera transferred to the capillary blood filling measurement mode and / or the CS touch screen, for which at least one user's finger is brought into contact with at least least one of these sensors. 3. The method according to claim 1, characterized in that they register the motility of the pupils of the user's eyes in response to the request signal of the AC, the display of which by the CS forms the audiovisual stimulus presented at each time point by at least one of the following factors: brightness and / or the color of the glow of the screen, the frequency and / or loudness of the sound of the electroacoustic transducer QS 4. The method according to paragraphs. 1, 3, characterized in that during an audiovisual exposure, the user's face is displayed at a given frequency by a front camera; the CS processor is programmed so that it recognizes pupils on each display and calculates — for each eye individually — the current changes in pupil diameters from relation to the initial, and a sequence of calculated values passed to send the AC. 5. The method according to paragraphs. 1, 3, characterized in that they register the motility of the user's pupils of the eye in response to the request signal of the AC, the control program of which includes the formation of an object in the user's view in the central area of the CS screen that records the position of the eyes - fine details, for example, from among the captcha used in the dough, and for the peripheral zone of the screen, the COPs set a luminance varying in brightness and / or color, controlling the pupillary motility.