JP7639818B2 - Authentication server, facial image update recommendation method, and computer program - Google Patents

Description

The present invention relates to an authentication server, a facial image update recommendation method, and a storage medium.

In recent years, various services using biometric information have started to become popular. For example, facial recognition is used for various procedures at airports (check-in, baggage drop-off, etc.) and hotel check-in.

In services that use facial recognition, the process is as follows: First, a terminal (installed at an airport or hotel) captures a facial image of the customer and generates features (feature vectors) that characterize the facial image. The generated features are then sent to a server on the network.

The server has a database that stores the biometric information and personal information (such as name and address) of users who receive services using facial recognition. When the server receives a matching request from the terminal, it searches (matches) the database and identifies the biometric information and personal information that correspond to the matching request from the terminal. The server transmits the identified personal information to the terminal, and the terminal installed at the airport or other location performs operations based on the acquired personal information.

Technological development is progressing regarding authentication using biometric information.

For example, Patent Document 1 states that a mobile information terminal device capable of improving the authentication success rate is provided. In the technology disclosed in Patent Document 1, when authentication is successful, assuming that certain conditions are satisfied, feature information when authentication failed in an authentication process performed prior to the successful authentication process (failure feature information) is added to a feature information storage unit as new registered feature information. In subsequent authentication processes, authentication is performed using the failure feature information in addition to the registered feature information already stored in the feature information storage unit.

Patent document 2 describes that the authentication device reduces authentication errors that occur due to the user's habit of reading biometric information or due to changes in the user's biometrics over time. The authentication device of Patent document 2 includes a user table, a fingerprint image reception unit, an authentication unit, a temporary storage unit, a comparison unit, and a replacement unit. The user table stores a fingerprint image as an authentication image. The fingerprint image reception unit accepts a fingerprint image. The authentication unit compares the fingerprint image with the authentication image and authenticates it. The temporary storage unit temporarily stores the fingerprint images accepted before authentication is successful as temporary storage images. If authentication is successful, the comparison unit compares the temporary storage image with a failure image associated with the authentication image, and if it is determined that they match, it counts up the number of matches corresponding to the failure image. If it is determined that they do not match, the comparison unit stores the temporary storage image as a failure image in association with the authentication image. The replacement unit replaces the authentication image with a failure image whose corresponding number of matches is equal to or greater than a predetermined value.

JP 2007-047931 A JP 2008-217442 A

As described above, facial authentication is performed based on the similarity between the facial image acquired by the terminal and the facial image registered on the server. In other words, if the facial image sent by the terminal to the server and the facial image registered on the server are not judged to substantially match (are the same person), facial authentication will fail. Here, if a long time has passed since the facial image was registered, the match between the two facial images will weaken due to changes in appearance, etc., and authentication will often fail. Note that Patent Documents 1 and 2 do not disclose any technology to prevent a deterioration in authentication accuracy due to changes in appearance.

The primary objective of the present invention is to provide an authentication server, a facial image update recommendation method, and a storage medium that contribute to maintaining authentication accuracy.

According to a first aspect of the present invention, there is provided an authentication server comprising: a first database that stores biometric information relating to the faces of each of a plurality of users; an authentication unit that refers to the first database to authenticate a person to be authenticated; and a recommendation unit that, if authentication of the person to be authenticated fails, recommends to a user among the plurality of users who is presumed to be the person to be authenticated that the biometric information stored in the first database be updated.

According to a second aspect of the present invention, there is provided a facial image update recommendation method in which, in an authentication server having a first database that stores biometric information relating to the faces of each of a plurality of users, a person to be authenticated is authenticated by referring to the first database, and if authentication of the person to be authenticated fails, a user among the plurality of users who is presumed to be the person to be authenticated is recommended to update the biometric information stored in the first database.

According to a third aspect of the present invention, there is provided a computer-readable storage medium that stores a program for causing a computer mounted on an authentication server having a first database that stores biometric information relating to the faces of each of a plurality of users to execute a process of authenticating a person to be authenticated by referring to the first database, and, if authentication of the person to be authenticated fails, a process of recommending to a user among the plurality of users who is presumed to be the person to be authenticated that the biometric information stored in the first database be updated.

According to each aspect of the present invention, an authentication server, a facial image update recommendation method, and a storage medium are provided that contribute to maintaining authentication accuracy. Note that the effects of the present invention are not limited to the above. The present invention may achieve other effects instead of or in addition to the effects.

FIG. 1 is a diagram for explaining an overview of an embodiment. 1 is a diagram illustrating an example of a schematic configuration of an authentication system according to a first embodiment. 1 is a diagram for explaining the operation of the authentication system according to the first embodiment in a user registration phase. FIG. 4 is a diagram for explaining an operation in a service registration phase of the authentication system according to the first embodiment. FIG. 4 is a diagram for explaining the operation of the authentication system according to the first embodiment in a service provision phase. FIG. FIG. 2 is a diagram illustrating an example of a processing configuration of an authentication server according to the first embodiment; 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 10 is a flowchart showing an example of an operation related to updating a face image of a user management unit according to the first embodiment; 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. 4 is a diagram for explaining the operation of a user management unit of the authentication server according to the first embodiment; FIG. FIG. 4 is a diagram illustrating an example of an authentication information database according to the first embodiment. FIG. 4 is a diagram illustrating an example of an authentication information database according to the first embodiment. FIG. 4 is a diagram illustrating an example of an authentication information database according to the first embodiment. 10 is a flowchart illustrating an example of an operation of an authentication unit according to the first embodiment. FIG. 4 is a diagram illustrating an example of an authentication failure database according to the first embodiment; FIG. 4 is a diagram showing an example of a screen displayed on a terminal according to the first embodiment; FIG. 4 is a diagram showing an example of a screen displayed on a terminal according to the first embodiment; 10 is a flowchart showing an example of an operation of a face image update recommendation unit according to the first embodiment. FIG. 2 is a diagram illustrating an example of a processing configuration of a management server according to the first embodiment; 6 is a diagram for explaining the operation of a personal information acquisition unit of the management server according to the first embodiment; FIG. FIG. 4 is a diagram illustrating an example of a user information database according to the first embodiment. FIG. 2 is a diagram illustrating an example of a processing configuration of an authentication terminal according to the first embodiment; FIG. 4 is a sequence diagram showing an example of an operation related to a service registration phase of the authentication system according to the first embodiment. FIG. 4 is a sequence diagram showing an example of an operation related to a service provision phase of the authentication system according to the first embodiment. FIG. 13 is a diagram illustrating an example of an authentication failure database according to the second embodiment. 13 is a flowchart illustrating an example of an operation of an authentication unit according to the second embodiment. FIG. 2 illustrates an example of a hardware configuration of an authentication server.

First, an overview of one embodiment will be described. The reference numbers in the drawings are added to each element for convenience as an example to aid in understanding, and the description of this overview is not intended to be limiting. Furthermore, unless otherwise specified, the blocks shown in each drawing represent functional units rather than hardware units. The connection lines between blocks in each drawing include both bidirectional and unidirectional. The unidirectional arrows are used to show the main signal (data) flow diagrammatically, and do not exclude bidirectionality. In this specification and drawings, elements that can be described in the same way may be given the same reference numbers to avoid duplicated explanations.

An authentication server 100 according to one embodiment includes a first database 101, an authentication unit 102, and a recommendation unit 103 (see FIG. 1). The first database 101 stores biometric information relating to the faces of each of a plurality of users. The authentication unit 102 refers to the first database 101 to authenticate the person to be authenticated. When authentication of the person to be authenticated fails, the recommendation unit 103 recommends that a user among the plurality of users who is presumed to be the person to be authenticated update the biometric information stored in the first database 101.

For example, if the authentication server 100 determines that authentication has failed due to a change in the appearance of the person to be authenticated, the authentication server 100 prompts the user presumed to be the person to be authenticated to update his or her facial image. As a result, the user can update the facial image registered in the authentication server 100 at an appropriate time, reducing the possibility of authentication failure. In other words, authentication accuracy can be maintained for a long period of time.

Specific embodiments are described in further detail below with reference to the drawings.

[First embodiment]
The first embodiment will be described in more detail with reference to the drawings.

[System Configuration]
Fig. 2 is a diagram showing an example of a schematic configuration of an authentication system according to the first embodiment. As shown in Fig. 2, the authentication system includes an authentication center and a plurality of service providers.

Each service provider participating in the authentication system provides a service using biometric authentication. Examples of services provided by a service provider include payment services at retail stores and accommodation services at hotels. Alternatively, a service provided by a service provider may be immigration inspections at airports or ports. The service provider disclosed in the present application may provide any service that can be provided using biometric authentication.

An authentication server 10 is installed in the authentication center. The authentication server 10 is an information processing device that operates as an authentication authority for authentication using biometric information. The authentication server 10 may be a server installed on the premises of the authentication center, or may be a server installed on the cloud.

Examples of the user's biometric information include data (feature amounts) calculated from physical characteristics unique to an individual, such as the face, fingerprint, voiceprint, veins, retina, and iris pattern. Alternatively, the user's biometric information may be image data such as a face image or fingerprint image. The user's biometric information may include information on the user's physical characteristics.

The authentication server 10 is a server device for providing services using biometric authentication. The authentication server 10 processes "authentication requests" sent from each service provider and sends the results of the authentication process to the service provider.

Each service provider has a management server and an authentication terminal.

For example, the service provider S1 is provided with a management server 20 and multiple authentication terminals 30. The service provider S2 is provided with a management server 20 and multiple authentication terminals 31.

In the following explanation, when it is necessary to distinguish between the components, the symbol to the right of the hyphen will be used. Since the operation of each device included in service provider S1 and service provider S2 can be the same, the following explanation will focus on service provider S1.

Each device shown in Figure 2 is connected to each other. For example, the authentication server 10 and the management server 20 are connected by a wired or wireless communication means and are configured to be able to communicate with each other.

The management server 20 is a server that controls and manages the overall business of the service provider. For example, if the service provider is a retail store, the management server 20 performs inventory management of products, etc. Alternatively, if the service provider is a hotel operator, the management server 20 performs management of guest reservation information, etc.

In addition to the functions related to providing the above services, the management server 20 also has control functions and management functions related to the biometric authentication of users.

The authentication terminal 30 is a device that serves as an interface for users (customers) who visit a service provider. The users receive various services via the authentication terminal 30. For example, if the service provider is a retail store, the user uses the authentication terminal 30 to pay for the service. Alternatively, if the service provider is a hotel operator, the user uses the authentication terminal 30 to carry out check-in procedures.

Figure 2 is an example and is not intended to limit the configuration of the authentication system disclosed herein. For example, an authentication center may include two or more authentication servers 10. Alternatively, a service provider may include at least one authentication terminal 30. Alternatively, the functions of the management server 20 and the authentication terminal 30 may be integrated, and a service using biometric authentication may be provided by the integrated device. Alternatively, in each service provider, multiple authentication terminals 30 may be connected to one management server 20 as shown in Figure 2, or one authentication terminal 30 may be connected to one management server 20.

[System Operation Overview]
Next, the general operation of the authentication system according to the first embodiment will be described.

The operation of the authentication system involves three phases.

The first phase is the phase in which users are registered in the system (user registration phase).

The second phase is the phase in which the service is registered (service registration phase).

The third phase is the phase in which services using biometric authentication are provided to users (service provision phase).

[User registration phase]
FIG. 3 is a diagram for explaining the operation in the user registration phase of the authentication system according to the first embodiment.

A user who wishes to use services using biometric authentication must register in advance. The user determines information to identify the user in the authentication system (user ID (identifier) and password (PW)) and registers it in the system. In the drawings including Figure 3, the user ID is represented as "uID."

In addition, the user registers their biometric information (e.g., face image), identity document (e.g., passport, etc.), and contact information (e.g., email address, etc.) in the system. The user registers the above five pieces of information (user ID, password, biometric information, identity document, contact information) in the system using any means.

For example, a user may operate a terminal 40 owned by the user to input a captured image of the user's face, a user ID, a password, an identification document, and contact information to the authentication server 10. Examples of terminals 40 include mobile terminal devices such as smartphones, mobile phones, game consoles, and tablets, as well as computers (personal computers, notebook computers), etc.

The authentication server 10 uses the acquired face image and the identity verification document to verify the identity of the user. Specifically, if the acquired face image and the face image recorded on the identity verification document are of the same person, the authentication server 10 determines that the system registration application is made by the user himself/herself.

The authentication server 10 then generates features (feature vectors consisting of multiple features) from the acquired facial image, and stores the features, facial image, user ID, password, and contact information in an authentication information database in association with each other. The identity verification documents acquired by the authentication server 10 may be discarded after identity verification is completed, or may be stored in association with the user ID, etc.

System users can update the facial image registered in the system. If a long time has passed since the user started using the system, the user may wish to register their current face (facial image) in the system. In this case, the authentication server determines whether or not the facial image can be updated, and changes the registered facial image according to the result.

Furthermore, if the authentication server 10 determines based on the result of the biometric authentication that it is better to update the registered face image, it notifies the user (terminal 40) of that effect. The authentication server 10 prompts the user to update the registered face image.

Detailed information regarding recommendations for updating facial images and whether or not facial images can be updated will be provided later.

In the first embodiment, an example is described in which a user ID and password are used as an identifier to uniquely define a system user, but it is also possible to use a user ID as the above identifier if there is no duplication of user IDs between users.

[Service registration phase]
FIG. 4 is a diagram for explaining the operation in the service registration phase of the authentication system according to the first embodiment.

After completing user registration, a user selects the service provider from which they would like to receive services using biometric authentication and registers the selected service provider in the system.

The user registers in the system the personal information (e.g., name, etc.) required to receive services from the selected service provider. Examples of the personal information include name, age, and gender. In addition to the personal information, the user also registers in the system the user ID and password determined in the user registration phase.

In this disclosure, personal information is defined as information that does not include biometric information of the user (person to be authenticated). In other words, biometric information and features generated from the biometric information are excluded from "personal information" in this disclosure.

The user inputs the above three pieces of information (personal information, user ID, and password) to the service provider using any means. For example, as shown in Figure 4, the user may operate a terminal 40 to input the above three pieces of information to the management server 20.

When the management server 20 acquires the above three pieces of information (personal information, user ID, and password), it sends a "service registration request" to the authentication server 10. Specifically, the management server 20 sends a service registration request including the service provider ID, user ID, and password to the authentication server 10.

The service provider ID is identification information for uniquely identifying a service provider (such as a retailer participating in an authentication infrastructure that uses biometric authentication) included in the authentication system. In the example of Figure 2, a different service provider ID is assigned to each of the service providers S1 and S2.

Note that the service provider ID is an ID assigned to each service provider, not an ID assigned to each service. For example, in FIG. 2, even if service providers S1 and S2 are businesses that provide the same type of service (e.g., accommodation services), if they are managed by different entities, different IDs will be assigned to these service providers.

The authentication server 10 and the management server 20 share the service provider ID by any method. For example, when a service provider joins the authentication infrastructure, the authentication server 10 generates a service provider ID and distributes (notifies) the generated service provider ID to the service provider. In the drawings including FIG. 4, the service provider ID is represented as "spID".

When the authentication server 10 receives a service registration request, it searches the authentication information database using the user ID and password included in the request as keys to identify the corresponding user. The authentication server 10 then generates a "service user ID."

The service user ID is identification information that uniquely defines the correspondence (combination) between a user and a service provider. In the example of Figure 2, the service user ID determined from the combination of user U1 and service provider S1 and the service user ID determined from the combination of user U1 and service provider S2 are each set to a different value.

The authentication server 10 stores the user ID, password, feature amount, facial image, contact information, service provider ID, and the generated service user ID in association with each other. In the drawings including FIG. 4, the service user ID is represented as "suID."

The authentication server 10 sends the generated service user ID to the sender of the service registration request.

The management server 20 associates the service user ID obtained from the authentication server 10 with the user's personal information and stores them. The management server 20 adds a new entry to the user information database and stores the above information (personal information, service user ID).

The user repeats the above registration process for each service provider from which they wish to receive services using biometric authentication.

[Service provision phase]
FIG. 5 is a diagram for explaining the operation in the service provision phase of the authentication system according to the first embodiment.

After completing the service registration (service registration phase), the user visits the service provider. The user moves to the authentication terminal 30.

The authentication terminal 30 acquires biometric information from a user in front of the user. Specifically, the authentication terminal 30 captures an image of the user and acquires a facial image. The authentication terminal 30 transmits the acquired facial image to the management server 20.

The management server 20 generates features from the acquired facial image. The management server 20 transmits an authentication request including the generated features and the service provider ID to the authentication server 10.

The authentication server 10 extracts features from the authentication request and performs a matching process (1:N matching; N is a positive integer, same below) using the extracted features and features registered in the authentication information database.

The authentication server 10 identifies the user through a matching process, and identifies a service user ID from among multiple service user IDs associated with the identified user that corresponds to the service provider ID included in the authentication request.

The authentication server 10 sends the identified service user ID to the sender of the authentication request. The authentication server 10 sends a response (response to the authentication request) including the identified service user ID to the management server 20.

The management server 20 searches the user information database using the acquired service user ID as a key, and identifies the personal information corresponding to the service user ID. The service provider (management server 20, authentication terminal 30) provides the user with a service (e.g., payment settlement, check-in procedures, etc.) based on the identified personal information.

Next, we will explain in detail each device included in the authentication system related to the first embodiment.

[Authentication Server]
Fig. 6 is a diagram showing an example of a processing configuration (processing module) of the authentication server 10 according to the first embodiment. Referring to Fig. 6, the authentication server 10 includes a communication control unit 201, a user management unit 202, a database management unit 203, a service registration unit 204, an authentication unit 205, a face image update recommendation unit 206, and a storage unit 207.

The communication control unit 201 is a means for controlling communication with other devices. For example, the communication control unit 201 receives data (packets) from the management server 20. The communication control unit 201 also transmits data to the management server 20. The communication control unit 201 passes the data received from the other devices to the other processing modules. The communication control unit 201 transmits the data acquired from the other processing modules to the other devices. In this way, the other processing modules send and receive data to and from the other devices via the communication control unit 201.

The user management unit 202 is a means for realizing the above-mentioned user registration and facial image update. The user management unit 202 has a function as a registration unit that registers users and a function as an update unit that updates registered facial images.

When the terminal 40 accesses the authentication server 10, the user management unit 202 displays a menu as shown in Figure 7.

When a user wishes to register, the user management unit 202 obtains the user ID, password, biometric information (facial image), identification documents, and contact information of the user (a user who wishes to receive services using biometric authentication; a system user).

The user management unit 202 acquires the above five pieces of information (user ID, password, biometric information, identity document, and contact information) using any means. For example, the user management unit 202 displays a GUI (Graphical User Interface) and an input form for determining a user ID and password on the terminal 40. For example, the user management unit 202 displays a GUI such as that shown in FIG. 8 on the terminal 40.

The user management unit 202 verifies that the user ID and password acquired via the GUI or the like are not duplicated with a user ID and password that have already been registered. If no duplication has occurred, the user management unit 202 displays on the terminal 40 a GUI for acquiring the user's biometric information, identity verification documents, and contact information.

For example, the user management unit 202 displays a GUI as shown in FIG. 9 on the terminal 40. For example, the user presses the "File Selection" button shown in FIG. 9 to specify the image data of the face image to be registered in the system. The specified face image is displayed in the preview area (displayed as a selected face image in FIG. 9). When registering the previewed face image, the user presses the "Confirm" button. In addition, regarding inputting the face image into the system, the user may operate the terminal 40 to attach the face image to an e-mail or the like. Alternatively, the user management unit 202 may transmit information including the destination of the face image to the terminal 40, and the terminal 40 may transmit the face image to the destination of the face image. Alternatively, the user management unit 202 and the terminal 40 may transmit and receive the face image using a communication tool such as a chat. The user management unit 202 may acquire (receive) the face image by any means.

After acquiring the facial image, the user management unit 202 acquires the identification document. For example, the user management unit 202 displays a GUI such as that shown in FIG. 10 on the terminal 40. For example, the user captures an image of the identification document using the camera of the terminal 40. The user presses the "File Selection" button and specifies the image of the captured identification document. The user then presses the "Confirm" button to register the identification document.

Examples of identity verification documents that can be registered in the system include documents with a facial image, such as a passport or driver's license (documents issued by public institutions that contribute to identity verification). Identity verification documents include not only paper documents but also electronic documents.

Upon acquiring the identity verification document, the user management unit 202 acquires the contact information. For example, the user management unit 202 displays a GUI such as that shown in FIG. 11 on the terminal 40. The user enters the contact information (for example, the email address of an account that can be received on the terminal 40) and presses the "OK" button.

The user management unit 202 performs identity verification of the user after acquiring the user ID, password, biometric information (facial image), identity verification document, and contact information, for example, through a GUI such as those shown in Figures 8 to 11. Specifically, the user management unit 202 acquires a facial image for identity verification (hereinafter referred to as a verification facial image) from the identity verification document. The user management unit 202 extracts the verification facial image from a specified area of the identity verification document using a technique such as template matching.

During identity verification, the user management unit 202 generates features (feature vectors consisting of multiple features) from each of the acquired face image and the verification face image. Note that existing technology can be used for the feature point extraction process, so a detailed explanation is omitted. For example, the user management unit 202 extracts the eyes, nose, mouth, etc. as feature points from the face image. The user management unit 202 then calculates the position of each feature point and the distance between each feature point as feature amounts, and generates a feature vector (vector information characterizing the face image) consisting of multiple features.

Next, the user management unit 202 calculates the similarity between the two images. The similarity can be calculated using chi-square distance, Euclidean distance, or the like. Note that the greater the distance, the lower the similarity, and the closer the distance, the higher the similarity. The user management unit 202 performs threshold processing on the similarity and determines whether or not identity verification has been successful based on the result.

If the similarity is higher than the threshold TH1, the user management unit 202 determines that identity verification has been successful. On the other hand, if the similarity is equal to or lower than the threshold TH1, the user management unit 202 determines that identity verification has failed. In this case, the user management unit 202 takes action such as encouraging the user to register a good quality facial image. As described above, once identity verification is complete, the user management unit 202 may discard the identity verification document.

If identity verification is successful, the user management unit 202 passes the user ID, password, facial image, features generated from the facial image, and contact information to the database management unit 203. In the following explanation, the facial image registered in the authentication information database will be referred to as the "registered facial image."

Next, the operation of the user management unit 202 when updating a face image (registered face image) will be described. Figure 12 is a flowchart showing an example of the operation of the user management unit 202 related to updating a face image according to the first embodiment.

A user who wishes to update his/her facial image accesses the authentication server 10 using the terminal 40. The user management unit 202 displays a menu screen as shown in FIG. 7 on the terminal 40. A user who wishes to update his/her facial image presses the "Update facial image" button.

When the face image update button is pressed, the user management unit 202 displays a GUI for the user to log in to the system. For example, the user management unit 202 displays a screen as shown in FIG. 13 and acquires the user ID and password.

The user management unit 202 searches the authentication information database using the acquired user ID and password as keys, and if a corresponding entry is found, it determines that the user is registered in the system and proceeds with the facial image update process. In this case, the user management unit 202 reads out the registered facial image from the corresponding entry. On the other hand, if the above entry does not exist, the user management unit 202 determines that the user has failed to log in to the system. In this case, the user management unit 202 notifies the user of this fact. Note that the user management unit 202 may display the read facial image (registered facial image) so that the user can confirm it at the time the facial image is read out from the authentication information database.

After a user registered in the system logs in, the user management unit 202 acquires an update facial image (hereinafter referred to as an update facial image) (step S101 in FIG. 12). For example, the user management unit 202 displays a screen as shown in FIG. 14 to acquire an update facial image. The user selects the update facial image and presses the "OK" button.

The user management unit 202 determines whether it is acceptable to update the registered face image using the acquired updated face image.

The user management unit 202 calculates the similarity between the registered face image and the updated face image (step S102). The user management unit 202 performs threshold processing on the calculated similarity, and determines whether or not to update the registered face image based on the result.

If the similarity is greater than the threshold value TH2 (step S103, Yes branch), the user management unit 202 allows the update of the registered face image (step S108). Since two face images with a high similarity can be determined to be face images obtained from substantially the same person, the user management unit 202 allows the update of the registered face image. In this case, the user management unit 202 displays a message as shown in FIG. 15 to notify the user that the registered face image has been updated.

If the similarity is smaller than the threshold value TH3 (step S104, Yes branch), the user management unit 202 rejects the update of the registered face image. Since two face images with low similarity can be determined to be face images of different people, the user management unit 202 rejects the update of the registered face image (step S109). In this case, since there is a suspicion of fraudulent use of the system, the user management unit 202 displays a message as shown in FIG. 16.

If the similarity is greater than or equal to the threshold TH3 and less than or equal to the threshold TH2 (step S103, No branch; step S104, No branch), the user management unit 202 acquires the identity document (step S105). For example, the user management unit 202 acquires the identity document using a GUI as shown in FIG. 17. The user management unit 202 extracts a verification face image from the identity document.

In addition, if the identity verification document is not destroyed when the user registers with the system and is stored in the database, the user management unit 202 may omit execution of step S105 and use the identity verification document stored in the above database.

Alternatively, the user management unit 202 may take measures such as refusing to accept old identification documents (identification documents issued a predetermined period before the facial image update date) based on the expiration date or issue date of the acquired identification document. That is, the user management unit 202 may select an identification document from which to extract an updated facial image based on the description of the identification document (e.g., the date and period written on the document). That is, the user management unit 202 may decide whether or not to extract a verification facial image based on the description of the identification document. By making such a selection or decision, the user management unit 202 may acquire a verification facial image that reflects the user's current appearance, etc.

The user management unit 202 calculates the similarity between the updated face image and the verification face image (step S106). The user management unit 202 performs threshold processing on the calculated similarity, and determines whether or not to update the registered image based on the result.

If the similarity is higher than the threshold value TH4 (step S107, Yes branch), the user management unit 202 allows the update of the registered face image (step S108). In this case, the user management unit 202 displays the information as shown in FIG.

On the other hand, if the similarity is equal to or less than the threshold value TH4 (step S107, No branch), the user management unit 202 refuses to update the registered face image with the updated face image (step S109). In this case, the user management unit 202 displays the information as shown in FIG.

Alternatively, the user management unit 202 may display a display such as that shown in FIG. 18 to prompt the user to re-input an updated face image, etc. The user management unit 202 may repeat the determination process described above using the re-input face image.

When updating of the registered face image is permitted, the user management unit 202 generates features from the updated face image. The user management unit 202 passes the user ID, password, generated features, and updated face image to the database management unit 203, and instructs the database management unit 203 to update the biometric information (features, face image).

In this way, the user management unit 202, which functions as a facial image update unit, determines whether to update the registered facial image with the updated facial image depending on the similarity between the registered facial image (first facial image) and the updated facial image (second facial image). The user management unit 202 updates the registered facial image when the similarity between the registered facial image and the updated facial image is greater than threshold TH2. The user management unit 202 does not update the registered facial image when the similarity between the registered facial image and the updated facial image is less than threshold TH3.

Furthermore, the user management unit 202 acquires the user's identity document if the similarity between the registered face image and the updated face image is greater than or equal to threshold TH3 and less than or equal to threshold TH2. The user management unit 202 extracts a verification face image (third face image) from the identity document and determines whether to update the registered face image depending on the similarity between the updated face image and the verification face image. The user management unit 202 updates the registered face image if the similarity between the updated face image and the verification face image is greater than threshold TH4. The user management unit 202 does not update the registered face image if the similarity between the updated face image and the verification face image is less than or equal to threshold TH4.

The database management unit 203 is a means for managing the authentication information database. The authentication information database stores information identifying a system user (user ID, password), the user's biometric information (feature, facial image), a service provider ID identifying a service provider, and a service user ID identifying a user in each service, in association with each other. Furthermore, the authentication information database also stores the user's contact information in association with the above information. The authentication information database is a database that stores biometric information relating to the face of each of multiple users (registered facial image, feature generated from the image).

When the database management unit 203 acquires the above five pieces of information (user ID, password, feature amount, facial image, contact information) from the user management unit 202, it adds a new entry to the authentication information database. For example, when the above five pieces of information about user U1 are acquired, the database management unit 203 adds the entry shown in the bottom row of Figure 19. Note that at the user registration stage, the service provider ID and service user ID have not been generated, so nothing is set in these fields.

When the database management unit 203 receives four pieces of information (user ID, password, features, and facial image) accompanied by an instruction to update a facial image from the user management unit 202, it updates (overwrites) the features and facial image of the corresponding entry.

The service registration unit 204 is a means for enabling individual service registration by system users. The service registration unit 204 processes service registration requests received from the service provider's management server 20.

The service registration unit 204 searches the authentication information database using the user ID and password included in the acquired service registration request as keys. The service registration unit 204 checks the service provider ID field of the identified user (the user identified from the user ID and password pair).

The service registration unit 204 determines whether the service provider ID included in the service registration request acquired from the management server 20 is set in the service provider ID field. If the service provider ID acquired from the management server 20 is already registered in the database, the service registration unit 204 notifies the management server 20 of this fact. In this case, since the service (service provider) that the user is attempting to register is already registered in the authentication information database, the service registration unit 204 sends a "negative response" in response to the service registration request.

On the other hand, if the service provider ID included in the service registration request is not set in the service provider ID field of the identified user, the service registration unit 204 generates a service user ID corresponding to the user and service provider.

As described above, the service user ID is identification information that is uniquely determined from the combination of a user and a service provider. For example, the service registration unit 204 calculates a hash value using the user ID, password, and service provider ID, and sets the calculated hash value as the service user ID. Specifically, the service registration unit 204 calculates a concatenated value of the user ID, password, and service provider ID, and generates the service user ID by calculating a hash value of the calculated concatenated value.

Note that the generation of the service user ID using the above hash value is merely an example and is not intended to limit the method of generating the service user ID. The service user ID may be any information that can uniquely identify the combination of a system user and a service provider. For example, the service registration unit 204 may assign a unique value each time a service registration request is processed and use this value as the service user ID.

After generating the service user ID, the service registration unit 204 passes the service provider ID and service user ID along with the user ID and password to the database management unit 203. The database management unit 203 registers the two IDs (service provider ID, service user ID) in the authentication information database. For example, when user U1 registers a service for service provider S1, the above two IDs are added to the entry shown in the bottom row of Figure 20.

Because service registration is performed for each service provider, multiple service providers and service user IDs may be set for one user. For example, if user U1 performs service registration for each of service providers S1 and S2, the entries in the second and third lines of Figure 21 are generated. Note that if user U2 performs service registration for service provider S1, the entry in the bottom row of Figure 21 is generated.

When the service provider ID and service user ID are registered in the authentication information database, the service registration unit 204 notifies the management server 20 that the service registration request has been processed successfully. The service registration unit 204 sends a "positive response" as a response to the service registration request. At that time, the service registration unit 204 sends a response including the service user ID to the management server 20.

The authentication unit 205 is a means for performing authentication processing of system users. The authentication unit 205 processes authentication requests received from the service provider's management server 20. The authentication unit 205 authenticates the person to be authenticated by referring to an authentication information database.

The authentication unit 205 extracts the features and the service provider ID contained in the authentication request. The authentication unit 205 searches the authentication information database using the extracted features and the service provider ID as keys to identify the corresponding service user ID. The authentication unit 205 sets the features extracted from the authentication request as the features on the matching side and the features stored in the database as the features on the registration side, and performs 1:N matching.

Figure 22 is a flowchart showing an example of the operation of the authentication unit 205 relating to the first embodiment.

The authentication unit 205 calculates the similarity between each of the multiple features registered in the authentication information database and the features to be compared (features of the person to be authenticated) (step S201).

The authentication unit 205 determines whether any of the calculated similarities is greater than a threshold value TH5 (step S202).

If there is at least one similarity greater than the threshold value TH5 (step S202, Yes branch), the authentication unit 205 identifies the user (user ID, password) with the greatest similarity (step S203).

Then, the authentication unit 205 determines whether there is an entry among at least one service provider ID associated with the identified user (user ID, password) that matches the service provider ID included in the authentication request (step S204).

If such an entry exists (step S204, Yes branch), the authentication unit 205 determines that the authentication of the user has been successful (step S205). In this case, the authentication unit 205 sends a "positive response" to the management server 20, which is the sender of the authentication request. At that time, the authentication unit 205 generates a response (response to the authentication request) including the service user ID of the identified entry and sends it to the management server 20.

If such an entry does not exist (step S204, No branch), the authentication unit 205 determines that the authentication of the user has failed (step S206). In this case, the authentication unit 205 sends a "negative response" to the management server 20, which is the sender of the authentication request.

If there is no similarity greater than the threshold value TH5 (step S202, No branch), the authentication unit 205 also determines that authentication of the user has failed (step S207).

Then, the authentication unit 205 determines whether or not there is a similarity greater than a threshold value TH6 (where TH6<TH5) among the multiple similarities calculated in step S201 (step S208). Note that the threshold value TH5 is a threshold value for determining that the person to be authenticated is the person himself/herself, and the threshold value TH6 is a threshold value for determining that the person to be authenticated is a different person.

If there is at least one similarity greater than the threshold value TH6 (step S208, Yes branch), the authentication unit 205 identifies the user with the greatest similarity (step S209).

The authentication unit 205 updates the "authentication failure database" using the information of the identified user (step S210). Note that the operation of the authentication failure database and updating the database will be described later.

If there is no similarity greater than the threshold value TH6 (step S208, No branch), the authentication unit 205 terminates the processing without performing any special action.

For example, in the example of Figure 21, when the authentication request contains a feature "FV1" and a service provider ID "S1", the feature FV1 identifies the entries (users) in the second and third lines, and the service provider ID "S1" identifies the entry in the second line. As a result, the authentication request is processed normally, and a positive response including the service user ID "U1S1" is sent to the management server 20.

If authentication of the authenticatee fails (step S202, No branch), the authentication unit 205 performs threshold processing on the calculated similarity to identify a user who is presumed to be the authenticatee among the users registered in the authentication information database (step S209). Specifically, if the calculated similarity falls within the range from the first threshold (threshold TH6) to the second threshold (threshold TH5), the authentication unit 205 determines that authentication has failed due to a change in the appearance of the authenticatee. The authentication unit 205 presumes that the user corresponding to the largest similarity value among the similarities falling within the above range is the authenticatee. The authentication unit 205 stores information of the user who is presumed to be the authenticatee in the authentication failure database (step S210).

Next, we will explain the authentication failure database and update control of the database.

The authentication failure database is a database that stores information about users who are assumed to have failed authentication due to a change in the person's appearance, etc. Figure 23 is a diagram showing an example of an authentication failure database. Referring to Figure 23, the authentication failure database stores user IDs, passwords, contact information, and the number of failures in association with each other.

Note that the authentication failure database shown in FIG. 23 is an example and is not intended to limit the items to be stored. For example, contact information can be obtained from the authentication information database based on the user ID and password, so it does not need to be included in the authentication failure database. Alternatively, facial images and feature amounts may be stored in the authentication failure database.

When the authentication unit 205 processes an authentication request, it calculates similarities between the features included in the authentication request and multiple features stored in the authentication information database. If there is at least one similarity that is greater than a threshold TH6 and less than or equal to a threshold TH5 among the calculated similarities (TH6<similarity≦TH5), the authentication unit 205 updates the authentication failure database or adds an entry.

That is, if the calculated similarity does not exceed the threshold TH5 at which the person is recognized as the actual person, but exceeds the similarity TH6 at which the person is determined to be a completely different person, the authentication unit 205 determines that the person to be authenticated has failed authentication due to a change in appearance. In this case, the authentication unit 205 registers information about the user who is most similar to the person to be authenticated (the user with the closest similarity) in the authentication failure database. Note that the user who is most similar to the person to be authenticated is the user who is presumed to be the person to be authenticated.

The authentication unit 205 reads out the user ID, password, and contact information from the feature entry (entry in the authentication information database) corresponding to the largest similarity among the similarities included in the above range (TH6<similarity≦TH5). The authentication unit 205 searches the authentication failure database using the read user ID and password as keys. If a corresponding entry does not exist, the authentication unit 205 adds a new entry to the database. At that time, the number of failures is set to "1".

When the authentication failure database is searched using the user ID and password as keys, if a corresponding entry is found, the authentication unit 205 increments the value of the failure count field of the identified entry (adds 1).

In this way, the authentication unit 205 stores (registers) the number of times authentication has failed for a user who is presumed to be the person to be authenticated in an authentication failure database.

The facial image update recommendation unit 206 is a means for recommending to a user that the registered facial image be updated. When authentication of a person to be authenticated fails, the facial image update recommendation unit 206 recommends to a user who is presumed to be the person to be authenticated among a plurality of users that the user be updated in biometric information (facial image) stored in the authentication information database. More specifically, when it is determined that the user's appearance, etc. has changed and facial authentication has failed, the facial image update recommendation unit 206 notifies the terminal 40 held by the user of this fact.

The facial image update recommendation unit 206 periodically or at a predetermined timing refers to the authentication failure database and obtains the value of the failure count field of each entry. The facial image update recommendation unit 206 decides whether or not to recommend updating of the facial image for a user who is presumed to be the person to be authenticated, based on the number of authentication failures. More specifically, the facial image update recommendation unit 206 performs threshold processing on the obtained number of failures, and transmits a "facial image update recommendation notification" to the terminal 40 according to the result.

If the number of failures is greater than the threshold TH7, the face image update recommendation unit 206 sends a "face image update recommendation notification" to the corresponding contact. The terminal 40 that receives the notification displays a message as shown in FIG. 24, and prompts the user to update the registered face image.

The facial image update recommendation notice may include various information. For example, the facial image update recommendation unit 206 may transmit a facial image update recommendation notice including a facial image of a user presumed to be authenticated (a facial image registered in the authentication information database) to the terminal 40. In this case, the terminal 40 may display a display such as that shown in FIG. 25. A user who sees a display such as that shown in FIG. 25 will be satisfied if his or her own face is displayed and will update the facial image registered in the authentication server 10.

Alternatively, when the user registers in the system, the date of system registration, the age at the time of registration, etc. may also be stored in the authentication information database, and the facial image update recommendation unit 206 may transmit a facial image update recommendation notice including this information to the terminal 40. Alternatively, the facial image update recommendation unit 206 may transmit a facial image update recommendation notice including the system registration period since the facial image was registered (or updated) to the terminal 40. In this case, the user can recognize that the facial image has not been updated for a long period of time, which may motivate the user to update the facial image.

The operation of the facial image update recommendation unit 206 can be summarized as shown in the flowchart in Figure 26.

The facial image update recommendation unit 206 compares the number of failures in the authentication failure database with a threshold value TH7 (step S301).

If the number of failures is greater than the threshold value TH7 (step S301, Yes branch), the facial image update recommendation unit 206 sends a facial image update recommendation notification to the terminal 40 (step S302).

If the number of failures is less than or equal to threshold TH7 (step S301, No branch), the facial image update recommendation unit 206 does not take any special action.

The memory unit 207 stores information necessary for the operation of the authentication server 10. In the memory unit 207, an authentication information database (first database) and an authentication failure database (second database) are constructed.

[Administration Server]
Fig. 27 is a diagram showing an example of a processing configuration (processing module) of the management server 20 according to the first embodiment. Referring to Fig. 27, the management server 20 includes a communication control unit 301, a personal information acquisition unit 302, a service registration request unit 303, a database management unit 304, an authentication request unit 305, and a storage unit 306.

The communication control unit 301 is a means for controlling communication with other devices. For example, the communication control unit 301 receives data (packets) from the authentication server 10 and the authentication terminal 30. The communication control unit 301 also transmits data to the authentication server 10 and the authentication terminal 30. The communication control unit 301 passes the data received from the other devices to the other processing modules. The communication control unit 301 transmits the data acquired from the other processing modules to the other devices. In this way, the other processing modules send and receive data to and from the other devices via the communication control unit 301.

The personal information acquisition unit 302 is a means for acquiring personal information required when the service provider provides the service. For example, if the service provider is a "retailer", the personal information acquisition unit 302 acquires payment-related information (e.g., credit card information, bank account information) in addition to the user's name, etc. Alternatively, if the service provider is a "hotel operator", the personal information acquisition unit 302 acquires reservation information regarding accommodation (e.g., accommodation date, etc.) in addition to the user's name, etc.

The personal information acquisition unit 302 acquires the above personal information such as the name, as well as the user ID and password determined when the user registered with the system.

The personal information acquisition unit 302 acquires personal information, user ID, and password using any means. For example, the personal information acquisition unit 302 displays a GUI or form for inputting the above information on the terminal 40 (see Figure 28). Alternatively, information such as that shown in Figure 28 may be displayed on a web page managed and operated by the service provider. Alternatively, the terminal 40 may download an application provided by the service provider, and the application may display the information as shown in Figure 28. In particular, the web page may be a web page that manages the member information of the service provider. In other words, service registration may be performed on a web page where members of each service provider manage their own member information.

The personal information acquisition unit 302 passes on the personal information, user ID, and password acquired using a GUI, etc. to the service registration request unit 303.

The service registration request unit 303 is a means of requesting (asking) the authentication server 10 to register the user's use of the service.

The service registration request unit 303 selects the user ID and password from the above three pieces of information (personal information, user ID, and password) acquired from the personal information acquisition unit 302. The service registration request unit 303 transmits a service registration request including the selected user ID, password, and service provider ID to the authentication server 10.

The service registration request unit 303 obtains a response to the service registration request from the authentication server 10. If the obtained response is a "negative response," the service registration request unit 303 notifies the user of this fact. For example, the service registration request unit 303 notifies the user that the service registration has already been performed.

If the acquired response is a "positive response," the service registration request unit 303 notifies the user that the service registration was successful. The service registration request unit 303 also passes the service user ID included in the response and the personal information acquired from the personal information acquisition unit 302 to the database management unit 304.

The database management unit 304 is a means for managing the user information database. The user information database is a database that manages information on users (system users) to whom services are provided. The user information database stores the personal information of the user (e.g., name, etc.) in association with the service user ID obtained from the authentication server 10.

When the database management unit 304 acquires the above information (personal information, service user ID) from the service registration request unit 303, it adds a new entry to the user information database. For example, when the management server 20 of the service provider S1 acquires the above information regarding the user U1, the entry shown in the bottom row of Figure 29 is added.

The authentication request unit 305 is a means for requesting authentication of a user from the authentication server 10.

When the authentication request unit 305 acquires biometric information (face image) from the authentication terminal 30, it generates features from the face image. The authentication request unit 305 transmits an authentication request including the generated features and the service provider ID to the authentication server 10.

If the response from the authentication server 10 is a "negative response" (authentication fails), the authentication request unit 305 notifies the authentication terminal 30 of this fact.

If the response from the authentication server 10 is an "affirmative response" (authentication is successful), the authentication request unit 305 extracts the service user ID included in the response from the authentication server 10. The authentication request unit 305 searches the user information database using the service user ID as a key to identify the corresponding entry.

The authentication request unit 305 reads out the personal information set in the personal information field of the identified entry and transmits it to the authentication terminal 30. For example, in the example of FIG. 29, if the service user ID is "U1S1", the personal information in the bottom row is transmitted to the authentication terminal 30.

The memory unit 306 stores information necessary for the operation of the management server 20. A user information database is constructed in the memory unit 306.

[Authentication device]
The authentication terminal 30 transmits the biometric information acquired from the user to the management server 20, thereby acquiring personal information of the user from the management server 20. The authentication terminal 30 provides services to the user using the acquired personal information.

Figure 30 is a diagram showing an example of a processing configuration (processing module) of the authentication terminal 30 according to the first embodiment. Referring to Figure 30, the authentication terminal 30 includes a communication control unit 401, a biometric information acquisition unit 402, a service providing unit 403, a message output unit 404, and a memory unit 405.

The communication control unit 401 is a means for controlling communication with other devices. For example, the communication control unit 401 receives data (packets) from the management server 20. The communication control unit 401 also transmits data to the management server 20. The communication control unit 401 passes the data received from the other devices to the other processing modules. The communication control unit 401 transmits the data acquired from the other processing modules to the other devices. In this way, the other processing modules send and receive data with the other devices via the communication control unit 401.

The biometric information acquisition unit 402 is a means for controlling the camera and acquiring the biometric information (facial image) of the user. The biometric information acquisition unit 402 captures an image in front of the device periodically or at a predetermined timing. The biometric information acquisition unit 402 determines whether the acquired image contains a human facial image, and if a facial image is included, extracts the facial image from the acquired image data.

Note that the facial image detection process and facial image extraction process performed by the biometric information acquisition unit 402 can use existing technology, so detailed explanations will be omitted. For example, the biometric information acquisition unit 402 may extract a facial image (face area) from image data using a learning model trained by a CNN (Convolutional Neural Network). Alternatively, the biometric information acquisition unit 402 may extract a facial image using a method such as template matching.

The biometric information acquisition unit 402 passes the extracted facial image to the service providing unit 403.

The service providing unit 403 is a means for providing a specific service to a user. The service providing unit 403 transmits the facial image acquired from the biometric information acquisition unit 402 to the management server 20. The management server 20 returns personal information (e.g., name, etc.) corresponding to the facial image. The service providing unit 403 uses the returned personal information to provide a service to the user.

The message output unit 404 is a means for outputting various messages to the user. For example, the message output unit 404 outputs a message regarding the user's authentication result or a message regarding the provision of services. The message output unit 404 may display a message using a display device such as an LCD monitor, or may play an audio message using audio equipment such as a speaker.

The memory unit 405 stores information necessary for the operation of the authentication terminal 30.

[System Operation]
Next, a description will be given of the operation of the authentication system according to the first embodiment. Note that the description of the operation will focus on the service registration phase and the service provision phase, and a description of the user registration phase will be omitted.

Figure 31 is a sequence diagram showing an example of operation related to the service registration phase of the authentication system relating to the first embodiment.

The management server 20 obtains personal information (information necessary to provide the service), user ID, and password from the user (step S01).

The management server 20 sends a service registration request including the acquired user ID and password and the service provider ID to the authentication server 10 (step S02).

The authentication server 10 generates a service user ID using the acquired user ID, password and service provider ID (step S03).

The authentication server 10 stores the service provider ID and the service user ID in the authentication information database (step S04).

The authentication server 10 sends a response (response to the service registration request) including the service user ID to the management server 20 (step S05).

The management server 20 associates the personal information acquired in step S01 with the service user ID acquired from the authentication server 10 and stores them in the user information database (step S06).

Figure 32 is a sequence diagram showing an example of operation related to the service provision phase of the authentication system relating to the first embodiment.

The authentication terminal 30 acquires a facial image (biometric information) of the user and transmits the acquired facial image to the management server 20 (step S11).

The management server 20 generates features from the acquired facial image (step S12).

The management server 20 sends an authentication request including the generated features and the service provider ID to the authentication server 10 (step S13).

The authentication server 10 performs an authentication process using the features included in the authentication request and the service provider ID, and identifies the corresponding service user ID (step S14).

The authentication server 10 sends a response (response to the authentication request) including the identified service user ID to the management server 20 (step S15).

The management server 20 searches the user information database using the acquired service user ID and identifies the corresponding personal information (step S16).

The management server 20 transmits the identified personal information to the authentication terminal 30 (step S17).

The authentication terminal 30 provides services using the acquired personal information (step S18).

As described above, when the authentication system according to the first embodiment fails to authenticate a person to be authenticated, it judges whether the authentication has failed due to a change in the person's appearance or the like. When it is judged that the authentication has failed due to a change in appearance or the like, the authentication server 10 identifies a user who is presumed to be the person to be authenticated from among the users registered in the authentication information database. The authentication server 10 accumulates information on such people to be authenticated (people who have failed authentication but cannot be determined to be completely different people) in an authentication failure database. In addition, when authentication has failed multiple times for the same user (a user presumed to be the person to be authenticated), the authentication server 10 prompts the user to update the face image. As a result, the user can update the face image registered in the authentication server 10 at an appropriate time, and the possibility of authentication failure is reduced. That is, the authentication accuracy of the authentication system is maintained at a high level for a long period of time.

In addition, in the authentication system according to the first embodiment, the authentication server 10 determines whether or not to update the registered face image based on the similarity between the registered face image and the updated face image. If the similarity between the two face images is extremely high, the authentication server 10 determines that the face image of the user who was initially registered in the system was used as the face image for updating, and updates the face image. On the other hand, if the similarity between the two face images is extremely low, the authentication server 10 determines that the face image of a person other than the user who was initially registered in the system was used as the face image for updating, and rejects the update of the face image. For example, if the user's appearance, etc. changes over time and the two face images are somewhat different, the authentication server 10 requests the user to submit an identity verification document. The authentication server 10 updates the face image when the identity of the person in the face image used for updating can be confirmed by comparing the verification face image and the updated face image described in the identity verification document. That is, when it is unclear from only the registered face image and the updated face image whether the user registered in the system and the person updating the face image match, the authentication server 10 uses an identity document to confirm the match between the system user and the provider of the updated face image. As a result, the authentication server 10 can prevent unauthorized updating of the registered face image.

Second Embodiment
Next, the second embodiment will be described in detail with reference to the drawings.

In the first embodiment, the authentication server 10 identifies users who have been registered in the system and have failed authentication due to changes in appearance, etc. Furthermore, the authentication server 10 prompts the identified users to update their facial images via the terminal 40 they possess. In the second embodiment, a case will be described in which the authentication server 10 prompts the users to update their facial images via the authentication terminal 30.

The configuration of the authentication system according to the second embodiment can be the same as that of the first embodiment, so the explanation corresponding to Fig. 2 will be omitted. Also, the processing configurations of the authentication server 10, management server 20, and authentication terminal 30 according to the second embodiment can be the same as those of the first embodiment, so the explanation will be omitted.

The following will focus on the differences between the first and second embodiments.

In the second embodiment, the user does not need to register contact information in the authentication server 10 when registering for the system. In other words, the contact information field does not need to exist in the authentication information database shown in FIG. 19, etc. In addition, the terminal 40 as a means for receiving a facial image update recommendation notification from the authentication server 10 does not need to be included in the system.

The authentication failure database of the second embodiment stores the biometric information (features) of individuals who have failed authentication in association with the number of failures (see Figure 33).

Figure 34 is a flowchart showing an example of the operation of the authentication unit 205 according to the second embodiment. In Figure 34, when the similarity is greater than the threshold value TH5 (step S202, Yes branch), the subsequent operation can be the same as the operation of the authentication unit 205 according to the first embodiment described with reference to Figure 22, and therefore the description thereof will be omitted.

When the authentication unit 205 fails to authenticate the person to be authenticated, it determines whether the calculated similarity is greater than the threshold value TH6 (step S211). If the similarity is greater than the threshold value TH6 (step S211, Yes branch), the authentication unit 205 performs a matching process using the authentication failure database (step S212). Specifically, the authentication unit 205 sets the features of the person to be authenticated on the matching side and the features registered in the authentication failure database on the registration side, and performs 1:N matching.

Then, the authentication unit 205 updates the authentication failure database (step S213).

If the result of the above matching process is that there is no feature that substantially matches the feature of the person to be authenticated, the authentication unit 205 adds a new entry to the authentication failure database and sets the number of failures field to "1." The authentication unit 205 also sets the feature of the person to be authenticated in the added entry.

If, as a result of the above matching process, there is a feature that substantially matches the feature of the person to be authenticated, the authentication unit 205 adds "1" to the value of the number of failures field of the corresponding entry.

Thereafter, the authentication unit 205 passes the features of the person to be authenticated to the facial image update recommendation unit 206, and instructs the user corresponding to the features to determine whether or not a recommendation to update the facial image is necessary (step S214). As in the first embodiment, the facial image update recommendation unit 206 applies threshold processing to the number of failures of the person to be authenticated, and determines whether or not a recommendation to update the facial image is necessary based on the result. The facial image update recommendation unit 206 responds with the determination result to the authentication unit 205.

If a recommendation is not required (step S215, No branch), the authentication unit 205 notifies the sender of the authentication request of the authentication failure (step S216). Note that, even if the calculated similarity is not greater than the threshold TH6 (step S211, No branch), the authentication unit 205 also notifies the sender of the authentication request of the authentication failure.

If a recommendation is necessary (step S215, Yes branch), the authentication unit 205 instructs the facial image update recommendation unit 206 to send a facial image update recommendation notification (step S217).

The facial image update recommendation unit 206 that receives the instruction transmits a facial image update recommendation notification to the management server 20 that is the sender of the authentication request. The notification is forwarded to the authentication terminal 30 that has acquired the biometric information of the person to be authenticated. The authentication terminal 30 displays a message as shown in FIG. 24, and prompts the person to be authenticated to update his or her facial image.

In this way, the authentication server 10 according to the second embodiment transmits a facial image update recommendation notification instead of the authentication result when it is necessary to prompt a facial image update. Alternatively, the authentication server 10 may include information (a flag) in the negative response to the authentication request indicating that the negative response corresponds to a "facial image update recommendation notification." In this case, the authentication terminal 30 can display different messages to the authenticatee who has failed in authentication depending on whether a normal authentication failure has been received or an authentication failure corresponding to a facial image update recommendation has been received.

As described above, the authentication system according to the second embodiment can urge the person to be authenticated to update his/her facial image if the person fails authentication a predetermined number of times. That is, in the second embodiment, instead of the user presumed to be the person to be authenticated, the person to be authenticated, whose identity is verified in front of the authentication terminal 30, is recommended to update his/her facial image. As a result, authentication accuracy can be maintained, as in the first embodiment.

Next, we will explain the hardware of each device that makes up the authentication system. Figure 35 is a diagram showing an example of the hardware configuration of the authentication server 10.

The authentication server 10 can be configured by an information processing device (so-called a computer) and has the configuration shown in Fig. 35. For example, the authentication server 10 has a processor 311, a memory 312, an input/output interface 313, a communication interface 314, etc. The components such as the processor 311 are connected by an internal bus or the like and are configured to be able to communicate with each other.

However, the configuration shown in FIG. 35 is not intended to limit the hardware configuration of the authentication server 10. The authentication server 10 may include hardware not shown, and may not have an input/output interface 313 as necessary. Furthermore, the number of processors 311, etc. included in the authentication server 10 is not intended to be limited to the example shown in FIG. 35, and for example, multiple processors 311 may be included in the authentication server 10.

The processor 311 is, for example, a programmable device such as a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). Alternatively, the processor 311 may be a device such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). The processor 311 executes various programs including an operating system (OS).

Memory 312 is a RAM (Random Access Memory), a ROM (Read Only Memory), a HDD (Hard Disk Drive), a SSD (Solid State Drive), etc. Memory 312 stores an OS program, application programs, and various data.

The input/output interface 313 is an interface for a display device and an input device (not shown). The display device is, for example, a liquid crystal display. The input device is, for example, a device that accepts user operations such as a keyboard or a mouse.

The communication interface 314 is a circuit, module, etc. that communicates with other devices. For example, the communication interface 314 includes a NIC (Network Interface Card), etc.

The functions of the authentication server 10 are realized by various processing modules. The processing modules are realized, for example, by the processor 311 executing a program stored in the memory 312. The program can be recorded on a computer-readable storage medium. The storage medium can be a non-transitory medium such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. That is, the present invention can also be embodied as a computer program product. The program can be downloaded via a network or updated using a storage medium that stores the program. The processing modules may also be realized by a semiconductor chip.

In addition, the management server 20, the authentication terminal 30, and the terminal 40 can also be configured using information processing devices, just like the authentication server 10, and their basic hardware configurations are no different from those of the authentication server 10, so a description of them will be omitted. For example, the authentication terminal 30 may be equipped with a camera for capturing an image of the user.

The authentication server 10, which is an information processing device, is equipped with a computer, and the functions of the authentication server 10 can be realized by having the computer execute a program. The authentication server 10 also executes a facial image update recommendation method by the program.

[Modification]
The configuration, operation, and the like of the authentication system described in the above embodiment are merely examples, and are not intended to limit the system configuration, and the like.

In the above embodiment, it has been described that a user determines a user ID and password, and identifies a user (system user) registered in the system using the user ID and password. However, the authentication system may determine an ID (identifier) that uniquely identifies a system user. For example, in the user registration phase, the authentication server 10 acquires biometric information (facial image, features) of the user. The authentication server 10 may generate the ID based on the biometric information. For example, the authentication server 10 may calculate a hash value from the features of the facial image, and use the calculated hash value as a substitute for the user ID and password. The features of the facial image differ for each user, and the hash value generated from the features also differs for each user, so it can be used as the ID of the system user.

In the above embodiment, it has been described that the user registration phase and the service registration phase are executed at different times, but these phases may be executed at substantially the same time. For example, an authentication terminal 30 installed at a service provider to which the user wishes to provide a service may be used to execute the above two registration phases. Specifically, the user may use the authentication terminal 30 to perform user registration (input of biometric information, user ID, and password), and then continuously perform service registration (input of personal information, user ID, and password). In this case, the authentication terminal 30 may be provided with a user registration function (user management unit 202) of the authentication server 10 and a personal information acquisition function (personal information acquisition unit 302) of the management server 20.

The multiple authentication terminals 30 owned by a service provider do not have to be installed on the same premises, building, etc. If the service provider is the same, each authentication terminal 30 may be installed in a spatially separated location.

In the above embodiment, one service provider ID is assigned to one service provider, but one service provider ID may be assigned to multiple service providers. Multiple service providers may be grouped together and a service provider ID may be issued for each group. For example, when service providers S1 and S2 cooperate with each other to provide the same service, a common service provider ID may be issued to service providers S1 and S2.

In the above embodiment, a case has been described in which biometric information related to "feature amounts generated from a facial image" is transmitted from the management server 20 to the authentication server 10. However, biometric information related to a "facial image" may also be transmitted from the management server 20 to the authentication server 10. In this case, the authentication server 10 may generate feature amounts from the acquired facial image and execute the authentication process (matching process).

In the above embodiment, a case has been described in which the authentication terminal 30 acquires a facial image and the management server 20 generates features from the facial image. However, the authentication terminal 30 may generate features from the facial image and transmit the generated features to the management server 20. In other words, the management server 20 does not have to generate features.

In the above embodiment, a case has been described in which the authentication server 10 stores the user's biometric information (facial image, features) and the management server 20 stores the user's personal information (name, etc.). However, these two servers may be integrated, and the integrated server may store the biometric information and personal information. That is, the authentication terminal 30 may transmit the biometric information to the integrated server, and the server may transmit the corresponding personal information to the authentication terminal 30 as a result of the authentication process.

In the above embodiment, the feature amount generated from the registered face image is stored in the authentication information database, but the feature amount does not have to be stored in the database. The authentication server 10 may generate the feature amount from the registered face image each time it processes an authentication request.

In the above embodiment, it has been described that identity verification is performed using an identification document when the user registers with the system, but this identity verification may be omitted. Identity verification of system users may be performed individually by the service provider. That is, the management server 20 may perform identity verification using biometric information (facial image) and an identification document. In this case, the management server 20 may delete the biometric information after identity verification is completed.

Alternatively, staff at the authentication center may verify the identity of the user using a facial image and identification documents obtained from the user, and input the information of the identified user (user ID, password, facial image) into the authentication server 10.

In the above embodiment, it has been described that old features and facial images are deleted (overwritten with new features and facial images) when updating a facial image, but the old features and facial images may also be left in the database. Furthermore, if old features remain, the authentication server 10 may also use the old features in the matching process. For example, if the matching process using new features (updated features) is unsuccessful, the authentication server 10 may use the old features in the matching process. This approach makes it possible to absorb slight changes in appearance, etc., and improve authentication accuracy.

The form of data transmission and reception between each device (authentication server 10, management server 20, authentication terminal 30) is not particularly limited, but data transmitted and received between these devices may be encrypted. Biometric information is transmitted and received between these devices, and in order to appropriately protect the biometric information, it is desirable to transmit and receive encrypted data.

In the above embodiment, the user's terminal 40 is described as being used to update a facial image. The terminal 40 may be used for purposes other than updating a facial image. For example, the user may use the terminal 40 to update other information registered in the authentication server 10. For example, the user may use the terminal 40 to access the authentication server 10 and select a service provider from which a service is to be provided by biometric authentication. That is, the user may register for a service via the authentication server 10. In this case, if there are a large number of service providers, service providers that are used less frequently or have not been used recently may be displayed preferentially. Alternatively, the user may use the terminal 40 to apply for withdrawal from the system or service.

In the above embodiment, the face image update recommendation unit 206 transmits a face image update recommendation notification based on the number of authentication failures of a user who is presumed to be authenticated. However, the face image update recommendation unit 206 may determine whether or not to transmit a face image update recommendation notification based on other information instead of or in addition to the number of failures. For example, it may be determined whether or not to transmit a face image update recommendation notification based on the age of the user. For example, if the user is a minor, the face changes quickly over time, so the face image update recommendation unit 206 may transmit a face image update recommendation notification with a small number of failures. That is, the face image update recommendation unit 206 may change the threshold value TH7 that determines the transmission of the face image update recommendation notification based on the age of the user (user registered in the authentication failure database). Alternatively, the face image update recommendation unit 206 may change the threshold value TH7 according to the period that has elapsed since the time of system registration. Specifically, if the period of system registration is short, the threshold value TH7 is set large, and if the period is long, the threshold value TH7 is set small. By taking such measures, the longer a user remains registered in the system, the more likely it is that a facial image update recommendation notification will be sent.

When authentication fails multiple times in response to an authentication request from the same authentication terminal 30 (management server 20), the authentication server 10 may prompt the authentication terminal 30 to update the face image. For example, when authentication fails, the authentication server 10 may retain the most recent feature value of the person to be authenticated, and when it is determined that authentication has failed for the same person, the authentication server 10 may prompt the authentication terminal 30 to update the face image via the management server 20 and the authentication terminal 30.

The authentication server 10 may change the threshold value TH6 for estimating the subject who has failed authentication depending on the sender of the authentication request (management server 20). For example, consider a case where the environment in which the authentication terminal 30 is installed is poor and there is a high tendency for authentication to fail. The reliability of face images acquired in such an environment and the authentication results using said face images is low. Therefore, the authentication server 10 sets the threshold value TH6 high. As a result, it is possible to prevent unreliable results obtained in a poor environment from being registered in the authentication failure database.

The authentication server 10 may store the authentication history of a user registered in the authentication failure database. Specifically, the authentication server 10 may store information on the service providers (management server 20) that have successfully authenticated the user and the service providers that have failed to authenticate the user in association with each other. If there are many authentication failures for a particular service provider, the authentication server 10 may notify the service provider of this fact. For example, if the probability of successful authentication differs greatly between multiple service providers, the authentication server 10 may notify the service provider with many authentication failures of this fact and urge them to improve the face image capture environment, etc.

In the above embodiment, the authentication server 10 registers users who are presumed to have failed authentication due to a change in appearance or the like in an authentication failure database. When registering the user in the database, the authentication server 10 may notify the authentication terminal 30 of this fact via the management server 20. For example, upon receiving the notification, the authentication terminal 30 may display a message such as "Customer authentication has failed. The facial image registered in the system may be out of date. We recommend updating your facial image." When urging (recommending) to update the facial image via the authentication terminal 30 in this way, the user does not need to register contact information in the authentication server 10.

In the above embodiment, a case has been described in which, for users who have failed authentication and whose similarity falls within a predetermined range (TH6<similarity≦TH5), information on the users is stored using an authentication failure database. However, the authentication server 10 may be configured to uniformly store information on each user who has failed authentication. When authentication fails, the authentication server 10 may register information on the user corresponding to the greatest similarity in the authentication failure database.

In the second embodiment, the authentication unit 205 registers the feature of the authenticated person who failed to be authenticated in the authentication failure database. However, instead of the feature of the authenticated person, the authentication unit 205 may register the feature corresponding to the largest value of the calculated similarities in the authentication failure database. That is, the authentication failure database may store the feature of a user who is presumed to be the authenticated person among multiple users (the user with the largest similarity) in association with the number of authentication failures. Furthermore, when the authentication unit 205 fails to authenticate the authenticated person, it identifies the entry of the authenticated person who failed to be authenticated by a matching process using the feature stored in the authentication failure database and the feature of the authenticated person who failed to be authenticated. The authentication unit 205 updates the value of the failure count field of the identified entry.

In the flow diagrams (flowcharts, sequence diagrams) used in the above explanation, multiple steps (processes) are described in order, but the order of execution of the steps performed in the embodiments is not limited to the order described. In the embodiments, the order of the steps shown in the diagrams can be changed to the extent that does not interfere with the content, such as by executing each process in parallel.

The above embodiments have been described in detail to facilitate understanding of the present disclosure, and it is not intended that all of the configurations described above are required. Furthermore, when multiple embodiments are described, each embodiment may be used alone or in combination. For example, it is possible to replace part of the configuration of an embodiment with the configuration of another embodiment, or to add the configuration of another embodiment to the configuration of an embodiment. Furthermore, it is possible to add, delete, or replace part of the configuration of an embodiment with other configurations.

The above explanation makes clear the industrial applicability of the present invention, which is suitably applicable to authentication systems that authenticate customers of retail stores, hotels, etc. However, the application of the present disclosure is not limited to authentication systems, and the present disclosure is suitable for systems that update biometric information (especially registered facial images).

A part or all of the above-described embodiments can be described as, but is not limited to, the following supplementary notes.
[Appendix 1]
a first database that stores biometric information relating to the face of each of a plurality of users;
an authentication unit that refers to the first database and authenticates a person to be authenticated;
a recommendation unit that, when authentication of the person to be authenticated fails, recommends an update of biometric information stored in the first database to a user who is presumed to be the person to be authenticated, among the plurality of users;
An authentication server comprising:
[Appendix 2]
2. The authentication server according to claim 1, wherein the recommendation unit recommends updating the biometric information when it is determined that authentication has failed due to a change in the appearance of the person to be authenticated.
[Appendix 3]
the first database stores feature amounts generated from face images of the respective users;
The authentication unit
calculating a similarity between each of the plurality of feature amounts stored in the first database and the feature amount of the person to be authenticated;
Identifying a user who is presumed to be the person to be authenticated based on a result of threshold processing of the calculated similarity;
3. The authentication server according to claim 1 or 2, further comprising: a second database configured to store information about the identified user.
[Appendix 4]
The authentication server described in Appendix 3, wherein the authentication unit estimates that the user corresponding to the largest similarity among the calculated similarities that is greater than a first threshold and less than or equal to a second threshold is the person to be authenticated.
[Appendix 5]
5. The authentication server according to claim 4, wherein the first threshold is a threshold for determining that the person to be authenticated is the person himself/herself, and the second threshold is a threshold for determining that the person to be authenticated is a different person.
[Appendix 6]
the authentication unit stores in the second database at least the number of times authentication has failed for the user presumed to be authenticated;
The authentication server according to any one of Supplementary claims 3 to 5, wherein the recommendation unit determines whether to recommend updating the biometric information based on the number of times the authentication has failed.
[Appendix 7]
The authentication server according to claim 6, wherein the recommendation unit recommends updating the biometric information based on a result of threshold processing for the number of authentication failures.
[Appendix 8]
8. The authentication server according to claim 3, wherein the second database stores contact information of the user who is presumed to be the person to be authenticated.
[Appendix 9]
9. The authentication server of claim 8, wherein the recommendation unit sends a facial image update recommendation notification to contacts stored in the second database.
[Appendix 10]
The authentication server according to claim 9, wherein the recommendation unit transmits the facial image update recommendation notification including a facial image of a user who is presumed to be the person to be authenticated, the facial image being stored in a first database.
[Appendix 11]
The authentication server according to claim 9 or 10, wherein the recommendation unit transmits the face image update recommendation notification including at least one of an age of the user presumed to be the person to be authenticated, a system registration date, and a system registration period.
[Appendix 12]
The authentication server according to any one of appendices 9 to 11, wherein the recommendation unit determines whether or not to send the facial image update recommendation notification depending on the age or system registration period of the user who is presumed to be the person to be authenticated.
[Appendix 13]
2. The authentication server according to claim 1, wherein the recommendation unit, on behalf of a user presumed to be the person to be authenticated, recommends to the person to be authenticated that the biometric information stored in the first database be updated.
[Appendix 14]
a second database for storing the number of times authentication of the authenticated person has failed if authentication of the authenticated person has failed;
14. The authentication server of claim 13, wherein the recommendation unit recommends the person to be authenticated to update the biometric information if the number of times authentication failures of the person to be authenticated is greater than a predetermined value.
[Appendix 15]
the second database stores the biometric information of the person to be authenticated and the number of times the authentication has failed in association with each other;
The authentication server of claim 14, wherein, when authentication of the subject fails, the authentication unit identifies an entry of the subject who has failed to be authenticated by performing a matching process using the biometric information stored in the second database and the biometric information of the subject who has failed to be authenticated, and updates the number of times authentication has failed for the identified entry.
[Appendix 16]
the second database stores biometric information of a user who is presumed to be the person to be authenticated among the plurality of users in association with a number of times the authentication has failed;
The authentication server of claim 14, wherein, when authentication of the subject fails, the authentication unit identifies an entry of the subject who has failed to be authenticated by performing a matching process using the biometric information stored in the second database and the biometric information of the subject who has failed to be authenticated, and updates the number of times authentication has failed for the identified entry.
[Appendix 17]
An authentication server including a first database that stores biometric information relating to the faces of a plurality of users,
referring to the first database to authenticate the person to be authenticated;
a face image update recommendation method for, when authentication of the person to be authenticated fails, recommending an update of biometric information stored in the first database to a user who is presumed to be the person to be authenticated among the plurality of users;
[Appendix 18]
A computer installed in an authentication server having a first database that stores biometric information on the faces of each of a plurality of users,
a process of authenticating an authentication subject by referring to the first database;
a process of recommending, when authentication of the person to be authenticated fails, to a user who is presumed to be the person to be authenticated among the plurality of users to update biometric information stored in the first database;
A computer-readable storage medium that stores a program for executing the above.

The disclosures of the above cited prior art documents are incorporated herein by reference. Although the embodiments of the present invention have been described above, the present invention is not limited to these embodiments. Those skilled in the art will understand that these embodiments are merely illustrative and that various modifications are possible without departing from the scope and spirit of the present invention. In other words, the present invention naturally includes various modifications and amendments that a person skilled in the art can make in accordance with the entire disclosure, including the scope of the claims, and the technical ideas.

10, 100 Authentication server 20 Management server 30 Authentication terminal 40 Terminal 101 First database 102, 205 Authentication unit 103 Recommendation unit 201, 301, 401 Communication control unit 202 User management unit 203, 304 Database (DB) management unit 204 Service registration unit 206 Facial image update recommendation unit 207, 306, 405 Storage unit 302 Personal information acquisition unit 303 Service registration request unit 305 Authentication request unit 311 Processor 312 Memory 313 Input/output interface 314 Communication interface 402 Biometric information acquisition unit 403 Service provision unit 404 Message output unit

Claims (11)

a first database that stores first biometric information relating to the faces of each of a plurality of users;
an authentication unit that refers to the first database and authenticates a person to be authenticated;
a recommendation unit that uses the number of times authentication of the subject has failed to recommend to a user who is presumed to be the subject of authentication among the plurality of users to update the first biometric information stored in the first database;
a receiving unit that receives second biometric information related to a face of the user presumed to be the person to be authenticated from the user presumed to be the person to be authenticated;
an update unit that determines whether or not to update the first biometric information stored in the first database with the second biometric information based on a similarity between the first biometric information and the second biometric information of the user who is presumed to be the subject of authentication;
An authentication server comprising : The authentication unit stores at least the number of times authentication has failed for the user presumed to be authenticated in a second database;
the recommendation unit determines whether or not to recommend updating the biometric information depending on a result of threshold processing for the number of authentication failures, and recommends updating the biometric information when a recommendation is necessary.
The authentication server of claim 1 . The authentication server according to claim 1, wherein the recommendation unit recommends updating the biometric information when it is determined that authentication has failed due to a change in the person's appearance. the first database stores feature amounts generated from face images of the respective users;
The authentication unit
calculating a similarity between each of the plurality of feature amounts stored in the first database and the feature amount of the person to be authenticated;
Identifying a user who is presumed to be the person to be authenticated based on a result of threshold processing of the calculated similarity;
The authentication server according to claim 2 , further comprising: storing information of the identified user in the second database. 5. The authentication server according to claim 4, wherein the authentication unit presumes that the user corresponding to the largest similarity value among the calculated similarities that is greater than a first threshold value and is equal to or smaller than a second threshold value is the person to be authenticated. 6. The authentication server according to claim 5 , wherein the first threshold is a threshold for determining that the person to be authenticated is a different person, and the second threshold is a threshold for determining that the person to be authenticated is the person himself/herself. 7. The authentication server according to claim 1, wherein the recommendation unit recommends updating the biometric information by a recommendation notification including a facial image of a user who is presumed to be the person to be authenticated, the facial image being stored in the first database. The authentication server according to claim 1 , wherein the recommendation unit determines whether or not to recommend updating the biometric information based further on at least one of an age of the user and a period of system enrollment. The authentication server according to claim 1, wherein the recommendation unit, instead of the user presumed to be the person to be authenticated, recommends the person to be authenticated to update the biometric information stored in the first database. An authentication server including a first database that stores first biometric information relating to the faces of each of a plurality of users,
referring to the first database to authenticate the person to be authenticated;
performing a recommendation process for recommending an update of the first biometric information stored in the first database to a user who is presumed to be the person to be authenticated among the plurality of users, using the number of times authentication of the person to be authenticated has failed;
receiving second biometric information relating to a face of the user presumed to be the person to be authenticated from the user presumed to be the person to be authenticated;
A facial image update recommendation method for determining whether or not to update the first biometric information stored in the first database with the second biometric information based on the similarity between the first biometric information and the second biometric information of a user who is presumed to be the person to be authenticated . A computer installed in an authentication server having a first database that stores first biometric information related to the faces of each of a plurality of users,
a process of authenticating an authentication subject by referring to the first database;
a recommendation process for recommending an update of the first biometric information stored in the first database to a user who is presumed to be the person to be authenticated, among the plurality of users, by using the number of times authentication of the person to be authenticated has failed;
receiving second biometric information relating to a face of the user presumed to be the person to be authenticated from the user presumed to be the person to be authenticated;
and determining whether or not to update the first biometric information stored in the first database with the second biometric information based on the degree of similarity between the first biometric information and the second biometric information of a user who is presumed to be the person to be authenticated .

Images