Technical field

The present invention relates to access control systems, in particular for domestic residential premises, that use provide access based on biometric verification, to premises security monitoring systems including such access control systems, and corresponding methods.

Background

Historically, “access control systems” - typically computer-controlled access systems, were used in commercial premises such as factories and offices - both as a means of controlling access, so that only authorised people (typically employees or other workers) could gain access to the protected premises, and also as a means of gathering data about attendance including the number of hours present, and also the length and timing of absences such as lunch breaks.

Domestic use of access systems was largely confined to controlling access to communal parts of multi-occupancy properties and dwellings, such as apartment blocks and condominiums. But in recent years, with the emergence of electronically controlled locks as a feature of domestic security, there has been increased deployment of access control systems to individual domestic residences such as single-family dwellings such as houses.

In a domestic setting an access door, typically the main access door, of a house or other dwelling may be provided with an electronically controlled lock, and either the lock or a terminal on the exterior of the door or on an adjacent surface or structure, is provided with an interface by means of which an occupier can either enter a code or present an access token such as a card or “dongle” in order to unlock the lock to gain admittance to the property. Such systems may be provided effectively as a stand-alone system but are frequently part of a “home automation” package, or part of a security monitoring system installation. In the latter case the external terminal typically also enables the disarming, and optionally the arming, of the security monitoring system.

In some commercial applications of access control, provision may be made for biometrics such as face recognition, fingerprint recognition, and occasionally voice recognition, to be used in place of (or in addition to) some other access modality such as a smart card or token, particularly for access control to workplaces that require high security. It is recognised that biometric access control may both enhance security by making it harder for interlopers to gain access to the protected premises (whereas simply acquiring control of an access token such as a smart card may make access trivially easy) and also permit speedier and potentially hands-free access. Generally, such installations are supported by the presence of security guards who can assist when something goes wrong - such as an accredited person being denied admittance. Domestic access control systems that support facial recognition as an access modality are also known, but are not yet commonplace. Among the various reasons behind the slow uptake of such technology in the domestic sphere may be the fact that in some jurisdictions security monitoring systems are required to enter a lock-out (lockout) mode (during which it is not possible to disarm the system or electronically unlock the lock, which is typically several minutes and may be as much as 15 to 30 minutes) for a certain time if attempted authentication fails 5 times (or some other low number of attempts) in a row - and systems may attempt authentication repeatedly in quick succession so that 5 failures may occur before a user is even aware that the system is attempting to authenticate them. Also in some jurisdictions data privacy laws require user consent to start biometric authentication while according to rules in some countries, the access device is not allowed to give any indication of whether the system is armed or disarmed, until a person is authenticated - which means, no indicator lights, etc. But it also means that a person should not be able to deduce, from the behaviour of the device, whether the system is in fact armed. This complex web of difficulties conspires to make it difficult to deploy the kind of user-friendly interface and user experience that customers demand - perhaps explaining why the use of biometric authentication in domestic access control systems, particularly those aimed at single-occupancy dwellings, is so rare despite the obvious advantages of increased security and the possibility of hands-free access - something that is probably even more attractive in the domestic setting than it is for commercial buildings.

The present invention seeks to provide solutions to help overcome, at least in part, one or more of the barriers to deploying biometric access control technology particularly in a domestic setting.

Summary

According to a first aspect there is provided an access device for a security monitoring system, the access device being configured to perform biometric authentication on a user subject and to detect a user-initiated activation event to initiate an authentication attempt; the device being configured, in the event that a subject performs the user-initiated activation event, to: capture biometric data of the subject; attempt to authenticate the subject by comparing the captured biometric data with reference data stored on the device; and in the event that the comparison leads to authentication of the subject to generate an authentication token that identifies the user for the system.

Such a device may be configured, in the event that the comparison leads to authentication of the subject, to: obtain information and/or one or more permissions linked to the authenticated identity; present the subject with information and/or at least one option for action based on the obtained information and/or permissions. According to a second aspect there is provided an access device for a security monitoring system, the access device being configured to perform biometric authentication on a user (subject) and to detect a user-initiated activation event to initiate an authentication attempt; the device being configured, in the event that a subject/user performs the user-initiated activation event, to: capture biometric data of the subject; attempt to authenticate the subject by comparing the captured biometric data with reference data stored on the device; and in the event that the comparison leads to authentication of the subject to: obtain information and/or one or more permissions linked to the authenticated identity; present the subject with information and/or at least one option for action based on the obtained information and/or permissions.

Such a device may be further configured, in response to a selection made by the subject from the at least one option, to generate one or more commands based on the selection made.

An access device according to any variant of the first or second aspect may further comprise at least one user operable actuator to initiate authentication attempts. Such a device may comprise plural user operable actuators to initiate authentication attempts, each of the plural user operable actuators being dedicated to a parti cular/different “action”.

An access device according to any variant of the first or second aspect may be configured to accept a gesture as a user-initiated activation event to initiate an authentication attempt. Such an approach may permit secure hands-free entry to the protected premises.

An access device according to any variant of the first or second aspect may be configured to accept a voiced input as a user-initiated activation event to initiate an authentication attempt.

An access device according to any variant of the first or second aspect may comprise at least one camera and configured to authenticate using facial recognition. Such a device may comprises a facial sensor and applies a 3-D mapping model for facial recognition, or may comprise a 2-D image sensor and applies a 2-D image model for facial recognition. In such an access device the stored biometric models for individuals may include data relating to the heights of the individuals.

An access device according to any variant of the first or second aspect comprise at least one microphone and configured to authenticate using speaker recognition.

An access device according to any variant of the first or second aspect may include a camera and configured to attempt image-based biometric verification, a limited number of times, using images from the camera when a subject is positioned at a predetermined location within view of the camera, without requiring a user-initiated activation event prior to initiating the image-based biometric verification attempt. In such an access device the number of times is preferably such that if attempts at authentication fail for that number of times, the access device is still able to process at least one user-initiated verification attempt without entering a lockout state, and optionally at least two such user-initiated verification attempts, so that a user is not going to be denied the chance to attempt a prompted verification attempt by a system which attempts unprompted verification. For example, in Europe, the relevant EN standard sets the limit of verification attempts at 5 before an enforced system lockout, so preferably the access device will be configured to make no more than 3 or 4 unprompted verification attempts, and preferably no more than 2 or 3 such attempts. In this way users get the convenience of potential hands-free access without the need to initiate a verification attempt but are not then at risk of being locked out, unable to gain access to the protected premises for the duration of a mandatory lockout period. The user is always able to initiate a verification attempt, safe in the knowledge that the access device will not itself have exhausted the 5 verification opportunities.

Such a device may be configured only to attempt the image-based biometric verification attempt after the subject has been in position at the predetermined location for more than a threshold period, optionally at least 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 seconds or more.

An access device according to any variant of the first or second aspect comprise a camera and a ranging arrangement to determine the location of a subject with respect to the device.

An access device according to any variant of the first or second aspect may be configured as a video doorbell.

An access device according to any variant of the first or second aspect may be configured for wall mounting.

An access device according to any variant of the first or second aspect may comprise a camera and configured to recording a captured image of a person for whom an authentication event fails, and optionally to transmit the captured image to a control unit of the security monitoring system and/or a remote monitoring station.

According to a third aspect there is provided a premises security monitoring system including an access device according to any variant of the first or second aspect.

In such system, a controller of the security monitoring system may include a database of permission rights for each of a set of authorised users for whom a biometric model is stored on the access device, the controller, or on both the access device and the controller.

A system according to any variant of the third aspect may be operably connected to a remote monitoring centre, the remote centre including a database of permission rights for each of a set of authorised users for whom a biometric model is stored.

According to a fourth aspect there is provided a method performed on an access device of a security monitoring system, the method comprising: detecting a subject-initiated activation event; capturing biometric data of the subject; attempting to authenticate the subject by comparing the captured biometric data with reference data stored on the device; and, in the event that the comparison leads to authentication of the subject, generating an authentication token that identifies the user for the system.

Such a method may further comprise, in the event that the comparison leads to authentication of the subject: obtaining information and/or one or more permissions linked to the authenticated identity; and presenting the subject with information and/or at least one option for action based on the obtained information and/or permissions.

According to a fifth aspect there is provided a method performed on an access device of a security monitoring system, the method comprising: detecting a user-initiated activation event to initiate an authentication attempt; capturing biometric data of the subject; attempting to authenticate the subject by comparing the captured biometric data with reference data stored on the device; and in the event that the comparison leads to authentication of the subject to: obtaining information and/or one or more permissions linked to the authenticated identity; and presenting the subject with information and/or at least one option for action based on the obtained information and/or permissions.

In a method according to any variant of the fourth or fifth aspect the biometric data for each of a plurality of individuals includes data relating to facial features of the individual.

In such a method the biometric data for each of a plurality of individuals may include data relating to the height of the individual.

Brief description of the Figures

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying Figures, in which:

Figure 1 shows a view of the front of a premises protected by a security monitoring system according to an aspect of the present invention.;

Figure 2 is a schematic part plan view of a premises protected by security monitoring system according to an aspect of the invention;

Figure 3 illustrates schematically the major components of an image capture arrangement according to an aspect of the invention in the form of a video doorbell;

Figure 4 is a flow chart illustrating a method according to an aspect of the invention;

Figure 5 is a flow chart illustrating a method according to an aspect of the invention;

Figure 6 is a flow chart illustrating a method according to an aspect of the invention; and Figure 7 illustrates a possible configuration of an access device according to an aspect of the invention.

Specific description Figure 1 shows a view of the front of a premises 100 protected by a security monitoring system according to an aspect of the present invention. The premises, here in the form of a house, have an exterior door, here front door, 102. The door gives access to a protected interior space. The security monitoring system secures at least part of a perimeter to the premises 100, and the door constitutes an exterior closure 102 in the secure perimeter giving access to a protected interior space 200 of the premises. A lock 104 on the exterior door is optionally electrically controlled so that it can be locked and unlocked remotely.

To the side of the door, on the facade of the house, is a first video camera in the form of a video doorbell 106 which looks out from the facade of the premises so that anyone approaching the door along the path 108 can be seen, and in particular when a visitor stands at the door their face should clearly be visible. The video doorbell includes an actuator, e.g. a push button, for a visitor to indicate their presence at the closure. The video doorbell also includes an audio interface to enable bidirectional audio communication with a visitor at the closure 102.

As is conventional, the video doorbell preferably includes an infrared light source to illuminate whatever is in front of the video doorbell. Optionally, as shown, the facade of the house also carries an external keypad (aka “access device”) 110 by means of which a user can disarm the security monitoring system, and unlock the lock 104 although, as will be explained, the video doorbell may itself incorporate the functionality of an access device - so that no separate access device need be provided for the front door (one may of course be provided adjacent another door if that door is also a main entrance . Also shown is an optional second video camera 112 which is coupled to a presence and/or movement detector 114. The detector may optionally be a thermal detector, for example a PIR sensor. The second video camera 112 may be arranged when the security monitoring system is armed, to capture video of the approach to the house and/or the private area, e.g. the garden, to the front or the car-parking space to the side of the house and signal an alarm event to a controller of the security monitoring system. As with the doorbell camera, the second video camera is preferably provided with an audio interface to enable bidirectional audio communication with anyone observed by the second video camera. Although the first video camera is illustrated in the form of a video doorbell, the first video camera may additionally or alternatively have the features described above for the second video camera, whether or not plural video cameras are used.

Figure 2 is a schematic part plan view of a premises 100 protected by security monitoring system according to an aspect of the invention, together with other elements of the system, corresponding generally to the premises of figure 1. The front door 102, with electrically controlled lock 104, leads into the protected interior space 200 of the premises. Each of the windows 202, and the rear door 204 is fitted with a sensor 206 to detect when they are opened. Each of the sensors 206 includes a radio transceiver to report events to a controller , or central unit, 208 of the security monitoring system. If one of the sensors 206 is triggered when the system is armed, a signal is sent to the central unit 208 which in turn may signal an alarm event to a remote central monitoring station 210. The central unit 208 is connected to the remote central monitoring station 210 via the Internet 212, either via a wired or a wireless connection. Also wirelessly coupled to the central unit 208 are the video doorbell 106, the electrically controlled lock 104, and if present the access device 110, the second video camera 112, its associated presence and/or movement detector 114 (although the latter may be integral with the second video camera 112) and the audio interface 116. These items, and the sensors 206, are preferably coupled to the central unit 208 using transceivers operating in the industrial scientific and medical (ISM) bandwidths, for example a sub-gigahertz bandwidth such as 868 MHz, and the communications are encrypted preferably using shared secret keys. Preferably the central unit 208 and each image source (e.g. video camera, other camera, or video doorbell) also includes a transceiver to provide Wi-Fi connectivity (or equivalent wide bandwidth protocol), e.g. for the sharing of images and video, as timely transmission of image and video files requires a relatively large bandwidth, at least for the kinds of high resolution images which are typically wanted in security monitoring installations. Preferably the Wi-Fi or other large bandwidth transceiver is provided in addition to the low-bandwidth transceiver (e.g. ISM transceiver) used for the transmission and reception of control signals and event notifications and the like. The security monitoring system may also include other sensors within the protected interior space, such as an interior video camera 214 and associated movement detector 216 (which again may be integral with the camera 214), and each of the interior doors 218 may also be provided with a sensor 206 to detect the opening/closing of the door. Also shown in figure 2 are a user device 220, preferably loaded with an appropriate app - as will be described later, and a public land mobile network (PLMN) by means of which the central monitoring station 210, and the central unit 208, may communicate with the user device 220.

Operation of the security monitoring system may be controlled by one or more of: the controller 208, the remote monitoring station 210, and a security monitoring app installed on the user device 220. As previously mentioned, an access device 110 (stand alone or embodied within a video doorbell) may be provided outside the protected premises, e.g. on an exterior wall of the premises, optionally adjacent a main entrance, such as the front door 102, to enable an occupier to arm and disarm the security monitoring system and optionally also to lock and unlock a lock (e.g. 104) in the relevant door, e.g. to gain admittance to the premises.

The remote monitoring station 210, if provided, may receive one or more signals from any of the first camera and/or video doorbell 106, the second camera 112, the keypad 110, the sensors 206 and/or 520 (described in more detail later). The remote monitoring station 210 may transmit commands for controlling any one or more of: the arm state of the alarm system (e.g. armed or unarmed); commanding a tripped alarm state to be signalled by the alarm system (e.g. by triggering one or more sirens to generate alarm noise); commanding a lock state of the door lock 104 (e.g. locked or unlocked), commanding operation of one or more functions of the video doorbell 106 or the access device 110, commanding operation of one or more cameras to transmit images to the remote monitoring unit. Communication with the remote monitoring station 210 may pass through the controller 208, as described above. In other embodiments without the remote monitoring station 210, or in the event that communication with the remote monitoring station 210 is interrupted, operation of the alarm system may be controlled by the controller 208. In yet other embodiments, the controller 208 may be omitted, and the individual peripheral devices may communicate directly with the remote monitoring station 210.

The security monitoring system app is installed on a user device 220, here shown as a smartphone, although of course it could be almost any kind of electronic device, such as a laptop or desktop computer, a tablet such as an iPad, a smart watch, or even a television.

Having set the scene for the invention, we will now consider an approach according to aspects of the invention that can help overcome, at least in part, one or more of the barriers to deploying biometric access control technology particularly in a domestic setting. Figure 3 illustrates schematically the major components of an access device (also an image capture arrangement) 300 in the form of a video doorbell, for example a doorbell 106 as shown in Figure 1 and 2. A processing arrangement 302 (hereinafter “processor”), which may be an MCU, a microprocessor or a collection of processors or more than one MCU, is coupled to a memory arrangement 303 (comprising one or more memory devices) that stores software to control the operations of the processor 302 and also stores images/video captured by the image sensor 304 and any audio captured by the microphone. The memory arrangement 303 also stores biometric verification programs and algorithms for use in biometric verification, together with biometric data for one or more registered users of the system, for example facial feature data, voice files, etc., obtained during training sessions.

Also coupled to the processor 302 are an image sensor 304, here in the form of a video camera, a low power and/or thermal sensor 306 which may for example be a thermal sensor for detecting presence e.g. by detecting motion, and an optional ranging arrangement 308, for example a radar arrangement or a time of flight sensing arrangement, although ranging information may alternatively be derived from analysis of images captured by the image sensor 304. Time of flight ranging is typically based on the use of short ultrasound pulses. The processor 302 is also coupled to one or more RF transceiver(s) 310, (for example a transceiver to support the rapid transmission of large image files, e.g. a Wi-Fi transceiver, and a narrow bandwidth transceiver, e.g. a ISM transceiver, for transmitting and receiving notifications and control messages, etc.) A near field communication, NFC, antenna may also be coupled to the processor 302 to enable the use of a “dongle” or token (optionally in the form of a suitably programmed mobile phone, watch, or equivalent device) for use in arming and disarming the security monitoring system, and optionally unlocking any electronically controlled lock.

Also coupled to the processor 302 may be one or more user operable actuators 312 (e.g. buttons each coupled to an associated mechanical switch, or virtual buttons provided for example on optional display 322) useable by a subject (person) to initiate an authentication attempt - as will be explained later.

Also coupled to the processor 302 is a power supply unit 314 (which preferably includes one or more batteries to at least provide backup in the event of failure of any mains-fed power supply - although the power supply may instead be based on battery power rather than on mains- fed power), an audio interface 316, and preferably also a lighting arrangement 318 that at least provides infra-red illumination to enable images to be captured in the absence of significant levels of visible light. These elements are preferably also provided in image capture arrangements other than video doorbells, for example they may all be provided in a video camera of a security monitoring system such as that shown as camera 112 in Figures 1 and 2.

When the access device of Figure 3 is a video doorbell it further comprises an actuator 320 - a “bell push” which may be in the form of a mechanical switch or in the form of an actuation device that detects user input using one or more capacitive or inductive sensors and that preferably does not rely on moving parts to detect an activation event - although the use of a mechanical device which provides strong tactile feedback of operation (e.g. a metal dome switch) is preferred as such devices only use electrical energy when activated - unlike some capacitive or inductive switches, and generally the magnitude of the tactile feedback provided better enables a user to know that the switch has successfully been activated. Again, when the access device of Figure 3 is a video doorbell, the image capture arrangement of Figure 3 may further comprise a display 322 for the display of messages and visual feedback.

The elements shown in Figure 3 also largely correspond to those provided in a standalone access device such as 110, although in this case a keypad 321 may be provided in place of, or in addition to, the actuator 320. Again, the ranging arrangement 308 is optional.

The access device 300 also includes a frame 340 with features such as flanges 350, with screw holes 355, to enable the access device to be securely fastened to the exterior of the wall of the house or some other convenient structure (such as a dedicated stand). Although here the flanges are shown extending outwardly from the frame 340, in practice the flanges are preferably so located that they and the screws securing the frame to the wall are concealed by the access device, or its frame.

At a high level the access device 300 comprises a processor 302, and coupled to the processor 302: an image sensor 304 to capture images of a monitored area, a low power and/or thermal sensor 306, such as a thermal sensor, to detect human presence in the monitored area; and a range determining or range-detecting sensing arrangement 308, for example a radar arrangement. The monitored area includes a target zone, preferably relatively close (typically less than about 2.5 metres, e.g. less than 2 metres, 1.75 metres, 1.5 metres, 1.2 metres, 1.1 metres, 1 metre, 0.9 metres, 0.8 metres, 0.7 metres, 0.6 metres, less than 0.5 metres) to the access device , within which biometric verification of someone standing before the access device can be achieved successfully on a reliable basis. Preferably the access device is mounted between 0.8 and 1.4 metres, e.g. between 1 and 1.3 metres from the ground level upon which a subject will be standing when subject to biometric verification. Conveniently, the access device may be mounted about 1.1 and 1.25 metres above the relevant ground level - although if the householders are either taller or shorter than average, or if they are wheelchair users, corresponding adjustment to the mounting height of the access device may need to be made.

The sensor 306 is preferably a presence sensor with a low power consumption - for example a lower power consumption than either the range detecting arrangement and/or the image sensor, and/or the processor when processing images. The sensor 306 may detect presence based on detecting motion or simply based on detection of presence without the need for motion. Such presence, with or without motion, may be detected by thermal sensors, and in general thermal sensors can be expected to have suitably low power consumption for this application. For example, the sensor 306 may be a PIR (passive infrared) sensor which detects motion by detecting changes in infrared radiation, or optionally a TMOS sensor which senses absolute temperature (rather than a differential temperature as a PIR does). Typically a high quality PIR sensor will consume less than O.OlmW, e.g. 0.005mW, while a TMOS sensor may consume no more than about 0.05mW. Depending on the desired implementation, an advantage of a TMOS sensor over a PIR sensor is that the TMOS sensor is generally harder for an intruder to fool because unlike a PIR sensor it does not rely on detecting motion - an advantage that stems from the fact that the TMOS sensor responds to absolute temperature. Also, over ranges likely to be of interest in the present application, TMOS sensors may not need to be provided with associated optics which is advantageous in terms of both cost and size, although optics may be provided if desired. While other types of presence sensing are available, for example based on the use of ultrasound or based on modulation of light from a powered light source, typically such presence sensing arrangements may consume too much power for this application - given that in many applications they may typically always be on. Hereafter, the terms low power sensor and thermal sensor may be used interchangeably. The low power sensor is preferably always active (“always on”), which at least in part explains why we want to use a sensing arrangement having a low power consumption. We may want the low power sensor to have a power consumption lower, and preferably much lower, than that of the range detecting arrangement because we may use signals from the low power sensor as a trigger to activate the range detecting arrangement that is usually off. Ranging signals from the range detecting arrangement may be used to determine whether or not there is presence within the specific area of interest of a camera, so that the camera can be turned on only when there is presence within the camera’s specific area of interest (unless it is decided to turn the camera - more generally image sensor - for some other reason, for example on instruction from the remote monitoring station 210).

The range detecting arrangement may, for example, comprise a radar arrangement, for example, a low power radar arrangement. A low power radar arrangement may have a power consumption of less than about 200mW, optionally less than about lOOmW, optionally less than about 50mW, optionally less than about 25mW. A radar arrangement can provide range information including distance and direction to a detected target. A radar arrangement may also provide information on the size of a detected target or targets, from which, for example, it may be possible to infer the presence of one or more humans (a person or people). Additionally or alternatively, the range detecting arrangement may comprise a so called time-of-flight sensor, for example, an ultrasonic time-of-flight sensor, or a light-based time-of-flight sensor comprising, for example, a laser or an LED. Such a sensor may provide distance and/or movement information, optionally information without direction. However, a time-of-flight sensor may be more power efficient and/or cost efficient than a radar arrangement.

The access device may be so configured that in a rest state the image sensor 304 and the ranging arrangement are powered down, to save energy, and the processor may be configured (e.g. programmed) in at least one operating mode to respond to a signal from the thermal sensor 306 that indicates human presence in the monitored area by powering up the ranging arrangement to determine the range of any human presence within the monitored area. The image sensor 304 has associated optics, not shown, for focusing light onto the image sensor, and may take the form of a camera module that includes dedicated processing and other features (e.g. memory) useful in a camera module, but equally the image sensor and optics may work in conjunction with the processor 302 and memory 303 to provide the functionality of a camera. In either format, the image capture arrangement is preferably configured to capture video as well as individual still images. Preferably there is also provided at least one microphone to capture audio, for example along with any video captures. The processor may further be configured (e.g. programmed) in the at least one operating mode to activate the image sensor only if information received from the ranging arrangement indicates presence within a target zone within the monitored area.

Any radar arrangement may conveniently operate in the 60Ghz band, where low power consumption system on chip solutions are available in very compact packages (for example, where the antennas are provided “on package” rather than as external components) from the likes of Infineon, Texas Instruments, and Socionext. Suitable devices include the BGT60LR11AIP device from Infineon, and the IWRL64322 from TI. Although these devices have surprisingly low power consumption, power savings can be made, and hence device battery life extended, by using a presence detector with a lower power consumption than the radar ( hence the use of the expression “low power sensor”) to monitor the monitored area while having the radar sleep. The lower power consumption presence detector may use for example a thermal sensor (IR sensing) such as a PIR sensor or a TMOS sensor to detect presence in the monitored area. TMOS sensors are particularly preferred because they sense absolute temperature rather than differential temperature as PIR sensors do, and this means that TMOS sensors are capable of detecting stationary objects as well as moving ones. TMOS sensors can also detect human-sized objects at up to 6 metres distance without the need to use optics, and up to 12 metres if suitable optics are used. Suitable TMOS sensors are available from ST Microelectronics - for example the STHS34PF80 device.

Upon receiving a “presence” signal from the low power sensor 306, the processor can wake the ranging arrangement to obtain a ranging signal which can be used to determine whether the presence is within the desired “target zone”. If the presence is, for example too far away to be of interest, the processor doesn’t wake the image sensor , but if the presence is within the target zone the image sensor is activated and images of whoever or whatever is in the target zone are captured. If the ranging arrangement is also configured (e.g. programmed and arranged) to determine a size of a detected target, the image sensor may only be woken if the determined size is indicative of the presence of one or more people. Depending upon the arrangement and the system settings, the captured images may be transmitted to a controller of a security monitoring system or they may be transmitted, directly or indirectly, to a system back end for analysis or assessment and/or transmitted to the householder or other designated person(s) for viewing on a device via, for example an installed app.

Defocusing energy received from ground level can help a PIR to distinguish between human and animal presence in that thermal energy is then received primarily from standing objects, rather than ground-level animals. Image processing can use image recognition or patern matching to detect human forms in the image.

A method 400 according to an aspect of the invention will now be described with reference to the flow chart of Figure 4. An access device such as the video doorbell 300 of Figure 3 (which may equate to the video doorbell 106 of Figures 1 and 2) in a rest state awaits either a doorbell press 402 or an authentication prompt 404. In this state the image sensor 304 may be powered down with just the thermal or low power sensor 306 active. Alternatively, the image sensor 304 may be permanently powered, for example to provide a surveillance capability.

Upon the thermal or low power sensor 306 detecting presence, the processor 302 is woken and may determine whether the signal from the sensor 306 is indicative of human presence. If it is, the processor may wake the ranging arrangement 308, if used, or the image sensor 304 directly. If the ranging arrangement 308 is used, the processor may use any information that it provides in determining whether or not to activate the image sensor 304.

With the image sensor 304 powered, the access device may receive a doorbell press, e.g. activation of actuator 320, which may be handled in a conventional manner, optionally with the video doorbell communicating with a back end system and optionally a user via user device 220, either via the controller of the security monitoring system or via another Wi-Fi gateway of the premises.

Alternatively, and more interestingly, the detected presence may be an occupier of the protected premises who wishes to be biometrically authenticated, for example in order to disarm the security monitoring system to allow access to the protected interior of the premises without triggering the alarm. In this case the occupier must perform a user-initiated activation event 406 to initiate an authentication attempt. One way in which this may be done is by actuating a prompter buton 312, if present.

By using a prompter buton the user indicates to the access device that biometric authentication should begin. The biometric verification may, for example, involve facial analysis - and this may be the only biometric verification mode of the access device - in which case a single prompter buton 312 may be sufficient. Facial recognition may for example use either a 3- D mapping model using a “facial sensor” or a 2-D image model using a 2-D image sensor Alternatively, more than one biometric verification mode may be offered, e.g. facial recognition and speaker recognition, and each of the multiple biometric verification modes may have a corresponding prompter buton 312. Authentication using speaker recognition may rely on a biometric voice model. Authentication via speaker recognition may use active voice biometrics in which a specific statement (or one of several specific statements) must be utered in range of the device’s microphone. We will describe later, with reference to Figure 5, examples of arrangements which use multiple prompter buttons in a more sophisticated way.

Operating a prompter button 312 may result in the device making a voiced announcement, such as “please stand facing the camera” or “please remove any caps, hats, other head coverings, and dark glasses”, or the like. So that the system does not indicate the status of the security monitoring system, it is important that any such announcements are made irrespective of the arm state of the system. Suitable alternative statements may of course be made if authentication is via speaker recognition.

In any event, when the person initiate an authentication attempt he/she will normally put themselves in the correct position in front of the device, adopt a suitable posture & keep relatively stationary while the authentication is being carried out. This increases the chances of successful authentication, compared to a situation in which a person is not really prepared.

At 408 the access device 300 performs authentication data capture, for example capture of one or more images of the face of the person standing before the camera of the device. These data are then compared, at step 410, with stored reference data in the form of stored biometric models 411 which were previously acquired during a training session for each registered user.

A further factor which may usefully be taken into account both when training the device to capture biometric data of an individual and later when trying to identify a subject as someone for whom biometric data have been stored is the individual’s height (as perceived by the device). Once installed, an access device is to be expected to remain fixed in position and the height of a subject - as detected from the height of the image portion corresponding to the subject in a captured image can be used in effect as a filter to assist in identifying potentially relevant matches potentially reducing the processing burden, and speeding up, the authentication stage. Thus a person’s height could be recorded as part of the biometric model. Height on its own is not sufficient, but being able to detect height in the image may help predict which model(s) are most likely to be relevant, and so reduce the searching/comparison burden for the access device.

Because FacelD consists of comparing biometric features from a person in front the device, one by one, with a pool of model data, to find the closest match, or a match within tolerance, information such as height can act as a predictor to order the comparison with mostly likely matched height. This can make matching faster, and reduce power consumption.

If the captured data are found to be a sufficiently close match to one of the stored biometric reference models, corresponding to a particular registered user, authentication is achieved at step 412. At this stage the device 300 may generate 413 an authentication token that identifies the particular registered user of the system. The device may then proceed at 414 to obtain permission(s) that correspond to the authenticated identity - for example the primary householder(s) - e.g. the parents in a household, may be authorised to both arm and disarm the security monitoring system, including for example turning of an armed at home state (which provides a secure perimeter but which doesn’t consider internal presence to constitute an alarm condition), as well as locking and unlocking an electronic lock in the associated door, but the children of the house may have more restricted privileges - for example entitled to open the relevant door without triggering an alarm event but not entitled to turn off an armed at home state. The permissions for each authorised user may be stored on the device, but preferably the device is configured to attempt to obtain up to date, i.e. current permissions from the security monitoring centre or failing that from the controller 208 of the security monitoring system.

The “master list” 416 of security permissions will normally be held by the security monitoring centre (ARC) 210, although it may be convenient also to store a (relatively ) up to date copy of these permissions on the central unit of the security monitoring system - where they may be updated whenever there is a change in their details. In this way, even if it is not possible on occasion to communicate with the remote security monitoring centre 210, it is still possible to benefit from up to date permission data - hopefully meaning that authorised users are not locked out of their homes, while recently de-authorised people (such as former guests or lodgers) will no longer have access to the premises via the security monitoring system.

Having obtained the permissions, the device presents at 418 permissible options, including for example the current arm status and current lock status - so that the user knows what change(s) they may make. An interesting feature regarding how the access device interacts with a person is that, according to rules in some countries, an access device is not allowed to give any indication of whether the associated security monitoring system is armed or disarmed, until a person is authenticated. This means, for example no indicator lights to show system status, etc., until after authentication has been achieved. But it also means that a person should not be able to deduce, from the behaviour of the device, whether the system is in fact armed.

The user then selects an action to be performed - e.g. disarming the system and unlocking the lock. The device then generates appropriate commands 420 and transmits these at 422 to the central unit of the security monitoring system (which may in turn communicate these to the ARC 210 if that is appropriate).

If authentication fails the process may revert to state 404. The device may also announce that the attempt to authenticate has failed - and invite the user to try again. At this point the user can choose whether to make another attempt at biometric authentication, by once again indicating a desire to authenticate e.g. by pressing a prompt button 312, or attempt to disarm the system/gain access to the premises in another way - such as by presenting a dongle or other token to the device to make use of NFC communication, or by entering an access code at the keypad 321.

If the next attempt at authentication is successful the process passes to 412. If not we pass to 424 again until the system goes into lockout 426.

The EN standard for security monitoring systems includes rules for access devices for security systems include limitations regarding authentication. In particular, for facial identification, if authentication fails 5 times in row, the device has to enter a lock-out mode for a certain time, for security reasons. Therefore, performing authentication when prompted reduces the risk of this happening. But the rules of the EN standard impose a limit on the number of failed access attempts are permitted within a period, failing which the system is locked against changes to arm status for some minutes.

Although the method of Figure 4 has been described with reference to the use of what we have termed “prompter buttons”, devices according to aspects of the invention may be configured to accept user initiated authentication attempt made without reliance on buttons. For example, the device may be configured to accept gesture-based requests for authentication - with a user using their hands, arms, head, or even possibly legs for example, to gesture to the camera of the device as a way of requesting biometric verification. For example, different gestures may be associated (for a particular user, or more generally) with a particular action - e.g. disarm/arm “home”, “leaving”, so that if a particular gesture is used, and authentication succeeds, the device may generate the corresponding command which is then communicated to the controller of the security monitoring system - for example resulting in the alarm system being disarmed and the door lock unlocked to permit entry. As an another alternative, devices according to aspects of the invention may be configured to accept voiced requests for biometric verification - and again each user may have different voiced requests to access different commands. Speaker recognition may be performed on the command word (e.g. “Home”) as well as on an authentication codeword or phrase (e.g. “Nigel Incubator Jones” or “Lemon Curry”). In this way, an approach akin to that illustrated in Figure 5 becomes possible.

After successful authentication the device may remain “authenticated” for a certain time window, avoiding need for repeated authentications during the session corresponding to the time window. Alternatively, a new authentication may be required for every significant interaction. Or a hybrid approach of having valid time window for some commands, but requiring a new authentication for critical disarming and/or unlocking commands.

Biometric Enrolment Y1

Biometric data are preferably recorded directly on the access device 300. An app running on the person’s smart-device 220 can guide the person through the recording and enrolment process, for example, guiding a person how to turn and place his/her head while being recorded by the access device 300, and a model generated. The access device 300 can preferably communicate directly with the app (directly peer-to-peer e.g. via BT or indirectly via the CU or other communications path), so that the person’s smart phone 220 can act as a real visual interface for the access device 300 during enrolment.

To avoid data-privacy complications, (e.g. issues with GDPR and the like) biometric data may be stored and processed only on the device.

Once authentication has been made on the device, an authentication token that identifies the person may be generated, and is transmitted to the controller 208 of the security monitoring system (CU) and on to the back-end (e.g ARC 210), where the access-rights or permission rights associated with that person may be verified. The master copy of permission rights is preferably stored at the back end (e.g ARC 210), but could also be verified at the CU (208) if an up to date copy of the permission rights is stored there in case of disrupted communication with the back- end (210).

Once the permission right(s) have been determined, the access device 300 and the CU 208 may cooperate to command the security system in response to the access device 300.

Figure 5 corresponds quite closely to Figure 4 but illustrates a method performed by an access device having more than one prompt button 312. As we saw from Figure 4, devices according to aspects of the invention may have a single prompt button 312 for authentication, followed by selectable options, such as arm/disarm or lock/unlock. But in an alternative configuration an access device may have multiple prompt buttons each for different intended operations, but that each involve authentication before the operation is authorized. Buttons could for example be authenticate and arm/or authenticate and disarm; authenticate and lock/authenticate and unlock, or “leave (= authenticate, arm & lock)” or “home (=authenticate, disarm & unlock). Pressing the button prompts authentication, followed by the commanded operation if successful.

As above, the device may remain “authenticated” for a certain time window, avoiding need for repeated authentications during the session corresponding to the time window. Alternatively, a new authentication may be required for every significant interaction. Or a hybrid approach of having a valid time window for some commands, but requiring a new authentication for critical disarming and/or unlocking commands.

Devices having multiple user operable actuators to initiate an authentication attempt may be configured to obtain only the relevant permission(s) associated with the particular actuator that has been actuated - rather than, for example, obtaining all the permissions associated with the authenticated identity. In this way the device may move directly to generate the command selected by the subject’s selection of the relevant actuator.

It will be appreciated that, unless otherwise described, the other process steps of Figure 5 correspond to the like-numbered process steps of Figure 4 (and the same holds true for Figure 6).

Figure 6 illustrates a further method performed by access devices according to aspects of the invention. In this case the access device is configured to attempt a biometric authentication attempt(s) without a user needing actively to request biometric verification, but with a ceiling to the number of attempts, the ceiling being less than the number of attempts whose failure would lead to lockout.

This builds on the above model by allowing the system to attempt to authenticate a person who is next to, e.g. stationary or approaching the device, a limited number of times Before the person gives a prompt. A combination of image processing, movement and proximity detection can be used to determine whether a person is in a suitable position in front of the device, and looks like he/she is awaiting authentication.

Such “opportunistic” unprompted authentication may provide convenience to avoid the person having to manually prompt the device.

Authentication in this way may be less reliable, because the person may not be in an optimum position and/or posture, or may not remain stationary. Therefore the risk of authentication failure may be higher. The device may try only a limited number of times, e.g. max two, before suspending unprompted authentication, in order to leave a sufficient number of authentication tries available for prompted authentication, before reaching the lockout limit. Limiting the number of tries also avoids too high battery power consumption.

After the e.g. two failed unprompted authentications, the device awaits prompting (as above) before trying authentication again.

This “pre-authorization” routine is illustrated as option 650. If this functionality is enabled in an access device, the device is configured to detect presence 652 - for example using the sensor 306 and, if present, the ranging arrangement 308. The device should be configured to attempt this pre-authorization authentication only when a subject is suitably located for authentication of a known subject to have a reasonably high chance of success - we do not want the device to attempt biometric verification when a subject is out of range or when they are not standing suitable still - both qualities/conditions that can be assessed by the device’s processor based on information from the sensor 306 and the ranging arrangement 308. However it may be found to be beneficial also to use image analysis on images captured by image sensor /camera 304 to establish that a subject’s face is turned sufficiently towards the camera and is suitably oriented - if not, no attempt should be made to authenticate until conditions are determined to be right, or the subject actually makes an authentication request. Also, in terms of “stillness” the device may be configured only to perform pre-authorization authentication after the subject has been in position at the predetermined location for more than a threshold period, optionally at least 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 seconds or more.

Only if the processor determines that conditions are right does the process proceed to step 658 in which authentication data are captured. Although conceptually pre-authorization authentication could be based on speaker recognition, in practice we prefer to restrict this process to visual biometric authentication such as facial recognition. Thus, the capture of authentication data typically involves the capture of one or more images of the face of the subject. At step 660 authentication is performed using the captured image(s) using for example either a 3-D mapping model using a “facial sensor” or a 2-D image model using a 2-D image sensor. If authentication is successful, with the comparison leading to authentication of the subject, the device may generate 613 an authentication token that identifies the user for the system. Additionally or otherwise the device progresses to step 614 where permissions are obtained.

These permission(s) correspond to the authenticated identity - for example the primary householder(s) - e.g. the parents in a household, may be authorised to both arm and disarm the security monitoring system, including for example turning of an armed at home state (which provides a secure perimeter but which doesn’t consider internal presence to constitute an alarm condition), as well as locking and unlocking an electronic lock in the associated door, but the children of the house may have more restricted privileges - for example entitled to open the relevant door without triggering an alarm event but not entitled to turn off an armed at home state. The permissions for each authorised user may be stored on the device, but preferably the device is configured to attempt to obtain up to date, i.e. current permissions from the security monitoring centre or failing that from the controller 208 of the security monitoring system.

The “master list” 616 of security permissions will normally be held by the security monitoring centre (ARC) 210, although it may be convenient also to store a (relatively ) up to date copy of these permissions on the central unit of the security monitoring system - where they may be updated whenever there is a change in their details. In this way, even if it is not possible on occasion to communicate with the remote security monitoring centre 210, it is still possible to benefit from up to date permission data - hopefully meaning that authorised users are not locked out of their homes, while recently de-authorised people (such as former guests or lodgers) will no longer have access to the premises via the security monitoring system.

Having obtained the permissions, the device presents at 618 information, for example on permissible options, including for example the current arm status and current lock status - so that the user knows what change(s) they may make. An interesting feature regarding how the access device interacts with a person is that, according to rules in some countries, an access device is not allowed to give any indication of whether the associated security monitoring system is armed or disarmed, until a person is authenticated. This means, for example no indicator lights to show system status, etc., until after authentication has been achieved. But it also means that a person should not be able to deduce, from the behaviour of the device, whether the system is in fact armed.

The user then selects an action to be performed - e.g. disarming the system and unlocking the lock. The device then generates appropriate commands 620 and transmits these at 622 to the central unit of the security monitoring system (which may in turn communicate these to the ARC 210 if that is appropriate).

If the authentication attempt at 660 fails the device may be configured to retry by reverting to step 652 and, if the subject is still present, to repeat steps 658 and 660. But we want to avoid attempting authorization so many times that we enter a lockout state. For this reason the device is configured to make no more than say 2 or 3 pre-authorization authentication attempts - and if unsuccessful stopping at 665 before reaching the lockdown threshold.

It will be appreciated that the functionality illustrated in Figure 6 and described with reference to that figure may also be provided in devices as shown in and described with reference to each of Figures 4 and 5. Also, the “advance authentication” that may happen before a user/subject knowingly performs a user-initiated activation event may be turned off, or disabled, for example if a user knows that they will be away from the property for an extended period of days or weeks - so that no biometric verification is going to be needed or be appropriate until they return from vacation say.

Figure 7 illustrates a possible configuration of an access device according to an aspect of the invention, here in the form of a video doorbell. The device 700 may be secured to the wall of the premises by means of a frame 760 that is fastened to the wall by screws through holes 755. The device may be coupled to the frame 760 by means of corresponding male and female members on the device and frame, or vice versa. Conveniently the device 700 may be configured to twist into locking engagement with the frame 760 by means of co-operating locking elements provided on the frame 760 and on reverse face of the device 700. The two parts may be secured together by means of one or more hidden grub screws, for example concealed in a lateral face of the device, optionally a lower face so that likelihood of ingress of rainwater via the aperture(s) for the grub screw(s) is reduced. The frame and the device may also include co-operating electrical connectors to enable the device to be connected to an external power supply (e.g. located inside the premises and fed for example by mains electricity) when the device and frame are coupled together, for example on the device being twisted into locking engagement with the frame.

The device 700 includes a camera 704 behind a lens 705. An actuator (or bell push) 720 is provided for use by visitors in a conventional manner. An audio interface 716, including one or more microphones and one or more speakers is provided to enable dialogue between a user of the device and an occupier of the premises and/or a user provided with a corresponding app on a user device 220.

One or more user operable actuators to initiate authentication attempts are provided, here in the form of buttons 712A, 712B, 712C, and 712D. The buttons may each have an associated switch, optionally a mechanical switch and preferably one that provides clear tactile feedback upon operation - e.g a metal dome switch. If plural operable actuators 712 are provided, as here, each may have an associated function, e.g. as described with reference to Figure 5. For example, here we see that one button 712A is labelled “home” and actuation of this button indicates a user’s desire to disarm the security monitoring system (if it is armed) and to unlock any associated electronic lock in the relevant entrance door. Another button 712D is labelled “away”, and actuation of this button indicates a user’s desire to arm the security monitoring system (if it is disarmed) and to lock any associated electronic lock in the relevant entrance door. Additionally or alternatively, a second pair of actuators 712B and 712C may be provided, one being used to indicate a desire to disarm the alarm system (if it is in an armed state), and the other being used to indicate a desire to arm the alarm system (if it is in a disarmed state),

A small display 722, typically occupying less than 60, 50, 40, 30, 25, 20% of the area of the face of the device, is provided to give feedback to a user - for example to indicate the arm state of the associated security monitoring system, and/or to indicate successful authentication and/or to indicate the nature of a command received.

Although some aspects have been described in the context of an apparatus, these aspects also represent a description of the corresponding method, where a block or device corresponds to a method step or a feature of a method step. Analogously, aspects described in the context of a method step also represent a description of a corresponding block or item or feature of a corresponding apparatus.

Embodiments of the invention may be implemented on a computer system. The computer system may be a local computer device (e.g., personal computer, laptop, tablet computer or mobile phone) with one or more processors and one or more storage devices or may be a distributed computer system (e.g., a cloud computing system with one or more processors and one or more storage devices distributed at various locations, for example, at a local client and/or one or more remote server farms and/or data centres). The computer system may comprise any circuit or combination of circuits. In one embodiment, the computer system may include one or more processors which can be of any type. As used herein, processor may mean any type of computational circuit, such as but not limited to a microprocessor, a microcontroller, a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a graphics processor, a digital signal processor (DSP), multiple core processor, a field programmable gate array (FPGA), or any other type of processor or processing circuit. Other types of circuits that may be included in the computer system may be a custom circuit, an application-specific integrated circuit (ASIC), or the like, such as, for example, one or more circuits (such as a communication circuit) for use in wireless devices like mobile telephones, tablet computers, laptop computers, two-way radios, and similar electronic systems. The computer system may include one or more storage devices, which may include one or more memory elements suitable to the particular application, such as a main memory in the form of random-access memory (RAM), one or more hard drives, and/or one or more drives that handle removable media such as compact disks (CD), flash memory cards, digital video disk (DVD), and the like. The computer system may also include a display device, one or more speakers, and a keyboard and/or controller, which can include a mouse, trackball, touch screen, voice-recognition device, or any other device that permits a system user to input information into and receive information from the computer system.

Some or all of the method steps may be executed by (or using) a hardware apparatus, like for example, a processor, a microprocessor, a programmable computer or an electronic circuit. In some embodiments, some one or more of the most important method steps may be executed by such an apparatus.

Depending on certain implementation requirements, embodiments of the invention can be implemented in hardware or in software. The implementation can be performed using a non- transitory storage medium such as a digital storage medium, for example a floppy disc, a DVD, a Blu-Ray, a CD, a ROM, a PROM, and EPROM, an EEPROM or a FLASH memory, having electronically readable control signals stored thereon, which cooperate (or are capable of cooperating) with a programmable computer system such that the respective method is performed. Therefore, the digital storage medium may be computer readable.

Some embodiments according to the invention comprise a data carrier having electronically readable control signals, which are capable of cooperating with a programmable computer system, such that one of the methods described herein is performed.

Generally, embodiments of the present invention can be implemented as a computer program product with a program code, the program code being operative for performing one of the methods when the computer program product runs on a computer. The program code may, for example, be stored on a machine-readable carrier.

Other embodiments comprise the computer program for performing one of the methods described herein, stored on a machine-readable carrier.

In other words, an embodiment of the present invention is, therefore, a computer program having a program code for performing one of the methods described herein, when the computer program runs on a computer.

A further embodiment of the present invention is, therefore, a storage medium (or a data carrier, or a computer-readable medium) comprising, stored thereon, the computer program for performing one of the methods described herein when it is performed by a processor. The data carrier, the digital storage medium or the recorded medium are typically tangible and/or non- transitionary. A further embodiment of the present invention is an apparatus as described herein comprising a processor and the storage medium.

A further embodiment of the invention is, therefore, a data stream or a sequence of signals representing the computer program for performing one of the methods described herein. The data stream or the sequence of signals may, for example, be configured to be transferred via a data communication connection, for example, via the internet.

A further embodiment comprises a processing means, for example, a computer or a programmable logic device, configured to, or adapted to, perform one of the methods described herein.

A further embodiment comprises a computer having installed thereon the computer program for performing one of the methods described herein.

A further embodiment according to the invention comprises an apparatus or a system configured to transfer (for example, electronically or optically) a computer program for performing one of the methods described herein to a receiver. The receiver may, for example, be a computer, a mobile device, a memory device or the like. The apparatus or system may, for example, comprise a file server for transferring the computer program to the receiver.

In some embodiments, a programmable logic device (for example, a field programmable gate array) may be used to perform some or all of the functionalities of the methods described herein. In some embodiments, a field programmable gate array may cooperate with a microprocessor to perform one of the methods described herein. Generally, the methods are preferably performed by any hardware apparatus.

Modifications and other variants of the described embodiments will come to mind to one skilled in the art having benefit of the teachings presented in the foregoing description and associated drawings. Therefore, it is to be understood that the embodiments are not limited to the specific example embodiments described in this disclosure and that modifications and other variants are intended to be included within the scope of this disclosure. For example, while embodiments of the invention have been described with reference to variants of video doorbells and security alarm systems, persons skilled in the art will appreciate that the embodiments of the invention can equivalently be applied to two-factor authentication in other devices and systems.

Furthermore, although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. Therefore, a person skilled in the art would recognize numerous variations to the described embodiments that would still fall within the scope of the appended claims. Furthermore, although individual features may be included in different claims (or embodiments), these may possibly advantageously be combined, and the inclusion of different claims (or embodiments) does not imply that a combination of features is not feasible and/or advantageous. In addition, singular references do not exclude a plurality.

Finally, reference signs in the claims are provided merely as a clarifying example and should not be construed as limiting the scope of the claims in any way.