Multi-Modal Biometric Continuity Coupling

Mechanism

The continuity coupler ingests time-aligned sample streams from a set of admitted biometric channels and produces, on a sliding window, a single continuity attestation describing the present subject as the same biological entity observed across the prior window. Channels are heterogeneous in sampling rate, modality semantics, and physical sensor topology. Cardiovascular channels include photoplethysmographic (PPG) waveforms from wrist or finger optical sensors, single-lead or multi-lead electrocardiogram (ECG) traces from contact electrodes, and ballistocardiographic signals from seat or bed instrumentation. Respiratory channels include strain-gauge thoracic expansion, capnographic exhalation traces, and acoustic breath-sound profiles. Behavioral channels include keystroke dwell and flight intervals, pointer micro-jitter signatures, gait inertial profiles from worn devices, and saccadic gaze trajectories from eye-tracking optics. Remote-sensing channels include millimeter-wave radar micro-Doppler returns, thermal infrared signatures, and ultra-wideband presence reflections.

Each channel feeds a per-modality feature extractor that produces a credentialed observation: a structured record carrying the extracted features, a timestamp, the sensor identity, the credentialing authority's signature, and a confidence interval reflecting the channel's local signal quality. The credentialed observations from all admitted modalities at a given window enter the coupler. The coupler does not compute a weighted sum. Instead, it evaluates pairwise and joint structural correlations against a subject-specific continuity model: does the cardiovascular waveform's instantaneous heart rate track the respiratory waveform's sinus arrhythmia phase coupling expected for this subject? Does the behavioral channel's keystroke cadence reflect the autonomic state that the cardiovascular and respiratory channels jointly imply? Does the remote-sensing micro-Doppler envelope encode a chest-wall mechanical signature consistent with the contact-sensed cardiac and respiratory traces?

The continuity model is itself a credentialed object. It is constructed during enrollment from a multi-session capture across modalities, signed by the credentialing authority, and revised through credentialed update transactions as the subject's physiology drifts (training-state changes, age progression, illness recovery). The model encodes not raw templates but inter-modal coupling parameters: the expected phase relationships, amplitude couplings, statistical co-occurrences, and admissible variability bounds across modality pairs. At run time, the coupler computes a continuity score over the present window by evaluating how closely the observed cross-modal couplings match the model's predicted couplings. The score is graduated rather than binary; downstream consumers (access controllers, transaction authorizers, attestation issuers) apply threshold policy appropriate to the action being gated.

Disagreement is handled structurally. When a single channel's observation falls outside the model's admissible bounds while remaining channels agree, the coupler downgrades that channel's contribution rather than failing the attestation outright — channel-local sensor error, transient noise, or temporary occlusion is the expected explanation. When two or more channels disagree with one another in a manner that the model classifies as physiologically incoherent (cardiovascular state implying high autonomic arousal while respiratory and behavioral channels imply rest, for instance), the coupler triggers a continuity break: it publishes a credentialed break observation, withdraws the present attestation, and requires re-enrollment or supervised re-coupling before reissuing identity claims for this subject. The break is recorded in the subject's lineage and is observable to authorities and downstream verifiers.

Operating Parameters

The coupling window is a primary tunable. Short windows (one to three seconds) provide low-latency attestations suitable for transaction authorization but constrain the modalities the coupler can usefully integrate — gait, for instance, requires multiple stride cycles to express its signature. Long windows (thirty seconds to several minutes) admit more modalities and produce more stable continuity scores but introduce latency unsuitable for real-time gating. Operating deployments specify a window policy keyed to the action being gated: short for high-frequency low-stakes actions, long for high-stakes or initial-binding actions.

Modality admission is policy-controlled. A given deployment specifies which modalities are required, which are optional, and which are forbidden (for privacy, regulatory, or sensor-availability reasons). The coupler's continuity model encodes the admitted modality set; modalities outside the set are ignored even if their sensors are present. Modality-set transitions (adding a new sensor type to the deployment) trigger re-enrollment under the expanded set. The coupler enforces a minimum admitted-modality count for valid attestations: a deployment may, for example, require at least one cardiovascular channel, one behavioral channel, and one independently sourced channel before any continuity attestation issues.

Confidence threshold parameters govern the graduated continuity score's mapping to discrete authorization decisions. Thresholds are scope-specific. A scope governing physical access to a low-security area may accept continuity scores above 0.6; a scope governing transaction signing for high-value financial actions may require 0.95. Thresholds are themselves credentialed policy objects, signed by the scope's governing authority, observable, and subject to the same admissibility framework as any other policy object.

Drift-tolerance parameters control how rapidly the continuity model accepts revisions to its inter-modal coupling expectations. Aggressive drift tolerance allows the model to track subject physiology changes quickly but admits gradual adversarial poisoning. Conservative drift tolerance resists poisoning but requires more frequent supervised re-enrollment as physiology evolves. Deployments configure drift tolerance according to threat model.

Continuity-break recovery parameters govern the procedure for restoring identity after a break. Some deployments require physical-presence re-enrollment under supervision; others permit self-service recovery using a fallback authentication factor combined with a fresh multi-modality capture. The recovery policy is itself credentialed and is subject to authority-bound policy controls.

Alternative Embodiments

A wearable embodiment integrates the coupler within a wrist-worn device combining PPG, accelerometric gait, and skin-conductance channels with a paired phone supplying behavioral channels (keystroke and pointer telemetry). The wearable issues short-window continuity attestations to nearby controllers over a credentialed proximity protocol, replacing legacy proximity tokens with continuity-bound claims.

A vehicular embodiment instruments the cabin with seat-integrated ballistocardiographic sensors, steering-wheel ECG contacts, in-cabin radar, and infotainment behavioral telemetry. The coupler produces driver-identity attestations continuously throughout a trip, replacing one-shot key-fob or face-unlock paradigms and enabling continuous driver monitoring for fleet, insurance, and autonomy-handover applications.

A facility embodiment uses ceiling-mounted millimeter-wave radar arrays and thermal imagers for remote-sensing channels, paired with workstation-instrumented behavioral channels and an optional opt-in wrist wearable. The coupler issues facility-scope continuity attestations that survive movement between workstations and unattended workstation wake events without re-authentication friction.

A clinical embodiment couples bedside monitor channels (multi-lead ECG, capnography, pulse oximetry) with patient-worn behavioral and remote-sensing channels to produce continuous patient-identity attestations binding clinical observations to verified subjects across shift changes, transports, and procedure transitions.

An expeditionary embodiment minimizes infrastructure dependence: each subject carries a small set of contact and inertial sensors; the coupler runs locally; continuity attestations are exchanged peer-to-peer through credentialed mesh transport without backend connectivity. Identity binds to the subject across austere deployments where centralized verification infrastructure is unavailable.

A federated embodiment partitions modality processing across organizational boundaries: an employer holds behavioral channels, a wearable provider holds cardiovascular and respiratory channels, a facility operator holds remote-sensing channels. Each partition produces credentialed observations; the coupler operates on the credentialed feature surfaces without requiring any single partition to hold raw multi-modal data, supporting privacy-respecting cross-domain identity composition.

Composition With Other Primitives

Multi-modal continuity coupling composes with the credentialed observation framework: every per-modality feature, every continuity attestation, every continuity-break, and every model revision is a credentialed object. Existing infrastructure for credentialed propagation, admissibility evaluation, lineage tracking, and authority-bound policy applies without modification.

It composes with keyless-identity scoping: continuity attestations bind to subject-scoped identity records rather than to per-device credentials, allowing a subject's identity thread to span devices, sessions, and deployments without device-keyed correlation. The coupling primitive supplies the substrate over which keyless scoping reasons about subject continuity.

It composes with anchor-group governance for the continuity model itself: model enrollment, revision, and revocation are anchor-group consensus events, providing tamper-evident control over the very model used to evaluate continuity. Anchor-group elasticity allows the governance overhead of model maintenance to scale with the criticality of the identities the model represents.

It composes with mesh transport for offline-capable deployments: continuity attestations propagate across the mesh as credentialed payloads under the same admissibility framework as any other observation, allowing identity to survive backend-disconnected operating environments.

Prior-Art Distinction

Existing multi-modal biometric systems combine modalities at the score level (score fusion) or at the feature level (feature fusion) to improve recognition accuracy on a single-shot authentication event. The fusion is statistical rather than structural: the system asks whether the combined evidence exceeds an enrollment template threshold. Multi-modal continuity coupling differs structurally. The primitive is the inter-modal coupling — the predicted relationship between modalities for this subject — rather than the per-modality match score. Adversarial reproduction of any one modality, even with a high per-modality score, fails the cross-modal coupling check unless the adversary also reproduces the specific physiological correlations between modalities.

Existing liveness-detection layers attached to single-modality biometric systems address replay and spoofing through per-modality liveness checks (pulse detection on a face camera, sweat-pore detection on a fingerprint reader). The liveness layer is a per-modality plug-in. Continuity coupling makes the liveness property emerge from the architecture: cross-modal coherence is itself a strong liveness signal, with no per-modality liveness retrofit required.

Existing continuous-authentication systems track behavioral signals over time but typically do so within a single modality (keystroke dynamics, mouse dynamics) or as independent parallel channels. The continuity primitive disclosed here couples modalities structurally rather than running them in parallel; the coupling is the identity claim.

Disclosure Scope

This disclosure (Provisional Application 64/050,895) covers: methods for composing identity attestations from credentialed observations across two or more biometric modalities by structural cross-modal correlation; subject-specific continuity models encoding inter-modal coupling parameters as credentialed objects; graduated continuity scoring with policy-controlled thresholds; structural disagreement handling including channel downgrade and continuity-break procedures; window-policy and modality-admission controls; drift-tolerance and recovery procedures; and embodiments across wearable, vehicular, facility, clinical, expeditionary, and federated deployments. The disclosure positions the primitive at the architectural layer where identity emerges from cross-modal structure, distinct from score-fusion, feature-fusion, per-modality liveness, and parallel continuous-authentication approaches.