WO2004077208A2 - Authentication system and method - Google Patents

Publication number
WO2004077208A2
Authority
WO
WIPO (PCT)
Prior art keywords
biometric information
user
information
authentication system
previously stored
Prior art date
Application number
PCT/IB2004/050162
Other languages
French (fr)
Other versions
WO2004077208A3 (en
Inventor
Sebastiaan Hendricus Von Solms
Bobby Laubscher Tait
Original Assignee
Rand Afrikaans University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rand Afrikaans University filed Critical Rand Afrikaans University
Publication of WO2004077208A2 publication Critical patent/WO2004077208A2/en
Publication of WO2004077208A3 publication Critical patent/WO2004077208A3/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Collating Specific Patterns (AREA)

Abstract

This invention relates to an authentication system and method and more particularly, but not exclusively, to an online authentication system and method. In accordance with this invention there is provided an authentication system comprising a server computer having communication means for receiving biometric information, computing means for comparing the received biometric information with biometric information previously stored on a storage means associated with the server computer and authentication means for authenticating the received biometric information if it differs within a predetermined range, and does not exactly match, the previously stored biometric information.

Description

AUTHENTICATION SYSTEM AND METHOD
FIELD OF THE INVENTION
This invention relates to an authentication system and method and more particularly, but not exclusively, to an online authentication system and method.
BACKGROUND TO THE INVENTION
When a user wants to obtain goods or services over a computer network, such as the Internet, the user connects to a host server from which the provision of such goods and services are administered.
The host server must positively identify the user to prevent fraudulent transactions. For this reason the host server facilitates a registration process during which a unique user identification and password is recorded against each user.
Users are then required to provide their identifications and passwords when conducting a transaction. The identifications and passwords are checked against the identifications and passwords stored previously during the registration process. If the identifications and passwords do not match, a transaction will not be authorised. Identifications and passwords may however be stolen or intercepted during transmission for fraudulent use. Even encrypted passwords and/or identifications may be intercepted, decrypted and then used fraudulently. In case of a compromise, a user may record a new password and/or identification to ensure integrity.
The above authentication method authenticates a user computer or user identification and an associated password. The user himself is not authenticated.
Biometric information is required to authenticate a specific user. Fingerprints and retina readers and voice recognition systems have been used to authenticate a user.
Biometric data such as fingerprint, retina or voice data may also, however, be intercepted during transmission, for later fraudulent use by another party. This may happen even where such data is encrypted. A difficulty with this type of authentication is that the biometric data cannot be changed as in the case of a password.
Authentication systems that overcome the above difficulties include well known systems using trusted third parties and digital signatures issued by such trusted third parties. Digital signatures are encrypted using private keys and decrypted using public keys. Although such private/public key systems may be more secure, they pose an additional cost as the trusted third party becomes involved with the authentication part of transactions.
OBJECT OF THE INVENTION
It is an object of the invention to provide an authentication system and method which, at least partially, alleviates some of the abovementioned difficulties.
SUMMARY OF THE INVENTION
In accordance with this invention there is provided an authentication system comprising a server computer having communication means for receiving biometric information, computing means for comparing the received biometric information with biometric information previously stored on a storage means associated with the server computer and authentication means for authenticating the received biometric information if it differs within a predetermined range, and does not exactly match, the previously stored biometric information.
The communication means receives new biometric information submitted by a user and a copy of biometric information previously submitted by a user and now stored on the storage means, from the user, and the authentication means compares the new biometric information and the old biometric information received from the user with previously stored biometric information on the storage means and authenticates the information if the old biometric information exactly matches the previously stored information on the storage means and the new biometric information does not exactly match and differs only within a predetermined range, from the previously stored biometric information on the storage means.
The old biometric information received from the user is a copy of a randomly chosen part of biometric information previously stored on the storage means and the comparison is between this part and the corresponding part of previously stored information.
The authenticated new biometric information is stored, upon authentication, on the storage means.
The biometric information is coded biometric information.
Alternatively the biometric information is a coded fingerprint image.
Yet alternatively, the biometric information is a coded retina image.
Yet, further alternatively, the biometric information is coded audio information.
The coded audio information is a coded voice recording.
This invention extends to an authentication method comprising the steps of storing biometric information received from a user on a storage means of a server computer; receiving new biometric information through communication means of the server computer; comparing the received new biometric information from the user with the stored biometric information; and authenticating the received biometric information if it differs within a predetermined range, but does not match, the previously stored biometric information.
The method which includes the step of also receiving a copy of biometric information from a user of at least part of biometric information which was previously stored on the storage means.
The method includes the further step of randomly choosing the at least part of the biometric information required from the user.
The biometric information is a fingerprint, a set of fingerprints, a retina image a set of retina images, a voice recording or a set of voice recordings.
The part of biometric information is a fingerprint or a retina image or a voice recording or a part thereof.
The part of biometric information is one of a fingerprint or a retina image or a voice recording chosen randomly out of a set of fingerprints or retina images or voice recordings.
BRIEF DESCRIPTION OF THE DRAWING
One embodiment of the invention is described below, by way of example only, and with reference to the accompanying drawing which shows a schematic diagram of an authentication system.
DETAILED DESCRIPTION OF THE DRAWING
With reference to the drawing, an authentication system is generally indicated by reference numeral 1.
The authentication system includes a remote user computer (2) connected to a biometric reader (5) and to a computer network (4), such as the Internet. The system (1) also includes a server computer (3) having communication means for communicating with the network (4), storage means for storing information, as well as computing means, as is all known in the art.
The provision of goods or services is administered by the host computer (3).
When a user wishes to order goods or services over the network (4) the user connects to the server computer (3) through the network (4). Should the user not be registered with the server computer (3), the server computer (3) facilitates a registration process through which the user defines or provides a user identification as well as biometric information. The registration process may be an online or may be a physical registration process i.e. registration may take place at the host computer.
In this embodiment, the user provides biometric information in the form of a coded fingerprint image online. The user computer (2) encodes the user's fingerprint image as sensed by the fingerprint reader (5) to facilitate the transmission thereof in electronic format over the network (4) to the server computer (3). The server computer (3) stores the fingerprint information against the user identification.
When conducting an online transaction through the network (4), the user is required to provide his user identification as well as his fingerprint information. The server computer (3) receives the user identification and fingerprint information and compares it with the previously stored fingerprint information and user identification. The server computer (3) authorises the transaction if the received user identification matches the previously stored user identification and if the received fingerprint information matches, within a predetermined range, and does not equal the previously stored information.
The server computer will not authorise a transaction if the received fingerprint information matches the previously stored fingerprint information in all respects. The reason for this is that the possibility is low that a user will every time use the fingerprint reader in exactly the same manner. An exact match of the fingerprint information may indicate the repeated use of previously stored fingerprint information, which in turn points to the possible fraudulent use of intercepted fingerprint information.
In the unlikely event of an exact match occurring, the user may be requested to again provide fingerprint information by applying another fingerprint to the fingerprint reader. Computer software may also be utilised to establish a real-time link with the reader and server computer to ensure the provision of fingerprints in real-time.
Every authenticated fingerprint information package is stored so that a new fingerprint information package received during a new transaction can be checked against all the previously authorised packages. If the new package matches any one of the old packages exactly, the transaction will not be authorised, as described and for the reasons stated above.
The first fingerprint information package or "token" stored during the registration process will be of high resolution and the user may even be required to provide this information, in person, at a fingerprint reader of the server computer to ensure positive identification.
A further reason for not authorising transactions upon an exact fingerprint match of biometric information is that physical changes may influence such information. Fingerprint, retina and voice information may change due to physical changes such as scars, colds and light conditions. The server thus builds up a history file of all the biometric "tokens" of a user, say user A, received by the server from user A up to a point in time (suppose there are x tokens in this file).
The authorisation process now works as follows: User A's biometric is read on the user side and it is sent to the server. The server compares it to all stored copies. If a perfect match arises the supplied biometric is rejected as a replay. If there are no perfect or exact matches, and the supplied biometric matches within the predetermined parameters, the biometric is accepted, and stored in the server's history for user A (the file now has x+1 copies). Authorisation is now complete.
The implementation of a proof-of-concept system highlighted the danger of replay when the biometric is intercepted and the communication between user A and the server is interrupted before the copy reaches the server. The server has not received this new biometric copy, and will accept the subsequent intercepted replay.
To address this problem the following methodology is followed: A personal history file is kept by user A on a smart card or memory stick or on his computer. This file is in synchronisation with user A's file at the server, i.e. the same number of copies, in the same order. During utilisation, a random number between 1 and x, i.e. a number representing a copy of a stored (old) biometric of user A at the server, is chosen. Say this is z with 1 <= z <= x. Copy z is referred to as the assurance copy.
All communication of information between user A and the server is encrypted.
The authorisation process is now as follows:
User A's biometric is read on the user side and stored in user A's personal file.
The assurance biometric z in user A's personal file is retrieved.
The newly read and stored biometric and the assurance biometric z are encrypted and sent to the server in the order (new, assurance copy z).
The server receives the 2 biometrics and decrypts them. The second biometric (assurance copy z) is compared with copy z on the server. If they do not match exactly, the request is rejected. If they match, the new biometric is compared with the master copy. If they match within the parameters of the algorithm (i.e. within the predetermined parameters without being an exact or perfect match), the request is accepted and the new copy stored in the history file for user A. An acknowledgement is sent to user A together with a new random number between 1 and (x+1), representing a new assurance copy. This is the number of the biometric which must be sent along by user A on the next request for authorization. The number is also stored on the server.
A physical copy of this new assurance is also sent to user A. User A compares the received copy with the corresponding copy stored on User-A's personal file. If they match, there is mutual authentication, because only the server will have such a copy. If they do not match user A expects foul play, and immediately contacts the server for clarification.
If, during a transaction, the communication between user A and the server is interrupted, the server will immediately blacklist the (present) assurance copy z, and will never again accept a request containing copy z. The reason for this is that the communication may have been broken by a third party who intercepts the (new biometric, copy z) pair and who wants to replay it at a later stage. If the server does not blacklist copy z, the third party may successfully replay the (new biometric, copy z) pair, and the server would not know it. However, by blacklisting copy z, the third party may replay the (new biometric, copy z) pair, but because the server had blacklisted copy z, the server will recognise the replay, and reject it. If the communication is broken, and user A does not receive an acknowledgement from the server, user A would not receive an indication of the new assurance copy for the next transaction. A special session between user A and the server will now be created in which user A will send the new biometric which was sent during the broken transaction to the server to blacklist it. This biometric will therefore never be accepted again by the server.
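The server-side checks described above, sketched as an added Python example that is not part of the patent text. The byte-difference matcher, the threshold value and all class and function names are assumptions; the patent does not specify a matching algorithm, how the server detects a broken session, or how a new assurance number is issued afterwards, so that last step is left out.

```python
import hmac
import secrets

THRESHOLD = 12  # assumed value for the "predetermined range"


def distance(a: bytes, b: bytes) -> int:
    """Toy matcher (assumption): sum of per-byte differences of two templates."""
    if len(a) != len(b):
        return 10**9
    return sum(abs(x - y) for x, y in zip(a, b))


class Server:
    def __init__(self, master: bytes):
        self.history = [master]          # copy 1 is the registration token
        self.z = 1                       # index of the assurance copy expected next
        self.blacklisted_z = set()       # assurance indices burned by broken sessions
        self.blacklisted_tokens = set()  # biometrics reported in a special session

    def authorise(self, new: bytes, assurance: bytes):
        """Return (verdict, next_z, copy_of_next_z) for one (new, assurance) pair."""
        if self.z in self.blacklisted_z:
            return ("reject: assurance copy blacklisted", None, None)
        if not hmac.compare_digest(assurance, self.history[self.z - 1]):
            return ("reject: assurance copy mismatch", None, None)
        if new in self.blacklisted_tokens or new in self.history:
            return ("reject: exact match, treated as replay", None, None)
        if distance(new, self.history[0]) > THRESHOLD:
            return ("reject: outside predetermined range", None, None)
        self.history.append(new)                           # file now holds x+1 copies
        self.z = secrets.randbelow(len(self.history)) + 1  # 1 <= z <= x+1
        # The copy itself is returned so the user can verify the server.
        return ("accept", self.z, self.history[self.z - 1])

    def connection_lost(self):
        """Session broke mid-transaction: never accept the current copy z again."""
        self.blacklisted_z.add(self.z)

    def special_session(self, lost_new: bytes):
        """User reports the biometric sent during the broken transaction."""
        self.blacklisted_tokens.add(lost_new)


def demo():
    """Runs constructed 8-byte templates through the flow; returns the verdicts."""
    master = bytes([10, 20, 30, 40, 50, 60, 70, 80])
    scan1 = bytes([11, 19, 30, 42, 50, 61, 70, 79])  # fresh reading, distance 6
    scan2 = bytes([9, 21, 31, 40, 49, 60, 72, 80])   # fresh reading, distance 6
    server, card = Server(master), [master]          # card = user A's personal file
    out = []

    card.append(scan1)                               # stored locally before sending
    verdict, z, copy = server.authorise(scan1, card[0])
    mutual = hmac.compare_digest(copy, card[z - 1])  # user checks the server's copy
    out.append((verdict, mutual))

    # The same pair sent again fails on the assurance check or the exact match.
    out.append(server.authorise(scan1, master)[0])

    # Session breaks while (scan2, copy z) is in flight; the server burns z.
    server.connection_lost()
    server.special_session(scan2)
    out.append(server.authorise(scan2, card[z - 1])[0])
    return out


if __name__ == "__main__":
    print(demo())
```

The second verdict depends on which assurance index the server drew, but it is a rejection in both cases.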
It is envisaged that the system and method described herein will assist in limiting or will prevent fraudulent transactions. Intercepted fingerprint information packages used fraudulently will be an exact match with stored information packages and transactions will not be allowed. It will be appreciated that other biometric information may be used such as retina or voice information.

Claims

Claims:
1. An authentication system comprising a server computer having communication means for receiving biometric information, computing means for comparing the received biometric information with biometric information previously stored on a storage means associated with the server computer and authentication means for authenticating the received biometric information if it differs within a predetermined range, and does not exactly match, the previously stored biometric information.
2. An authentication system as claimed in claim 1 in which the communication means receives new biometric information submitted by a user and a copy of biometric information previously submitted by a user and now stored on the storage means, from the user, and the authentication means compares the new biometric information and the old biometric information received from the user with previously stored biometric information on the storage means and authenticates the information if the old biometric information exactly matches the previously stored information on the storage means and the new biometric information does not exactly match and differs only within a predetermined range, from the previously stored biometric information on the storage means.
3. An authentication system as claimed in claim 2 in which the old biometric information received from the user is a copy of a randomly chosen part of biometric information previously stored on the storage means and the comparison is between this part and the corresponding part of previously stored information.
4. An authentication system as claimed in any one of the preceding claims in which the authenticated new biometric information is stored, upon authentication, on the storage means.
5. An authentication system as claimed in any one of the preceding claims in which the biometric information is coded biometric information.
6. An authentication system as claimed in any one of the preceding claims in which biometric information is a coded fingerprint image.
7. An authentication system as claimed in any one of claims 1 to 5 in which the biometric information is a coded retina image.
8. An authentication system as claimed in any one of claims 1 to 5 in which biometric information is coded audio information.
9. An authentication system as claimed in claim 8 in which the coded audio information is a coded voice recording.
10. An authentication method comprising the steps of storing biometric information received from a user on a storage means of a server computer; receiving new biometric information through communication means of the server computer; comparing the received new biometric information from the user with the stored biometric information; and authenticating the received biometric information if it differs within a predetermined range, but does not match, the previously stored biometric information.
11. The method of claim 10 which includes the step of also receiving a copy of biometric information from a user of at least part of biometric information which was previously stored on the storage means.
12. The method of claim 11 which includes the further step of randomly choosing the at least part of the biometric information required from the user.
13. The method of any one of claims 10 to 12 in which the biometric information is a fingerprint, a set of fingerprints, a retina image, a set of retina images, a voice recording or a set of voice recordings.
14. The method of claims 11 to 13 in which the part of biometric information is a fingerprint or a retina image or a voice recording or a part thereof.
15. The method of any one of claims 11 to 14 in which the part of biometric information is one of the fingerprint or a retina image or a voice recording chosen randomly out of a set of fingerprints or retina images or voice recordings.
PCT/IB2004/050162 2003-02-27 2004-02-27 Authentication system and method WO2004077208A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA2003/1616 2003-02-27
ZA200301616 2003-02-27

Publications (2)

Publication Number Publication Date
WO2004077208A2 true WO2004077208A2 (en) 2004-09-10
WO2004077208A3 WO2004077208A3 (en) 2004-11-25

Family

ID=32928216

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2004/050162 WO2004077208A2 (en) 2003-02-27 2004-02-27 Authentication system and method

Country Status (1)

Country Link
WO (1) WO2004077208A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2331825A (en) * 1997-11-28 1999-06-02 Nec Corp Personal identification authentication using fingerprints
US6084977A (en) * 1997-09-26 2000-07-04 Dew Engineering And Development Limited Method of protecting a computer system from record-playback breaches of security

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7519815B2 (en) 2003-10-29 2009-04-14 Microsoft Corporation Challenge-based authentication without requiring knowledge of secret authentication data
US7657745B2 (en) 2003-10-29 2010-02-02 Microsoft Corporation Secure electronic transfer without requiring knowledge of secret data
GB2547954A (en) * 2016-03-03 2017-09-06 Zwipe As Attack resistant biometric authorised device
GB2547954B (en) * 2016-03-03 2021-12-22 Zwipe As Attack resistant biometric authorised device
CN108959865A (en) * 2017-05-25 2018-12-07 阿里巴巴集团控股有限公司 A kind of verification method and device
CN108959865B (en) * 2017-05-25 2022-12-16 创新先进技术有限公司 Verification method and device
CN109376703A (en) * 2018-11-30 2019-02-22 Oppo广东移动通信有限公司 Fingerprint identification method and Related product
CN109376703B (en) * 2018-11-30 2021-05-04 Oppo广东移动通信有限公司 Fingerprint identification method and related product

Also Published As

Publication number Publication date
WO2004077208A3 (en) 2004-11-25

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase