Secure biometric authentication with client-side feature extraction
First Claim
Patent Images
1. A method, comprising:
- obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user;
receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value;
retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated;
determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value;
determining, with one or more processors, that the first encrypted value matches the second encrypted value; and
based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided is a process that includes: receiving, with a first device, a request to authenticate a user; obtaining, with the first device, an unstructured-data authentication input; extracting, with the first computing device, a plurality of features of the unstructured-data authentication input to form a structured-data representation; determining, with the first device, a first instance of a value that deterministically varies; and determining, with the first device, a first encrypted value based on both the structured-data representation and the first instance of the value that deterministically varies; and sending, with the first device, the first encrypted value to a second computing device.
-
Citations
19 Claims
-
1. A method, comprising:
-
obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user; receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value; retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated; determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value; determining, with one or more processors, that the first encrypted value matches the second encrypted value; and based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method, comprising:
-
obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user; receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value; retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated; determining, with one or more processors, a plurality of encrypted values based on; (1) different respective subsets of the set of features detected in the biometric measurement in the retrieved authentication record, the set of features being obtained before receiving the first encrypted value, (2) different respective sets of features detected in different respective biometric measurements in the retrieved authentication record, the set of features being obtained before receiving the first encrypted value, or (3) a combination thereof; determining, with one or more processors, that more than a threshold amount, the threshold having a value greater than two, of the plurality of encrypted values match the first encrypted value; and based on the determining, sending, with one or more processors, a message over a network indicating that the user is authenticated. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
-
-
18. A method, comprising:
-
obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user; receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value; retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated; determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value; determining, with one or more processors, that the first encrypted value matches the second encrypted value; and based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein determining the second encrypted value comprises;
obtaining a value that varies between at least some authentication attempts; and
hashing a combination of the value that varies and at least some of the set of features detected in a signature or other biometric measurement in the retrieved authentication record to produce a hash value. - View Dependent Claims (19)
-
Specification