Secure biometric authentication with client-side feature extraction

US 10,713,345 B2
Filed: 02/28/2019
Issued: 07/14/2020
Est. Priority Date: 01/25/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user;

receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value;

retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated;

determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value;

determining, with one or more processors, that the first encrypted value matches the second encrypted value; and

based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process that includes: receiving, with a first device, a request to authenticate a user; obtaining, with the first device, an unstructured-data authentication input; extracting, with the first computing device, a plurality of features of the unstructured-data authentication input to form a structured-data representation; determining, with the first device, a first instance of a value that deterministically varies; and determining, with the first device, a first encrypted value based on both the structured-data representation and the first instance of the value that deterministically varies; and sending, with the first device, the first encrypted value to a second computing device.

Citations

19 Claims

1. A method, comprising:
- obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user;
  
  receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value;
  
  retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated;
  
  determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value;
  
  determining, with one or more processors, that the first encrypted value matches the second encrypted value; and
  
  based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving a third encrypted value and an identifier of the user;
      
      determining that the third encrypted value does not correspond to a fourth encrypted value based on the set of features detected in the biometric measurement in the retrieved authentication record and, in response, sending another message over a network indicating a failed authentication attempt.
  - 3. The method of claim 1, further comprising:
    - determining a plurality of encrypted values based on;
      
      different respective subsets of the set of features detected in the biometric measurement in the retrieved authentication record,different respective sets of features detected in different respective biometric measurements in the retrieved authentication record, ora combination thereof; and
      
      determining that more than a threshold amount, the threshold having a value greater than two, of the plurality of encrypted values match the first encrypted value.
  - 4. The method of claim 1, wherein determining the second encrypted value comprises:
    - obtaining a value that varies between at least some authentication attempts; and
      
      hashing a combination of the value that varies and at least some of the set of features detected in a signature or other biometric measurement in the retrieved authentication record to produce a hash value.
  - 5. The method of claim 1, further comprisingreceiving the first encrypted value from a mobile computing device, the first encrypted value being based on a signature drawn on a touchscreen of the mobile computing device or a fingerprint sensed with the mobile computing device.
  - 6. The method of claim 5, further comprising sending the message indicating the user is authenticated to a different computing device from the mobile computing device.
  - 7. The method of claim 1, further comprising, in response to the user being authenticated, sending a message authorizing provision of goods or services to the user.
  - 8. The method of claim 1, further comprising, in response to the user being authenticated, granting access to a computer application or data.
  - 9. The method of claim 1, further comprising, in response to the user being authenticated, sending a message that causes an actuator to unlock a lock.

10. A method, comprising:
- obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user;
  
  receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value;
  
  retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated;
  
  determining, with one or more processors, a plurality of encrypted values based on;
  
  (1) different respective subsets of the set of features detected in the biometric measurement in the retrieved authentication record, the set of features being obtained before receiving the first encrypted value,(2) different respective sets of features detected in different respective biometric measurements in the retrieved authentication record, the set of features being obtained before receiving the first encrypted value, or(3) a combination thereof;
  
  determining, with one or more processors, that more than a threshold amount, the threshold having a value greater than two, of the plurality of encrypted values match the first encrypted value; and
  
  based on the determining, sending, with one or more processors, a message over a network indicating that the user is authenticated.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself.
  - 12. The method of claim 10, wherein determining the second encrypted value comprises:
    - obtaining a value that varies between at least some authentication attempts; and
      
      hashing a combination of the value that varies and at least some of the set of features detected in a signature or other biometric measurement in the retrieved authentication record to produce a hash value.
  - 13. The method of claim 10, further comprising receiving the first encrypted value from a mobile computing device, the first encrypted value being based on a signature drawn on a touchscreen of the mobile computing device or a fingerprint sensed with the mobile computing device.
  - 14. The method of claim 13, further comprising sending the message indicating the user is authenticated to a different computing device from the mobile computing device.
  - 15. The method of claim 10, further comprising, in response to the user being authenticated, sending a message authorizing provision of goods or services to the user.
  - 16. The method of claim 10, further comprising, in response to the user being authenticated, granting access to a computer application or data.
  - 17. The method of claim 10, further comprising, in response to the user being authenticated, sending a message that causes an actuator to unlock a lock.

18. A method, comprising:
- obtaining, with one or more processors, a repository of user authentication records, each record having a user identifier and set of features detected in a biometric measurement of a respective corresponding user;
  
  receiving, with one or more processors, from a remote computing device, a first encrypted value and an identifier of a user to be authenticated based on the first encrypted value;
  
  retrieving, with one or more processors, from the repository, a user authentication record corresponding to the received identifier of the user to be authenticated;
  
  determining, with one or more processors, a second encrypted value based on the set of detected features in the retrieved authentication record, the set of detected features being obtained before receiving the first encrypted value;
  
  determining, with one or more processors, that the first encrypted value matches the second encrypted value; and
  
  based on the determination that the first encrypted value matches the second encrypted value, sending, with one or more processors, a message over a network indicating that the user is authenticated, wherein determining the second encrypted value comprises;
  
  obtaining a value that varies between at least some authentication attempts; and
  
  hashing a combination of the value that varies and at least some of the set of features detected in a signature or other biometric measurement in the retrieved authentication record to produce a hash value.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the detected features in the retrieved authentication record are obtained from the remote computing device that receives the biometric measurement and detects the features before sending the detected features to a computing device with access to the repository without sending the biometric measurement itself.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Sandeep, Banisetti, Kaladgi, Mohammed Mujeeb, Sawant, Yashwant Ramkishan, Kaladgi, Ruqiya Nikhat
Primary Examiner(s)
Holder, Bradley W

Application Number

US16/289,577
Publication Number

US 20190197228A1
Time in Patent Office

502 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06V 40/30   Writer recognition; Reading...

G06V 40/53   Measures to keep reference ...

G06V 40/70   Multimodal biometrics, e.g....

G09C 1/00   Apparatus or methods whereb...

H04L 2463/121   Timestamp

H04L 63/0428   wherein the data content is...

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3236   using cryptographic hash fu...

H04W 12/06   Authentication

H04W 12/062   Pre-authentication

H04W 12/068   using credential vaults, e....

Secure biometric authentication with client-side feature extraction

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure biometric authentication with client-side feature extraction

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links