Method of and system for biometric-based access to secure resources with dual authentication
First Claim
1. A method to manage access to a given resource by an authorized user in a distributed computing system, the system including a client having an associated biometric capture device, and an authentication server in which are stored first and second templates derived from a given biometric characteristic of the authorized user by applying first and second functions to a biometric data set, the method comprising:
- upon a given request to access the given resource, generating, at the client, third and fourth templates by re-applying the respective first and second functions to a biometric data set that is generated at the client contemporaneously;
forwarding the third template to the to the authentication server while maintaining the fourth template in-memory at the client;
determining, at the authentication server, whether the third template matches the first template within a first acceptance criteria;
if the third template matches the first template with the first acceptance criteria, forwarding an indication of the match and the second template from the authentication server to the client;
determining, at the client, whether the second template forwarded from the authentication server matches, within a second acceptance criteria, the fourth template with then held in-memory;
if the second template matches the fourth template within the second acceptance criteria, enabling access to the given resource by the authorized user.
0 Assignments
0 Petitions
Accused Products
Abstract
A biometric-based access mechanism implements a dual authentication scheme. It is assumed that an authorized user has enrolled in the system by generating a set of biometric data from which at least first and second templates have been generated and stored in an authentication server. When the user at a client later seeks to obtain access to a protected resource (e.g., a data file, a database, an application, or the like) stored on an application server or other host, a new set of biometric data is generated at the client, together with new templates. The templates are generated using the same functions that were used to generate the first and second templates during the enrollment process. The client maintains one of the two templates in-memory at a client while at least one other template is exported to the authentication server for matching. If the authentication server matches the template received from the client, the authentication server exports to the client a template that must then be matched with the template being held in-memory before authentication is complete and access to the protected resource at the application server or other host provided. This “dual authentication” approach prevents a third party from spoofing the communications between the client and authentication server.
59 Citations
9 Claims
-
1. A method to manage access to a given resource by an authorized user in a distributed computing system, the system including a client having an associated biometric capture device, and an authentication server in which are stored first and second templates derived from a given biometric characteristic of the authorized user by applying first and second functions to a biometric data set, the method comprising:
-
upon a given request to access the given resource, generating, at the client, third and fourth templates by re-applying the respective first and second functions to a biometric data set that is generated at the client contemporaneously;
forwarding the third template to the to the authentication server while maintaining the fourth template in-memory at the client;
determining, at the authentication server, whether the third template matches the first template within a first acceptance criteria;
if the third template matches the first template with the first acceptance criteria, forwarding an indication of the match and the second template from the authentication server to the client;
determining, at the client, whether the second template forwarded from the authentication server matches, within a second acceptance criteria, the fourth template with then held in-memory;
if the second template matches the fourth template within the second acceptance criteria, enabling access to the given resource by the authorized user. - View Dependent Claims (2, 3, 5, 6, 7)
-
-
4. The method as described in claim 4 wherein each communication is encrypted.
-
8. A biometric-based access method operative in a distributed networking environment comprising a client machine having a biometric capture device, an authentication server, and an application server or other host having a protected resource, wherein at least first and second templates generated from a biometric data set have been stored in or in association with the authentication server, comprising:
-
upon an access request at the client machine, generating a new set of biometric data and associated third and fourth templates;
maintaining the third template in-memory at the client machine while exporting the fourth template to the authentication server where it can be matched against the second template;
upon any receipt at the client machine of the first template, allowing access to the protected resource if the first template matches the third template. - View Dependent Claims (9)
-
Specification