Method and system for confirming the identity of a user
First Claim
1. A method of confirming the identity of a user comprising:
collecting a plurality of biometric credentials from an individual;
extracting biometric data, personal data and an original security feature corresponding to the biometric and personal data from each of the biometric credentials, wherein the original security feature for each credential is different;
processing the extracted biometric and personal data to generate a set of biometric data and a set of personal data, respectively, by converting the extracted biometric and personal data into a computer-readable data containing format such that the original security feature corresponding to the biometric and personal data extracted from a same credential is separately associated with the corresponding biometric data as a biometric security feature and is separately associated with the corresponding personal data as a personal security feature;
storing the set of biometric data and the set of personal data in a device as device data;
associating an additional security feature with an item of biometric data included in the set of biometric data and associating the additional security feature with at least one item of personal data included in the set of personal data, wherein the at least one item of personal data is from a different credential than the item of biometric data;
generating a user configurable policy comprising identities of a plurality of authenticating entities, each of the authenticating entities being associated with one of a plurality of levels of trust and a default rule corresponding to the one level of trust, wherein the default rule is one of a plurality of default rules that permit releasing a portion of the device data in accordance with a corresponding one of the levels of trust;
storing the user configurable policy in the device;
presenting, by a user in possession of the device, the device to one of the authenticating entities at an authentication station;
requesting biometric and personal data of the user from the device data, the biometric data corresponding to at least one biometric feature desired for authenticating the user, said requesting operation being performed by a workstation of the one authenticating entity;
consulting the user configurable policy in response to said requesting operation to determine whether the requested biometric data is permitted to be released from the device data;
releasing the requested biometric and personal data from the device data to the one authenticating entity when the default rule associated with the one authenticating entity permits releasing the requested biometric and personal data;
validating a logical link between the user in possession of the device and the released personal data by establishing a logical link between the released personal data and the released biometric data by certifying that a biometric security feature associated with the released biometric data and a personal security feature associated with the released personal data have not been modified and were issued in an original credential by a suitable issuer, and authenticating a biometric link between the user and the released biometric data by comparing the released biometric data against actual biometric data captured from the user in possession of the device; and
generating an output after said validating operation indicating a result of said validating operation.
Abstract
A method of confirming the identity of a user includes processing biometric credentials, generating a user configurable policy including identities of a plurality of authenticating entities, storing the user configurable policy in a device, presenting the device to an authenticating entity at an authentication station, and requesting biometric and personal data of the user from the device data. The biometric data corresponds to at least one biometric feature desired for authenticating the user and the requesting operation is performed by a workstation of the authenticating entity. Moreover, the method includes consulting the user configurable policy in response to the requesting operation to determine whether the requested biometric data is permitted to be released from the device data, and releasing the requested biometric and personal data from the device data to the authenticating entity when the default rule associated with the one authenticating entity permits releasing the requested biometric and personal data.
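A minimal sketch of the policy-gated release and the validation step summarized in the abstract, added here as an illustration and not taken from the patent. The entity names, field names, keys and byte values are constructed; the security feature is assumed to be an HMAC-SHA256 tag keyed per issuer, release is assumed to be all-or-nothing, and the biometric comparison is a toy byte distance.

```python
import hashlib
import hmac

# Constructed issuer keys; a real deployment would verify issuer signatures.
ISSUER_KEYS = {"passport-office": b"k1-constructed", "dmv": b"k2-constructed"}
# Default rules: which device-data fields each level of trust may receive.
DEFAULT_RULES = {"high": {"face", "fingerprint", "name", "dob"},
                 "low": {"face", "name"}}
# User configurable policy: authenticating entity -> level of trust.
POLICY = {"border-control": "high", "gym-frontdesk": "low"}


def tag(issuer, field, value):
    """Security feature (assumed form): HMAC over field name and value."""
    msg = field.encode() + b"\x00" + value
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).digest()


def make_item(issuer, field, value):
    return {"issuer": issuer, "field": field, "value": value,
            "feature": tag(issuer, field, value)}


DEVICE_DATA = {i["field"]: i for i in (
    make_item("passport-office", "face", bytes([10, 200, 33, 90])),
    make_item("passport-office", "name", b"A. Example"),
    make_item("dmv", "fingerprint", bytes([5, 5, 250, 17])),
    make_item("dmv", "dob", b"1980-01-01"))}


def release(entity, requested):
    """Device side: consult the policy; release all requested fields or none."""
    allowed = DEFAULT_RULES.get(POLICY.get(entity), set())
    if not set(requested) <= allowed:
        return None  # unknown entity, or a field outside its default rule
    return [DEVICE_DATA[f] for f in requested]


def validate(released, biometric_field, live_sample, max_distance=12):
    """Workstation side: check every security feature, then the biometric link."""
    for item in released:
        key_known = item["issuer"] in ISSUER_KEYS
        if not key_known or not hmac.compare_digest(
                item["feature"], tag(item["issuer"], item["field"], item["value"])):
            return "rejected: security feature invalid"
    stored = next(i["value"] for i in released if i["field"] == biometric_field)
    distance = sum(abs(a - b) for a, b in zip(stored, live_sample))
    return "valid" if distance <= max_distance else "rejected: biometric mismatch"
```

The device refuses the whole request when any requested field falls outside the rule for the requester's level of trust, and the workstation checks the issuer tags before it compares the live sample.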
15 Claims
6. A system for confirming the identity of a user comprising:
at least one computer configured as a server, said server comprising a processor and a database, said processor being configured to extract biometric data, personal data and an original security feature corresponding to the biometric and personal data from each of a plurality of biometric credentials collected from an individual, wherein the original security feature for each credential is different, process the extracted biometric and personal data to generate a set of biometric data and a set of personal data, respectively, by converting the extracted biometric and personal data into a computer-readable data containing format such that the original security feature corresponding to the biometric and personal data extracted from a same credential is separately associated with the corresponding personal biometric security feature and is separately associated with the corresponding personal data as a personal security feature, and associate an additional security feature with at least one item of biometric data included in the set of biometric data and associate the additional security feature with at least one item of personal data included in the set of personal data, wherein the at least one item of personal data is from a different credential than the at least one item of biometric data;
a device having stored therein the set of biometric data and the set of personal data as device data, wherein each item of biometric data included in the set of biometric data corresponds to an item of personal data included in the set of personal data, said device being configured to store a user configurable policy comprising identities of a plurality of trusted authenticating entities, each of the trusted authenticating entities being associated with one of a plurality of levels of trust and a default rule corresponding to the one level of trust, the default rule being one of a plurality of default rules that permit releasing a portion of the device data in accordance with a corresponding one of the levels of trust, wherein each item of biometric data includes at least one representation of a biometric feature of an individual; and
at least one workstation positioned at an authenticating station, said workstation comprising at least a workstation computer operationally coupled to a biometric credential reading device, wherein said server and said at least one workstation communicate and wherein said at least one workstation is configured to at least request biometric and personal data of a user in possession of said device from said device data when the user presents said device to said at least one workstation, the biometric data corresponding to at least one biometric feature desired to be used for authenticating the user,
said device is further configured to consult the user configurable policy in response to the request for biometric and personal data, to determine whether the requested biometric and personal data are permitted to be released from the device data, and to release the requested biometric and personal data from the device data to an authenticating entity when an appropriate one of the default rules associated with the authenticating entity permits releasing the requested biometric and personal data,
and said at least one workstation is further configured to validate a logical link between the user and personal data released by said device by establishing a logical link between the personal data and biometric data released by said device by certifying that the biometric security feature associated with the released biometric data and the personal security feature associated with the released personal data have not been modified and were issued in an original credential by a suitable issuer, and authenticating a biometric link between the user and the released biometric data by comparing the released biometric data against actual biometric data captured from the user, and generate an output indicating whether or not the logical link between the user and the released personal data is valid.
11. A universal biometric credential device for confirming the identity of a user at an authenticating station, said universal biometric credential device comprising:
a computer-readable recording medium configured to store a user configurable policy, a set of biometric data and a set of personal data, wherein the user configurable policy comprises identities of a plurality of trusted authenticating entities, each of the trusted authenticating entities being associated with one of a plurality of levels of trust and a default rule corresponding to the one level of trust, the default rule being one of a plurality of default rules that permit releasing a portion of the device data in accordance with a corresponding one of the levels of trust, wherein each item of biometric data includes at least one representation of a biometric feature of an individual, and each item of biometric data included in the set of biometric data corresponds to an item of personal data included in the set of personal data; and
a device processor configured to receive a request from each of the trusted authenticating entities for biometric and personal data stored in said universal biometric credential device, configured to consult the user configurable policy in response to the request to determine whether the requested biometric and personal data are permitted to be released from said universal biometric credential device, and configured to release the requested biometric and personal data from said universal biometric credential device when an appropriate one of the default rules permits releasing the requested biometric and personal data,
wherein said universal biometric credential device communicates with at least one workstation positioned at an authentication station of each of the authenticating entities, the at least one workstation comprises at least a workstation computer operationally coupled to a biometric credential reading device and is operable to communicate with a server, request biometric and personal data of a user in possession of said universal biometric credential device from the device data when the user presents said universal biometric credential device to the at least one workstation, the biometric data corresponding to at least one biometric feature desired to be used for authenticating the user, validate a logical link between the user and personal data released by said universal biometric credential device by establishing a logical link between the personal data and biometric data released by said universal biometric credential device by certifying that the biometric security feature associated with the released personal data have not been modified and were issued in an original credential by a suitable issuer, and authenticating a biometric link between the user and the released biometric data by comparing the released biometric data against actual biometric data captured from the user, and generate an output indicating whether or not the logical link between the user and the released personal data is valid,
the server comprises a server processor and a database, wherein the server processor is operable to extract biometric data, personal data and an original security feature corresponding to the biometric and personal data from each of a plurality of biometric credentials collected from an individual, wherein the original security feature for each credential is different, process the extracted biometric and personal data to generate the set of biometric data and the set of personal data, respectively, by converting the extracted biometric and personal data into a computer-readable data containing format such that the original security feature corresponding to the biometric and personal data extracted from a same credential is separately associated with the corresponding biometric data as a biometric security feature and is separately associated with the corresponding personal data as a personal security feature, and associate an additional security feature with at least one item of biometric data included in the set of biometric data and associate the additional security feature with at least one item of personal data included in the set of personal data, wherein the at least one item of personal data is from a different credential than the at least one item of biometric data.
Specification