Two-level authentication for secure transactions

US 8,433,919 B2
Filed: 05/05/2007
Issued: 04/30/2013
Est. Priority Date: 11/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for electronic authentication comprising:

retrieving a biometric profile sample comprising transformed biometric information stored in a memory of a personal digital key (PDK), wherein the biometric profile sample is associated with a biometric profile and is based on less than the entirety of the biometric profile, and wherein the biometric profile is uniquely associated with an individual and is stored in the memory of the PDK;

receiving a biometric input;

receiving data for comparing the transformed information of the biometric profile sample to the biometric input;

comparing the transformed information of the biometric profile sample to the biometric input;

authorizing a transaction responsive to the transformed information of the biometric profile sample matching the biometric input;

establishing a secure communication channel with a remote registry;

transmitting PDK information to the remote registry using the secure communication channel, wherein the PDK information is uniquely associated with the PDK;

receiving a validation decision from the remote registry using the secure communication channel, the validation decision indicating whether the remote registry determines if the PDK is valid or invalid; and

determining if a transaction should be authorized based on (a) the validation decision and (b) the comparison between the biometric profile sample and biometric input,wherein the remote registry includes a database administered by a trusted third-party organization and the PDK is registered with the registry.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method provide efficient, secure, and highly reliable authentication for transaction processing and/or access control applications. A Personal Digital Key stores one or more profiles (e.g., a biometric profile) in a tamper-proof memory that is acquired in a secure trusted process. Biometric profiles comprise a representation of physical or behavioral characteristics that are uniquely associated with an individual that owns and carries the PDK. The PDK wirelessly transmits the biometric profile over a secure wireless transaction to a Reader for use in a biometric authentication process. The Reader compares the received biometric profile to a biometric input acquired at the point of transaction in order to determine if the transaction should be authorized.

198 Citations

37 Claims

1. A method for electronic authentication comprising:
- retrieving a biometric profile sample comprising transformed biometric information stored in a memory of a personal digital key (PDK), wherein the biometric profile sample is associated with a biometric profile and is based on less than the entirety of the biometric profile, and wherein the biometric profile is uniquely associated with an individual and is stored in the memory of the PDK;
  
  receiving a biometric input;
  
  receiving data for comparing the transformed information of the biometric profile sample to the biometric input;
  
  comparing the transformed information of the biometric profile sample to the biometric input;
  
  authorizing a transaction responsive to the transformed information of the biometric profile sample matching the biometric input;
  
  establishing a secure communication channel with a remote registry;
  
  transmitting PDK information to the remote registry using the secure communication channel, wherein the PDK information is uniquely associated with the PDK;
  
  receiving a validation decision from the remote registry using the secure communication channel, the validation decision indicating whether the remote registry determines if the PDK is valid or invalid; and
  
  determining if a transaction should be authorized based on (a) the validation decision and (b) the comparison between the biometric profile sample and biometric input,wherein the remote registry includes a database administered by a trusted third-party organization and the PDK is registered with the registry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein receiving a biometric input comprises obtaining a representation of physical or behavioral characteristics derived from the individual.
  - 3. The method of claim 1, wherein receiving the biometric input comprises performing at least one of a fingerprint scan, a retinal scan, an iris scan, a facial scan, a palm scan, a DNA analysis, a signature analysis, and a voice analysis.
  - 4. The method of claim 1, further comprising performing a device authentication to verify that the PDK is a valid device responsive to the PDK entering a proximity zone.
  - 5. The method of claim 4, wherein performing a device authentication comprises performing a challenge-response authentication to verify the PDK is valid, wherein the PDK further verifies validity of an external device.
  - 6. The method of claim 4, wherein performing the device authentication comprises:
    - receiving available profile types from the PDK;
      
      comparing the available profile types to required profile types for authentication;
      
      responsive to the available profile types being sufficient, indicating that the PDK is valid; and
      
      responsive to the available profile types not being sufficient, indicating that the PDK is not valid.
  - 7. The method of claim 1, wherein a private registry is further coupled to the remote registry, comprising a database administered by a private controlling entity.
  - 8. The method of claim 1, further comprising receiving purchasing information from the PDK, the purchasing information comprising at least one of bank information, credit card information, debit card information, ATM card information, and coupon information.
  - 9. The method of claim 8, further comprising determining if the purchasing information is valid by querying a remote validation database.
  - 10. The method of claim 1, further comprising:
    - receiving a picture profile from the PDK comprising an image of the individual;
      
      displaying the image on a screen; and
      
      prompting an administrator to confirm or deny the identity of the individual based on the appearance of the individual and the displayed image.
  - 11. The method of claim 1, further comprising:
    - acquiring a personal identification number from the individual;
      
      receiving a PIN profile from the PDK; and
      
      determining if the acquired personal identification number matches the received PIN profile.
  - 12. The method of claim 1, wherein comparing the biometric profile to the biometric input further comprises:
    - computing a representation of the biometric input based on a mathematical hash of the biometric input; and
      
      comparing the representation of the biometric input to the biometric profile.

13. An apparatus for electronic authentication comprising:
- a biometric reader adapted to receive a biometric input;
  
  a receiver/decoder circuit adapted to wirelessly receive a biometric profile sample from a personal digital key (PDK) over a wireless channel, wherein the biometric profile sample comprising transformed information is based on less than the entirety of a biometric profile stored in a memory of a personal digital key (PDK), wherein the biometric profile is uniquely associated with an individual;
  
  a processor coupled to the receiver/decoder circuit and the biometric reader, the processor adapted to compare the biometric profile sample to the biometric input, and indicate that a transaction should be authorized responsive to determining that the biometric profile sample matches the biometric input; and
  
  a network interface coupled to the processor and to the receiver/decoder circuit, the network interface adapted to establish the secure communication channel with a remote registry with which the PDK is registered, transmit PDK information uniquely associated with the PDK to the remote registry using the secure communication channel and receive a validation decision from the remote registry using the secure communication channel indicating whether the remote registry determines if the PDK is valid or invalid, wherein the processor determines whether to authorize the transaction using the validation decision and comparing the biometric profile sample to the biometric input.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, further comprising a credit card terminal input/output coupled to the receiver/decoder circuit, the credit card terminal input/output adapted to communicate with a credit card terminal.
  - 15. The apparatus of claim 13, wherein the biometric reader is further adapted to obtain a representation of physical or behavioral characteristics derived from the individual.
  - 16. The apparatus of claim 13, wherein the biometric reader comprises at least one of a fingerprint scanner, a retinal scanner, an iris scanner, a face scanner, a palm scanner, a DNA analyzer, a signature analyzer, and a voice analyzer.
  - 17. The apparatus of claim 13, wherein the receiver/decoder circuit is further adapted to receive the biometric profile sample in an encrypted format over a secure wireless channel, and decrypt the biometric profile sample to an unencrypted format.
  - 18. The apparatus of claim 13, wherein the receiver/decoder circuit is further adapted to detect a PDK in response to the PDK entering a proximity zone of the receiver/decoder circuit, and request the PDK to transmit the biometric profile.

19. A personal digital key (PDK) comprising:
- a memory adapted to store a biometric profile comprising transformed biometric information in a tamper-proof format, wherein the biometric profile is uniquely associated with an individual, adapted to store a biometric profile sample, the biometric profile sample associated with the biometric profile and based on less than the entirety of the biometric profile, and adapted to store a unique PDK ID in a tamperproof format, the PDK ID comprising information identifying the PDK among other PDKs;
  
  a transceiver coupled to the memory, the transceiver adapted to wirelessly receive over a secure wireless channel data based at least in part on a biometric input, the biometric input received from an external device and wirelessly transmit the PDK ID over a secure wireless channel to the external device; and
  
  a control logic to coordinate a comparison of data based at least in part on a biometric input to a set of transformed information comprising the biometric profile sample.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus of claim 19, wherein the memory further stores initialization information comprising at least one of a programmer ID, a notary ID, and a site ID associated with an initialization process.
  - 21. The apparatus of claim 19, wherein the memory is further adapted to store at least one of purchasing information, registration information and personal information.
  - 22. The apparatus of claim 19, further comprising a programmer interface adapted to write the biometric profile to the memory during a trusted initialization process.
  - 23. The apparatus of claim 19, wherein the memory and transceiver are integrated into items carried or worn by the individual.
  - 24. The apparatus of claim 19, wherein the memory and transceiver are integrated into a cell phone, a Personal Digital Assistant (PDA), an employee identification tag, clothing, or jewelry.

25. A method for secure authentication using a physical, portable key (PDK) comprising:
- storing a biometric profile in a tamper-proof memory, wherein the biometric profile is uniquely associated with an individual and comprises transformed biometric information;
  
  storing a biometric profile sample associated with the biometric profile and based on less that the entirety of the biometric profile;
  
  wirelessly receiving data based at least in part on a biometric input from an external; and
  
  responsive to receiving data based at least in part on a biometric input, the external device authorizes a transaction based on (a) a comparison between the biometric profile sample and the data based at least in part on the biometric input acquired from the individual performed by the PDK and (b) a validation decision received from a remote registry using a secure communication channel, wherein the validation decision authenticates the PDK based at least in part on whether the PDK is registered with the remote registry.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The method of claim 25, further comprising encrypting the stored biometric profile for transmission over the secure wireless channel.
  - 27. The method of claim 25, further comprising storing at least one of purchasing information, registration information and personal information.
  - 28. The method of claim 25, further comprising writing the biometric profile to the tamper-proof memory during a one time trusted initialization process.
  - 29. The method of claim 25, wherein the physical, portable key is integrated into a cell phone, a Personal Digital Assistant (PDA), an employee identification tag, clothing, or jewelry.
  - 30. The method of claim 25, further comprising storing a unique ID in a tamperproof format.
  - 31. The method of claim 25, further comprising performing a device authentication to verify that the external device is valid responsive to entering a proximity zone of the external device.
  - 32. The method of claim 31, wherein performing a device authentication comprises performing a challenge-response authentication to verify validity of the external device, wherein the external device further verifies validity of a personal digital key.
  - 33. The method of claim 25, further comprising:
    - receiving the biometric input from the individual;
      
      computing a representation of the biometric input by performing a mathematical hash on the biometric input; and
      
      transmitting the representation of the biometric input to the external device.

34. A method for secure electronic authentication comprising:
- wirelessly receiving uniquely identifying information from a personal digital key (PDK);
  
  transmitting the uniquely identifying information from the PDK to a remote registry with which the PDK is registered;
  
  receiving a validation decision from the remote registry using a secure communication channel, the validation decision indicating whether the PDK is valid based at least in a part on the uniquely identifying;
  
  receiving profile information from the PDK indicating types of profiles stored in the PDK;
  
  determining if the types of profiles are compatible with allowable authentication types;
  
  performing one or more authentication tests to determine if a profile is valid, wherein performing the one or more authentication tests includes wirelessly receiving a biometric profile sample from the PDK, wherein thebiometric profile sample is associated with a biometric profile and is based on less than the entirety of the biometric profile and wherein the biometric profile is uniquely associated with an individual,acquiring a biometric input anddetermining that the profile is valid responsive to the acquired biometric input matching the received biometric profile sample; and
  
  authorizing a transaction responsive to determining that the PDK is valid, determining that the types of profiles are compatible, and determining that the profile is valid.
- View Dependent Claims (35, 36, 37)
- - 35. The method of claim 34, wherein performing one or more profile authentication tests comprises:
    - wirelessly receiving a Personal Identification Number (PIN) profile from the PDK, wherein the PIN profile is uniquely associated with an individual;
      
      acquiring a PIN input; and
      
      determining that the profile is valid responsive to the acquired PIN matching the received PIN profile.
  - 36. The method of claim 34, wherein performing one or more profile authentication tests comprises:
    - wirelessly receiving a picture profile from the PDK, wherein the picture profile is uniquely associated with an image of an individual;
      
      acquiring an image; and
      
      determining that the profile is valid responsive to the acquired image matching the received picture profile.
  - 37. The method of claim 34, wherein performing one or more profile authentication tests comprises:
    - receiving a registry profile from the PDK, wherein the registry profile is uniquely associated with an individual;
      
      establishing a secure communication channel with a remote registry;
      
      transmitting the registry profile to the remote registry;
      
      receiving status information from the remote registry; and
      
      determining that the profile is valid responsive to the status information indicating a valid registry entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proxense, LLC
Original Assignee
Proxense, LLC
Inventors
Giobbi, John J., Brown, David L., Hirt, Fred S.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US11/744,831
Publication Number

US 20070245157A1
Time in Patent Office

2,187 Days
Field of Search

None
US Class Current

713/186
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 2221/2115   Third party

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/4014   Identity check for transact...

G06Q 20/40145   Biometric identity checks

G07C 2209/12   Comprising means for protec...

G07C 9/257   electronically G07C9/26 tak...

G07C 9/26   using a biometric sensor in...

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0861   using biometrical features,...

H04L 9/0866   involving user or device id...

H04L 9/3231   Biological data, e.g. finge...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

Two-level authentication for secure transactions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

198 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Two-level authentication for secure transactions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

198 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links