[go: up one dir, main page]

US20150113616A1 - Mobile device-based authentication with enhanced security measures - Google Patents

Mobile device-based authentication with enhanced security measures Download PDF

Info

Publication number
US20150113616A1
US20150113616A1 US14/057,663 US201314057663A US2015113616A1 US 20150113616 A1 US20150113616 A1 US 20150113616A1 US 201314057663 A US201314057663 A US 201314057663A US 2015113616 A1 US2015113616 A1 US 2015113616A1
Authority
US
United States
Prior art keywords
user
biometric data
biometric
mobile device
site
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/057,663
Inventor
George P. Sampas
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US14/057,663 priority Critical patent/US20150113616A1/en
Priority to US14/213,684 priority patent/US20140201537A1/en
Publication of US20150113616A1 publication Critical patent/US20150113616A1/en
Priority to US15/448,345 priority patent/US20170180361A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • G06Q20/206Point-of-sale [POS] network systems comprising security or operator identification provisions, e.g. password entry
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3224Transactions dependent on location of M-devices
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111Location-sensitive, e.g. geographical location, GPS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Definitions

  • the present disclosure relates generally to biometric systems and access control, and more particularly, to mobile device-based authentication in connection with secure transactions.
  • one private property interest may be in a physical facility, and access to the inside may be safeguarded by a keyed mechanical lock on a door.
  • the owner of the physical facility along with any other individuals granted access thereby, may possess a key that unlocks the mechanical lock to open the door. Any other unauthorized individual who does not have the key will be unable to unlock the mechanical lock.
  • the mechanical lock may be bypassed in any number of different ways, including picking the lock, destroying the lock and the door altogether, or by pilfering the key from the authorized individuals.
  • the complexity of the lock may be increased, the strength of the lock and the door may be bolstered, and so forth. Increasingly sophisticated attacks may defeat these further safeguards, so security remains an ever-evolving field.
  • a property interest may also lie in an individual's bank accounts, credit card accounts, retail installment accounts, utilities accounts, or any other resource that is frequently encountered and used in modern day life, access to which must be properly limited by security systems.
  • these resources or property interests can be accessed electronically, and there are conventional security systems and devices that are currently in use.
  • access to monetary funds in a bank account may be possible via an automated teller machine (ATM).
  • ATM automated teller machine
  • Authentication may utilize one or more factors, which include something the requestor knows, something the requestor has, and something the requestor is. Most often, only one, or at most two factors are utilized because of the added cost and complexity of implementing additional authentication factors.
  • the ATM card with basic accountholder information encoded thereon is one factor (something the requestor has), and access to the account is granted only upon the successful validation of a corresponding personal identification number (PIN, or something the requestor knows).
  • PIN personal identification number
  • Conventional banking services are also accessible online through the Internet, and while most financial-related web services have additional security measures, access to some other less critical web services may be protected only with an account name and a password constituting a single factor (something the requestor/user knows).
  • tokens are expensive to license, expensive to maintain, and cumbersome for the user to carry. As with any diminutive device, tokens are easy to lose, especially when it represents yet another addition to the clutter of items that must be managed and carried on the person on a daily basis; many individuals already have enough difficulty keeping track of keys, wallets, and mobile phones.
  • SMS Short Message Service
  • Much functionality is converging upon the mobile phone, particularly those full-featured variants that have substantial computing resources for accessing the web, run various software applications, and so forth, which are referred to in the art as a smart phone.
  • credit card payments and the act of physically presenting the physical card itself may be replaced with a software application running on the smart phone.
  • the application may be in communication with a point of sale (POS) terminal via a modality such as Near Field Communication (NFC) or Bluetooth low energy, and transmits credit card payment information, such as credit card number, expiration date, billing ZIP code, and other such verification information.
  • NFC Near Field Communication
  • Bluetooth low energy transmits credit card payment information, such as credit card number, expiration date, billing ZIP code, and other such verification information.
  • the POS terminal may then complete the payment process with the received information.
  • services such as Google Wallet are in existence and progressing toward widespread deployment.
  • RFID Radio Frequency Identification
  • a third factor utilizes unique biometric attributes of a person such as fingerprints, retinal and facial patterns, voice characteristics, and handwriting patterns.
  • biometric attributes of a person such as fingerprints, retinal and facial patterns, voice characteristics, and handwriting patterns.
  • prior biometric systems were challenging to implement because of the high costs associated with accurate reader devices and database systems for storing and quickly retrieving enrollment data, the increasing demand for biometrics-based security has resulted in the development of substantially improved reader devices, and user interfaces and back-end systems therefor.
  • fingerprint reader peripheral devices that are connectible to a Universal Serial Bus (USB) port on personal computer system, and restrict access without providing a valid, enrolled fingerprint.
  • USB Universal Serial Bus
  • Mobile devices may also be incorporated with biometric readers, and front-facing video cameras such as those already existing in smart phones such as the Apple iPhone may be utilized for facial recognition.
  • a method for tracking user authentication may include receiving a first user biometric data set from a mobile device on an authentication server. Additionally, the method may include receiving a second user biometric data set from a site resource on the authentication server. The second user biometric may be transmitted from the site resource in response to receipt of an authentication command from the mobile device on the site resource. There may additionally be a step of rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server.
  • the method may include initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource.
  • the method may involve setting an emergency mode if either one of the first set of biometric data and the second set of biometric data is validated against a pre-enrolled emergency biometric data.
  • the pre-enrolled emergency biometric data may be stored on the remote authentication server.
  • the method may continue with initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to setting the emergency mode.
  • a method of authenticating a user to a site resource may include capturing a first biometric input from the user on an integrated first biometric reader on a mobile device.
  • the first biometric input may correspond to a first biometric feature of the user.
  • the second biometric input may correspond to a second biometric feature of the user.
  • the method may include rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server. Then, there may be a step of initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource. The first set of biometric data and the second set of biometric data are transmitted to the remote authentication server for validation.
  • FIG. 1 is a block diagram illustrating an exemplary environment in which embodiments of the present disclosure may be implemented
  • FIG. 2 is a block diagram of another exemplary environment utilizing secured communications channels and external monitoring sites to provide additional layers of security for the methods of the present disclosure
  • FIG. 3 is a flowchart illustrating one embodiment of the contemplated method for authenticating a user to a site resource
  • FIG. 4 is a perspective view of a first embodiment of a mobile device which may be utilized in connection with the present disclosure including a fingerprint reader and a front-facing camera; and
  • FIGS. 5A , 5 B and 5 C show an exemplary user interface for a software application running on the mobile device for authenticating the user to the site resource in various states.
  • FIG. 1 depicts one exemplary environment 10 in which various embodiments of the present disclosure may be implemented.
  • a user 12 is in physical possession of a mobile device 14 that has various data processing and communications features as will be detailed more fully below.
  • the mobile device 14 is a smart phone type apparatus that has a wireless network connectivity module 16 for placing telephone calls over a mobile telecommunications network 18 managed by a service provider 20 , among other functions.
  • the service provider 20 is understood to be connected to a greater telephone network 21 .
  • Currently several competing communication protocols, standards, and technologies such as CDMA2000, EDGE, UMTS, and so forth are deployed, depending on the service provider 20 .
  • the wireless network connectivity module 16 includes components such as the RF (radio frequency) transceiver, the RF modulator/demodulator, the RF front end module, one or more antennas, digital/analog converters, among other minor components as implemented in conventional communications devices.
  • the relatively short range of wireless transmissions between the mobile device 14 there are multiple antenna towers 22 a - c , for example, that provide coverage for separate geographic areas 24 a - c , respectively.
  • the operational principles of the telecommunications network 18 in conjunction with the wireless network connectivity module 16 are well known in the art, and to the extent any specifics are described, it is by way of example only and not of limitation.
  • the wireless network connectivity module 16 may also be utilized for data communications besides voice telephone calls.
  • the service provider 20 may also have a link to the Internet 23 , the utility for which will become more apparent below.
  • the wireless network connectivity module 16 may be configured for Wi-Fi (IEEE 8012.11x), Bluetooth, and the like.
  • Wi-Fi IEEE 8012.11x
  • Bluetooth Bluetooth
  • One data communications modality that is also understood to be incorporated into the mobile device 14 is Near Field Communication (NFC), which facilitates simple data transfers between closely positioned transceivers.
  • NFC Near Field Communication
  • some implementations may involve the integration of NFC functionality into the wireless network connectivity module 16 and reusing the same sub-components, the embodiment shown in FIG. 1 contemplates a separate NFC module 24 .
  • the higher level data transfer link management functions are handled by a general purpose data processor 26 .
  • the general purpose data processor 26 executes programmed instructions that are stored in a memory 28 . These tangibly embodied instructions, when executed may perform the contemplated method of authenticating the user 12 with the mobile device 14 .
  • the mobile device 14 may have stored thereon programmed instructions that comprise software applications that provide functionality in addition to making and receiving telephone calls, such as simple message service (SMS) text messaging, e-mail, calendars/to-do, photography, videography, media playback, and web browsing, among many others.
  • SMS simple message service
  • Some advanced mobile devices 14 may have a dedicated graphics processor and other enhancements that accelerate performance, though for purposes of the present disclosure and the mobile device 14 , such components are understood to be subsumed within the term, general purpose data processor 26 .
  • the screen 30 is a liquid crystal display (LCD) device of varying dimensions fitted to the housing of the mobile device 14 .
  • Inputs for the computation and other instructions to the application are provided via a touch input panel 32 that may be overlaid on the screen 30 .
  • the screen 30 and the touch input panel 32 are integrated, however.
  • there may be alternative input modalities such as a keypad.
  • the arrangement of the keys may be different to fit within the dimensions of the mobile device 14 .
  • a microphone 34 for receiving audio or voice signals is included, as well as a speaker 36 for outputting audio.
  • a speaker 36 for outputting audio.
  • an integrated camera 38 comprised of a lens, an imaging sensor, and a dedicated image processor connected to the general purpose data processor 26 .
  • the camera 38 may be utilized to capture still images as well as a video stream, the data for which is stored on the memory 28 . Additional uses for the camera 38 are contemplated in accordance with various embodiments of the present disclosure, the details of which will be described more fully below.
  • mobile device 14 There are numerous variations of the mobile device 14 or smart phone that are currently available on the market. Some notable ones include the iPhone from Apple, Inc. and the DROID from Motorola, Inc. It is also contemplated that various embodiments of the present disclosure may be implemented on mobile devices 14 besides smart phones or cellular phones, such as tablet-type devices including the iPad from Apple, Inc., full features media player devices including the iPod again from Apple, Inc., and other portable digital assistant-type devices. The specifics of the mobile device 14 are presented by way of example only and not of limitation, and any other suitable mobile device 14 may be substituted.
  • the site resource 40 is a point of sale (POS) terminal 42 and its associated components.
  • the site resource 40 is an automated teller machine (ATM), and in yet another example, the site resource 40 is a personal computer system 46 .
  • the site resource 40 is protected from unauthorized access, and the disclosed method for authenticating the user 12 may be utilized to permit access.
  • the site resource 40 is understood to encompass any access-limited system, including physical facilities, financial accounts, and so forth. The following description will be in the context of the POS terminal 42 , but one of ordinary skill in the art will readily recognize the applicability or non-applicability and necessary substitutions for various disclosed features to implement the contemplated mobile device-based authentication in other contexts.
  • the user 12 provides credentials to both the site resource 40 and the mobile device 14 , both of which independently transmit this data to the remote authentication server 68 , also referred to as a central clearing house 98 to the extent additional functions besides authentication are implemented thereon.
  • the transmissions from the mobile device 14 may take place over a first transmission line 100
  • the transmissions from the site resource 40 may take place over a second transmission line 102 .
  • the first transmission line 100 may be secured with a first encoding site 104 that encrypts all traffic thereon.
  • the second transmission line 102 may be secured with a second encoding site 106 that encrypts all traffic thereon. It is expressly contemplated that the first encoding site 104 and the second encoding site 106 are separate and independent with respect to each other, and are not linked any way. Traffic on the respective transmission lines 100 , 102 is understood to be continuously encoded to reduce the likelihood of a successful intrusion.
  • the method of authenticating the user 12 begins with a step 200 of capturing a first biometric input from the user 12 on an integrated first biometric reader 48 on the mobile device 14 .
  • the mobile device 14 is understood to include a case 50 defined by opposed left and right sides 52 a , 52 b , respectively, opposed top and bottom sides 54 a , 54 b , a front face 56 on which the screen 30 and the touch input panel 32 is disposed and is coplanar therewith, and an opposite rear face 58 .
  • the biometric reader 48 may also be disposed on the front face 56 , though this is merely exemplary.
  • the biometric reader 48 may alternatively be disposed on any of the sides 52 , 54 , or the rear face 58 . Those having ordinary skill in the art will be capable of optimizing the position of the biometric reader 48 in accordance with the ergonomic needs of the user 12 . As an alternative to the integrated biometric reader 48 , it is also possible to attach an external variant via an external data communication port 62 typically included with the mobile device 14 .
  • the biometric reader 48 is a fingerprint sensor, and so the aforementioned first biometric input from the user 12 is the finger, or more specifically, the fingerprint.
  • the fingerprint sensor can be, for example, an optical sensor, an ultrasonic sensor, a passive capacitance sensor, or an active capacitance sensor.
  • the touch screen 32 may have sufficient resolution to not only detect touch input, but also to detect individual ridges and valleys of a fingerprint.
  • the biometric reader 48 is understood to be incorporated into or part of the touch screen 32 .
  • an imaging device such as the on-board camera 38 , with sufficient macro focus capabilities, may be utilized to capture an image of the fingerprint. It will be appreciated that any other type of sensor technology known in the art or otherwise can capture characteristics of a person's fingerprint can also be utilized.
  • biometrics and corresponding biometric readers in the mobile device 14 are also expressly contemplated. For instance, facial recognition and iris pattern recognition using a forward-facing camera 38 on the front face 56 of the case 50 may be possible. Additionally, the voice of the user 12 as recorded by the microphone 34 may also be utilized as the first biometric input. Although the features of the mobile device-based authentication will be described in the context of scanning fingerprints, it will be understood that any such other biometrics may be substituted. Thus, the user 12 who may not necessarily have intact fingers or clear fingerprints may also utilize the disclosed mobile device-based authentication.
  • the capture of the first biometric input may be initiated by specifying the same to a dedicated application running on the mobile device 14 .
  • a dedicated application running on the mobile device 14 .
  • the mobile device 14 may have an externally accessible hardware button 67 .
  • an indicator may be displayed on the user interface 60 , or the button 66 may be rendered in a subdued color to represent that no other function can be invoked at the same time.
  • the fingerprint is to be compared against an existing fingerprint stored remotely, so the specific finger (thumb, index, middle, ring, little) that is scanned is the same as that stored.
  • the user interface 60 may include directions to this effect.
  • an optional passcode entry dialog 72 as shown in FIG. 5B may be displayed.
  • the passcode entry dialog 72 may include activatable numerical buttons 74 that can be pressed to input a passcode.
  • the corresponding digits, which may be masked, may be displayed in a text box 76 .
  • the inputted passcode is compared to a preset passcode, and only when the two matches is access to the button 66 permitted.
  • the application interface may be also be segregated into an upper section 92 and a lower section 94 , with the button 66 being located in the lower section 94 .
  • the upper section 92 may display a barcode 96 , a QR code, or other machine readable graphical element for providing payment or discount information to a conventional reader without NFC capabilities.
  • e-commerce applications such as those available from Groupon and the like may be incorporated with the foregoing biometric input features of the present disclosure.
  • the method continues with a step 202 of deriving a first set of biometric data from the captured first biometric input.
  • a first set of biometric data In many embodiments of the fingerprint scanner, an image of the fingerprint is generated and stored in the memory 28 . Because comparison of the raw fingerprint image is computationally intensive and requires a substantial amount of processing power and memory, select highlights of pertinent points is derived. A much smaller dataset representative of the fingerprint is generated, and can be used as a basis for further comparison. Depending on security requirements and the degree of false positives or negatives acceptable, the number of elements in the first set of biometric data can be modified commensurately.
  • the method then proceeds to a step 204 of transmitting the first set of biometric data to a remote authentication server 68 , which is connected to the Internet 23 .
  • the mobile device 14 is also connected to the Internet 23 at least via the service provider 20 .
  • Other modalities by which a data communications link between the mobile device 14 and the Internet 23 can be established are also contemplated.
  • other identifying information such as a mobile device identifier number and an authentication server login account may be transmitted to the remote authentication server 68 . Due to the sensitivity of this information, the data communications link between the mobile device 14 and the remote authentication server 68 may be secured and encrypted to minimize the vulnerabilities associated with plaintext attack vectors.
  • the mobile device 14 may be placed in close proximity to an NFC receiver 70 that is connected to the site resource 40 .
  • NFC is presented by way of example only, and other competing technologies such as Bluetooth low power may also be utilized.
  • these wireless data transfer modalities is contemplated for most implementations, there are situations where hardwire transfers are appropriate as well.
  • the more likely available modality is a wired link with the mobile device 14 .
  • a secondary authentication instruction is transmitted to the site resource 40 in accordance with a step 206 .
  • the secondary authentication instruction can therefore be said to be transmitted to the site resource 40 ultimately in response to the receipt of the first biometric input.
  • the aforementioned step 204 may be omitted, that is, the first set of biometric data may be transmitted to the NFC receiver 70 instead of to the remote authentication server 68 .
  • the first set of biometric data will eventually reach the remote authentication server 68 , albeit not directly from the mobile device 14 .
  • the various steps of the method are described in a certain sequence, those having ordinary skill in the art will appreciate that some steps may take place before others, and that the order is exemplary only.
  • the method may include capturing a second biometric input from the user 12 on a second biometric reader 78 within a set time period following the receipt of the secondary authentication instruction.
  • a second set of biometric data is derived from the captured second biometric input in accordance with a step 210 .
  • the second biometric reader 78 may be any one of the more specific examples described above, such as fingerprint readers, cameras, and so on.
  • the second biometric input is understood to correspond to a second biometric feature of the user 12 .
  • the first biometric feature is the same as the second biometric feature.
  • the left thumb may be read by both the first biometric reader 48 as well as the second biometric reader 78 .
  • the first biometric feature will be different from the second biometric feature to decrease the likelihood of successful attacks.
  • the first biometric feature may be the right thumb, while the second biometric feature may be the left index finger.
  • This variation also contemplates the possibility of both of the hands of the user 12 being engaged to biometric readers concurrently or contemporaneously, though the other variation is possible where a reasonable delay between inputs are permitted before timing out.
  • the method continues with transmitting the second set of biometric data to the remote authentication server 68 from the site resource 40 .
  • the user 12 is authenticated for access to the site resource 40 .
  • the first set and second set of biometric data is validated against a pre-enrolled set of biometric data for the user 12 . If the validation fails, rather than step 214 , the method includes a step 216 of rejecting the user 12 for access to the site resource, and continues with a step 218 which may include one or more sub-procedures for additional security measures, the details of which will be considered more fully below.
  • the remote authentication server 68 includes a biometrics enrollment database 80 that stores records 82 of each user 12 registered or enrolled therewith. Each record 82 may include a user identifier 84 , an enrolled first biometric data set 86 and an enrolled second biometric data set 88 .
  • the captured biometric input corresponded to a biometric feature of the user 12 , with a reference or enrolled set being stored on the remote authentication server 68 for comparison and validation purposes.
  • the first biometric feature was the right thumb, while the second biometric feature was the left index finger.
  • Previously scanned versions of the biometric feature, and/or the corresponding set of biometric data is understood to be the aforementioned enrolled first biometric data set 86 and the enrolled second biometric data set 88 .
  • the record 82 may have other information such as a device identifier 90 that is unique to the mobile device 14 , such as an SSN (Subscriber Identity Module Serial Number), IMSI (International Mobile Subscriber Identifier), Wi-Fi MAC (Media Access Controller) number, and the like that further validate the mobile device 14 and by implication, the user 12 thereof.
  • SSN Subscriber Identity Module Serial Number
  • IMSI International Mobile Subscriber Identifier
  • Wi-Fi MAC Media Access Controller
  • the enrollment of the biometric data may be achieved in any number of conventional ways. For example, upon initial purchase of the mobile device 14 , the user 12 may be requested to go complete an enrollment procedure in which multiple biometric inputs from the user 12 are captured and uploaded to the remote authentication server 68 .
  • the user 12 is determined to be valid, and is permitted to utilize the site resource 40 .
  • the validation of the first biometric data set and the second biometric data set occurs substantially contemporaneously, that is, simultaneously, or at least perceptively simultaneously to the user 12 .
  • certain delays associated with the various data transmissions are expected, so the receipt and validation of the biometric data has a predefined timeout period. Even if there is a successful validation of the second set of biometric data, it the timeout period expires, there is an authentication failure.
  • a timeout period may also be enforced on the mobile device 14 .
  • the user interface 60 may display a countdown timer 90 .
  • the mobile device 14 is enabled to transmit the secondary authentication instruction to the site resource 40 , so long as it is in close proximity to the NFC receiver 70 .
  • further data transfers may be blocked unless the first biometric input is re-captured.
  • the countdown may be fifteen to twenty seconds in length, thought it may be any other suitable duration.
  • the duration of the countdown may be extended, possibly indefinitely, by pressing a remain active button 92 also generated on the user interface 60 . This countdown extension may be made either immediately before or after the first biometric input is captured.
  • the remote authentication server 68 may refuse to accept the first set of biometric data unless it is determined that the transmission originated from a location known to be geographically local to the site resource 40 .
  • One exemplary implementation may employ an identifier of the specific antenna tower 22 appended to the transmission of the first set of biometric data, as each antenna tower 22 has limited geographic coverage.
  • Another implementation may involve the retrieval of Global Positioning Satellite (GPS) coordinates from the mobile device 14 , and correlating it to the known geographic location of the site resource 40 .
  • GPS Global Positioning Satellite
  • This location data may be provided to the authentication server 68 upon installation of the site resource 40 , or may be transmitted together with the second set of biometric data while in use. It is understood that any transmission modality may be utilized, including hard wired and wireless connections. Those having ordinary skill in the art will recognize other possible location-based restrictions for the authentication procedure.
  • security sites to monitor for any and all erroneous, false, or compromised data/information transmissions.
  • the first security site 108 is understood to be separate and independent from the second in security site 110 .
  • each of the encoding sites 104 , 106 , the security sites 108 , 110 , and the remote authentication server 68 are understood to be independent with respect to each other, and are deployed in physically disparate locations, for example, in different cities or states. If there are security breaches in any one of these systems, it is possible to configure the same so that different governmental agencies such as the Federal Bureau of Investigation, Department of Homeland Security, the Central Intelligence Agency, the Secret Service, or private security contractors may be contacted.
  • the independent authentication but central notification is understood to reduce the possibility of successful breaches, as a coordinated attack on all five sites across disparate physical locations would be necessary otherwise.
  • the disclosed authentication modality can be utilized for permitting access to and communication with other remote resources. These communications may take place over a gateway or secured transmission site 118 .
  • the site resource 40 and the mobile device may also be referred to as access channels to the secure transmission site 118 . Access to the secured transmission site 118 is granted upon authentication of the user 12 in accordance with the foregoing steps, and may therefore be necessary to communicate with the first and second security sites 108 , 110 , the encoding sites 104 , 106 , as well as the central clearing house 98 or the remote authentication server 68 .
  • each of these systems is independent of each other, and so all communications links to the secured transmission site 118 are likewise separate and independent.
  • the first security site 108 communicates with the secured transmission site 118 over an independent transmission line 109
  • the second security site 110 communicates with the secured transmission site 118 over another independent transmission line 111
  • the first encoding site 104 communicates with the secured transmission site 118 over yet another independent transmission line 105
  • the second encoding site 106 communicates with the secured transmission site 118 over an independent transmission line 107 .
  • the information and control at the central clearing house 98 is understood to be segregated from the authentication functionality. In all instances, it is understood that there is no “bleed through” between the transmission lines 105 , 107 , 109 , and 111 , that is, the communications from the security site or encoding site to the secured transmission site are not intermingled. Thus, in the event of an attack, breach, or power failure, the remaining systems can be linked together temporarily under and emergency protocol and remain operational to provide protection.
  • the present disclosure contemplates additional measures for tracking the unauthorized possessor of the mobile device 14 , or the unauthorized user of the site resource 40 .
  • This tracking may occur on a real-time basis, and electronically “follow” those rejected until the device is discarded or the tracking functions become disabled by the depletion of battery power, re-programming, and so forth.
  • the mobile device can capture a wide variety of data from the surrounding environment, including images, video, audio, GPS coordinates, key presses, function/software interactions, and so forth.
  • he captured images need not be limited to the unauthorized user of the device 14 , but other individuals who may be nearby and different environmental visual cues. To the extent the original unauthorized user transfers possession (either intentionally or unintentionally), the mobile device 14 can continue tracking, so long as power is available and no disabling actions are taken.
  • the mobile device 14 may include a secondary biometric reader 114 , which may optionally be engaged when an authentication fails.
  • Other modalities may include a revolving, partially adhesive tape that is treated to collect epithelial and keratinocyte cells, or blood erythrocytes.
  • the second biometric reader 114 is utilized only upon a failed authentication, it is also possible to use the same for re-verifying an already authenticated user, or simultaneously to authenticate the user in the first instance.
  • various physical security devices 112 that can communicate with the remote authentication server 68 , or any of the other contemplated security systems such as the aforementioned encoding sites 104 , 106 and the security sites 108 , 110 , may be activated in response to a failed authentication.
  • Physical security devices 112 include fixed cameras in the vicinity of the site resource 40 , as well as any other monitoring device that can be activated remotely, such as parking lot cameras by which the type of automobile and license plates can be captured, and traffic or roadside cameras to determine routes of travel. Additionally, it is expressly contemplated that the physical security devices 112 also encompass audible and visual alarms, as well as confinement and/or restraint systems such as doors and other barriers that lock down the immediate vicinity.
  • Various embodiments of the present disclosure thus contemplate an emergency mode that can surreptitiously activated by an alternative biometric.
  • An emergency mode may prove useful in hostage situations, blackmail, and so forth.
  • inputting the index finger may correspond to normal access
  • inputting the ring finger may correspond to emergency mode access.
  • This emergency biometric data set 116 may also be pre-enrolled with the biometrics enrollment database 80 and associated with the user identifier 84 . In conjunction with or independently of inputting the emergency biometric, it may be possible for the user 12 to input a distress code at the site resource 40 that activates the same functionality.
  • the response protocol may also differ depending on the combination of provided inputs. For instance, providing an emergency biometric on the mobile device 14 while providing a normal biometric at the site resource 40 may signal one condition, while providing an emergency biometric to both may signal another condition. In the former case, the user 12 may be signaling that the situation is under control and no immediate response is necessary, while in the latter, the user 12 may be signaling an immediate request for armed assistance. Beyond signaling that the user is in duress, by providing the same or a different alternative biometric, it may be possible for the one user to signal that a different, third party is under duress, possibly at a different location. This may be referred to as a protection service, and may be implemented on the remote authentication server 68 or any other designated system or network.
  • the various combinations of emergency/normal biometric inputs and their corresponding intended communications may be readily modified without departing from the scope of the present disclosure.
  • Security responses to the input of the emergency biometric, whether to signal user or third party distress may be more subdued than an outright unauthorized attempt, but may include the activation of the on-board camera 38 and the microphone 34 as discussed above, along with external audio/visual monitoring devices such as the aforementioned parking lot cameras and the like. Accordingly, the mobile device 14 may continue to record and transmit environmental information to the remote authentication server 68 , or the first security site 108 . Based on the information obtained via the mobile device 14 , the situation of the user may be evaluated in order to formulate a suitable response by security personnel. The objective is to not escalate the danger to the distressed user 14 , so more drastic measures such as activating confinement systems may not be appropriate.
  • Various response protocols to user as well as third party distress as indicated through the protection service will be recognized by those having ordinary skill in the art, including denying access, allowing limited access, directing the user to a false access site or false information, and continuing to monitor the user 12 .

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Finance (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The tracking of user authentication is disclosed. A first user biometric data set is received from a mobile device on an authentication server, and a second user biometric data set is received from a site resource on the authentication server. The second user biometric is transmitted from the site resource in response to receipt of an authentication command from the mobile device on the site resource. The user is rejected for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user. A security procedure is initiated on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • The present application is a continuation-in-part of U.S. application Ser. No. 13/897,000 filed May 17, 2013 and entitled “MOBILE DEVICE-BASED AUTHENTICATION,” which is a continuation of U.S. application Ser. No. 13/246,676 filed Sep. 27, 2011 and entitled “MOBILE DEVICE-BASED AUTHENTICATION,” now issued as U.S. Pat. No. 8,473,748 on Jun. 25, 2013, the entire contents of both of which are hereby incorporated by reference.
    • STATEMENT RE: FEDERALLY SPONSORED RESEARCH/DEVELOPMENT
  • Not Applicable
    • BACKGROUND
  • 1. Technical Field
  • The present disclosure relates generally to biometric systems and access control, and more particularly, to mobile device-based authentication in connection with secure transactions.
  • 2. Related Art
  • The recognition of private property interests in general necessarily implicates the division of individuals into those with access, and those without access. Commensurate with the perceived and/or actual values of the property interests, security protocols must be established to ensure that authorized individuals readily have access, while unauthorized individuals are not, no matter what attacks and bypass attempts are made.
  • In the simplest context, one private property interest may be in a physical facility, and access to the inside may be safeguarded by a keyed mechanical lock on a door. The owner of the physical facility, along with any other individuals granted access thereby, may possess a key that unlocks the mechanical lock to open the door. Any other unauthorized individual who does not have the key will be unable to unlock the mechanical lock. The mechanical lock, of course, may be bypassed in any number of different ways, including picking the lock, destroying the lock and the door altogether, or by pilfering the key from the authorized individuals. To prevent unauthorized access despite such possible bypass attempts, the complexity of the lock may be increased, the strength of the lock and the door may be bolstered, and so forth. Increasingly sophisticated attacks may defeat these further safeguards, so security remains an ever-evolving field.
  • A property interest may also lie in an individual's bank accounts, credit card accounts, retail installment accounts, utilities accounts, or any other resource that is frequently encountered and used in modern day life, access to which must be properly limited by security systems. In many cases, these resources or property interests can be accessed electronically, and there are conventional security systems and devices that are currently in use. For example, access to monetary funds in a bank account may be possible via an automated teller machine (ATM). Before disbursing any funds, the bank (and hence the ATM) must ensure that the requestor is, indeed, who he asserts to be.
  • There are a variety of known techniques to authenticate, or verify, the identity of the requestor. Authentication may utilize one or more factors, which include something the requestor knows, something the requestor has, and something the requestor is. Most often, only one, or at most two factors are utilized because of the added cost and complexity of implementing additional authentication factors. In the ATM example, the ATM card with basic accountholder information encoded thereon is one factor (something the requestor has), and access to the account is granted only upon the successful validation of a corresponding personal identification number (PIN, or something the requestor knows). Conventional banking services are also accessible online through the Internet, and while most financial-related web services have additional security measures, access to some other less critical web services may be protected only with an account name and a password constituting a single factor (something the requestor/user knows).
  • The secret nature of passwords and PINs, at least in theory, is intended to prevent unauthorized access. In practice, this technique is ineffective because the authorized users oftentimes mistakenly and unwittingly reveal their passwords or PINs to an unauthorized user. Furthermore, brute-force techniques involving the entry of every combination of letters, numbers, and symbols, as well as dictionary-based techniques, may further compromise the effectiveness of such authentication systems. Because passwords and PINs must be memorized, users often choose words that are easier to remember, making it more susceptible to defeat by means of dictionary attacks. On the other hand, the more complex the passwords are required to be, and hence more difficult to remember, the more likely that the password will be written on something easily accessible, for both the legitimate and malicious user, in the vicinity of the computer. The usability of the PIN or password is an increasing concern due to the number of services that employ such security modalities.
  • As briefly mentioned above, various hardware devices may be employed as a second authentication factor. These include simple magnetic strip encoded cards such as the aforementioned ATM card, as well as radio frequency identification (RFID) devices, both of which require specific readers at the point of access. Greater levels of protection are possible with sophisticated tokens that generate unique codes or one-time passwords that are provided in conjunction with a first authentication factor. However, token devices are expensive to license, expensive to maintain, and cumbersome for the user to carry. As with any diminutive device, tokens are easy to lose, especially when it represents yet another addition to the clutter of items that must be managed and carried on the person on a daily basis; many individuals already have enough difficulty keeping track of keys, wallets, and mobile phones.
  • Acknowledging that the conventional mobile phone is ubiquitous and is kept readily accessible, such devices may also be employed as a second hardware authentication factor. Prior to accessing an online service, a one-time password may be sent to the mobile phone, the number for which is pre-registered with the service, as a Short Message Service (SMS) text message. Access is authorized when the same text message sent to the mobile phone is re-entered to the service.
  • Much functionality is converging upon the mobile phone, particularly those full-featured variants that have substantial computing resources for accessing the web, run various software applications, and so forth, which are referred to in the art as a smart phone. For instance, credit card payments and the act of physically presenting the physical card itself may be replaced with a software application running on the smart phone. The application may be in communication with a point of sale (POS) terminal via a modality such as Near Field Communication (NFC) or Bluetooth low energy, and transmits credit card payment information, such as credit card number, expiration date, billing ZIP code, and other such verification information. The POS terminal may then complete the payment process with the received information. Domestically, services such as Google Wallet are in existence and progressing toward widespread deployment. Besides NFC and Bluetooth low energy, it is possible to utilize RFID (Radio Frequency Identification) type devices that are encoded with the aforementioned data.
  • As an additional authentication measure, a third factor utilizes unique biometric attributes of a person such as fingerprints, retinal and facial patterns, voice characteristics, and handwriting patterns. Although prior biometric systems were challenging to implement because of the high costs associated with accurate reader devices and database systems for storing and quickly retrieving enrollment data, the increasing demand for biometrics-based security has resulted in the development of substantially improved reader devices, and user interfaces and back-end systems therefor. Currently there are fingerprint reader peripheral devices that are connectible to a Universal Serial Bus (USB) port on personal computer system, and restrict access without providing a valid, enrolled fingerprint. Mobile devices may also be incorporated with biometric readers, and front-facing video cameras such as those already existing in smart phones such as the Apple iPhone may be utilized for facial recognition.
  • As noted above, there are divergent proposals for solving the issue of authenticating a user of remote service resources and ensuring that the user is, indeed, who he asserts he is. Thus, there is a need in the art for an improved mobile device-based authentication in connection with secure transactions. Furthermore, while existing systems simply deny access to the requested service when authentication fails, there is a need in the art for additional security measures to be taken in response to a failed authentication.
    • BRIEF SUMMARY
  • In accordance with various embodiments of the present disclosure, there is contemplated a method for tracking user authentication. The method may include receiving a first user biometric data set from a mobile device on an authentication server. Additionally, the method may include receiving a second user biometric data set from a site resource on the authentication server. The second user biometric may be transmitted from the site resource in response to receipt of an authentication command from the mobile device on the site resource. There may additionally be a step of rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server. Furthermore, the method may include initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource. Thus, real-time feedback from the user is possible for any possible security breaches, with immediate access to recent use. Furthermore, a user can be tracked under preset parameters, and additional desired and pertinent data can be accumulated for security purposes.
  • As an alternative to rejecting the user upon a failed biometric entry, the method may involve setting an emergency mode if either one of the first set of biometric data and the second set of biometric data is validated against a pre-enrolled emergency biometric data. The pre-enrolled emergency biometric data may be stored on the remote authentication server. Similarly, the method may continue with initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to setting the emergency mode.
  • According to another embodiment, there may be a method of authenticating a user to a site resource. The method may include capturing a first biometric input from the user on an integrated first biometric reader on a mobile device. The first biometric input may correspond to a first biometric feature of the user. There may be a step of deriving a first set of biometric data from the captured first biometric input, followed by transmitting the first set of biometric data to a remote authentication server from the mobile device. Additionally, there may be a step of capturing a second biometric input from the user on a second biometric reader connected to the site resource. This may proceed in response to the secondary authentication instruction. The second biometric input may correspond to a second biometric feature of the user. There may be a step of deriving a second set of biometric data from the captured second biometric input, then transmitting the second set of biometric data to the remote authentication server from the site resource. The method may include rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server. Then, there may be a step of initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource. The first set of biometric data and the second set of biometric data are transmitted to the remote authentication server for validation.
  • Certain other embodiments of the present disclosure contemplate respective computer-readable program storage media that each tangibly embodies one or more programs of instructions executable by a data processing device to perform the foregoing method. The present disclosure will be best understood by reference to the following detailed description when read in conjunction with the accompanying drawings.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • These and other features and advantages of the various embodiments disclosed herein will be better understood with respect to the following description and drawings, in which:
  • FIG. 1 is a block diagram illustrating an exemplary environment in which embodiments of the present disclosure may be implemented;
  • FIG. 2 is a block diagram of another exemplary environment utilizing secured communications channels and external monitoring sites to provide additional layers of security for the methods of the present disclosure;
  • FIG. 3 is a flowchart illustrating one embodiment of the contemplated method for authenticating a user to a site resource;
  • FIG. 4 is a perspective view of a first embodiment of a mobile device which may be utilized in connection with the present disclosure including a fingerprint reader and a front-facing camera; and
  • FIGS. 5A, 5B and 5C show an exemplary user interface for a software application running on the mobile device for authenticating the user to the site resource in various states.
    •
  • Common reference numerals are used throughout the drawings and the detailed description to indicate the same elements.
    • DETAILED DESCRIPTION
  • The detailed description set forth below in connection with the appended drawings is intended as a description of the presently contemplated embodiments of mobile device-based authentication, and is not intended to represent the only form in which the disclosed invention may be developed or utilized. The description sets forth the various functions and features in connection with the illustrated embodiments. It is to be understood, however, that the same or equivalent functions may be accomplished by different embodiments that are also intended to be encompassed within the scope of the present disclosure. It is further understood that the use of relational terms such as first and second and the like are used solely to distinguish one from another entity without necessarily requiring or implying any actual such relationship or order between such entities.
  • The block diagram of FIG. 1 depicts one exemplary environment 10 in which various embodiments of the present disclosure may be implemented. A user 12 is in physical possession of a mobile device 14 that has various data processing and communications features as will be detailed more fully below. The mobile device 14 is a smart phone type apparatus that has a wireless network connectivity module 16 for placing telephone calls over a mobile telecommunications network 18 managed by a service provider 20, among other functions. The service provider 20 is understood to be connected to a greater telephone network 21. Currently several competing communication protocols, standards, and technologies such as CDMA2000, EDGE, UMTS, and so forth are deployed, depending on the service provider 20. As will be recognized by those having ordinary skill in the art, the wireless network connectivity module 16 includes components such as the RF (radio frequency) transceiver, the RF modulator/demodulator, the RF front end module, one or more antennas, digital/analog converters, among other minor components as implemented in conventional communications devices. As will also be recognized, the relatively short range of wireless transmissions between the mobile device 14, there are multiple antenna towers 22 a-c, for example, that provide coverage for separate geographic areas 24 a-c, respectively. The operational principles of the telecommunications network 18 in conjunction with the wireless network connectivity module 16 are well known in the art, and to the extent any specifics are described, it is by way of example only and not of limitation.
  • The wireless network connectivity module 16 may also be utilized for data communications besides voice telephone calls. In this regard, the service provider 20 may also have a link to the Internet 23, the utility for which will become more apparent below. Aside from utilizing the mobile telecommunications network 18, the wireless network connectivity module 16 may be configured for Wi-Fi (IEEE 8012.11x), Bluetooth, and the like. One data communications modality that is also understood to be incorporated into the mobile device 14 is Near Field Communication (NFC), which facilitates simple data transfers between closely positioned transceivers. Although some implementations may involve the integration of NFC functionality into the wireless network connectivity module 16 and reusing the same sub-components, the embodiment shown in FIG. 1 contemplates a separate NFC module 24.
  • Among other functions, the higher level data transfer link management functions are handled by a general purpose data processor 26. In particular, the general purpose data processor 26 executes programmed instructions that are stored in a memory 28. These tangibly embodied instructions, when executed may perform the contemplated method of authenticating the user 12 with the mobile device 14. Additionally, the mobile device 14 may have stored thereon programmed instructions that comprise software applications that provide functionality in addition to making and receiving telephone calls, such as simple message service (SMS) text messaging, e-mail, calendars/to-do, photography, videography, media playback, and web browsing, among many others. Some advanced mobile devices 14 may have a dedicated graphics processor and other enhancements that accelerate performance, though for purposes of the present disclosure and the mobile device 14, such components are understood to be subsumed within the term, general purpose data processor 26.
  • The results of the computation performed by the general purpose data processor 26, and in particular the user interface for the applications, is displayed or output to a screen 30. Commonly, the screen 30 is a liquid crystal display (LCD) device of varying dimensions fitted to the housing of the mobile device 14. Inputs for the computation and other instructions to the application are provided via a touch input panel 32 that may be overlaid on the screen 30. In some implementations, the screen 30 and the touch input panel 32 are integrated, however. Besides the touch input panel 32, there may be alternative input modalities such as a keypad. The arrangement of the keys may be different to fit within the dimensions of the mobile device 14. Along these lines, other input/output devices such as a microphone 34 for receiving audio or voice signals is included, as well as a speaker 36 for outputting audio. For providing visual data to the mobile device 14, there may be an integrated camera 38 comprised of a lens, an imaging sensor, and a dedicated image processor connected to the general purpose data processor 26. The camera 38 may be utilized to capture still images as well as a video stream, the data for which is stored on the memory 28. Additional uses for the camera 38 are contemplated in accordance with various embodiments of the present disclosure, the details of which will be described more fully below.
  • There are numerous variations of the mobile device 14 or smart phone that are currently available on the market. Some notable ones include the iPhone from Apple, Inc. and the DROID from Motorola, Inc. It is also contemplated that various embodiments of the present disclosure may be implemented on mobile devices 14 besides smart phones or cellular phones, such as tablet-type devices including the iPad from Apple, Inc., full features media player devices including the iPod again from Apple, Inc., and other portable digital assistant-type devices. The specifics of the mobile device 14 are presented by way of example only and not of limitation, and any other suitable mobile device 14 may be substituted.
  • Broadly, one aspect of the present disclosure contemplates the use of the mobile device 14 to authenticate the user 12 for access to a site resource 40. In one example illustrated in the block diagram of FIG. 1, the site resource 40 is a point of sale (POS) terminal 42 and its associated components. In another example, the site resource 40 is an automated teller machine (ATM), and in yet another example, the site resource 40 is a personal computer system 46. In each of these examples, the site resource 40 is protected from unauthorized access, and the disclosed method for authenticating the user 12 may be utilized to permit access. Accordingly, as referenced herein, the site resource 40 is understood to encompass any access-limited system, including physical facilities, financial accounts, and so forth. The following description will be in the context of the POS terminal 42, but one of ordinary skill in the art will readily recognize the applicability or non-applicability and necessary substitutions for various disclosed features to implement the contemplated mobile device-based authentication in other contexts.
  • One exemplary organization of exemplary environment and its constituent components is more broadly illustrated in FIG. 2. As will be described in more detail below, the user 12 provides credentials to both the site resource 40 and the mobile device 14, both of which independently transmit this data to the remote authentication server 68, also referred to as a central clearing house 98 to the extent additional functions besides authentication are implemented thereon. In this regard, the transmissions from the mobile device 14 may take place over a first transmission line 100, while the transmissions from the site resource 40 may take place over a second transmission line 102. The first transmission line 100 may be secured with a first encoding site 104 that encrypts all traffic thereon. Similarly, the second transmission line 102 may be secured with a second encoding site 106 that encrypts all traffic thereon. It is expressly contemplated that the first encoding site 104 and the second encoding site 106 are separate and independent with respect to each other, and are not linked any way. Traffic on the respective transmission lines 100, 102 is understood to be continuously encoded to reduce the likelihood of a successful intrusion.
  • With additional reference to the flowchart of FIG. 3, the method of authenticating the user 12 begins with a step 200 of capturing a first biometric input from the user 12 on an integrated first biometric reader 48 on the mobile device 14. As shown in FIG. 4, the mobile device 14 is understood to include a case 50 defined by opposed left and right sides 52 a, 52 b, respectively, opposed top and bottom sides 54 a, 54 b, a front face 56 on which the screen 30 and the touch input panel 32 is disposed and is coplanar therewith, and an opposite rear face 58. The biometric reader 48 may also be disposed on the front face 56, though this is merely exemplary. The biometric reader 48 may alternatively be disposed on any of the sides 52, 54, or the rear face 58. Those having ordinary skill in the art will be capable of optimizing the position of the biometric reader 48 in accordance with the ergonomic needs of the user 12. As an alternative to the integrated biometric reader 48, it is also possible to attach an external variant via an external data communication port 62 typically included with the mobile device 14.
  • In one embodiment, the biometric reader 48 is a fingerprint sensor, and so the aforementioned first biometric input from the user 12 is the finger, or more specifically, the fingerprint. The fingerprint sensor can be, for example, an optical sensor, an ultrasonic sensor, a passive capacitance sensor, or an active capacitance sensor. It is also contemplated that the touch screen 32 may have sufficient resolution to not only detect touch input, but also to detect individual ridges and valleys of a fingerprint. In such embodiments, the biometric reader 48 is understood to be incorporated into or part of the touch screen 32. Instead of the fingerprint sensor, an imaging device such as the on-board camera 38, with sufficient macro focus capabilities, may be utilized to capture an image of the fingerprint. It will be appreciated that any other type of sensor technology known in the art or otherwise can capture characteristics of a person's fingerprint can also be utilized.
  • Implementation of other types of biometrics and corresponding biometric readers in the mobile device 14 are also expressly contemplated. For instance, facial recognition and iris pattern recognition using a forward-facing camera 38 on the front face 56 of the case 50 may be possible. Additionally, the voice of the user 12 as recorded by the microphone 34 may also be utilized as the first biometric input. Although the features of the mobile device-based authentication will be described in the context of scanning fingerprints, it will be understood that any such other biometrics may be substituted. Thus, the user 12 who may not necessarily have intact fingers or clear fingerprints may also utilize the disclosed mobile device-based authentication.
  • The capture of the first biometric input may be initiated by specifying the same to a dedicated application running on the mobile device 14. With reference to an exemplary user interface 60 of the application shown in FIG. 5A, there may be an activatable button 66 that can be “pressed” by the user 12 with the appropriate, pre-designated finger positioned on the biometric reader 48. Instead of an application interface-based button 66, the mobile device 14 may have an externally accessible hardware button 67. As the biometric reader 48 acquires the image of the fingerprint, an indicator may be displayed on the user interface 60, or the button 66 may be rendered in a subdued color to represent that no other function can be invoked at the same time. The fingerprint is to be compared against an existing fingerprint stored remotely, so the specific finger (thumb, index, middle, ring, little) that is scanned is the same as that stored. To enforce the scanning of the proper finger, the user interface 60 may include directions to this effect.
  • Before displaying the activatable button 66 for initiating the capture of the biometric input, an optional passcode entry dialog 72 as shown in FIG. 5B may be displayed. In further detail, the passcode entry dialog 72 may include activatable numerical buttons 74 that can be pressed to input a passcode. The corresponding digits, which may be masked, may be displayed in a text box 76. The inputted passcode is compared to a preset passcode, and only when the two matches is access to the button 66 permitted.
  • As shown in FIG. 5C, the application interface may be also be segregated into an upper section 92 and a lower section 94, with the button 66 being located in the lower section 94. The upper section 92 may display a barcode 96, a QR code, or other machine readable graphical element for providing payment or discount information to a conventional reader without NFC capabilities. Along these lines, e-commerce applications such as those available from Groupon and the like may be incorporated with the foregoing biometric input features of the present disclosure.
  • Referring again to the flowchart of FIG. 3, the method continues with a step 202 of deriving a first set of biometric data from the captured first biometric input. In many embodiments of the fingerprint scanner, an image of the fingerprint is generated and stored in the memory 28. Because comparison of the raw fingerprint image is computationally intensive and requires a substantial amount of processing power and memory, select highlights of pertinent points is derived. A much smaller dataset representative of the fingerprint is generated, and can be used as a basis for further comparison. Depending on security requirements and the degree of false positives or negatives acceptable, the number of elements in the first set of biometric data can be modified commensurately.
  • The method then proceeds to a step 204 of transmitting the first set of biometric data to a remote authentication server 68, which is connected to the Internet 23. As indicated above, the mobile device 14 is also connected to the Internet 23 at least via the service provider 20. Other modalities by which a data communications link between the mobile device 14 and the Internet 23 can be established are also contemplated. Together with the first set of biometric data, other identifying information such as a mobile device identifier number and an authentication server login account may be transmitted to the remote authentication server 68. Due to the sensitivity of this information, the data communications link between the mobile device 14 and the remote authentication server 68 may be secured and encrypted to minimize the vulnerabilities associated with plaintext attack vectors.
  • Sometime after capturing the first biometric input and deriving the first set of biometric data therefrom, the mobile device 14 may be placed in close proximity to an NFC receiver 70 that is connected to the site resource 40. The use of NFC herein is presented by way of example only, and other competing technologies such as Bluetooth low power may also be utilized. Furthermore, although the use of these wireless data transfer modalities is contemplated for most implementations, there are situations where hardwire transfers are appropriate as well. For example, when communicating the with personal computer system 46, the more likely available modality is a wired link with the mobile device 14. When within the operational transmission distance, or when otherwise ready to initiate a transmission, a secondary authentication instruction is transmitted to the site resource 40 in accordance with a step 206. The secondary authentication instruction can therefore be said to be transmitted to the site resource 40 ultimately in response to the receipt of the first biometric input. In some embodiments, the aforementioned step 204 may be omitted, that is, the first set of biometric data may be transmitted to the NFC receiver 70 instead of to the remote authentication server 68. The first set of biometric data will eventually reach the remote authentication server 68, albeit not directly from the mobile device 14. Along these lines, while the various steps of the method are described in a certain sequence, those having ordinary skill in the art will appreciate that some steps may take place before others, and that the order is exemplary only.
  • Next, according to step 208, the method may include capturing a second biometric input from the user 12 on a second biometric reader 78 within a set time period following the receipt of the secondary authentication instruction. Again, a second set of biometric data is derived from the captured second biometric input in accordance with a step 210. Like the first biometric reader 48, the second biometric reader 78 may be any one of the more specific examples described above, such as fingerprint readers, cameras, and so on.
  • The second biometric input is understood to correspond to a second biometric feature of the user 12. There may be implementations and configurations in which the first biometric feature is the same as the second biometric feature. For example, the left thumb may be read by both the first biometric reader 48 as well as the second biometric reader 78. Preferably, however, the first biometric feature will be different from the second biometric feature to decrease the likelihood of successful attacks. In another example illustrating this aspect, the first biometric feature may be the right thumb, while the second biometric feature may be the left index finger. This variation also contemplates the possibility of both of the hands of the user 12 being engaged to biometric readers concurrently or contemporaneously, though the other variation is possible where a reasonable delay between inputs are permitted before timing out.
  • In accordance with step 212, the method continues with transmitting the second set of biometric data to the remote authentication server 68 from the site resource 40. Now, with both the first set and the second set of biometric data as provided to the mobile device 14 and the site resource 40, respectively, per step 214, the user 12 is authenticated for access to the site resource 40. More particularly, the first set and second set of biometric data is validated against a pre-enrolled set of biometric data for the user 12. If the validation fails, rather than step 214, the method includes a step 216 of rejecting the user 12 for access to the site resource, and continues with a step 218 which may include one or more sub-procedures for additional security measures, the details of which will be considered more fully below.
  • As shown in the block diagram of FIG. 1, the remote authentication server 68 includes a biometrics enrollment database 80 that stores records 82 of each user 12 registered or enrolled therewith. Each record 82 may include a user identifier 84, an enrolled first biometric data set 86 and an enrolled second biometric data set 88. Previously, it was noted that the captured biometric input corresponded to a biometric feature of the user 12, with a reference or enrolled set being stored on the remote authentication server 68 for comparison and validation purposes. In the illustrated example, the first biometric feature was the right thumb, while the second biometric feature was the left index finger. Previously scanned versions of the biometric feature, and/or the corresponding set of biometric data is understood to be the aforementioned enrolled first biometric data set 86 and the enrolled second biometric data set 88. In addition to the foregoing, the record 82 may have other information such as a device identifier 90 that is unique to the mobile device 14, such as an SSN (Subscriber Identity Module Serial Number), IMSI (International Mobile Subscriber Identifier), Wi-Fi MAC (Media Access Controller) number, and the like that further validate the mobile device 14 and by implication, the user 12 thereof.
  • As will be recognized by those having ordinary skill in the art, the enrollment of the biometric data may be achieved in any number of conventional ways. For example, upon initial purchase of the mobile device 14, the user 12 may be requested to go complete an enrollment procedure in which multiple biometric inputs from the user 12 are captured and uploaded to the remote authentication server 68.
  • If it is determined that the pre-enrolled set of biometric data is matched to the received first set of biometric (from the mobile device 14) and the second set of biometric data (from the second biometric reader 78 connected to the site resource 40), then the user 12 is determined to be valid, and is permitted to utilize the site resource 40. The validation of the first biometric data set and the second biometric data set occurs substantially contemporaneously, that is, simultaneously, or at least perceptively simultaneously to the user 12. Of course, certain delays associated with the various data transmissions are expected, so the receipt and validation of the biometric data has a predefined timeout period. Even if there is a successful validation of the second set of biometric data, it the timeout period expires, there is an authentication failure.
  • A timeout period may also be enforced on the mobile device 14. Referring to FIG. 5A, after the first biometric input is captured, the user interface 60 may display a countdown timer 90. During the countdown, the mobile device 14 is enabled to transmit the secondary authentication instruction to the site resource 40, so long as it is in close proximity to the NFC receiver 70. Upon expiration of the countdown, further data transfers may be blocked unless the first biometric input is re-captured. In one embodiment, the countdown may be fifteen to twenty seconds in length, thought it may be any other suitable duration. The duration of the countdown may be extended, possibly indefinitely, by pressing a remain active button 92 also generated on the user interface 60. This countdown extension may be made either immediately before or after the first biometric input is captured.
  • For additional security, the remote authentication server 68 may refuse to accept the first set of biometric data unless it is determined that the transmission originated from a location known to be geographically local to the site resource 40. One exemplary implementation may employ an identifier of the specific antenna tower 22 appended to the transmission of the first set of biometric data, as each antenna tower 22 has limited geographic coverage. Another implementation may involve the retrieval of Global Positioning Satellite (GPS) coordinates from the mobile device 14, and correlating it to the known geographic location of the site resource 40. This location data may be provided to the authentication server 68 upon installation of the site resource 40, or may be transmitted together with the second set of biometric data while in use. It is understood that any transmission modality may be utilized, including hard wired and wireless connections. Those having ordinary skill in the art will recognize other possible location-based restrictions for the authentication procedure.
  • Referring again to the block diagram of FIG. 2, in addition to the foregoing authentication modalities that involve the remote authentication server 68, it is possible to utilize security sites to monitor for any and all erroneous, false, or compromised data/information transmissions. There may be separate security sites for each transmission line, though each of the security sites is contemplated to protect the authentication server 68 against physical and electronic breaches. For example, there may be a first security site 108 to monitor the validity of transmissions between the mobile device 14 and the remote authentication server 68 over the first transmission line 100, as well as a second security system 110 to monitor the validity of transmissions between the site resource 40 and the remote authentication server 68 over the second transmission line 102. Like the aforementioned first encoding site 104 and the second encoding site 106, the first security site 108 is understood to be separate and independent from the second in security site 110. Indeed, each of the encoding sites 104, 106, the security sites 108, 110, and the remote authentication server 68 are understood to be independent with respect to each other, and are deployed in physically disparate locations, for example, in different cities or states. If there are security breaches in any one of these systems, it is possible to configure the same so that different governmental agencies such as the Federal Bureau of Investigation, Department of Homeland Security, the Central Intelligence Agency, the Secret Service, or private security contractors may be contacted. The independent authentication but central notification is understood to reduce the possibility of successful breaches, as a coordinated attack on all five sites across disparate physical locations would be necessary otherwise.
  • Beyond authorizing the user 12 for access to the site resource 40, the disclosed authentication modality can be utilized for permitting access to and communication with other remote resources. These communications may take place over a gateway or secured transmission site 118. In this regard, the site resource 40 and the mobile device may also be referred to as access channels to the secure transmission site 118. Access to the secured transmission site 118 is granted upon authentication of the user 12 in accordance with the foregoing steps, and may therefore be necessary to communicate with the first and second security sites 108, 110, the encoding sites 104, 106, as well as the central clearing house 98 or the remote authentication server 68. As explained above, each of these systems is independent of each other, and so all communications links to the secured transmission site 118 are likewise separate and independent. Thus, the first security site 108 communicates with the secured transmission site 118 over an independent transmission line 109, while the second security site 110 communicates with the secured transmission site 118 over another independent transmission line 111. Similarly, the first encoding site 104 communicates with the secured transmission site 118 over yet another independent transmission line 105, and the second encoding site 106 communicates with the secured transmission site 118 over an independent transmission line 107. The information and control at the central clearing house 98 is understood to be segregated from the authentication functionality. In all instances, it is understood that there is no “bleed through” between the transmission lines 105, 107, 109, and 111, that is, the communications from the security site or encoding site to the secured transmission site are not intermingled. Thus, in the event of an attack, breach, or power failure, the remaining systems can be linked together temporarily under and emergency protocol and remain operational to provide protection.
  • As indicated above, when the authentication is unsuccessful for one reason or another in accordance with step 216, for example, when any biometric is rejected by any security modality disclosed herein, the present disclosure contemplates additional measures for tracking the unauthorized possessor of the mobile device 14, or the unauthorized user of the site resource 40. This tracking may occur on a real-time basis, and electronically “follow” those rejected until the device is discarded or the tracking functions become disabled by the depletion of battery power, re-programming, and so forth. In the interim, the mobile device can capture a wide variety of data from the surrounding environment, including images, video, audio, GPS coordinates, key presses, function/software interactions, and so forth. he captured images need not be limited to the unauthorized user of the device 14, but other individuals who may be nearby and different environmental visual cues. To the extent the original unauthorized user transfers possession (either intentionally or unintentionally), the mobile device 14 can continue tracking, so long as power is available and no disabling actions are taken.
  • Subsequent identification of unauthorized users, and to provide as much information thereon, is understood to be the purpose of this data acquisition, and the aforementioned image, video, and audio data is helpful in this regard. In addition to these modalities, it may also be possible to capture DNA samples directly via the mobile device 14. One possible implementation may utilize a DNA authentication device developed by Nucleix Ltd. of Tel Aviv, Israel, which can so capture samples from the user. Thus, the mobile device 14 may include a secondary biometric reader 114, which may optionally be engaged when an authentication fails. Other modalities may include a revolving, partially adhesive tape that is treated to collect epithelial and keratinocyte cells, or blood erythrocytes. Those having ordinary skill in the art will recognize that other devices that can also capture DNA samples for further processing and aiding in the identification of an unauthorized user can be substituted. Although in one contemplated embodiment the second biometric reader 114 is utilized only upon a failed authentication, it is also possible to use the same for re-verifying an already authenticated user, or simultaneously to authenticate the user in the first instance.
  • Security features other than those possible through the mobile device 14 are also contemplated. With reference again to the block diagram of FIG. 1, various physical security devices 112 that can communicate with the remote authentication server 68, or any of the other contemplated security systems such as the aforementioned encoding sites 104, 106 and the security sites 108, 110, may be activated in response to a failed authentication. Physical security devices 112 include fixed cameras in the vicinity of the site resource 40, as well as any other monitoring device that can be activated remotely, such as parking lot cameras by which the type of automobile and license plates can be captured, and traffic or roadside cameras to determine routes of travel. Additionally, it is expressly contemplated that the physical security devices 112 also encompass audible and visual alarms, as well as confinement and/or restraint systems such as doors and other barriers that lock down the immediate vicinity.
  • While a failed authentication in response to attempted use by a person other than the rightful user is the most typical use case, there may be some instances where an otherwise authorized user may desire to activate the aforementioned tracking and feedback modalities. For instance, the authorized user may, under duress, be coerced into providing access to the site resource 40. Various embodiments of the present disclosure thus contemplate an emergency mode that can surreptitiously activated by an alternative biometric. An emergency mode may prove useful in hostage situations, blackmail, and so forth. In the case of a fingerprint reader, inputting the index finger may correspond to normal access, while inputting the ring finger may correspond to emergency mode access. This emergency biometric data set 116 may also be pre-enrolled with the biometrics enrollment database 80 and associated with the user identifier 84. In conjunction with or independently of inputting the emergency biometric, it may be possible for the user 12 to input a distress code at the site resource 40 that activates the same functionality.
  • The response protocol may also differ depending on the combination of provided inputs. For instance, providing an emergency biometric on the mobile device 14 while providing a normal biometric at the site resource 40 may signal one condition, while providing an emergency biometric to both may signal another condition. In the former case, the user 12 may be signaling that the situation is under control and no immediate response is necessary, while in the latter, the user 12 may be signaling an immediate request for armed assistance. Beyond signaling that the user is in duress, by providing the same or a different alternative biometric, it may be possible for the one user to signal that a different, third party is under duress, possibly at a different location. This may be referred to as a protection service, and may be implemented on the remote authentication server 68 or any other designated system or network. The various combinations of emergency/normal biometric inputs and their corresponding intended communications may be readily modified without departing from the scope of the present disclosure.
  • Security responses to the input of the emergency biometric, whether to signal user or third party distress, may be more subdued than an outright unauthorized attempt, but may include the activation of the on-board camera 38 and the microphone 34 as discussed above, along with external audio/visual monitoring devices such as the aforementioned parking lot cameras and the like. Accordingly, the mobile device 14 may continue to record and transmit environmental information to the remote authentication server 68, or the first security site 108. Based on the information obtained via the mobile device 14, the situation of the user may be evaluated in order to formulate a suitable response by security personnel. The objective is to not escalate the danger to the distressed user 14, so more drastic measures such as activating confinement systems may not be appropriate. Various response protocols to user as well as third party distress as indicated through the protection service will be recognized by those having ordinary skill in the art, including denying access, allowing limited access, directing the user to a false access site or false information, and continuing to monitor the user 12.
  • The particulars shown herein are by way of example and for purposes of illustrative discussion of the embodiments of the present disclosure only and are presented in the cause of providing what is believed to be the most useful and readily understood description of the principles and conceptual aspects. In this regard, no attempt is made to show details of the present invention with more particularity than is necessary, the description taken with the drawings making apparent to those skilled in the art how the several forms of the present invention may be embodied in practice.

Claims (29)

1. A method for tracking user authentication, comprising:
receiving a first user biometric data set from a mobile device on an authentication server;
receiving a second user biometric data set from a site resource on the authentication server, the second user biometric being transmitted from the site resource in response to receipt of an authentication command from the mobile device on the site resource;
rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server; and
initiating a security procedure independent of access to the site resource on either one or both of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource.
2. The method of claim 1, wherein the security procedure includes recording at least one image from an on-board camera on the mobile device.
3. The method of claim 1, wherein the security procedure includes recording at least one sequence of audio from an on-board microphone on the mobile device.
4. The method of claim 1, wherein the security procedure includes recording at least one sequence of combined video and audio from an on-board microphone and an on-board camera both on the mobile device.
5. The method of claim 1, wherein the security procedure includes capturing a DNA sample from a user of the mobile device.
6. The method of claim 1, wherein the security procedure includes storing a set of coordinates retrieved from an on-board geolocation module on the mobile device.
7. The method of claim 1, wherein the security procedure includes activating a remote physical security device from the remote authentication server.
8. The method of claim 7, wherein the remote physical security device is a video camera covering a vicinity of the user as reported by an on-board geolocation module on the mobile device.
9. The method of claim 7, wherein the remote physical security device is a confinement device activated against the user.
10. A method for tracking user authentication, the method comprising:
receiving a first user biometric data set from a mobile device on an authentication server;
receiving a second user biometric data set from a site resource on the authentication server, the second user biometric being transmitted from the site resource in response to receipt of an authentication command from the mobile device on the site resource;
setting an emergency mode if either one of the first set of biometric data and the second set of biometric data is validated against a pre-enrolled emergency biometric data different from a pre-enrolled authentication biometric data, the pre-enrolled authentication biometric data and the pre-enrolled emergency biometric data being stored on the remote authentication server; and
initiating a security procedure independent of access to the site resource on either one or both of the mobile device and a remote physical device separate from the mobile device in response to setting the emergency mode.
11. The method of claim 10, further comprising:
rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not validated against respective first and second sets of the pre-enrolled authentication biometric data for the user stored independently of each other on the remote authentication server.
12. The method of claim 11, wherein the pre-enrolled authentication biometric data corresponds to a first biometric feature of the user, and the pre-enrolled emergency biometric data corresponds to a second biometric feature of the user different from the first biometric feature.
13. The method of claim 12, wherein the pre-enrolled emergency biometric data is for a first finger of the user, and the pre-enrolled authentication biometric data is for a second finger of the user.
14. The method of claim 10, further comprising:
setting a secondary emergency mode if either one of the first set of biometric data and the second set of biometric data is validated against a pre-enrolled secondary emergency biometric data stored on the remote authentication server;
wherein the secondary emergency mode corresponds to a third party being endangered, the third party being different from a user to which the first set of biometric data and the second set of biometric data correspond.
15. The method of claim 10, wherein the security procedure includes recording at least one image from an on-board camera on the mobile device.
16. The method of claim 10, wherein the security procedure includes recording at least one sequence of audio from an on-board microphone on the mobile device.
17. The method of claim 10, wherein the security procedure includes recording at least one sequence of combined video and audio from an on-board microphone and an on-board camera both on the mobile device.
18. The method of claim 10, wherein the security procedure includes capturing a DNA sample from a user of the mobile device.
19. The method of claim 10, wherein the security procedure includes activating a remote physical security device from the remote authentication server.
20. The method of claim 19, wherein the remote physical security device is a video camera covering a vicinity of the user as reported by an on-board geolocation module on the mobile device.
21. The method of claim 19, wherein the remote physical security device is a confinement device activated against the user.
22. The method of claim 10, further comprising:
denying access to the site resource.
23. The method of claim 10, further comprising:
permitting limited access to the site resource.
24. The method of claim 10, further comprising:
permitting access to a decoy site resource.
25. A method of authenticating a user to a site resource, comprising:
capturing a first biometric input from the user on an integrated first biometric reader on a mobile device, the first biometric input corresponding to a first biometric feature of the user;
deriving a first set of biometric data from the captured first biometric input;
transmitting the first set of biometric data to a remote authentication server from the mobile device;
transmitting a secondary authentication instruction to the site resource directly from the mobile device in response to receipt of the first biometric input;
capturing a second biometric input from the user on a second biometric reader connected to the site resource in response to the secondary authentication instruction, the second biometric input corresponding to a second biometric feature of the user;
deriving a second set of biometric data from the captured second biometric input;
transmitting the second set of biometric data to the remote authentication server from the site resource;
rejecting the user for access to the site resource if either one of the first set of biometric data and the second set of biometric data is not concurrently and independently validated against respective first and second sets of pre-enrolled biometric data for the user stored independently of each other on the remote authentication server; and
initiating a security procedure on at least one of the mobile device and a remote physical device separate from the mobile device in response to the rejecting of the user for access to the site resource;
wherein the first set of biometric data and the second set of biometric data are transmitted to the remote authentication server for validation.
26. The method of claim 25, wherein the user is rejected when the first set of biometric data and the second set of biometric data were captured and transmitted outside a predefined timeout period.
27. The method of claim 25, wherein the user is rejected when the first set of biometric data and the second set of biometric data were captured and transmitted from locations outside a predefined proximity to each other.
28. The method of claim 25, further comprising:
encrypting the first biometric data with a first encoding site prior to transmitting to the remote authentication server; and
encrypting the second biometric data with a second encoding site prior to transmitting to the remote authentication server;
wherein the first encoding site and the second encoding site are independent of each other.
29. A system for establishing a secure data communications link with a user device and a site resource, comprising:
a secured transmission gateway to which the user device connects and with which the secure data communications link is established;
a central verification clearinghouse system storing a first biometric data of a user;
a first independent encoding site linked to the user device over a first data transmission link, biometric data provided by a user on the user device being encoded by the first independent encoding site upon transmission to the central verification clearinghouse system on the first data transmission link;
a second independent encoding site linked to site resource over a second data transmission link independent of the first data transmission link, biometric data provided by the user on the site resource upon request responsive to an authentication instruction from the user device being encoded by the second independent encoding site upon transmission to the central verification clearinghouse system on the second data transmission link;
a first independent security site linked to the user device over the first data transmission link to monitor transmissions from the user device to the central verification clearinghouse system for security breaches;
a second independent security site linked to the site resource over the second data transmission link to monitor transmissions from the site resource to the central verification clearinghouse system for security breaches;
wherein the secured transmission gateway authorizes the secure data communications link with the user device upon a contemporaneous and independent verification of the biometric data by the central verification clearinghouse as encoded by the first independent encoding site and by the second independent encoding site and confirmations from each of the first and second independent security sites and the first and second encoding sites that no security breaches were encountered;
wherein the first independent security site, the first independent encoding site, the second independent security site, and the second independent encoding site communicate with the secured transmission gateway over respective independent data communications links.
US14/057,663 2011-09-27 2013-10-18 Mobile device-based authentication with enhanced security measures Abandoned US20150113616A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US14/057,663 US20150113616A1 (en) 2011-09-27 2013-10-18 Mobile device-based authentication with enhanced security measures
US14/213,684 US20140201537A1 (en) 2011-09-27 2014-03-14 Mobile device-based authentication with enhanced security measures providing feedback on a real time basis
US15/448,345 US20170180361A1 (en) 2011-09-27 2017-03-02 Mobile device-based authentication with enhanced security measures providing feedback on a real time basis

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/246,676 US8473748B2 (en) 2011-09-27 2011-09-27 Mobile device-based authentication
US13/897,000 US20130254862A1 (en) 2011-09-27 2013-05-17 Mobile device-based authentication
US14/057,663 US20150113616A1 (en) 2011-09-27 2013-10-18 Mobile device-based authentication with enhanced security measures

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/897,000 Continuation-In-Part US20130254862A1 (en) 2011-09-27 2013-05-17 Mobile device-based authentication

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/213,684 Continuation-In-Part US20140201537A1 (en) 2011-09-27 2014-03-14 Mobile device-based authentication with enhanced security measures providing feedback on a real time basis

Publications (1)

Publication Number Publication Date
US20150113616A1 true US20150113616A1 (en) 2015-04-23

Family

ID=47912759

Family Applications (3)

Application Number Title Priority Date Filing Date
US13/246,676 Active US8473748B2 (en) 2011-09-27 2011-09-27 Mobile device-based authentication
US13/897,000 Abandoned US20130254862A1 (en) 2011-09-27 2013-05-17 Mobile device-based authentication
US14/057,663 Abandoned US20150113616A1 (en) 2011-09-27 2013-10-18 Mobile device-based authentication with enhanced security measures

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US13/246,676 Active US8473748B2 (en) 2011-09-27 2011-09-27 Mobile device-based authentication
US13/897,000 Abandoned US20130254862A1 (en) 2011-09-27 2013-05-17 Mobile device-based authentication

Country Status (4)

Country Link
US (3) US8473748B2 (en)
EP (1) EP2761427A4 (en)
CN (1) CN103907328B (en)
WO (1) WO2013048626A1 (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150242840A1 (en) * 2014-02-25 2015-08-27 Jpmorgan Chase Bank, N.A. Systems and methods for dynamic biometric configuration compliance control
US20170004296A1 (en) * 2014-03-28 2017-01-05 Panasonic Intellectual Property Management Co., Ltd. Biometric authentication method and biometric authentication system
US20170013462A1 (en) * 2015-07-09 2017-01-12 Mastercard International Incorporated Systems and Methods for Use in Authenticating Individuals, in Connection With Providing Access to the Individuals
US20170116600A1 (en) * 2015-10-27 2017-04-27 Mastercard International Incorporated Method and System for Performing Commercial Transactions Relating to or Purchased From a Vehicle
CN106993003A (en) * 2017-06-08 2017-07-28 湖南暄程科技有限公司 A kind of hospital's outer net login method and system
US20170318054A1 (en) * 2016-04-29 2017-11-02 Attivo Networks Inc. Authentication incident detection and management
DE102016115715A1 (en) 2016-08-24 2018-03-01 Fujitsu Technology Solutions Intellectual Property Gmbh A method of authenticating a user to a security device
US10424007B2 (en) 2015-12-07 2019-09-24 Mastercard International Incorporated Systems and methods for utilizing vehicle connectivity in association with payment transactions
US20190327228A1 (en) * 2018-04-24 2019-10-24 Apple Inc. Identity credential verification techniques
EP3649584A4 (en) * 2017-07-05 2021-04-07 Irisity AB PROCEDURE FOR VERIFICATION OF AN OPERATOR IN A SECURITY SYSTEM
US11005647B2 (en) * 2017-11-14 2021-05-11 Idemia Identity & Security France Method for processing an image executed by a terminal forming a “white box” environment
US11093597B2 (en) 2018-04-24 2021-08-17 Apple Inc. Identity credential verification techniques
US11579857B2 (en) 2020-12-16 2023-02-14 Sentinel Labs Israel Ltd. Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach
US11580218B2 (en) 2019-05-20 2023-02-14 Sentinel Labs Israel Ltd. Systems and methods for executable code detection, automatic feature extraction and position independent code detection
US20230065289A1 (en) * 2021-08-25 2023-03-02 Bank Of America Corporation Account Establishment and Transaction Management Using Biometrics and Intelligent Recommendation Engine
US11616812B2 (en) 2016-12-19 2023-03-28 Attivo Networks Inc. Deceiving attackers accessing active directory data
US11625485B2 (en) 2014-08-11 2023-04-11 Sentinel Labs Israel Ltd. Method of malware detection and system thereof
US11695800B2 (en) 2016-12-19 2023-07-04 SentinelOne, Inc. Deceiving attackers accessing network data
US11716342B2 (en) 2017-08-08 2023-08-01 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11888897B2 (en) 2018-02-09 2024-01-30 SentinelOne, Inc. Implementing decoys in a network environment
US11886591B2 (en) 2014-08-11 2024-01-30 Sentinel Labs Israel Ltd. Method of remediating operations performed by a program and system thereof
US11899782B1 (en) 2021-07-13 2024-02-13 SentinelOne, Inc. Preserving DLL hooks
US12432253B2 (en) 2024-04-16 2025-09-30 SentinelOne, Inc. Deceiving attackers accessing network data

Families Citing this family (104)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9020854B2 (en) 2004-03-08 2015-04-28 Proxense, Llc Linked account system using personal digital key (PDK-LAS)
US11206664B2 (en) 2006-01-06 2021-12-21 Proxense, Llc Wireless network synchronization of cells and client devices on a network
US9113464B2 (en) 2006-01-06 2015-08-18 Proxense, Llc Dynamic cell size variation via wireless link parameter adjustment
US7904718B2 (en) 2006-05-05 2011-03-08 Proxense, Llc Personal digital key differentiation for secure transactions
US9269221B2 (en) 2006-11-13 2016-02-23 John J. Gobbi Configuration of interfaces for a location detection system and application
US8659427B2 (en) 2007-11-09 2014-02-25 Proxense, Llc Proximity-sensor supporting multiple application services
US8171528B1 (en) 2007-12-06 2012-05-01 Proxense, Llc Hybrid device having a personal digital key and receiver-decoder circuit and methods of use
WO2009079666A1 (en) 2007-12-19 2009-06-25 Proxense, Llc Security system and method for controlling access to computing resources
WO2009102979A2 (en) 2008-02-14 2009-08-20 Proxense, Llc Proximity-based healthcare management system with automatic access to private information
US11120449B2 (en) 2008-04-08 2021-09-14 Proxense, Llc Automated service-based order processing
US9418205B2 (en) 2010-03-15 2016-08-16 Proxense, Llc Proximity-based system for automatic application or data access and item tracking
US9322974B1 (en) 2010-07-15 2016-04-26 Proxense, Llc. Proximity-based system for object tracking
FR2969437A1 (en) * 2010-12-16 2012-06-22 France Telecom METHOD FOR AUTHENTICATING A USER OF A TERMINAL FROM A SERVICE PROVIDER
US8857716B1 (en) 2011-02-21 2014-10-14 Proxense, Llc Implementation of a proximity-based system for object tracking and automatic application initialization
KR101182922B1 (en) * 2011-11-08 2012-09-13 아이리텍 잉크 Lock device and method using iris image for high security
EP2795553A4 (en) * 2011-12-21 2015-12-16 Intel Corp METHOD FOR AUTHENTICATING E-COMMERCE TRANSACTIONS ON MOBILE DEVICES USING BIOMETRIC DATA
US9208492B2 (en) 2013-05-13 2015-12-08 Hoyos Labs Corp. Systems and methods for biometric authentication of transactions
US9471919B2 (en) 2012-04-10 2016-10-18 Hoyos Labs Ip Ltd. Systems and methods for biometric authentication of transactions
WO2013155628A1 (en) * 2012-04-17 2013-10-24 Zighra Inc. Fraud detection system, method, and device
US10270587B1 (en) * 2012-05-14 2019-04-23 Citigroup Technology, Inc. Methods and systems for electronic transactions using multifactor authentication
US9832189B2 (en) * 2012-06-29 2017-11-28 Apple Inc. Automatic association of authentication credentials with biometrics
US10212158B2 (en) * 2012-06-29 2019-02-19 Apple Inc. Automatic association of authentication credentials with biometrics
US9819676B2 (en) 2012-06-29 2017-11-14 Apple Inc. Biometric capture for unauthorized user identification
US9959539B2 (en) 2012-06-29 2018-05-01 Apple Inc. Continual authorization for secured functions
US10171458B2 (en) 2012-08-31 2019-01-01 Apple Inc. Wireless pairing and communication between devices using biometric data
US9361439B1 (en) * 2012-10-04 2016-06-07 Roger Allen Bauchspies Virtual verification
US8837728B2 (en) 2012-10-16 2014-09-16 The Boeing Company Server algorithms to improve space based authentication
US9270660B2 (en) * 2012-11-25 2016-02-23 Angel Secure Networks, Inc. System and method for using a separate device to facilitate authentication
US8972296B2 (en) 2012-12-31 2015-03-03 Ebay Inc. Dongle facilitated wireless consumer payments
US20140197922A1 (en) * 2013-01-16 2014-07-17 Cygnus Broadband, Inc. System and method for positive identification on a mobile device
KR101627290B1 (en) * 2013-04-16 2016-06-21 구태언 Head-mounted display apparatus with enhanced secuirity and method for accessing encrypted information by the apparatus
US9405898B2 (en) 2013-05-10 2016-08-02 Proxense, Llc Secure element as a digital pocket
US9003196B2 (en) 2013-05-13 2015-04-07 Hoyos Labs Corp. System and method for authorizing access to access-controlled environments
US9084115B2 (en) 2013-05-13 2015-07-14 Dennis Thomas Abraham System and method for data verification using a smart phone
US11210380B2 (en) 2013-05-13 2021-12-28 Veridium Ip Limited System and method for authorizing access to access-controlled environments
US10331866B2 (en) 2013-09-06 2019-06-25 Apple Inc. User verification for changing a setting of an electronic device
US20150073998A1 (en) 2013-09-09 2015-03-12 Apple Inc. Use of a Biometric Image in Online Commerce
US10038691B2 (en) * 2013-10-08 2018-07-31 Princeton Identity, Inc. Authorization of a financial transaction
US10042994B2 (en) * 2013-10-08 2018-08-07 Princeton Identity, Inc. Validation of the right to access an object
US10025982B2 (en) 2013-10-08 2018-07-17 Princeton Identity, Inc. Collecting and targeting marketing data and information based upon iris identification
US9836647B2 (en) 2013-10-08 2017-12-05 Princeton Identity, Inc. Iris biometric recognition module and access control assembly
CN104574080A (en) * 2013-10-25 2015-04-29 腾讯科技(深圳)有限公司 Safe payment method as well as related equipment and system
CN104599122A (en) * 2013-10-31 2015-05-06 腾讯科技(深圳)有限公司 Quick payment method, related equipment and related system
US10855760B2 (en) * 2013-11-07 2020-12-01 Cole Asher Ratias Systems and methods for synchronizing content and information on multiple computing devices
US9424410B2 (en) * 2013-12-09 2016-08-23 Mastercard International Incorporated Methods and systems for leveraging transaction data to dynamically authenticate a user
US9838388B2 (en) 2014-08-26 2017-12-05 Veridium Ip Limited System and method for biometric protocol standards
PL3090525T3 (en) 2013-12-31 2021-11-22 Veridium Ip Limited System and method for biometric protocol standards
US20150220931A1 (en) 2014-01-31 2015-08-06 Apple Inc. Use of a Biometric Image for Authorization
WO2015120084A1 (en) 2014-02-04 2015-08-13 Secure Gravity Inc. Methods and systems configured to detect and guarantee identity
GB2522929A (en) * 2014-02-11 2015-08-12 Mastercard International Inc Transaction authorisation method and system
US10162955B2 (en) 2014-03-13 2018-12-25 Lg Electronics Inc. Mobile terminal and method for controlling same
WO2015157295A1 (en) * 2014-04-08 2015-10-15 Capital One Financial Corporation Systems and methods for transacting at an atm using a mobile device
US9691062B2 (en) * 2014-04-08 2017-06-27 Paypal, Inc. Systems and methods for wirelessly determining accepted forms of payment
US8838071B1 (en) 2014-04-30 2014-09-16 Oto Technologies Llc Secure communications smartphone system
US20150358333A1 (en) * 2014-06-04 2015-12-10 Grandios Technologies, Llc Geo-location and biometric presence security
US9881303B2 (en) 2014-06-05 2018-01-30 Paypal, Inc. Systems and methods for implementing automatic payer authentication
US10235512B2 (en) * 2014-06-24 2019-03-19 Paypal, Inc. Systems and methods for authentication via bluetooth device
WO2015199571A1 (en) * 2014-06-24 2015-12-30 Siemens Aktiengesellschaft System and method for the interaction of a human with at least one device to be controlled
US20150381614A1 (en) * 2014-06-25 2015-12-31 Qualcomm Incorporated Method and apparatus for utilizing biometrics for content sharing
WO2016018028A1 (en) * 2014-07-31 2016-02-04 Samsung Electronics Co., Ltd. Device and method of setting or removing security on content
US10187799B2 (en) 2014-08-19 2019-01-22 Zighra Inc. System and method for implicit authentication
US9705879B2 (en) * 2014-09-17 2017-07-11 Microsoft Technology Licensing, Llc Efficient and reliable attestation
MX2017003776A (en) 2014-09-24 2018-03-23 Princeton Identity Inc Control of wireless communication device capability in a mobile device with a biometric key.
CN205721792U (en) 2014-09-30 2016-11-23 苹果公司 Electronic equipment
FR3028123B1 (en) * 2014-11-05 2016-12-09 Jcdecaux Sa COMMUNICATION SYSTEM EQUIPPED WITH A RADIO BEACON
CN104410438B (en) * 2014-11-17 2017-12-19 上海鸿研物流技术有限公司 Recyclable physical distribution apparatus and its management method
US9563992B2 (en) * 2014-12-01 2017-02-07 Honeywell International Inc. System and method of associating, assigning, and authenticating users with personal protective equipment using biometrics
JP2018506872A (en) 2014-12-03 2018-03-08 プリンストン・アイデンティティー・インコーポレーテッド System and method for mobile device biometric add-on
US20160162900A1 (en) 2014-12-09 2016-06-09 Zighra Inc. Fraud detection system, method, and device
CN104574048B (en) * 2014-12-27 2018-04-06 小米科技有限责任公司 Resource transfers method and device
US20160321637A1 (en) * 2015-04-30 2016-11-03 Kevin Carvalho Point of sale payment using mobile device and checkout credentials
US20210390246A1 (en) * 2015-07-11 2021-12-16 Thinxtream Technologies Ptd. Ltd. System and method for contextual service delivery via mobile communication devices
US10715972B2 (en) * 2015-07-31 2020-07-14 CityBeacon IP BV Multifunctional interactive beacon with mobile device interaction
US11329980B2 (en) 2015-08-21 2022-05-10 Veridium Ip Limited System and method for biometric protocol standards
CN105405226A (en) * 2015-12-08 2016-03-16 天津市融通电子科技有限公司 POS device
WO2017100956A1 (en) * 2015-12-18 2017-06-22 Toc S.A. Method for authentication via a combination of biometric parameters
US10142328B1 (en) * 2015-12-19 2018-11-27 Securus Technologies, Inc. Account enrollment systems and processes
WO2017123702A1 (en) 2016-01-12 2017-07-20 Princeton Identity, Inc. Systems and methods biometric analysis
WO2017173228A1 (en) 2016-03-31 2017-10-05 Princeton Identity, Inc. Biometric enrollment systems and methods
US10373008B2 (en) 2016-03-31 2019-08-06 Princeton Identity, Inc. Systems and methods of biometric analysis with adaptive trigger
GB2552721A (en) * 2016-08-03 2018-02-07 Cirrus Logic Int Semiconductor Ltd Methods and apparatus for authentication in an electronic device
US10275590B2 (en) 2016-09-27 2019-04-30 Bank Of America Corporation Distributed trust as secondary authentication mechanism
GB2555660B (en) * 2016-11-07 2019-12-04 Cirrus Logic Int Semiconductor Ltd Methods and apparatus for authentication in an electronic device
US10360744B1 (en) * 2016-11-17 2019-07-23 Alarm.Com Incorporated Verified access to a monitored property
CN110178160B (en) 2017-01-23 2023-01-24 开利公司 Access control system with trusted third party
KR102302561B1 (en) * 2017-03-09 2021-09-15 삼성전자주식회사 Electronic device for performing authentication using a plurality of authentication methods and method of operating the same
WO2018187337A1 (en) 2017-04-04 2018-10-11 Princeton Identity, Inc. Z-dimension user feedback biometric system
EP3612966A4 (en) 2017-04-20 2020-12-30 Fingerprint Cards AB Access control for access restricted domains using first and second biometric data
KR102573482B1 (en) 2017-07-26 2023-08-31 프린스톤 아이덴티티, 인크. Biometric security system and method
WO2019094993A1 (en) * 2017-11-13 2019-05-16 Ford Randell James A system for identifying persons of interest
EP4274286A3 (en) * 2018-01-22 2023-12-27 Apple Inc. Secure login with authentication based on a visual representation of data
US10218708B1 (en) * 2018-06-21 2019-02-26 Capital One Services, Llc Systems for providing electronic items having customizable locking mechanism
US10778678B2 (en) * 2018-07-18 2020-09-15 Alibaba Group Holding Limited Identity identification and preprocessing
US11057377B2 (en) * 2018-08-26 2021-07-06 Ncr Corporation Transaction authentication
SG10201809804XA (en) * 2018-11-05 2020-06-29 Mastercard International Inc Methods and systems for adapting timeout period for authentication in payment processing
US10789347B1 (en) * 2019-07-18 2020-09-29 Alibaba Group Holding Limited Identification preprocessing
CN110457882B (en) * 2019-07-18 2020-10-30 创新先进技术有限公司 An identity recognition preprocessing, identity recognition method and system
US11509642B2 (en) * 2019-08-21 2022-11-22 Truist Bank Location-based mobile device authentication
US11550938B2 (en) * 2019-09-03 2023-01-10 Science Applications International Corporation Automatic device zeroization
TWI755322B (en) 2019-12-31 2022-02-11 華南商業銀行股份有限公司 Funding demand forecasting method and system
GB2591248A (en) * 2020-01-22 2021-07-28 John De Veer Tracking device
US11882452B2 (en) * 2020-11-20 2024-01-23 Bank Of America Corporation Monitoring for security threats associated with mobile devices that have been identified and logged
WO2022136263A1 (en) * 2020-12-22 2022-06-30 Precise Biometrics Ab A method for registering a user account for user identity authentication and a system thereof
US12277205B2 (en) 2021-09-20 2025-04-15 Apple Inc. User interfaces for digital identification

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090113529A1 (en) * 2001-03-01 2009-04-30 Sony Corporation Method and system for restricted biometric access to content of packaged media
US20100125635A1 (en) * 2008-11-17 2010-05-20 Vadim Axelrod User authentication using alternative communication channels
US20110040980A1 (en) * 2009-08-12 2011-02-17 Apple Inc. File Management Safe Deposit Box
US20110126273A1 (en) * 2008-12-01 2011-05-26 Mandeep Singh Bhatia System and method for enhanced data security
US20110214171A1 (en) * 2006-01-13 2011-09-01 Gregory Howard Wolfond Multi-Mode Credential Authentication
US20120278870A1 (en) * 2011-04-27 2012-11-01 International Business Machines Corporation Multiple independent authentications for enhanced security
US20140073289A1 (en) * 2012-09-11 2014-03-13 Wavemax Corp. 3g/4g mobile data offload via roaming in a network of shared protected/locked wi-fi access points

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7523067B1 (en) 2000-08-02 2009-04-21 Softbankbb Corporation Electronic settlement system, settlement apparatus, and terminal
US7921297B2 (en) * 2001-01-10 2011-04-05 Luis Melisendro Ortiz Random biometric authentication utilizing unique biometric signatures
US7623970B2 (en) 2001-04-17 2009-11-24 Panasonic Corporation Personal authentication method and device
US20040022422A1 (en) 2002-08-02 2004-02-05 Masaki Yamauchi Authentication apparatus and authentication method
US7043754B2 (en) 2003-06-12 2006-05-09 Michael Arnouse Method of secure personal identification, information processing, and precise point of contact location and timing
US20050090267A1 (en) * 2003-10-24 2005-04-28 Kotzin Michael D. Method and apparatus for enabling a device by proximity
US20070186099A1 (en) 2004-03-04 2007-08-09 Sweet Spot Solutions, Inc. Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
US20050255840A1 (en) 2004-05-13 2005-11-17 Markham Thomas R Authenticating wireless phone system
US20050273626A1 (en) 2004-06-02 2005-12-08 Steven Pearson System and method for portable authentication
US8079079B2 (en) * 2005-06-29 2011-12-13 Microsoft Corporation Multimodal authentication
US20070030120A1 (en) * 2005-08-02 2007-02-08 Echolock, Inc. Security access control system and associated methods
US20070155418A1 (en) 2005-12-29 2007-07-05 Jeng-Jye Shau Expandable functions for cellular phones
US7904718B2 (en) * 2006-05-05 2011-03-08 Proxense, Llc Personal digital key differentiation for secure transactions
US20080120707A1 (en) 2006-11-22 2008-05-22 Alexander Ramia Systems and methods for authenticating a device by a centralized data server
US9191822B2 (en) * 2007-03-09 2015-11-17 Sony Corporation Device-initiated security policy
US20080271122A1 (en) 2007-04-27 2008-10-30 John Edward Nolan Granulated hardware resource protection in an electronic system
US20090169070A1 (en) 2007-12-28 2009-07-02 Apple Inc. Control of electronic device by using a person's fingerprints
EP2088550A1 (en) * 2008-02-08 2009-08-12 SkiData AG Method for ordering location-specific services
US8302167B2 (en) 2008-03-11 2012-10-30 Vasco Data Security, Inc. Strong authentication token generating one-time passwords and signatures upon server credential verification
US9009796B2 (en) * 2010-11-18 2015-04-14 The Boeing Company Spot beam based authentication
US20120166810A1 (en) * 2010-12-27 2012-06-28 Leon Tao Biometrically Securing and Transmitting Data

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090113529A1 (en) * 2001-03-01 2009-04-30 Sony Corporation Method and system for restricted biometric access to content of packaged media
US20110214171A1 (en) * 2006-01-13 2011-09-01 Gregory Howard Wolfond Multi-Mode Credential Authentication
US20100125635A1 (en) * 2008-11-17 2010-05-20 Vadim Axelrod User authentication using alternative communication channels
US20110126273A1 (en) * 2008-12-01 2011-05-26 Mandeep Singh Bhatia System and method for enhanced data security
US20110040980A1 (en) * 2009-08-12 2011-02-17 Apple Inc. File Management Safe Deposit Box
US20120278870A1 (en) * 2011-04-27 2012-11-01 International Business Machines Corporation Multiple independent authentications for enhanced security
US20140073289A1 (en) * 2012-09-11 2014-03-13 Wavemax Corp. 3g/4g mobile data offload via roaming in a network of shared protected/locked wi-fi access points

Cited By (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150242840A1 (en) * 2014-02-25 2015-08-27 Jpmorgan Chase Bank, N.A. Systems and methods for dynamic biometric configuration compliance control
US20170004296A1 (en) * 2014-03-28 2017-01-05 Panasonic Intellectual Property Management Co., Ltd. Biometric authentication method and biometric authentication system
US12235962B2 (en) 2014-08-11 2025-02-25 Sentinel Labs Israel Ltd. Method of remediating operations performed by a program and system thereof
US11625485B2 (en) 2014-08-11 2023-04-11 Sentinel Labs Israel Ltd. Method of malware detection and system thereof
US11886591B2 (en) 2014-08-11 2024-01-30 Sentinel Labs Israel Ltd. Method of remediating operations performed by a program and system thereof
US12026257B2 (en) 2014-08-11 2024-07-02 Sentinel Labs Israel Ltd. Method of malware detection and system thereof
US9775044B2 (en) * 2015-07-09 2017-09-26 Mastercard International Incorporated Systems and methods for use in authenticating individuals, in connection with providing access to the individuals
US20170013462A1 (en) * 2015-07-09 2017-01-12 Mastercard International Incorporated Systems and Methods for Use in Authenticating Individuals, in Connection With Providing Access to the Individuals
US20170116600A1 (en) * 2015-10-27 2017-04-27 Mastercard International Incorporated Method and System for Performing Commercial Transactions Relating to or Purchased From a Vehicle
US11093997B2 (en) 2015-12-07 2021-08-17 Mastercard International Incorporated Systems and methods for utilizing vehicle connectivity in association with payment transactions
US10424007B2 (en) 2015-12-07 2019-09-24 Mastercard International Incorporated Systems and methods for utilizing vehicle connectivity in association with payment transactions
US10467682B2 (en) 2015-12-07 2019-11-05 Mastercard International Incorporated Systems and methods for utilizing vehicle connectivity in association with payment transactions
US10542044B2 (en) * 2016-04-29 2020-01-21 Attivo Networks Inc. Authentication incident detection and management
US20170318054A1 (en) * 2016-04-29 2017-11-02 Attivo Networks Inc. Authentication incident detection and management
DE102016115715A1 (en) 2016-08-24 2018-03-01 Fujitsu Technology Solutions Intellectual Property Gmbh A method of authenticating a user to a security device
US11695800B2 (en) 2016-12-19 2023-07-04 SentinelOne, Inc. Deceiving attackers accessing network data
US12261884B2 (en) 2016-12-19 2025-03-25 SentinelOne, Inc. Deceiving attackers accessing active directory data
US11997139B2 (en) 2016-12-19 2024-05-28 SentinelOne, Inc. Deceiving attackers accessing network data
US11616812B2 (en) 2016-12-19 2023-03-28 Attivo Networks Inc. Deceiving attackers accessing active directory data
US12418565B2 (en) 2016-12-19 2025-09-16 SentinelOne, Inc. Deceiving attackers accessing network data
CN106993003A (en) * 2017-06-08 2017-07-28 湖南暄程科技有限公司 A kind of hospital's outer net login method and system
EP3649584A4 (en) * 2017-07-05 2021-04-07 Irisity AB PROCEDURE FOR VERIFICATION OF AN OPERATOR IN A SECURITY SYSTEM
US11611552B2 (en) 2017-07-05 2023-03-21 Irisity AB Method for verifying an operator in a security system
US11716342B2 (en) 2017-08-08 2023-08-01 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11973781B2 (en) 2017-08-08 2024-04-30 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11716341B2 (en) 2017-08-08 2023-08-01 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11722506B2 (en) 2017-08-08 2023-08-08 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US12363151B2 (en) 2017-08-08 2025-07-15 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US12244626B2 (en) 2017-08-08 2025-03-04 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US12206698B2 (en) 2017-08-08 2025-01-21 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11838305B2 (en) 2017-08-08 2023-12-05 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11838306B2 (en) 2017-08-08 2023-12-05 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11876819B2 (en) 2017-08-08 2024-01-16 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US12177241B2 (en) 2017-08-08 2024-12-24 Sentinel Labs Israel Ltd. Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking
US11005647B2 (en) * 2017-11-14 2021-05-11 Idemia Identity & Security France Method for processing an image executed by a terminal forming a “white box” environment
US12341814B2 (en) 2018-02-09 2025-06-24 SentinelOne, Inc. Implementing decoys in a network environment
US11888897B2 (en) 2018-02-09 2024-01-30 SentinelOne, Inc. Implementing decoys in a network environment
US20190327228A1 (en) * 2018-04-24 2019-10-24 Apple Inc. Identity credential verification techniques
US11093597B2 (en) 2018-04-24 2021-08-17 Apple Inc. Identity credential verification techniques
US10972459B2 (en) * 2018-04-24 2021-04-06 Apple Inc. Identity credential verification techniques
US12169556B2 (en) 2019-05-20 2024-12-17 Sentinel Labs Israel Ltd. Systems and methods for executable code detection, automatic feature extraction and position independent code detection
US11790079B2 (en) 2019-05-20 2023-10-17 Sentinel Labs Israel Ltd. Systems and methods for executable code detection, automatic feature extraction and position independent code detection
US11580218B2 (en) 2019-05-20 2023-02-14 Sentinel Labs Israel Ltd. Systems and methods for executable code detection, automatic feature extraction and position independent code detection
US11748083B2 (en) 2020-12-16 2023-09-05 Sentinel Labs Israel Ltd. Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach
US11579857B2 (en) 2020-12-16 2023-02-14 Sentinel Labs Israel Ltd. Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach
US12423078B2 (en) 2020-12-16 2025-09-23 Sentinel Labs Israel Ltd. Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach
US11899782B1 (en) 2021-07-13 2024-02-13 SentinelOne, Inc. Preserving DLL hooks
US12259967B2 (en) 2021-07-13 2025-03-25 SentinelOne, Inc. Preserving DLL hooks
US20230065289A1 (en) * 2021-08-25 2023-03-02 Bank Of America Corporation Account Establishment and Transaction Management Using Biometrics and Intelligent Recommendation Engine
US11803898B2 (en) * 2021-08-25 2023-10-31 Bank Of America Corporation Account establishment and transaction management using biometrics and intelligent recommendation engine
US12432253B2 (en) 2024-04-16 2025-09-30 SentinelOne, Inc. Deceiving attackers accessing network data

Also Published As

Publication number Publication date
EP2761427A1 (en) 2014-08-06
US8473748B2 (en) 2013-06-25
WO2013048626A1 (en) 2013-04-04
EP2761427A4 (en) 2015-06-17
CN103907328A (en) 2014-07-02
CN103907328B (en) 2017-08-22
US20130081119A1 (en) 2013-03-28
US20130254862A1 (en) 2013-09-26

Similar Documents

Publication Publication Date Title
US20150113616A1 (en) Mobile device-based authentication with enhanced security measures
US20170180361A1 (en) Mobile device-based authentication with enhanced security measures providing feedback on a real time basis
US12361777B2 (en) System and method for providing credential activation layered security
US11101993B1 (en) Authentication and authorization through derived behavioral credentials using secured paired communication devices
US12056975B1 (en) System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score
US9531710B2 (en) Behavioral authentication system using a biometric fingerprint sensor and user behavior for authentication
US10776464B2 (en) System and method for adaptive application of authentication policies
US8483659B2 (en) Methods and systems for recovering lost or stolen mobile devices
US9652760B2 (en) Receiving fingerprints through touch screen of CE device
US20170264608A1 (en) Visual biometric authentication supplemented with a time-based secondary authentication factor
US11171951B2 (en) Device interface output based on biometric input orientation and captured proximate data
KR20190007374A (en) Mobile security countermeasures
KR101345018B1 (en) Teminal and security certification system therewith
US20240187242A1 (en) Identity verification system, user device and identity verification method
US11960587B2 (en) Methods, systems and computer program products for monitoring or controlling user access at a point-of-service
US20190132312A1 (en) Universal Identity Validation System and Method
CN100583734C (en) Method for realizing volatile secret key and separated checking module by collecting human characteristic
Goud et al. Enhanced security for smart door using biometrics and OTP
US20160086180A1 (en) Using biometrics to recover password in customer mobile device
Pote Safe and Convenient Cash Withdrawal: A Cardless ATM Mechanism via Smart Mobile Banking Application
Abu-Saymeh et al. An application security framework for near field communication
US20240346122A1 (en) Methods, systems and computer program products for monitoring or controlling user access at a point-of-service
Muhammad A study on cell phone security: Authentication techniques
Han et al. Biometric authentication for mobile computing applications
Rose-Keziah et al. Modeling Effective Information Security in Mobile Banking System

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION