WO2024263035A1 - A computer implemented method for generating and storing a digital user id associated with a user and use thereof for authenticating a person - Google Patents
- Publication number
- WO2024263035A1 (PCT/NL2024/050329)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computing device
- user computing
- biometric
- user
- mobile user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the present invention is related to a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera.
- the present invention is further related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera.
- the invention is further related to a user computing device, and a system for authenticating a preregistered person in a third-party system.
- banking establishments may make use of a partially digital authentication of a user who is inclined to open a bank account.
- the user may upload data stored on a passport, which may be done via scanning the passport for example.
- the prestored data of the passport may be authenticated against a picture taken by the user and uploaded to the same digital environment of the banking establishment.
- the persons may trust the cyber security measures of the third-party service, they also become victim of the hack, since their data is stored with said service.
- private, or even biometric data of the persons enrolled or registered with the third-party system may be stolen and/or used for malicious purposes by the hackers. This risk tends to grow as the number of services that need an authentication step starts to grow. Especially since a person may need to register for every service separately.
- the authentication was intentionally kept at a distance from the person using the service, in order to ensure the quality of the authentication, the downsides, such as risk of hacking and sharing of private and/or biometric data or identity information, start to overshadow the benefit of authentication performed by the third-party system.
- identity information for providing services from a service provider to a customer (user or person) has been accompanied by an increased danger of central interception and theft of that information from the service provider.
- Identity theft occurs when someone uses, for example, password related data, a username, a Social Security number, a credit card number, or other identifying personal information of another without consent to commit fraud. Such fraud does often not only result in financial loss, but also a loss of trust, wherein both the service provider and the user can be considerably damaged.
- An additional downside of these third-party systems is that the person using the system generally has no idea of where their data is stored, and also no idea as to what happens with their data. It may be the case that a part of their data is sold by the third party.
- the present invention proposes a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of: i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data, preferably exclusively, onto the mobile user computing device, ii.
- biometric data relate to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data onto the mobile user computing device, iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii), iv.
- the present invention allows for generating and storing a digital user ID which may be used in subsequent authentication processes.
- the particular advantage of the present invention is that it allows a user to generate and to locally store a digital user ID for themselves, only by using the user’s (single) mobile user computing device. Hence, the mobile user device, which a user typically carries with themselves, holds only the digital user ID. Since the digital user ID is authenticated, the digital user ID may be validly used to authenticate a person during authentication processes of third-party systems.
- Another particular advantage of the present invention is that the prestored biometric personal data retrieved from the official identity document are stored on the mobile user computing device. Hence, there is no need to share sensitive, valuable and personal data with a third-party system and/or with third parties. Sharing biometric data with a third party, which usually stores said data with the biometric data of other users, makes, as described before, the third party more prone to a hack, which may cause biometric data theft of the user from said third party, which is obviously undesired.
- the present invention allows the user to remain in control of the prestored biometric personal data by only storing it locally, on the memory unit of the mobile user computing device.
- the digital user ID is preferably stored encrypted on at least one memory unit of the mobile user computing device, more preferably on a secured area (protected area) of said at least one memory unit of the mobile user computing device.
- the prestored biometric personal data comprises at least one high-resolution (colour) image of the face associated with a user.
- the prestored biometric personal data further comprises demographic and biometric information associated with the user, preferably fingerprint of at least one, preferably all fingers, an iris scan, a digital signature, a retinal scan.
- the mobile user computing device is significantly less susceptible to a (targeted) hack, since it merely holds biometric data associated with a single person.
- family members of the user may create a second or third or fourth digital user ID on the device of said user, allowing the mobile user computing device to store a digital user ID of the family members of the user.
- the different digital user ID’s associated to the family members are stored on the mobile user device under e.g., different accounts and/or under different names.
- the present invention further allows to make repetitive use of authentication steps within a third party system, which in current third party systems is typically rather cumbersome to the user.
- the locally stored user ID may easily, and with low threshold, be used for local authentication of the user during use of a third party system, by authenticating the locally stored digital user ID against an image of the user for example.
- the digital user ID may for example be used as a replacement for a password, or in addition to a password and/or existing login method.
- the digital user ID, stored on the mobile user device may be applied in any third party system which requires a user to login.
- the benefit of the local user ID is that it may be used in a decentralized manner compared to existing technologies which require a transfer of biometric data out of the storage of the mobile user device. That is, the digital user ID is stored on, and preferably exclusively used on the mobile user device. That is, when a third party system requires a user to login, this login may be authenticated locally, based on the stored digital user ID.
- the mobile user device upon meeting a predefined degree of similarity between an image and the digital user ID may send an authentication signal to the third party system to grant the person access to the third party system, without in doing so sending any biometric data to said system.
- the digital user ID is generated only once, thereafter it can be used for authentication purposes. Therefore, the present invention may provide for a quicker and more secure 1:1 matching solution without the requirement to send biometric data to a central server for authentication purposes.
- the present invention not only allows for maintaining control over the prestored biometric personal data retrieved from the at least one official identity document, but also the acquired additional biometric data from the user is stored locally, preferably on the memory unit of the mobile user computing device, thereby giving the user full control and ownership of the biometric data.
- step iii) is performed by the at least one processor of the mobile user computing device. Since also the step of comparing is performed by the mobile user computing device, it is possible to generate an authenticated digital user ID essentially exclusively on the mobile user computing device. Hence, making it possible to establish a digital user ID, which is authenticated, locally on the mobile user computing device. As such, a user is not required to share any biometric data.
- the digital user ID may be used with a wide range of third party systems which are compliant. Hence, eliminating the need for a user to generate a single user ID with all the separate third-party systems, and the associated risk of hacks of personal biometric data stored within said third party systems.
- local shall be understood as decentralized, preferably not making use of a public server network, or a server network that is used by a plurality of users. The latter in any case as to the biometric data.
- basic personal data: This may be understood as simple personal data such as a name of a user or person. Such data can be freely shared since it does not constitute sensitive data or may be less useful to malicious persons.
- Other examples of basic personal data may for example be date of birth, place of birth, optionally a basic image of a person, wherein no biometric data is associated with said basic image, a username, a place of residence, or the like.
- Biometric data may be understood as comprising at least some measurable and/or quantifiable characteristics of the person, such as a fingerprint, or key facial landmarks, or the like.
- Such type of data is preferably not shared with any third party, since it may cause identity theft if stolen from the third party, e.g., when hacked.
- Such basic personal data may be added, for example by the user, to the digital user ID as credentials.
- step ii) acquiring additional biometric data from said user comprises the steps of: recording data of at least one characteristic of the person, preferably by using the camera of the mobile user computing device; and constructing, preferably by using the at least one processor of the mobile user computing device, biometric data, wherein said biometric data relate to a plurality of biometric modalities, related to the recorded data.
- Biometric data, in particular the biometric modalities, may be understood as describing or defining measurable human characteristics, preferably wherein said biometric data, in particular the biometric modalities, are stored and/or converted into one or more biometric data templates, which may comprise a set of stored biometric features. Since the biometric data may be highly sensitive, especially in the hands of malicious persons, it is generally not preferred to share said biometric data.
- At least one biometric modality constitutes a selfie of the face of a user.
- the selfie may for example be recorded with the at least one camera of the mobile user computing device. It is imaginable that it is sufficient to record merely a face part, rather than the entire face, such as for example an upper part of the face, during step ii).
- the face is uncovered, although it is also feasible to retrieve sufficient biometric facial information from a partially covered face, such as when a user is wearing a mouth mask, sunglasses, and/or a hat.
- step iii) a predetermined minimum degree of similarity may be detected by the mobile user computing device in order to guarantee a valid authentication of the identity of a user.
- a face recognition analysis is performed based on the acquired additional biometric data, preferably the selfie, during step ii) and the prestored biometric personal data retrieved during step i). It is preferred that the comparison performed is at least partially based on a depth perception face recognition. It has been proven that facial recognition with depth perception may be able to detect deep fake pictures, and hence may provide a more reliable outcome of the comparison step of step iii).
- both at least one selfie of the face of a user and a user liveness check are acquired.
- This is beneficial for the step of comparing, since it may allow to validate the user is a living person, and to verify the face based on the selfie image.
- it is preferred that at least the selfie is compared with the prestored biometric personal data of step i), in particular a high-resolution image thereof.
- a biometric template of at least one biometric modality, preferably comprising a faceprint comprising data related to one or more facial landmarks associated with a user’s face, such as face vectors, is stored on the mobile user computing device, wherein said biometric template is at least partially associated with user related biometric data.
- the captured biometric modality acquired during step ii) is therefore preferably converted into a mathematical file and/or into one or more face vectors.
- the template is a digital and/or mathematical representation of features or characteristics of the acquired additional biometric source data during step ii).
- the biometric data retrieved and/or acquired, in particular the biometric template is encrypted prior to being stored on the memory unit. It is conceivable that the data is encrypted according to a public key infrastructure.
- the biometric data collected during steps i) and ii) is preferably stored within a secure area (protected area) of at least one memory unit of the mobile user computing device.
- PKI: public key infrastructure
- At least one biometric modality is a physiological biometric modality.
- at least one biometric modality is chosen from the group of: fingerprints, vein recognition, iris recognition, retina scanning, facial recognition, ear recognition, finger geometry (the size and position of fingers), palm prints, voice recognition.
- at least one biometric modality is a behavioural biometric modality, such as keystroke recognition and/or gait pattern recognition.
- At least one biometric modality is recorded, by said user using at least one transducing component of the mobile user computing device during step ii).
- Said at least one transducing component is preferably chosen from the group consisting of: a camera, a microphone, and/or a biometric sensor.
- the recording can for example take place by making and/or by recording and/or by capturing a facial image, such as a selfie, a facial video of an entire face or face part, an iris video, a voiceprint, a fingerprint, a hand gesture, a fingerprint, finger vein, or a photo of a finger allowing the determination of the minutiae of said finger and/or the vein(s) of said finger.
- the software used to recognise the recorded biometric is preferably a kind of living or dynamic piece of software running on or performed by the processor of the mobile user computing device, meaning that it will continuously improve based on historical data that is submitted by users.
- the user is preferably guided through the process for generating a digital user ID.
- One of the steps during this enrolment process is that the user may be guided in how to properly record a biometric characteristic associated to said user.
- at least one host computing device provides recording instructions to the user via the messenger application, wherein said recording instructions define one or more minimum requirements relating to the quality of the biometric characteristic to be recorded. It is also imaginable that this guidance can be provided to the user via the mobile user computing device. These minimum requirements can be presented and communicated in various ways to the user, such as by text, audio, pictures or video.
- the digital identity generated by the mobile user computing device is, at least partially stored, on a digital wallet of the mobile user computing device.
- Said digital wallet may be allocated on the memory unit for example and is typically very well encrypted to further prevent theft.
- the official identity document issued by a government is a passport, and/or an identity card, and/or an official identity document issued by a company or health service, such as a health insurance card, a physical identity document, and/or a digital identity document.
- the official identity document according to the purpose of the present invention shall comprise prestored biometric personal data associated with a user.
- the official identity document is compliant with the International Civil Aviation Organization (ICAO) DOC series 9303.
- ICAO: International Civil Aviation Organization
- use is made of the mobile user computing device for retrieving data from the at least one official identity document.
- step i) at least one image of the at least one official identity document is made, preferably by using the mobile user computing device, wherein said image comprises biometric data associated to the identity of a person.
- the image of the official identity document is preferably processed, for example by the processor of the mobile user computing device, to extract and/or deduce the prestored biometric personal data from the official identity document.
- the official identity document comprises at least one chip, wherein the chip comprises at least a part of the prestored biometric data, wherein the user computing device is capable to retrieve at least a part of the prestored biometric data from said chip during step i).
- the mobile user computing device is configured for retrieving the prestored biometric data from the chip via near field communication (NFC).
- NFC: near field communication
- comparing is performed essentially entirely and/or exclusively based on data stored locally on the mobile user computing device.
- Said data may include the retrieved prestored biometric personal data during step i) which are stored on the mobile user computing device. It is in particular preferred to use the chip of the at least one official identity document since it allows for direct local storage on the mobile user computing device.
- the method further comprises the step of: v) removing at least a part of the biometric data stored and/or collected during step i) and/or step ii) from the mobile user computing device after completion of step iii) and/or iv).
- the retrieved biometric personal data from the at least one official identity document and the acquired additional biometric data during steps i) and ii) are used for comparing, in particular authenticating, the identity of a user, or at least a measure of similarity between the recorded biometric during step ii) against the prestored biometric of step i). If the comparison yields a predetermined minimum degree of similarity, a digital user ID may be generated, and stored on the memory unit of the mobile user computing device. After generating the digital user ID, the retrieved and acquired biometric data is not needed per se, and may therefore be deleted in order to further prevent theft of sensitive data.
- step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
- at least one selfie of the face of a user is compared with the high-quality (colour) image prestored on the passport of a user.
- step ii) and step iii) at least partially overlap in time.
- a user uses the mobile user computing device to record a selfie of their face, which is subsequently compared (hence step iii) with a part of the prestored biometric personal data retrieved during step i). Since comparing of data may be done in the background, e.g., by a processor of the mobile user computing device, it is conceivable that the user records a liveness check during the comparison step iii). As such, partial overlap in time may be established between steps ii) and iii).
- steps i) and ii) are each performed at least once. That is, for step iii), comparable data must be available.
- step iii) use is made only of the camera of the mobile user computing device for recording of additional biometric data.
- step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
- multimodal biometric data which may typically be harder to fool
- step iii) merely single modal biometric data is used.
- said single modal biometric data may be formed by a selfie of the face of a user.
- the selfie of the face of the user is captured, e.g., automatically, without the user required to do so, from the liveness check performed during step ii).
- the liveness check may require the user to move their head left and right, and/or up and down, in order to be able to check the liveness.
- the mobile user computing device, e.g., by the processor, captures an image of the recorded video of the user moving their head, which screen capture may be used as the single biometric modality stored during step ii).
- the mobile user computing device is a smartphone, and wherein preferably the at least one memory unit is a non-volatile memory unit.
- the mobile user computing device may alternatively be a tablet, a laptop, a desktop computer, a smartwatch or any other smart wearable device.
- feature phones should be understood as a type or class of (mobile) phones that are visually and dimensionally similar to early generations of mobile phones.
- the feature phones typically comprise press-buttons based inputs, such as a menu button and an “ok”, and “back” button, and a small, typically non-touch display.
- the display may typically be a colour display.
- the feature phones typically use an embedded operating system.
- a smartphone should be understood as a type or class of (mobile) phones that performs many functions of a computer, typically provided with a touchscreen interface, internet access, and an extensive mobile operating system that allows for running, and downloading applications, multimedia functionality, alongside the core phone functions such as voice calls and text messaging.
- the entire method as set forth above is performed by or runs at least partially on the processor of the mobile user computing device, for example in the form of an application, which the user may access via the mobile user computing device interface.
- the processor is configured for requesting the user, hence via the mobile user computing device, to perform certain steps, possibly in a predetermined order. It may to this end be conceivable that upon starting the application for the first time, the user is presented with a screen which provides the user with the choice for starting the digital user ID generation process.
- the application may dictate the user to retrieve prestored biometric personal data associated with an official identity document issued by a government. In line with the ownership of the sensitive data, it is preferred that the owner or maker of the application has no access to the biometric data and/or the digital user ID stored by the user and on the mobile user computing device.
- the present invention provides a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the authentication method comprises the steps of: i. providing a third-party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the third party system comprises prestored personal data and associated access rights associated with the preregistered person, ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the personal data associated with the preregistered person, iii.
- biometric data such as a selfie and/or liveness check
- biometric data relating to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and/or wherein said locally stored digital user ID is generated by applying the method according to the invention, vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system, vii.
- step vi) optionally comparing, on and by the mobile user computing device and/or by the third-party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and ix. granting said person, by the third-party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
- This aspect of the present invention allows to use a prestored digital user ID for authenticating a preregistered person which may yield different benefits.
- it allows the person to remain in control of their biometric data.
- the recorded biometric data during step iv) is recorded by, and preferably only stored on, the mobile user computing device.
- the biometric data recorded during step iv) is recorded by a camera or biometric recording device of the third party system, and preferably forwarded to the mobile user computing device after recording, without central storage thereof in the third party system environment.
- the digital user ID is prestored on the mobile user computing device, it is possible to perform an authentication step locally, hence on the mobile user computing device. This contributes to a decentralized system for both verification and authentication.
- neither the prestored biometric personal data retrieved from the official identity document, nor the recorded or requested biometric data associated with the person need to be verified by or sent to the third-party system, such as a cloud environment, that requires an authentication.
- the locally prestored digital user ID is generated applying the method according to the present invention. This particularly ensures a completely decentralized solution which only requires a communicative connection with the third party system, but does not require biometric data to be stored or shared, in particular centrally, with the third party system.
- the person may be able to use a single prestored digital user ID on the mobile user computing device for a number of third party systems.
- the user may be able to use the single prestored digital user ID in relation to a plurality of third-party systems.
- the latter preferably whilst remaining in control of the biometric data that is shared with the third-party system. This is beneficial since it is cumbersome for a person to generate an authenticated identity with each of said services individually.
- the present invention therefore provides for a 1-to-1 matching solution, wherein in particular the verification and authentication is performed exclusively in a decentral environment, particularly a mobile user device such as a phone. Therefore, the present invention circumvents the need for a 1-to-n or 1-to-many matching solution. It is to be particularly pointed out that both the initial verification or enrolment as well as the authentication later on are performed without sharing biometric data with a third party system. More importantly, since the digital user ID is stored locally on the mobile user computing device, and the verification step v) is performed on said mobile user computing device, it becomes possible to keep full control of the biometric data. That is, preferably no biometric data is stored on a central server of the third party system. It shall be understood by the skilled person that the locally stored digital user ID according to this aspect of the invention needs to be generated only once, prior to being able to use it for authentication.
- step v) may be performed partially on or by the third party system, in particular on a local processing unit of the third party system. According to the alternative embodiment, it is not required that the step v) of authenticating is performed on and by the mobile user computing device, but instead on and/or by the third party system. In that case, it may be required that some biometric data encompassed in the digitally stored user ID is shared with the third party system.
- the following steps are performed: i) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted part of the digital user ID, in particular an encrypted facevector or other biometric modality towards the third party system by the user computing device; ii) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted private key associated to the digital user ID stored on the mobile user computing device towards the third party system by the user computing device; iii) decrypting, by the third party system, the encrypted private key; iv) using the decrypted private key to decrypt the encrypted part of the digital user ID, in particular the facevector; v) obtaining biometric data associated with the user requesting authentication, preferably via a camera of the third party system and/or mobile user computing device; vi) comparing, by the third party system, the obtained biometric data of step v) with the decrypted faceve
- step v) is performed by the third party environment according to, preferably local, 1-to-1 matching.
- This particular and alternative example may be suitable for application at an airport or other third party system which requires in line authentication, such as stadiums, concerts, or the like.
- This alternative example does not require sharing of the private key via a cloud based environment, but allows for sharing using BLE connection, NFC connection, and/or a connection via QR-code.
- the private key is preferably stored on the mobile user computing device after verification and generating a digital user ID.
- the private key may be used to access at least a portion of the digital user ID.
- the facevector is provided to the third party system via the aforementioned connection, however it is imaginable that it is stored on a backend.
- the method may in that case comprise a step of checking whether both authentication steps are positive and meet the predefined level of similarity. In case both meet the required degree of similarity an authentication signal may be generated.
- the method comprises the step of establishing a connection between the third party system and the mobile user computing device, preferably prior to step ii), wherein said connection is initiated by scanning a QR-code by the mobile user computing device and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy.
- the method comprises the step of receiving an authentication trigger, preferably prior to step ii), wherein said authentication trigger is initiated by scanning a QR-code by the mobile user computing device, in particular by a camera thereof, and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy.
- Said QR-code may for example be depicted on a gate at an airport where authentication is required prior to being authorized to proceed in the restricted area.
- the gate may comprise an NFC placement or particular Bluetooth Low Energy (BLE) connection instruction.
- the local authentication may proceed as described above, that is on the mobile user computing device, without sending biometric data to the gate.
- said authentication trigger is configured for initiating an authentication procedure and/or establishing a connection, such as a data or signal connection, between the mobile user computing device and the third party system. Similar solutions can be applied for authenticating access at stadiums or concerts, which typically involve lines and gates at an entrance which require a person to authenticate themselves.
- This aspect allows to authenticate an identity of a person that is requesting access to the digital service and/or restricted environment against a prestored digital user ID, and additionally allows for comparing of the authenticated basic personal data with basic personal data of the preregistered person.
- the first allows for validating whether the person requesting access is in fact the person associated with the prestored digital user ID, hence an authenticating step. However, it is also needed to check whether said authenticated person is in fact the person that is preregistered. To this end, the latter step is performed. If both steps are successful, an authentication signal may be established which may grant access.
- authenticated basic personal data may for example be a name of the person. Since this is not sensitive data, this may optionally be shared with the third-party system.
- authenticated basic personal data is stored on the mobile user device in case the authentication performed meets a predetermined minimum degree of similarity. This may additionally allow for later use of the authenticated basic personal data, for example as long as the mobile user computing device is not locked, since otherwise it may be difficult to guarantee the validity of the authenticated basic personal data.
- the authenticated basic personal data is at least stored on the memory unit of the mobile user computing device up till, and preferably including, step viii). It is imaginable that essentially all biometric data related to the person is maintained on the mobile user computing device, in particular on the memory unit of the mobile user computing device.
- biometric data related to the person may be sensitive, and dangerous if in the hands of a malicious person, it is preferred that the data is maintained on the mobile user computing device of the person instead of on a cloud computing device of a third party system together with biometric data associated to many other people registered with said third party system.
- the restricted environment is a physical environment, such as a hotel room, and/or a stadium, and/or an airport area, such as access to a specific gate and/or passing customs control, and/or a gym, and/or a bank, and/or a bar.
- the restricted environment is a digital environment, such as a digital bank environment, and/or a money transfer platform, and/or an investment platform and/or an insurance platform, and/or a digital governmental platform.
- a ticket e.g., a ticket to a soccer match or concert, or plane ticket.
- the person may need to be authenticated; this may be done by using the mobile user computing device to perform the authentication step.
- a camera of the third party system is used for making a picture, which may in a particular embodiment be authenticated by the third party system against a preauthenticated image of a face of the user.
- the person records a picture (preferably a selfie), that is preferably prior to going to the stadium and/or airport, which is authenticated against the locally stored digital user ID.
- the picture is authenticated, said picture may be shared with the third party system as part of the basic personal data. This may allow the third party system to, by taking an image of the person entering the stadium and/or airport, validate the identity of the person against the pre-authenticated picture.
- the method according to the present invention may for example be applied when a person requests to log in on said platform, or if the person is arranging a transfer of money.
- the authentication according to the present invention may prevent someone other than the preregistered person from making unwanted actions. If a person has their banking application opened on their mobile, and puts their mobile phone away for a second, it could be possible that a third person may pick up the mobile phone and make a transfer. By using the method according to this aspect of the invention the person should authenticate at the point the transfer is made, hence said aforementioned unintended and unwanted transaction may be prevented since the person does not match the preregistered person.
- the third-party system forms part of and/or is connected to a server network, such as a cloud based server network, wherein the server network is configured to perform at least a part of step viii) and/or ix).
- step iv) and/or v) are performed on and by the mobile user computing device, since this allows for not sharing biometric data with the third-party system whilst still performing a qualitative authentication step.
- Steps viii) and/or ix) may to this end be performed either by the mobile user computing device and/or by the third-party system, such as said server network.
- step vii) involves only a comparison of basic personal data, it is not required to perform this step on the mobile user device. That is, basic personal data is typically used by the person on a day-to-day basis, or even to register (e.g., name, date of birth, or the like).
- Such data may not be very valuable to malicious persons and hence may be shared with and/or compared by the third-party system.
- the person already has entered such basic personal data within the third-party system in order to (for example) book a hotel room, or a ticket to a stadium.
- the third-party system may grant the person access (that is, in case the authenticated basic personal data matches the preregistered basic personal data).
- the biometric data stored on the mobile user computing device is encrypted using a public key infrastructure.
- the person, i.e., the owner, of the biometric data that is stored on the memory unit of the mobile user computing device is in control of the data.
- the private key is not shared by the person, only the person will be able to access the biometric data.
- the present invention provides for a user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to the present invention, wherein the user computing device is configured for use in a method according to the invention.
- the digital user ID is stored on the memory unit of said user computing device, wherein said locally stored digital user ID is preferably based on: a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and b. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and preferably wherein said locally stored digital user ID is generated by applying the method according to the present invention.
- the user computing device comprises a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
- the processor or an app stored on the memory unit of the user computing device is programmed to: i. authenticate, on said user computing device, recorded biometric data against a user ID locally stored on the user computing device, and/or ii. comparing, by the user computing device, prestored personal data associated with a person with authenticated basic personal data associated to an authenticated person of step i), and/or iii. provide an authentication signal from the user computing device to the third party system in case the comparison performed during step ii) meets a predetermined minimum degree of similarity, wherein a third party system may grant predefined user access upon receiving the authentication signal.
- the present invention provides for a system for authenticating a preregistered person in a third party system, comprising: at least one user computing device, in particular according to the invention, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and at least one third party system which requires a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third party system if the authentication meets a predetermined minimum degree of similarity.
- the same benefits apply as set forth with respect to the methods according to the present invention.
- a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of: i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data onto the mobile user computing device, ii.
- biometric data relate to a plurality of biometric modalities, wherein at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data exclusively onto the mobile user computing device, iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii), iv.
- step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
- step i) and/or step ii) and/or step iv) the retrieved and/or acquired and/or generated data, in particular biometric data associated with a user, is exclusively stored on the mobile user computing device.
- step ii) and step iii) at least partially overlap in time.
- step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
- a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera
- the authentication method comprises the steps of: i. providing a third party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein third party system comprises prestored personal data and associated access rights associated with the preregistered person, ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the person data associated with the preregistered person, iii.
- biometric data such as a selfie and/or liveness check
- biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and/or wherein said locally stored digital user ID is generated by applying the method according to any of the preceding clauses, vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system, vii.
- step vi) optionally comparing, on and by the mobile user computing device and/or by the third party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and ix. granting said person, by the third party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
- User computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to any of the clauses 1-15, wherein the user computing device is configured for use in a method according to any of the preceding clauses.
- User computing device further comprising a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
- System for authenticating a preregistered person in a third-party system comprising:
- At least one user computing device in particular according to one of the clauses 23-26, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and
- the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third-party system if the authentication meets a predetermined minimum degree of similarity.
- FIG. 1 shows a non-limitative embodiment of a computer-implemented method for generating and storing a digital user ID
- FIG. 2 shows a first embodiment of a computer-implemented method for authenticating a registered person
- FIG. 3 shows a second embodiment of a computer-implemented method for authenticating a registered person
- FIG. 4 shows a third embodiment of a computer-implemented method for authenticating a registered person
- FIG. 5 shows a fourth embodiment of a computer-implemented method for authenticating a person.
- FIG. 1 shows an embodiment for generating and storing a digital user ID which is associated with a user for subsequent authentication purposes 100. Some non-limitative examples of such authentication purposes are shown in the figures 2-4.
- the computer-implemented method 100 makes use of a mobile user computing device 101.
- Said mobile user computing device 101 is a mobile phone 101, in particular a smartphone 101.
- a tablet or laptop, or other mobile device 101 belonging to a user is used for the same purpose.
- the mobile user computing device 101 comprises at least one processor 102, which processor 102 may be configured for starting, running, and closing applications on said mobile user computing device 101.
- the mobile user computing device 101 further comprises at least one memory unit 103, such as an SD card, network storage, memory chip, or the like.
- the memory unit 103 preferably belongs to or is part of the mobile user computing device 101, or at least allows for local storage of data and/or information.
- the mobile user computing device 101 further comprises one or more recording devices 104, 105, such as a camera 104, for recording one or more biometric modalities related to the user.
- a user may retrieve prestored biometric personal data 107, 108, 109, 110 from at least one official identity document 106 associated with a user.
- the official identity is a passport 106, issued by a government.
- the passport 106 is of the newer type, which comprises an NFC chip 107.
- the passport comprises the data associated to a person such as a picture 108, basic information related to date of birth 110, place of birth 110, name, but also document related information 110, such as a document type, document number, or the like 110.
- a part of the information may be incorporated into a code 109, typically situated along an edge of the identity document, which may also be referred to as a machine readable zone 109.
- the user may use the mobile user computing device 101 to retrieve 116, preferably by scanning, the prestored biometric personal data 107, 108, 109, 110 from the official identity document 106. This may be done through the NFC chip 107.
- the user may use a camera 104 of the mobile user computing device 101 to scan the official identity document 106 and to retrieve 116 the personal biometric data 107, 108, 109, 110.
- the prestored biometric data 107, 108, 109, 110 retrieved 116 from the NFC chip 107 of the passport is preferably stored onto a memory unit 103 of the mobile user computing device 101.
- the user may be requested to 117, or on own volition, record 111 biometric data 112 from themselves, for example by using a (selfie) camera 104 of the mobile user computing device 101, or by using a fingerprint scanner 105 of the mobile user computing device 101.
- the encircled portion 111 which reflects the step of recording 111 biometric data of the user, is performed on the same user computing device 101, hence only a single mobile user computing device 101 is used in the method according to the invention 100 shown here. It is merely for illustrative purposes that this is indicated as a separate mobile user computing device 101.
- the recorded 111 and acquired biometric data related to the user comprises a plurality of biometric modalities, of which at least one constitutes a liveness check 112.
- the biometric data is stored onto the mobile user computing device 101, in particular the memory unit 103 thereof. It is conceivable that the biometric data is stored in an encrypted manner.
- At least one biometric modality constitutes a selfie 112 of the face of the user. It is imaginable that not the selfie as such is stored onto the memory unit, but merely a biometric template, comprising a faceprint with data related to facial landmarks associated to the user’s face.
- the two are compared 118. Comparing 118 of the prestored biometric personal data 113 and the recorded biometric data 112 occurs on the mobile user computing device 101, in particular on a processor 102 thereof.
- a digital user ID 115 is generated 114, preferably by the processor 102 of the mobile user computing device 101. Subsequently said generated digital user ID 115 is stored onto the mobile user computing device 101, preferably the memory unit 103 thereof. It is conceivable that after generating 114 and storing the digital user ID 115 locally on the mobile user computing device 101, any data stored on the mobile user computing device that was recorded 112 and/or obtained 116 is deleted. As such, all steps elucidated above may occur on, or by, the mobile user computing device 101.
- Since the user has their own digital authenticated user ID, the latter may be used by a wide variety of third party systems, where authentication within such third party environments requires only the local presence of the digital user ID. This is a significant improvement, since the user does not need to separately authenticate themselves with a wide range of third party systems, a practice which enlarges the risks of data leaks in one of such systems since these systems typically comprise vast amounts of data related to a large number of people, making them an interesting target to malicious persons.
- Figure 2 shows an embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 200.
- This particular figure shows an example of a user that is authenticated in order to be granted access to a hotel room 203 or an apartment 203.
- a person 201 may register 219 themselves, by using the mobile user computing device 202, with a third party system 203.
- a mobile phone 202 is used by the user 201 to access a webpage 204 of a hotel 203, where a check-in is performed.
- the check-in typically requires a person to register 218 certain data 205, such as a name of the person 205 that is checking-in, the dates from and to which the person would like to make use of the hotel room 205, and optionally information relating to services of the hotel 205, in this case the choice for half board stays.
- the personal data 205 is registered with the third party system 203, in this instance a cloud environment 216 of the hotel 203, such that the third party system 203 may associate a restricted environment 217 (e.g., hotel room, or breakfast room) as an access right to the preregistered user 205, possibly for a restricted amount of time (e.g., the duration of the stay).
- the hotel room may share the basic personal data 206 associated to the preregistered person 205 with the mobile user computing device 202.
- biometric data 211 may be recorded 212 by the person, such as by using the camera 212 of the mobile user computing device 202.
- the separate mobile user computing device 202 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 202 is used for performing the method.
- the same single mobile user computing device 202 is used for registering 219 and for authenticating 212.
- the identity of the person may be authenticated 210 based on the recorded biometric data 211 and a digital user ID 215 that is locally stored 214 on the mobile user computing device 202.
- said locally stored digital user ID 215 is obtained via the method as indicated in figure 1. If the recorded biometric data 211 has a predetermined degree of similarity compared to the locally stored digital user ID 215, the identity of the person may be realized.
- the authenticated basic personal data, corresponding to the conditional outcome of the authentication step 210, is compared against the prestored basic personal data 206 provided to the third party service 203.
- an authentication signal 209 is provided by the user computing device 202, said signal may grant the person predefined access to the restricted hotel room 217.
- the mobile user computing device 202 is used to request access to the hotel room 217, for example by means of an app of the hotel, which is running on 213 the mobile user computing device 202. By holding the mobile user computing device against a lock, or other part, of the hotel room 217, the person may request access.
- the identity of the person is authenticated 210, as well as comparing that the authenticated identity matches the identity of the preregistered person 206 associated to the specific room.
- essentially all checking steps are conducted on the mobile user computing device 202. That is, access is requested 207, in response to which access request, basic personal data 206 associated to the room 217 are, optionally in an encrypted manner, sent 207 to the mobile user computing device 202.
- the person is requested to authenticate 210 themselves, by recording biometric data of themselves 211, which is authenticated 210 against a locally stored digital user ID 215.
- the recorded biometric data is only stored 214 on the mobile user computing device 202 and needs not to be shared with the third party system (hotel) 203. If the recorded biometric data 211 matches the digital user ID 215, the person is successfully authenticated 210.
- Authenticated basic personal data 206, such as a name, may be retrieved by the mobile user computing device 202 upon successful authentication 210. Said authenticated basic personal data may be compared with the preregistered basic personal data 206 received in response to the access request. If the basic personal data matches, an authentication or access signal 209 may be generated by the user computing device 202, and subsequently sent to the hotel room 217. The hotel room 217, as the third party system, may grant access to the room upon receiving said authentication signal 209.
- the main benefit is that no biometric data of the person needs to be shared with the third party system 203, which allows the person to remain in full control of the biometric data.
- the only data that needs to be shared is the basic personal data, or a part thereof, in order to allow a comparison between an authenticated person and the preregistered person. This may also be based on specific characters of the basic personal data.
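The Figure 2 flow described above, as an added sketch that is not part of the patent text: the phone performs the 1-to-1 match and the basic-personal-data comparison locally and releases only an authentication signal. The thresholds, the cosine metric, the nonce and HMAC binding of the signal, the shared key and all names and sample vectors are assumptions made here; the page does not say how the signal is protected.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed values: the page only says "a predetermined minimum degree of similarity".
FACE_THRESHOLD, NAME_THRESHOLD = 0.90, 0.95
# Constructed sample data (not real biometric templates).
ENROLLED_FACE = (0.12, -0.48, 0.33, 0.80)
SAME_PERSON = (0.10, -0.50, 0.30, 0.82)
OTHER_PERSON = (-0.70, 0.20, 0.65, -0.10)
SHARED_KEY = secrets.token_bytes(32)  # assumed to be provisioned at registration


@dataclass(frozen=True)
class DigitalUserID:
    """Stays on the phone: biometric template plus document-derived name."""
    face_template: tuple
    name: str


@dataclass(frozen=True)
class AccessRequest:
    """Sent by the third party: preregistered basic data and a fresh nonce."""
    room: str
    preregistered_name: str
    nonce: bytes


@dataclass(frozen=True)
class AuthSignal:
    """The only message leaving the phone; it carries no biometric field."""
    room: str
    nonce: bytes
    tag: bytes


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def normalise(name):
    """Fold case, accents and whitespace before comparing basic personal data."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().split())


def signal_tag(key, room, nonce):
    return hmac.new(key, room.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Phone:
    def __init__(self, user_id, key):
        self._user_id, self._key = user_id, key

    def authenticate(self, request, recorded_face):
        """Return an AuthSignal, or None if either local check fails."""
        template = self._user_id.face_template
        if len(recorded_face) != len(template):
            return None
        if cosine(recorded_face, template) < FACE_THRESHOLD:   # 1-to-1 match
            return None
        ratio = SequenceMatcher(None, normalise(self._user_id.name),
                                normalise(request.preregistered_name)).ratio()
        if ratio < NAME_THRESHOLD:                              # right person, wrong booking
            return None
        return AuthSignal(request.room, request.nonce,
                          signal_tag(self._key, request.room, request.nonce))


class Lock:
    def __init__(self, room, key):
        self.room, self._key, self._pending = room, key, set()

    def request_access(self, preregistered_name):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return AccessRequest(self.room, preregistered_name, nonce)

    def grant(self, signal):
        """Accept a signal once, only for a nonce this lock issued."""
        if signal is None or signal.room != self.room or signal.nonce not in self._pending:
            return False
        if not hmac.compare_digest(signal.tag, signal_tag(self._key, self.room, signal.nonce)):
            return False
        self._pending.discard(signal.nonce)   # single use: a replayed signal is rejected
        return True


if __name__ == "__main__":
    phone = Phone(DigitalUserID(ENROLLED_FACE, "Zo\u00eb Example"), SHARED_KEY)
    lock = Lock("room-217", SHARED_KEY)
    signal = phone.authenticate(lock.request_access("zoe example"), SAME_PERSON)
    print("granted:", lock.grant(signal), "| replay:", lock.grant(signal))
```

Because the lock never sees the face match, the trust it places in the signal rests entirely on how that signal is bound to the request, which is why the sketch ties it to a single-use nonce.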
- Figure 3 shows a slightly different embodiment of the same third party system 303 as indicated in figure 2. However, some steps slightly differ compared to the embodiment indicated in figure 2. The person similarly registers 319 themselves using e.g., a webpage 304 and/or an application of a third party system 303 via the user computing device 302.
- Basic personal data 306a related to the preregistered person 205 may be stored, e.g., in a cloud environment 316 of the third party system 303.
- the third party system 303 which in this instance is the hotel, may allocate a specific room to the preregistered person, and optionally restricted access to certain parts of the hotel, based on the data 305 of the preregistration.
- the person 305 does not need to go through the reception, since the room is allocated on the basis of the preregistration 319.
- a hotel room 317 may be communicated to the person via the cloud environment to the app or a mailing service on the mobile user computing device 302.
- Upon requesting access 307 to the specific room 317 associated to the preregistered person 306a, the third party system 303 needs to ensure that the person asking access 307 matches the preregistered person 306a. To this end, the person may be required to authenticate themselves on the mobile user computing device 302, e.g., based upon an authentication request 307 from the third party system 303. To this end, the person may, in particular on said mobile user computing device 302, record 312 biometric data 311 of themselves, which is authenticated 310a against a locally stored digital user ID 315. Also here, it is to be explicitly noted that the separate mobile user computing device 302 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 302 is used for performing the method 300.
- authenticated basic personal data 306b e.g., name, age, gender
- the authenticated basic personal data 306b may be shared 309a, possibly in an encrypted manner, with the cloud service 316 of the third party system (hotel).
- the authenticated basic personal data 306b may be compared 310b with the basic personal data 306a related to the preregistered person 205.
- FIG. 4 shows a different embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 400.
- the third party system 403 may be an app 404 running on the mobile user computing device 402, for example a banking application 404.
- a person 401 may access the banking application 404 through the mobile user computing device 401.
- an access code is entered in order to enter the banking application 404.
- the person may be allowed to perform several actions such as checking a savings account, making a (money) transfer 405, or adapting the settings.
- the method according to the present invention may be used. That is, if the person 401 is willing to make a money transfer 405, a transfer request 405 is preregistered, corresponding to an amount to be transferred to a predetermined banking account, by the person 401.
- an authentication step 410a may be included to establish the money transfer.
- basic personal data 406a may be preregistered, e.g., in the app 404 running on the mobile user computing device 402, or on the memory unit 414 of the mobile user computing device 402, or even on a cloud service 416 corresponding to the banking application 404.
- the person is requested 407 to record 412 biometric data 411, for example by using the camera 412 of the mobile user computing device 402.
- the recorded biometric data 411 is authenticated 410a against a locally stored digital user ID 415, which may be stored on the memory unit 414 of the user computing device 402.
- said locally stored digital user ID 415 is obtained according to the embodiment shown in figure 1.
- authenticated basic personal data 406b related to the authenticated person may be shared 409a with the banking app.
- the separate mobile user computing device 402 shown is the same as indicated on the top left.
- a single mobile user computing device 402 is used for performing the method 400.
- the same single mobile user computing device 402 is used for registering and for authenticating 412.
- said authenticated basic personal data 406b is compared with the prestored basic personal data 406a.
- an authentication signal 409b may be generated, either by the banking app 404 or the mobile user computing device 402 which may grant the person access to a certain restricted action, in this case making the money transfer 405.
- the authentication signal comprises a (digital) certificate 408 which may be stored on the mobile user computing device 401 as a record of authenticated money transfer.
- the authentication signal 409b may for example be a simple “go or no-go” type of signal.
- Figure 5 shows an embodiment of the present invention related to a computer-implemented method 500 for authenticating a preregistered person by using a mobile user computing device.
- This particular figure shows an example of a user that is authenticated in order to be granted access to a restricted area in an airport 503. Such a restricted area may be to pass customs control, or access to a particular gate to board a flight.
- a person 501 may register 519 themselves, by using the mobile user computing device 502, with a third party system 503.
- a mobile phone 502 is used by the user 501 to access a webpage 504 to book a flight.
- the check-in typically requires a person to register 518 certain data 505, such as a name of the person 505 that is booking a flight. The data 505 may comprise data such as a date of birth, name, certain preferred options such as priority boarding and business class tickets 505.
- the personal data 505 is registered with the third party system 503, in this instance a cloud environment 516 of the airport site 503, such that the third party system 503 may associate a restricted environment 517 (e.g., access to a business lounge, access to pass customs or a gate) as an access right to the preregistered user 505, possibly for a restricted amount of time. It is possible that specific details, such as flight number, are shared with the third party service 503.
- preregistering 519 no biometric data is shared with the third party system 503, merely basic personal data 506 associated to the preregistered person 505 is shared with the third party system 503.
- the preregistered person 505 does not require to go to a desk at the airport, since the flight and other clearance right associated to the preregistered person 505.
- an authentication of a person’s ID is required.
- a user may use a user computing device 502, preferably the same as used to preregister, to request access 507 to the restricted area of the airport 503.
- an authentication request may emerge on the mobile user computing device 502 of the user.
- the connection may be established via BLE or NFC communication or a QR code 517.
- the authentication request 507 requires the person connecting to the gate via connection 517 to authenticate.
- biometric data 511 may be recorded 512 by the person, such as by using the camera 512 of the mobile user computing device 502.
- a camera or biometric recording device of the third party system 503 is used.
- This may be a camera arranged in an access gate of the third party system. Said camera of the third party system 503 may record the biometric data 511 and forward it to the mobile user computing device 502, optionally in an encrypted manner such as an encrypted facevector.
- the separate mobile user computing device 502 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 502 is used for performing the method. However, it is also conceivable that another mobile device which carries the digital user ID may be used. Thus, the same single mobile user computing device 502 is used for registering 519 and for authenticating 512 without the need to send biometric data to the third party system 503.
- the identity of the person may be authenticated 510 based on the recorded biometric data 511 and a digital user ID 215 that is locally stored 514 on the mobile user computing device 502. Preferably wherein said locally stored digital user ID 515 is obtained via the method as indicated in figure 1. If the recorded biometric data 511 has a predetermined degree of similarity compared to the locally stored digital user ID 515, the identity of the person may be realized. If the recorded image 511 meets a predefined degree of similarity to the prestored digital user ID, an authentication signal 509 may be generated and provided to the third party system 503 in order to allow the person within the restricted area.
- authenticated basic personal data corresponding to the conditional outcome of the authentication step 510, is optionally compared against the prestored basic personal data 506 provided to the third party service 503.
- an authentication signal 509 is provided by the user computing device 502, said signal may grant the person predefined access to the secured sites of the airport such as the gates, or business lounge.
- the mobile user computing device 502 is used to request access to parts of the airport 517, for example by means of an app of the airport, or via gates which allow to establish a mutual connection with the mobile user computing device 502. By holding the mobile user computing device against a part of the gate 517, the person may request access.
- the identity of the person is authenticated 510, as well as comparing that the authenticated identity matches the identity of the preregistered person 506 associated to the specific restricted area.
- essentially all checking steps are conducted on the mobile user computing device 502. That is, access is requested 507, in response to which access request The airport 517, as the third party system may grant access to the restricted environment upon receiving said authentication signal 509.
- the main benefit is that no biometric of the person needs to be shared with the third party system 503, which allows the person to remain in full control of the biometric data.
- inventive concepts are illustrated by several illustrative embodiments. It is conceivable that individual inventive concepts, including inventive details, may be applied without, in so doing, also applying other details of the described embodiments. It is not necessary to elaborate on examples of all conceivable combinations of the above-described inventive concepts, as a person skilled in the art will understand numerous inventive concepts can be (re)combined in order to arrive at a specific application and/or alternative embodiment.
Abstract
The present invention is related to a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera. The present invention is further related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera. The invention is further related to a user computing device, and a system for authenticating a preregistered person in a third-party system.
Description
A computer implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person
The present invention is related to a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera. The present invention is further related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera. The invention is further related to a user computing device, and a system for authenticating a preregistered person in a third-party system.
In recent years, society has been digitalizing at a fast pace, and the use of (mobile) computing devices continues to grow. With this digitalizing society, it is getting less complicated to validate a person’s identity. Through the introduction of cloud computing systems, it has become more accessible for third party systems to provide an easily implementable authentication check. For example, banking establishments may make use of a, partially, digital authentication of a user who is inclined to open a bank account. The user may upload data stored on a passport, which may be done via scanning the passport for example. The prestored data of the passport may be authenticated against a picture taken by the user and uploaded to the same digital environment of the banking establishment. The bank will authenticate the identity of the person intending to open an account, and based on some background checks performed, open an account for the user in case the data meets an amount of similarity. In order to authenticate the person’s identity, the bank stores the data related to the user in an encrypted environment. This allows the bank to retain access to said data, to which a user typically approves.
However, in recent days, more and more third-party services require a person to authenticate themselves. Not only is this a rather cumbersome procedure, but it also makes the person more vulnerable to cyber security crimes, such as identity theft. Over the years, a person may have their biometric data, or even data of their passport, stored with various third-party services. This data may be stored with the third party, such as in the form of an identity associated to a person. Since large numbers of persons may be enrolled to such third-party services, the third party may become a target to certain malicious persons, or groups of hackers. These hackers try to hack a third-party system, taking their data hostage, including the data associated to a large number of persons. Although the persons may trust the cyber security measures of the third-party service, they also become victim of the hack, since their data is stored with said service. In some events, private, or even biometric data of the persons enrolled or registered with the third-party system may be stolen and/or used for malicious purposes by the hackers. This risk tends to grow as the number of services that need an authentication step starts to grow. Especially since a person may need to register for every service separately.
Although initially the authentication was intentionally kept at a distance from the person using the service, in order to ensure the quality of the authentication, the downsides, such as risk of hacking and sharing of private and/or biometric data or identity information, start to overshadow the benefit of authentication performed by the third-party system. The increased use of identity information for providing services from a service provider to a customer (user or person) has been accompanied by an increased danger of central interception and theft of that information from the service provider. Identity theft occurs when someone uses, for example, password related data, a username, a Social Security number, a credit card number, or other identifying personal information of another without consent to commit fraud. Such fraud often results not only in financial loss, but also in a loss of trust, wherein both the service provider and the user can be considerably damaged. An additional downside of these third-party systems is that the person using the system generally has no idea of where their data is stored, and also no idea as to what happens with their data. It may be the case that a part of their data is sold by the third party.
It is a first goal of the present invention to provide a method for generating a digital user ID for subsequent digital authentication purposes on a mobile user computing device that allows a person to maintain control over and/or without sharing sensitive personal data.
It is a second goal of the present invention to provide a method for authenticating an identity of a person without sharing and/or to maintain control of sensitive personal data.
It is a third goal of the present invention to provide for a less complicated authenticating procedure of a preregistered person by using a mobile user computing device.
The present invention according to a first aspect thereto proposes a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of:
i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data, preferably exclusively, onto the mobile user computing device,
ii. acquiring, by using the mobile user computing device, additional biometric data from said user, wherein said biometric data relate to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data onto the mobile user computing device,
iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii),
iv. generating, by said mobile user computing device, a digital user ID in case comparison performed during step iii) meets a predetermined minimum degree of similarity, and locally storing the generated digital user ID on at least one memory unit of the mobile user computing device.
The present invention allows for generating and storing a digital user ID which may be used in subsequent authentication processes. The particular advantage of the present invention is that it allows a user to generate and to locally store a digital user ID for themselves, only by using the user’s (single) mobile user computing device. Hence, the mobile user device, which a user typically carries with themselves, holds only the digital user ID. Since the digital user ID is authenticated, the digital user ID may be validly used to authenticate a person during authentication processes of third-party systems. Another particular advantage of the present invention is that the prestored biometric personal data retrieved from the official identity document are stored on the mobile user computing device. Hence, there is no need to share sensitive, valuable and personal data with a third-party system and/or with third parties. Sharing biometric data with a third party, which usually stores said data with the biometric data of other users, makes, as described before, the third party more prone to a hack, which may cause biometric data theft of the user from said third party, which is obviously undesired. The present invention allows the user to remain in control of the prestored biometric personal data by only storing it locally, on the memory unit of the mobile user computing device. The digital user ID is preferably stored encrypted on at least one memory unit of the mobile user computing device, more preferably on a secured area (protected area) of said at least one memory unit of the mobile user computing device. Preferably, the prestored biometric personal data comprises at least one high-resolution (colour) image of the face associated with a user.
However, it is conceivable that the prestored biometric personal data further comprises demographic and biometric information associated with the user, preferably fingerprint of at least one, preferably all fingers, an iris scan, a digital signature, a retinal scan. The mobile user computing device is significantly less susceptible to a (targeted) hack, since it merely holds biometric data associated to a single person. Optionally, it is imaginable that family members of the user may create a second or third or fourth digital user ID on the device of said user, allowing the mobile user computing device to store a digital user ID of the family members of the user. However, in this case, it is preferred that the different digital user IDs associated to the family members are stored on the mobile user device under e.g., different accounts and/or under different names. The present invention further allows repeated use of authentication steps within a third party system, which in current third party systems is typically rather cumbersome to the user. The locally stored user ID may easily, and with low threshold, be used for local authentication of the user during use of a third party system, by authenticating the locally stored digital user ID against an image of the user for example. The digital user ID may for example be used as a replacement for a password, or in addition to a password and/or existing login method. The digital user ID, stored on the mobile user device, may be applied in any third party system which requires a user to login. The benefit of the local user ID is that it may be used in a decentralized manner compared to existing technologies which require a transfer of biometric data out of the storage of the mobile user device. That is, the digital user ID is stored on, and preferably exclusively used on the mobile user device. That is, when a third party system requires a user to login, this login may be authenticated locally, based on the stored digital user ID. The mobile user device, upon meeting a predefined degree of similarity between an image and the digital user ID, may send an authentication signal to the third party system to grant the person access to the third party system, without in doing so sending any biometric data to said system. Preferably, the digital user ID is generated only once, thereafter it can be used for authentication purposes. Therefore, the present invention may provide for a quicker and more secure 1:1 matching solution without the requirement to send biometric data to a central server for authentication purposes.
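Steps iii) and iv) of the enrolment and the local 1:1 match with its authentication signal, as an added Python example that is not part of the patent text. The face vectors, the cosine-similarity measure, the 0.90 threshold, the record layout of the digital user ID, the request nonce and the HMAC (standing in for a PKI signature) are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import math
import secrets

THRESHOLD = 0.90  # assumed value for the "predetermined minimum degree of similarity"

# Constructed sample face vectors (real templates have far more dimensions).
DOCUMENT_VECTOR = [0.12, 0.80, 0.35, 0.41]   # from the identity document, step i
SELFIE_VECTOR = [0.10, 0.82, 0.33, 0.44]     # from the device camera, step ii
IMPOSTOR_VECTOR = [0.90, 0.10, 0.05, 0.20]   # a different person
BASIC = {"name": "A. Example", "date_of_birth": "1990-01-01"}  # constructed


def cosine(a, b):
    """Cosine similarity between two face vectors of equal length."""
    if len(a) != len(b) or not a:
        raise ValueError("face vectors must be non-empty and the same length")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def enroll(document_vector, selfie_vector, liveness_ok, basic_data):
    """Steps iii and iv: compare on the device, create the ID only on a match."""
    if not liveness_ok or cosine(document_vector, selfie_vector) < THRESHOLD:
        return None
    return {                                   # hypothetical record layout
        "id": secrets.token_hex(16),           # random handle, not derived from biometrics
        "template": list(document_vector),     # reference template, never leaves the device
        "basic": dict(basic_data),             # basic personal data that may be shared
    }


def _mac(key, body):
    """HMAC over a canonical JSON encoding (assumed stand-in for a PKI signature)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def authenticate(user_id, probe_vector, nonce, key):
    """Local 1:1 match; the returned signal carries no biometric data."""
    ok = cosine(user_id["template"], probe_vector) >= THRESHOLD
    body = {
        "result": "go" if ok else "no-go",
        "nonce": nonce,                        # binds the signal to one access request
        "basic": dict(user_id["basic"]) if ok else {},
    }
    return {**body, "mac": _mac(key, body)}


def third_party_accepts(signal, preregistered, nonce, key):
    """Third-party side: check integrity, freshness, outcome, preregistered fields."""
    body = {k: v for k, v in signal.items() if k != "mac"}
    mac = signal.get("mac")
    if not isinstance(mac, str):
        return False
    if not hmac.compare_digest(mac.encode(), _mac(key, body).encode()):
        return False                           # altered or forged signal
    if signal.get("nonce") != nonce or signal.get("result") != "go":
        return False                           # replayed signal or failed match
    basic = signal.get("basic")
    if not isinstance(basic, dict):
        return False
    # Only the fields given at preregistration are compared.
    return all(basic.get(k) == v for k, v in preregistered.items())


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    uid = enroll(DOCUMENT_VECTOR, SELFIE_VECTOR, True, BASIC)
    nonce = secrets.token_hex(8)
    for name, probe in (("genuine", SELFIE_VECTOR), ("impostor", IMPOSTOR_VECTOR)):
        signal = authenticate(uid, probe, nonce, key)
        accepted = third_party_accepts(signal, {"name": "A. Example"}, nonce, key)
        print(name, signal["result"], accepted)
```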
The present invention not only allows for maintaining control over the prestored biometric personal data retrieved from the at least one official identity document, but also the acquired additional biometric data from the user is stored locally, preferably on the memory unit of the mobile user computing device, thereby giving the user full control and ownership of the biometric data. Preferably, step iii) is performed by the at least one processor of the mobile user computing device. Since also the step of comparing is performed by the mobile user computing device, it is possible to generate an authenticated digital user ID essentially exclusively on the mobile user computing device. Hence, making it possible to establish a digital user ID, which is authenticated, locally on the mobile user computing device. As such, a user is not required to share any biometric data. Another major benefit is that the digital user ID may be used with a wide range of third party systems which are compliant. Hence, eliminating the need for a user to generate a single user ID with all the separate third-party systems, and the associated risk of hacks of personal biometric data stored within said third party systems. By applying the method according to the present invention it is possible to locally generate a digital user ID. Here, local shall be understood as decentralized, preferably not making use of a public server network, or a server network that is used by a plurality of users. The latter in any case as to the biometric data.
Throughout this application, reference is made to basic personal data. This may be understood as simple personal data such as a name of a user or person. Such data can be freely shared since it does not constitute sensitive data or may be less useful to malicious persons. Other examples of basic personal data may for example be date of birth, place of birth, optionally a basic image of a person, wherein no biometric data is associated with said basic image, a username, a place of residence, or the like. Biometric data may be understood as comprising at least some measurable and/or quantifiable characteristics of the person, such as a fingerprint, or key facial landmarks, or the like. Such type of data is preferably not shared with any third party, since it may cause identity theft if stolen from the third party, e.g., when hacked. Such basic personal data may be added, for example by the user, to the digital user ID as credentials.
It is imaginable that step ii) acquiring additional biometric data from said user comprises the steps of: recording data of at least one characteristic of the person, preferably by using the camera of the mobile user computing device; and constructing, preferably by using the at least one processor of the mobile user computing device, biometric data, wherein said biometric data relate to a plurality of biometric modalities, related to the recorded data. Biometric data, in particular the biometric modalities, may be understood as describing or defining measurable human characteristics, preferably wherein said biometric data, in particular the biometric modalities, are stored and/or converted into one or more biometric data templates, which may comprise a set of stored biometric features. Since the biometric data may be highly sensitive, especially in the hands of malicious persons, it is generally not preferred to share said biometric data.
Preferably, during step ii) at least one biometric modality constitutes a selfie of the face of a user. The selfie may for example be recorded with the at least one camera of the mobile user computing device. It is imaginable that it is sufficient to record merely a face part, rather than the entire face, such as for example an upper part of the face, during step ii). Preferably, the face is uncovered, although it is also feasible to retrieve sufficient biometric facial information from a partially covered face, such as when a user is wearing a mouth mask, sunglasses, and/or a hat. If not the entire face is recorded, or if the face is partially covered, it is essential that during step iii) a predetermined minimum degree of similarity may be detected by the mobile user computing device in order to guarantee a valid authentication of the identity of a user. Preferably, during step iii) a face recognition analysis is performed based on the acquired additional biometric data, preferably the selfie, during step ii) and the prestored biometric personal data retrieved during step i). It is preferred that the comparison performed is at least partially based on a depth perception face recognition. It has proven that facial recognition with depth perception may be able to detect deep fake pictures, and hence may provide a more reliable outcome of the comparison step of step iii). Preferably, during step ii) both at least one selfie of the face of a user and a user liveness check are acquired. This is beneficial for the step of comparing, since it may allow to validate the user is a living person, and to verify the face based on the selfie image. During step iii), it is preferred that at least the selfie is compared with the prestored biometric personal data of step i), in particular a high-resolution image thereof.
It is imaginable that a biometric template of at least one biometric modality, preferably comprising a faceprint comprising data related to one or more facial landmarks associated to a user’s face, such as face vectors, is stored on the mobile user computing device, wherein said biometric template is at least partially associated to user related biometric data. Hence, this may provide even further protection of the sensitive biometric data. The captured biometric modality acquired during step ii) is therefore preferably converted into a mathematical file and/or into one or more face vectors. Thus, the template is a digital and/or mathematical representation of features or characteristics of the acquired additional biometric source data during step ii). Not only does this occupy less storage of the memory unit, but it is also less valuable when stolen, in the event the mobile user computing device is hacked. Preferably, the biometric data retrieved and/or acquired, in particular the biometric template, is encrypted prior to being stored on the memory unit. It is conceivable that the data is encrypted according to a public key infrastructure. Typically, at least a part of the biometric data collected during steps i) and ii) is preferably stored within a secure area (protected area) of at least one memory unit of the mobile user computing device. Once data, in particular based upon the generated digital user ID, is shared by the user computing device for authentication purposes, such as to get access to a service, these data are preferably encrypted with public key infrastructure (PKI) encryption keys.
According to a preferred embodiment during step ii) at least one biometric modality is a physiological biometric modality. Preferably at least one biometric modality is chosen from the group of: fingerprints, vein recognition, iris recognition, retina scanning, facial recognition, ear recognition, finger geometry (the size and position of fingers), palm prints, voice recognition. In addition, or alternatively, wherein during step ii) at least one biometric modality is a behavioural biometric modality, such as a keystroke recognition and/or gait pattern recognition.
Preferably at least one biometric modality is recorded, by said user using at least one transducing component of the mobile user computing device during step ii). Said at least one transducing component is preferably chosen from the group consisting of: a camera, a microphone, and/or a biometric sensor. The recording can for example take place by making and/or by recording and/or by capturing a facial image, such as a selfie, a facial video of an entire face or face part, an iris video, a voiceprint, a fingerprint, a hand gesture, a fingerprint, finger vein, or a photo of a finger allowing the determination of the minutiae of said finger and/or the vein(s) of said finger. It is also imaginable to record a voiceprint in a noisy environment and/or while wearing a mouth mask, scarf, or other mouth covering object. In this latter case it is preferred that a neural network and/or algorithm, running or performed by the processor of the mobile user computing device and used for the biometric analysis, is programmed and/or has learned and/or is fed with sufficient data to be able to process the recorded voiceprint (while wearing a mouth mask) for comparison (and/or storage) purposes. Hence, the software used to recognise the recorded biometric is preferably a kind of living or dynamic piece of software running on or performed by the processor of the mobile user computing device, meaning that it will continuously improve based on historical data that is submitted by users. As such, events like changes in accents if a user moves to a different part of a country are accounted for by the present invention. The user is preferably guided through the process for generating a digital user ID. One of the steps during this enrolment process is that the user may be guided in how to properly record a biometric characteristic associated to said user. Here, it is imaginable that at least one host computing device provides recording instructions to the user via the messenger application, wherein said recording instructions define one or more minimum requirements relating to the quality of the biometric characteristic to be recorded. It is also imaginable that this guidance can be provided to the user via the mobile user computing device. These minimum requirements can be presented and communicated in various ways to the user, such as by text, audio, pictures or video. In case recording of a picture or video is requested, then it is often preferred to show a virtual picture frame on the screen of the mobile user computing device, wherein, by using the camera of the mobile user computing device, the user should try to fit his or her face within said picture frame. During and/or after this exercise, fiducial facial points are typically detected. Alternatively, an example picture can be sent to the user, or (interactive) feedback can be provided to instruct the user what to do, e.g., “stand closer”, “stand further back”.
It is imaginable that the digital identity generated by the mobile user computing device is, at least partially, stored on a digital wallet of the mobile user computing device. Said digital wallet may be allocated on the memory unit for example and is typically very well encrypted to further prevent theft.
Preferably, during step i) the official identity document issued by a government is a passport, and/or an identity card, and/or an official identity document issued by a company or health service, such as a health insurance card, a physical identity document, and/or a digital identity document. The official identity document according to the purpose of the present invention shall comprise prestored biometric personal data associated with a user. Preferably the official identity document is compliant with the International Civil Aviation Organization (ICAO) DOC series 9303. Preferably, during step i) use is made of the mobile user computing device for retrieving data from the at least one official identity document. It is conceivable that during step i) at least one image of the at least one official identity document is made, preferably by using the mobile user computing device, wherein said image comprises biometric data associated to the identity of a person. The image of the official identity document is preferably processed, for example by the processor of the mobile user computing device, to extract and/or deduce the prestored biometric personal data from the official identity document.
According to a preferred embodiment the official identity document comprises at least one chip, wherein the chip comprises at least a part of the prestored biometric data, wherein the user computing device is capable to retrieve at least a part of the prestored biometric data from said chip during step i). Preferably, wherein the mobile user computing device is configured for retrieving the prestored biometric data from the chip via near field communication (NFC). This is optionally combined with the step of making an image of the official identity document, to validate the prestored biometric personal data. Preferably, during step iii), comparing is performed essentially entirely and/or exclusively based on data stored locally on the mobile user computing device. Said data may include the retrieved prestored biometric personal data during step i) which are stored on the mobile user computing device. It is in particular preferred to use the chip of the at least one official identity document since it allows for direct local storage on the mobile user computing device.
It is imaginable and preferable that the method further comprises the step of: v) removing at least a part of the biometric data stored and/or collected during step i) and/or step ii) from the mobile user computing device after completion of step iii) and/or iv).
That is, the retrieved biometric personal data from the at least one official identity document and the acquired additional biometric data during steps i) and ii) are used for comparing, in particular authenticating, the identity of a user, or at least a measure of similarity between the recorded biometric during step ii) against the prestored biometric of step i). If the comparison yields a predetermined minimum degree of similarity, a digital user ID may be generated, and stored on the memory unit of the mobile user computing device. After generating the digital user ID, the retrieved and acquired biometric data is not needed per se, and may therefore be deleted in order to further prevent theft of sensitive data. Hence, it is conceivable that after performing the method by and on the mobile user computing device, no biometric data associated with the user remain on the memory unit of the mobile user computing device. Preferably, wherein during step i) and/or step ii) and/or step iv), the retrieved and/or acquired and/or generated data, in particular biometric data associated with a user, is exclusively stored, at least temporarily, on the mobile user computing device. That is, essentially no data is leaving the mobile user computing device during the steps of the method. This prevents sensitive or valuable data from being shared with a third party, contributing to the fact that the user may be in control of the data.
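The enrolment comparison and the removal step v) described above can be sketched as follows. This is an added example, not code from the patent: the packed-float "captures", the `extract_template` stand-in for a face-embedding model, the 0.80 threshold and the choice to keep the document-derived template in the digital user ID are all assumptions.

```python
"""Added illustration of enrolment steps iii) to v); not code from the patent."""
import math
import secrets
import struct

MIN_SIMILARITY = 0.80  # assumed "predetermined minimum degree of similarity"


def pack_capture(values):
    """Build a constructed raw capture: float32 values in a mutable buffer."""
    return bytearray(struct.pack(f"<{len(values)}f", *values))


def extract_template(raw):
    """Stand-in for an embedding model; reads the buffer without copying it."""
    count = len(raw) // 4
    return list(struct.unpack_from(f"<{count}f", raw))


def similarity(a, b):
    """Cosine similarity between two templates of equal length."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def wipe(buffer):
    """Overwrite a raw capture in place so no readable copy stays in this buffer."""
    for index in range(len(buffer)):
        buffer[index] = 0


def enrol(document_face, selfie, liveness_ok, basic_data):
    """Steps iii) and iv), followed by step v) on every exit path.

    document_face: raw data read from the identity document in step i).
    selfie:        raw data recorded in step ii).
    Returns the digital user ID (a dict) or None when enrolment is refused.
    """
    # Immutable bytes cannot be erased, so insist on mutable buffers up front.
    if not isinstance(document_face, bytearray) or not isinstance(selfie, bytearray):
        raise TypeError("raw captures must be bytearray so they can be wiped")
    try:
        if not liveness_ok:
            return None
        reference = extract_template(document_face)
        probe = extract_template(selfie)
        if not reference or len(reference) != len(probe):
            return None
        if similarity(reference, probe) < MIN_SIMILARITY:
            return None
        return {
            "user_id": secrets.token_hex(16),   # random, not derived from biometrics
            "face_template": reference,         # assumption: template kept, raw data not
            "basic_data": dict(basic_data),
        }
    finally:
        # Step v): raw captures are removed whether or not an ID was generated.
        wipe(document_face)
        wipe(selfie)


if __name__ == "__main__":
    doc = pack_capture([0.12, 0.80, 0.35, 0.45])      # constructed sample values
    live = pack_capture([0.10, 0.82, 0.33, 0.47])
    print(enrol(doc, live, True, {"name": "Alex Example"}) is not None, any(doc), any(live))
```

Python cannot guarantee that interpreter temporaries are erased, so a production implementation would keep raw captures in native or platform-protected memory; the sketch only shows where in the flow the removal belongs.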
According to a preferred embodiment, during step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device. Preferably, during step iii) at least one selfie of the face of a user is compared with the high-quality (colour) image prestored on the passport of a user.
It is conceivable that step ii) and step iii) at least partially overlap in time. Hence, it may be possible that a user uses the mobile user computing device to record a selfie of their face, which is subsequently compared (hence step iii)) with a part of the prestored biometric personal data retrieved during step i). Since comparing of data may be done in the background, e.g., by a processor of the mobile user computing device, it is conceivable that the user records a liveness check during the comparison step iii). As such, partial overlap in time may be established between steps ii) and iii). However, in order to perform step iii), it is preferred that steps i) and ii) are each performed at least once. That is, for step iii), comparable data must be available. Preferably, during step ii) use is made only of the camera of the mobile user computing device for recording of additional biometric data.
According to a preferred embodiment during step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii). Although it is preferred that use is made of multimodal biometric data, which may typically be harder to fool, it is conceivable that during step iii) merely single modal biometric data is used. Hence said single modal biometric data may be formed by a selfie of the face of a user. It is to this end imaginable that the selfie of the face of the user is captured, e.g., automatically, without the user being required to do so, from the liveness check performed during step ii). For example, the liveness check may require the user to move their head left and right, and/or up and down, in order to be able to check the liveness. In this case it is possible that the mobile user computing device, e.g., by the processor, captures an image of the recorded video of the user moving their head, which screen capture may be used as the single biometric modality stored during step ii).
Preferably, the mobile user computing device is a smartphone, and wherein preferably the at least one memory unit is a non-volatile memory unit. The mobile user computing device may alternatively be a tablet, a laptop, a desktop computer, a smartwatch or any other smart wearable device. To this end feature phones should be understood as a type or class of (mobile) phones that are visually and dimensionally similar to early generations of mobile phones. The feature phones typically comprise press-buttons based inputs, such as a menu button and an “ok”, and “back” button, and a small, typically non-touch display. The display may typically be a colour display. Moreover, the feature phones typically use an embedded operating system. A smartphone should be understood as a type or class of (mobile) phones that performs many functions of a computer, typically provided with a touchscreen interface, internet access, and an extensive mobile operating system that allows for running, and downloading applications, multimedia functionality, alongside the core phone functions such as voice calls and text messaging.
It is imaginable that the entire method as set forth above is performed by or runs at least partially on the processor of the mobile user computing device, for example in the form of an application, which the user may access via the mobile user computing device interface. By opening the application, the user may be able to perform the steps as described. Here it is conceivable that the processor is configured for requesting the user, hence via the mobile user computing device, to perform certain steps, possibly in a predetermined order. It may to this end be conceivable that upon starting the application for the first time, the user is presented with a screen which provides the user with the choice for starting the digital user ID generation process. Once the process is initiated, e.g., by clicking via a touchscreen or button of the mobile user computing device, the application may instruct the user to retrieve prestored biometric personal data associated with an official identity document issued by a government. In line with the ownership of the sensitive data, it is preferred that the owner or maker of the application has no access to the biometric data and/or the digital user ID stored by the user and on the mobile user computing device.
According to a second aspect the present invention provides a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the authentication method comprises the steps of:
i. providing a third-party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the third party system comprises prestored personal data and associated access rights associated with the preregistered person,
ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the personal data associated with the preregistered person,
iii. requesting a person, via said mobile user computing device and/or third party system, to record biometric data, such as a selfie and/or liveness check,
iv. recording the requested biometric data by the person and by using the camera of the mobile user computing device and/or a third party system camera,
v. authenticating, on and by the mobile user computing device, the recorded biometric data of said person against a digital user ID locally prestored on the mobile user computing device, wherein said locally stored digital user ID is preferably based on:
a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and
b. additional biometric data relating to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device;
and/or wherein said locally stored digital user ID is generated by applying the method according to the invention,
vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal, preferably by the user computing device and/or third party system, to the third party system,
vii. optionally comparing, on and by the mobile user computing device and/or by the third-party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and
viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and
ix. granting said person, by the third-party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
This aspect of the present invention allows to use a prestored digital user ID for authenticating a preregistered person which may yield different benefits. First of all, it allows the person to remain in control of their biometric data. This is possible since the recorded biometric data during step iv) is recorded by, and preferably only stored on, the mobile user computing device. Alternatively, the biometric data recorded during step iv) is recorded by a camera or biometric recording device of the third party system, and preferably forwarded to the mobile user computing device after recording, without central storage thereof in the third party system environment. Since the digital user ID is prestored on the mobile user computing device, it is possible to perform an authentication step locally, hence on the mobile user computing device. This contributes to a decentralized system for both verification and authentication. This allows to provide for a 1-to-1 matching solution.
As such, neither the prestored biometric personal data retrieved from the official identity document, nor the recorded or requested biometric data associated to the person need to be verified by or sent to the third-party system, such as a cloud environment, that requires an authentication. Preferably, the locally prestored digital user ID is generated by applying the method according to the present invention. This particularly ensures a completely decentralized solution which only requires a communicative connection with the third party system, but does not require biometric data to be stored or shared, in particular centrally, with the third party system. Apart from the fact that no biometric data associated with the person needs to be shared with the third-party system, another benefit of this aspect of the invention is that the person may be able to use a single prestored digital user ID on the mobile user computing device for a number of third party systems. Hence, the user may be able to use the single prestored digital user ID in relation to a plurality of third-party systems. The latter preferably whilst remaining in control of the biometric data that is shared with the third-party system. This is beneficial since it is cumbersome for a person to generate an authenticated identity with each of said services individually. The present invention therefore provides for a 1-to-1 matching solution, wherein in particular the verification and authentication is performed exclusively in a decentral environment, particularly a mobile user device such as a phone. Therefore, the present invention circumvents the need for a 1-to-n or 1-to-many matching solution. It is to be particularly pointed out that both the initial verification or enrolment as well as the authentication later on are performed without sharing biometric data with a third party system.
More importantly, since the digital user ID is stored locally on the mobile user computing device, and the verification step v) is performed on said mobile user computing device, it becomes possible to keep full control of the biometric data. That is, preferably no biometric data is stored on a central server of the third party system. It shall be understood by the skilled person that the locally stored digital user ID according to this aspect of the invention needs to be generated only once, prior to being able to use it for authentication.
In an alternative or additional embodiment it is imaginable that step v) may be performed partially on or by the third party system, in particular on a local processing unit of the third party system. According to the alternative embodiment, it is not required that the step v) of authenticating is performed on and by the mobile user computing device, but instead on and/or by the third party system. In that case, it may be required that some biometric data encompassed in the digitally stored user ID is shared with the third party system. In order to provide for this, it is imaginable that, upon receiving an authentication request from the third party system, the following steps are performed:
i) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted part of the digital user ID, in particular an encrypted facevector or other biometric modality, towards the third party system by the user computing device;
ii) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted private key associated to the digital user ID stored on the mobile user computing device towards the third party system by the user computing device;
iii) decrypting, by the third party system, the encrypted private key;
iv) using the decrypted private key to decrypt the encrypted part of the digital user ID, in particular the facevector;
v) obtaining biometric data associated with the user requesting authentication, preferably via a camera of the third party system and/or mobile user computing device;
vi) comparing, by the third party system, the obtained biometric data of step v) with the decrypted facevector of step iv), and
vii) in case the person is successfully authenticated during step vi) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal, preferably by the user computing device and/or third party system, to the third party system.
According to this embodiment, step v) is performed by the third party environment according to, preferably local, 1-to-1 matching. This particular and alternative example may be suitable for application at an airport or other third party system which requires in line authentication, such as stadiums, concerts, or the like. This alternative example does not require sharing of the private key via a cloud based environment, but allows for sharing using a BLE connection, NFC connection, and/or a connection via QR-code. The private key is preferably stored on the mobile user computing device after verification and generating a digital user ID. The private key may be used to access at least a portion of the digital user ID. Hence it is preferred that the facevector is provided to the third party system via the aforementioned connection, however it is imaginable that it is stored on a backend. Via a unique identifier it is possible to establish a verifiable connection between the third party system and the mobile user computing device. In the case of this additional step, a double authentication is achieved, via the third party system as well as via the mobile user computing device. Optionally the method may in that case comprise a step of checking whether both authentication steps are positive and meet the predefined level of similarity. In case both meet the required degree of similarity an authentication signal may be generated.
Preferably, the method comprises the step of establishing a connection between the third party system and the mobile user computing device, preferably prior to step ii), wherein said connection is initiated by scanning a QR-code by the mobile user computing device and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy. Optionally, either as an additional step ii) or an alternative step ii) of the authentication process, the method comprises the step of receiving an authentication trigger, preferably prior to step ii), wherein said authentication trigger is initiated by scanning a QR-code by the mobile user computing device, in particular by a camera thereof, and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy. Said QR-code may for example be depicted on a gate at an airport where authentication is required prior to being authorized to proceed in the restricted area. Alternatively, the gate may comprise an NFC placement or particular Bluetooth Low Energy (BLE) connection instruction. Upon establishing the connection, the local authentication may proceed as described above, that is on the mobile user computing device, without sending biometric data to the gate. Preferably, said authentication trigger is configured for initiating an authentication procedure and/or establishing a connection, such as a data or signal connection, between the mobile user computing device and the third party system. Similar solutions can be applied for authenticating access at stadiums or concerts, which typically involve lines and gates at an entrance which require a person to authenticate themselves.
This aspect allows to authenticate an identity of a person that is requesting access to the digital service and/or restricted environment against a prestored digital user ID, and additionally allows for comparing of the authenticated basic personal data with basic personal data of the preregistered person. The first allows for validating whether the person requesting access is in fact the person associated with the prestored digital user ID, hence an authenticating step. However, it is also needed to check whether said authenticated person is in fact the person that is preregistered. To this end, the latter step is performed. If both steps are successful, an authentication signal may be established which may grant access. Here, authenticated basic personal data may for example be a name of the person. Since this is not sensitive data, this may optionally be shared with the third-party system.
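The two checks described above (the local 1-to-1 match on the device, then the comparison of authenticated basic personal data with the preregistered record) can be sketched as follows. This is an added example, not code from the patent: the class names, the 0.80 threshold, the exact-match-after-normalisation rule for step vii), and the per-request nonce with an HMAC over the signal using a `link_key` agreed when the QR/NFC/BLE connection was set up are all assumptions.

```python
"""Added illustration of authentication steps ii) to ix); not code from the patent."""
import hashlib
import hmac
import json
import math
import secrets

MIN_SIMILARITY = 0.80  # assumed "predetermined minimum degree of similarity"


def cosine_similarity(a, b):
    """1-to-1 score between two face vectors of equal length."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def normalise(value):
    """Case- and whitespace-insensitive form used for the step vii) comparison."""
    return " ".join(str(value).split()).casefold()


class MobileDevice:
    """Holds the digital user ID; the face template is never placed in a signal."""

    def __init__(self, face_template, basic_data, link_key):
        self._face_template = list(face_template)
        self._basic_data = dict(basic_data)
        self._link_key = link_key  # hypothetical key tied to the QR/NFC/BLE link

    def authenticate(self, request, probe_vector, liveness_ok):
        """Steps v) and vi): match locally, then emit a signal with basic data only."""
        if not liveness_ok or len(probe_vector) != len(self._face_template):
            return None
        if cosine_similarity(probe_vector, self._face_template) < MIN_SIMILARITY:
            return None
        released = {k: self._basic_data[k] for k in request["fields"]
                    if k in self._basic_data}
        body = json.dumps({"nonce": request["nonce"], "basic_data": released},
                          sort_keys=True).encode()
        tag = hmac.new(self._link_key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class ThirdPartySystem:
    """Gate or service that only ever sees basic personal data and a yes/no outcome."""

    def __init__(self, preregistered, link_key):
        self._preregistered = dict(preregistered)  # e.g. name given when booking
        self._link_key = link_key
        self._open_nonces = set()

    def new_request(self):
        """Step ii): authentication request naming the basic fields to be confirmed."""
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return {"nonce": nonce, "fields": sorted(self._preregistered)}

    def grant_access(self, signal):
        """Steps vii) to ix): verify the signal, compare basic data, decide on access."""
        if signal is None:
            return False
        expected = hmac.new(self._link_key, signal["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signal["tag"]):
            return False                      # altered or not from the linked device
        payload = json.loads(signal["body"])
        if payload["nonce"] not in self._open_nonces:
            return False                      # unknown or already used request
        self._open_nonces.discard(payload["nonce"])
        claimed = payload["basic_data"]
        return all(normalise(claimed.get(field, "")) == normalise(value)
                   for field, value in self._preregistered.items())


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    phone = MobileDevice([0.12, 0.80, 0.35, 0.45],            # constructed template
                         {"name": "Alex Example"}, key)
    gate = ThirdPartySystem({"name": "alex example"}, key)
    signal = phone.authenticate(gate.new_request(), [0.10, 0.82, 0.33, 0.47], True)
    print("holder admitted:", gate.grant_access(signal))
    print("same signal replayed:", gate.grant_access(signal))
```

A holder who matches the stored template but whose name differs from the preregistered record is refused at step vii), and a person who does not match the template never produces a signal at all.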
Preferably, during step v) and/or vi) authenticated basic personal data is stored on the mobile user device in case the authentication performed meets a predetermined minimum degree of similarity. This may additionally allow for later use of the authenticated basic personal data, for example as long as the mobile user computing device is not locked, since otherwise it may be difficult to guarantee the validity of the authenticated basic personal data. Preferably, the authenticated basic personal data is at least stored on the memory unit of the mobile user computing device up till, and preferably including, step viii). It is imaginable that essentially all biometric data related to the person is maintained on the mobile user computing device, in particular on the memory unit of the mobile user computing device. Since the biometric data related to the person may be sensitive, and dangerous if in the hands of a malicious person, it is preferred that the data is maintained on the mobile user computing device of the person instead of on a cloud computing device of a third party system together with biometric data associated to many other people registered with said third party system.
According to a preferred embodiment the restricted environment is a physical environment, such as a hotel room, and/or a stadium, and/or an airport area, such as access to a specific gate and/or passing customs control, and/or a gym, and/or a bank, and/or a bar. Yet, it is also conceivable that the restricted environment is a digital environment, such as a digital bank environment, and/or a money transfer platform, and/or an investment platform and/or an insurance platform, and/or a digital governmental platform. As to a stadium and/or airport, it may be conceivable that the user is preregistered by buying a ticket (e.g., a ticket to a soccer match or concert, or plane ticket). This typically involves providing basic personal data, such as a name, to the third party system (stadium and/or airport), which may be saved by said system. Upon entering the stadium, the person may need to be authenticated; this may be done by using the mobile user computing device to perform the authentication step. In this example, it is also optionally possible that a camera of the third party system is used for making a picture, which may in a particular embodiment be authenticated by the third party system against a preauthenticated image of a face of the user. For example, it is conceivable that the person records a picture (preferably a selfie), that is preferably prior to going to the stadium and/or airport, which is authenticated against the locally stored digital user ID. If the picture is authenticated, said picture may be shared with the third party system as part of the basic personal data. This may allow the third party system to, by taking an image of the person entering the stadium and/or airport, validate the identity of the person against the pre-authenticated picture.
Within the digital banking environment, the method according to the present invention may for example be applied when a person requests to log in on said platform, or if the person is arranging a transfer of money. The authentication according to the present invention may prevent someone other than the preregistered person from making unwanted actions. If a person has their banking application opened on their mobile, and puts their mobile phone away for a second, it could be possible that a third person may pick up the mobile phone and make a transfer. By using the method according to this aspect of the invention the person should authenticate at the point the transfer is made, hence said aforementioned unintended and unwanted transaction may be prevented since the person does not match the preregistered person. It is imaginable that the third-party system forms part of and/or is connected to a server network, such as a cloud based server network, wherein the server network is configured to perform at least a part of step viii) and/or ix). Hence, according to the present invention it is important that step iv) and/or v) are performed on and by the mobile user computing device, since this allows for not sharing biometric data with the third-party system whilst still performing a qualitative authentication step. Steps viii) and/or ix) may to this end be performed either by the mobile user computing device and/or by the third-party system, such as said server network. During the latter two steps, it is compared whether the authenticated basic personal data, which is generated based on the outcome of authentication step vi), matches the basic personal data of the preregistered person. This could for example be comparing an authenticated name of a person with the preregistered name of a person. If the names match, this means the person requesting access is not only authenticated, but also matches the preregistered person and hence access may be granted. Since step vii) involves only a comparison of basic personal data, it is not required to perform this step on the mobile user device. That is, basic personal data is typically used by the person on a day-to-day basis, or even to register (e.g., name, date of birth, or the like). Such data may not be very valuable to malicious persons and hence may be shared with and/or compared by the third-party system. In fact, during the preregistering, the person already has entered such basic personal data within the third-party system in order to (for example) book a hotel room, or a ticket to a stadium. Subject to the outcome of comparison step vii), the third-party system may grant the person access (that is, in case the authenticated basic personal data matches the preregistered basic personal data).
Preferably the biometric data stored on the mobile user computing device is encrypted using a public key infrastructure. The person, i.e., the owner, of the biometric data that is stored on the memory unit of the mobile user computing device is in control of the data. As long as the private key is not shared by the person, only the person will be able to access the biometric data.
According to a different aspect the present invention provides for a user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to the present invention, wherein the user computing device is configured for use in a method according to the invention. As to the user computing device of the present invention, the same benefits as elucidated in the above apply mutatis mutandis. Said benefits also apply to specific aspects disclosed below. Preferably, wherein the digital user ID is stored on the memory unit of said user computing device, wherein said locally stored digital user ID is preferably based on:
a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and
b. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device;
and preferably wherein said locally stored digital user ID is generated by applying the method according to the present invention.
Preferably, the user computing device comprises a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document. Preferably, wherein the processor or an app stored on the memory unit of the user computing device is programmed to:
i. authenticate, on said user computing device, recorded biometric data against a user ID locally stored on the user computing device, and/or
ii. compare, by the user computing device, prestored personal data associated with a person with authenticated basic personal data associated to an authenticated person of step i), and/or
iii. provide an authentication signal from the user computing device to the third party system in case the comparison performed during step ii) meets a predetermined minimum degree of similarity, wherein a third party system may grant predefined user access upon receiving the authentication signal.
According to another aspect the present invention provides for a system for authenticating a preregistered person in a third party system, comprising: at least one user computing device, in particular according to the invention, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and at least one third party system which requires a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third party system if the authentication meets a predetermined minimum degree of similarity. To this end, the same benefits apply as set forth with respect to the methods according to the present invention.
Some non-limitative embodiments of the present invention are defined by the following set of non-limitative clauses, wherein:
1. A computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of:
i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data onto the mobile user computing device,
ii. acquiring, by using the mobile user computing device, additional biometric data from said user, wherein said biometric data relate to a plurality of biometric modalities, wherein at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data exclusively onto the mobile user computing device,
iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii),
iv. generating, by said mobile user computing device, a digital user ID in case comparison performed during step iii) meets a predetermined minimum degree of similarity, and locally storing the generated digital user ID on at least one memory unit of the mobile user computing device.
2. Computer-implemented method according to clause 1, wherein during step ii) at least one biometric modality constitutes a selfie of the face of a user.
3. Computer-implemented method according to clause 1 or 2, wherein a biometric template of at least one biometric modality, preferably comprising a faceprint comprising data related to one or more facial landmark associated to a user’s face, is stored on the mobile user computing device, wherein said biometric template is at least partially associated to user related biometric data.
4. Computer-implemented method according to clause 1 or 2, wherein during step ii) at least one biometric modality is a physiological biometric modality.
5. Computer-implemented method according to any of the preceding clauses, wherein during step ii) at least one biometric modality is a behavioural biometric modality, such as a keystroke recognition and/or gait pattern recognition.
6. Computer-implemented method according to any of the preceding clauses, wherein during step i) use is made of the mobile user computing device for retrieving data from the at least one official identity document.
7. Computer-implemented method according to any of the preceding clauses, wherein during step i) at least one image of the at least one official identity document is made, preferably by using the mobile user computing device, wherein said image comprises biometric data associated to the identity of a person.
8. Computer-implemented method according to any of the preceding clauses, wherein the official identity document comprises at least one chip, wherein the chip comprises at least a part of the prestored biometric data, wherein the user computing device is capable to retrieve at least a part of the prestored biometric data from said chip during step i).
9. Computer-implemented method according to clause 8, wherein the mobile user computing device is configured for retrieving the prestored biometric data from the chip via near field communication (NFC).
10. Computer-implemented method according to any of the preceding clauses, wherein the method further comprises the step of: v) removing at least a part of the biometric data related to the plurality of biometric modalities from the mobile user computing device after step iii) or iv).
11. Computer-implemented method according to any of the preceding clauses, wherein during step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
12. Computer-implemented method according to any of the preceding clauses, wherein during step i) and/or step ii) and/or step iv), the retrieved and/or acquired and/or generated data, in particular biometric data associated with a user, is exclusively stored on the mobile user computing device.
13. Computer-implemented method according to any of the preceding clauses, wherein step ii) and step iii) at least partially overlap in time.
14. Computer-implemented method according to any of the preceding clauses, wherein during step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
15. Computer-implemented method according to any of the preceding clauses, wherein the mobile user computing device is a smartphone, and wherein preferably the at least one memory unit is a non-volatile memory unit.
16. A computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the authentication method comprises the steps of:
i. providing a third party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the third party system comprises prestored personal data and associated access rights associated with the preregistered person,
ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the personal data associated with the preregistered person,
iii. requesting a person, via said mobile user computing device and/or third party system to record biometric data, such as a selfie and/or liveness check,
iv. recording the requested biometric data by the person and by using the camera of the mobile user computing device and/or a third party system camera,
v. authenticating, on and by the mobile user computing device, the recorded biometric data of said person against a digital user ID locally prestored on the mobile user computing device, wherein said locally stored digital user ID is preferably based on: a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and b. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and/or wherein said locally stored digital user ID is generated by applying the method according to any of the preceding clauses,
vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system,
vii. optionally comparing, on and by the mobile user computing device and/or by the third party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and
viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and
ix. granting said person, by the third party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
17. Computer-implemented method according to clause 16, wherein during step v) and/or vi) authenticated basic personal data is stored on the mobile user device in case the authentication performed meets a predetermined minimum degree of similarity.
18. Computer-implemented method according to clause 16 or 17, wherein essentially all biometric data related to the person is maintained on the mobile user computing device, in particular on the memory unit of the mobile user computing device.
19. Computer-implemented method according to any of the clauses 16 - 18, wherein the restricted environment is a physical environment, such as a hotel room, and/or a stadium, and/or an airport area, and/or a gym, and/or a bank.
20. Computer-implemented method according to any of the clauses 16 - 19, wherein the restricted environment is a digital environment, such as a money transfer platform, and/or an insurance platform, and/or a governmental digital platform.
21. Computer-implemented method according to any of the clauses 16 - 20, wherein biometric data stored on the mobile user computing device is encrypted using a public key infrastructure.
22. Computer-implemented method according to any of the clauses 16 - 21, wherein the third party system makes part and/or is connected to a server network, such as a cloud based server network, wherein the server network is configured to perform at least a part of step viii) and/or ix).
23. User computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to any of the clauses 1-15, wherein the user computing device is configured for use in a method according to any of the preceding clauses.
24. User computing device according to clause 23, wherein the digital user ID is stored on the memory unit of said user computing device, wherein said locally stored digital user ID is preferably based on: a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and b. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and preferably wherein said locally stored digital user ID is generated by applying the method according to any of the clauses 1-15.
25. User computing device according to clause 23 or 24, further comprising a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
26. User computing device according to any of clauses 23 - 25, wherein the processor or an app stored on the memory unit of the user computing device is programmed to: i. authenticate, on said user computing device, recorded biometric data against a user ID locally stored on the user computing device, and/or ii. compare, by the user computing device, prestored personal data associated with a person with authenticated basic personal data associated to an authenticated person of step i), and/or iii. provide an authentication signal from the user computing device to the third-party system in case the comparison performed during step ii) meets a predetermined minimum degree of similarity, wherein a third-party system may grant predefined user access upon receiving the authentication signal.
27. System for authenticating a preregistered person in a third-party system, comprising:
- at least one user computing device, in particular according to one of the clauses 23-26, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and
- at least one third party system which requires a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third-party system if the authentication meets a predetermined minimum degree of similarity.
The present invention will be elucidated in more detail based on the following non-limitative figures, wherein:
- Figure 1 shows a non-limitative embodiment of a computer-implemented method for generating and storing a digital user ID;
- Figure 2 shows a first embodiment of a computer-implemented method for authenticating a registered person;
- Figure 3 shows a second embodiment of a computer-implemented method for authenticating a registered person;
- Figure 4 shows a third embodiment of a computer-implemented method for authenticating a registered person; and
- Figure 5 shows a fourth embodiment of a computer-implemented method for authenticating a person.
Figure 1 shows an embodiment for generating and storing a digital user ID which is associated with a user for subsequent authentication purposes 100. Some non-limitative examples of such authentication purposes are shown in the figures 2-4. The computer-implemented method 100 makes use of a mobile user computing device 101. Said mobile user computing device 101, as shown in this embodiment, is a mobile phone 101, in particular a smartphone 101. Alternatively, it is also conceivable that a tablet or laptop, or other mobile device 101 belonging to a user is used for the same purpose. Preferably, the mobile user computing device 101 comprises at least one processor 102, which processor 102 may be configured for starting, running, and closing applications on said mobile user computing device 101. The mobile user computing device 101 further comprises at least one memory unit 103, such as an SD card, network storage, memory chip, or the like. However, the memory unit 103 preferably belongs to or is part of the mobile user computing device 101, or at least allows for local storage of data and/or information.
Preferably, the mobile user computing device 101 further comprises one or more recording devices 104, 105, such as a camera 104, for recording one or more biometric modalities related to the user. In order to generate the digital user ID 115, a user may retrieve prestored biometric personal data 107, 108, 109, 110 from at least one official identity document 106 associated with a user. In the embodiment depicted in this figure, the official identity document is a passport 106, issued by a government. The passport 106 is of the newer type, which comprises an NFC chip 107. In addition, the passport comprises the data associated to a person such as a picture 108, basic information related to date of birth 110, place of birth 110, name, but also document related information 110, such as a document type, document number, or the like 110. A part of the information may be incorporated into a code 109, typically situated along an edge of the identity document, which may also be referred to as a machine readable zone 109. The user may use the mobile user computing device 101 to retrieve 116, preferably by scanning, the prestored biometric personal data 107, 108, 109, 110 from the official identity document 106. This may be done through the NFC chip 107. Alternatively, or additionally, the user may use a camera 104 of the mobile user computing device 101 to scan the official identity document 106 and to retrieve 116 the personal biometric data 107, 108, 109, 110. The prestored biometric data 107, 108, 109, 110 retrieved 116 from the NFC chip 107 of the passport is preferably stored onto a memory unit 103 of the mobile user computing device 101. Subsequently, the user may be requested to 117, or on their own volition, record 111 biometric data 112 from themselves, for example by using a (selfie) camera 104 of the mobile user computing device 101, or by using a fingerprint scanner 105 of the mobile user computing device 101. It is explicitly noted here that the encircled portion 111, which reflects the step of recording 111 biometric data of the user, is performed on the same user computing device 101, hence only a single mobile user computing device 101 is used in the method according to the invention 100 shown here. It is merely for illustrative purposes that this is indicated as a separate mobile user computing device 101. Preferably the recorded 111 and acquired biometric data related to the user comprises a plurality of biometric modalities, of which at least one constitutes a liveness check 112. The biometric data is stored onto the mobile user computing device 101, in particular the memory unit 103 thereof.
It is conceivable that the biometric data is stored in an encrypted manner. Preferably, at least one biometric modality constitutes a selfie 112 of the face of the user. It is imaginable that not the selfie as such is stored onto the memory unit, but merely a biometric template, comprising a faceprint with data related to facial landmarks associated to the user’s face. After retrieving 116 and storing of the prestored biometric personal data 107, 108, 109, 110 from the official identity document 106 and acquiring 112 and storing of recorded biometric data, the two are compared 118. Comparing 118 of the prestored biometric personal data 113 and the recorded biometric data 112 occurs on the mobile user computing device 101, in particular on a processor 102 thereof. If comparing 118 of the prestored biometric personal data 113 and the recorded biometric data 112 yields a predetermined minimum degree of similarity, a digital user ID 115 is generated 114, preferably by the processor 102 of the mobile user computing device 101. Subsequently said generated digital user ID 115 is stored onto the mobile user computing device 101, preferably the memory unit 103 thereof. It is conceivable that after generating 114 and storing the digital user ID 115 locally on the mobile user computing device 101, any data stored on the mobile user computing device that was recorded 112 and/or obtained 116 is deleted. As such, all steps elucidated above may occur on, or by, the mobile user computing device 101. In particular it is beneficial that during the entire process as set forth above, no data is to be shared with a third party. This may allow a user to maintain full control of all (biometric) data. Vulnerabilities in the storage of biometric data with third parties may be substantially eliminated. Moreover, it is less lucrative for hackers to attempt to steal the data, in particular since only data related to a singular person may be obtained, if at all. This allows for a safer generation of a validated digital user ID. The stored digital user ID may at a later point in time be used for authentication purposes within a third party system requiring authentication of a person. Since the user has its own digital authenticated user ID, the latter may be used by a wide variety of third party systems, where authentication within such third party environments requires only the local presence of the digital user ID. This is a significant improvement, since the user does not require to separately authenticate themselves with a wide range of third party systems, which enlarges the risks of data leaks in one of such systems since these systems typically comprise vast amounts of data related to a large number of people, making them an interesting target to malicious persons.
Figure 2 shows an embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 200. This particular figure shows an example of a user that is authenticated in order to be granted access to a hotel room 203 or an apartment 203. To this end, a person 201 may register 219 themselves, by using the mobile user computing device 202, with a third party system 203. In this example, a mobile phone 202 is used by the user 201 to access a webpage 204 of a hotel 203, where a check-in is performed. The check-in typically requires a person to register 218 certain data 205, such as a name of the person 205 that is checking-in, the dates from and to which the person would like to make use of the hotel room 205, and optionally information relating to services of the hotel 205, in this case the choice for half board stays. The personal data 205 is registered with the third party system 203, in this instance a cloud environment 216 of the hotel 203, such that the third party system 203 may associate a restricted environment 217 (e.g., hotel room, or breakfast room) as an access right to the preregistered user 205, possibly for a restricted amount of time (e.g., the duration of the stay). It is possible that specific details, such as room number, are shared from the third party service 203 to the mobile user device 202. During preregistering 219, no biometric data is shared with the third party system 203, merely basic personal data 206 associated to the preregistered person 205 is shared with the third party system 203. The preregistered person 205 does not require to go to the reception, since the room is associated to the preregistered person 205. However, in order to avoid any person from accessing the room, an authentication of a person’s ID is required. To this end, a user may use a user computing device 203, preferably the same as used to preregister, to request access 207 to the room. Upon requesting access 207, for example by making contact with a, preferably communicative, lock of the hotel room 217, an authentication request may emerge on the mobile user computing device of the user. To this end, the hotel room may share the basic personal data 206 associated to the preregistered person 205 with the mobile user computing device 202. On the mobile user computing device 202 biometric data 211 may be recorded 212 by the person, such as by using the camera 212 of the mobile user computing device 202. Also here, it is to be explicitly noted that the separate mobile user computing device 202 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 202 is used for performing the method.
Thus, the same single mobile user computing device 202 is used for registering 219 and for authenticating 212. The identity of the person may be authenticated 210 based on the recorded biometric data 211 and a digital user ID 215 that is locally stored 214 on the mobile user computing device 202. Preferably, said locally stored digital user ID 215 is obtained via the method as indicated in figure 1. If the recorded biometric data 211 has a predetermined degree of similarity compared to the locally stored digital user ID 215, the identity of the person may be realized. The authenticated basic personal data, corresponding to the conditional outcome of the authentication step 210, is compared against the prestored basic personal data 206 provided to the third party service 203. In case a predetermined minimum degree of similarity is observed between the authenticated basic personal data and the preregistered basic personal data 206, an authentication signal 209 is provided by the user computing device 202; said signal may grant the person predefined access to the restricted hotel room 217. In this example, the mobile user computing device 202 is used to request access to the hotel room 217, for example by means of an app of the hotel, which is running on 213 the mobile user computing device 202. By holding the mobile user computing device against a lock, or other part, of the hotel room 217, the person may request access. However, in order to prevent anyone from being able to obtain access, it is required that the identity of the person is authenticated 210, as well as comparing that the authenticated identity matches the identity of the preregistered person 206 associated to the specific room. In this embodiment, essentially all checking steps are conducted on the mobile user computing device 202. That is, access is requested 207, in response to which access request, basic personal data 206 associated to the room 217 are, optionally in an encrypted manner, sent 207 to the mobile user computing device 202. On the mobile user computing device 202, the person is requested to authenticate 210 themselves, by recording biometric data of themselves 211, which is authenticated 210 against a locally stored digital user ID 215. The recorded biometric data is only stored 214 on the mobile user computing device 202 and needs not to be shared with the third party system (hotel) 203. If the recorded biometric data 211 matches the digital user ID 215, the person is successfully authenticated 210. Authenticated basic personal data 206, such as a name, may be retrieved by the mobile user computing device 202 upon successful authentication 210. Said authenticated basic personal data may be compared with the preregistered basic personal data 206 received in response to the access request.
If the basic personal data matches, an authentication or access signal 209 may be generated by the user computing device 202, and subsequently sent to the hotel room 217. The hotel room 217, as the third party system, may grant access to the room upon receiving said authentication signal 209. The main benefit is that no biometric data of the person needs to be shared with the third party system 203, which allows the person to remain in full control of the biometric data. The only data that needs to be shared is the basic personal data, or a part thereof, in order to allow a comparison between an authenticated person and the preregistered person. This may also be based on specific characters of the basic personal data.
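The enrolment steps of clause 1 and the on-device check of Figure 2, modelled as an added example that is not code from the patent: face templates are assumed to be embedding vectors compared by cosine similarity, and the thresholds, field names and sample values are constructed. It shows that the only message leaving the device is a go/no-go signal without biometric data.

```python
# Added illustration; not code from the patent. Embeddings, thresholds and
# field names are constructed assumptions.
import math
from dataclasses import dataclass
from difflib import SequenceMatcher

FACE_THRESHOLD = 0.90  # assumed "predetermined minimum degree of similarity"
DATA_THRESHOLD = 0.95  # assumed threshold for basic personal data


def cosine(a, b):
    """Cosine similarity between two face embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def data_similarity(a, b):
    """Similarity of two basic-personal-data records (name, date of birth)."""
    def canon(rec):
        fields = (str(rec.get(k, "")) for k in ("name", "dob"))
        return "|".join(" ".join(f.lower().split()) for f in fields)
    return SequenceMatcher(None, canon(a), canon(b)).ratio()


@dataclass
class DigitalUserID:
    template: list    # face template, kept on the device only
    basic_data: dict  # name and date of birth read from the document


class Device:
    """Models the mobile user computing device; all state is local."""

    def __init__(self):
        self.user_id = None

    def enroll(self, doc_face, doc_data, selfie, liveness_ok):
        """Clause 1, steps i-iv: compare the document face with a live selfie."""
        if not liveness_ok or cosine(doc_face, selfie) < FACE_THRESHOLD:
            return False
        # Only the template and basic data are kept; doc_face is not stored.
        self.user_id = DigitalUserID(list(selfie), dict(doc_data))
        return True

    def authenticate(self, request, sample):
        """Figure 2: match on the device, then compare with preregistered data."""
        signal = {"room": request["room"], "granted": False}
        if self.user_id is None:
            return signal
        if cosine(self.user_id.template, sample) < FACE_THRESHOLD:
            return signal  # recorded biometric does not match the stored ID
        prereg = request["basic_data"]
        if data_similarity(self.user_id.basic_data, prereg) < DATA_THRESHOLD:
            return signal  # authenticated person is not the preregistered guest
        signal["granted"] = True
        return signal      # carries no biometric data


# Constructed sample data (4-dimensional toy embeddings).
DOC_FACE = [0.12, 0.80, 0.35, 0.45]   # face read from the passport
SELFIE = [0.10, 0.82, 0.33, 0.47]     # enrolment selfie of the same person
FRESH = [0.11, 0.79, 0.36, 0.44]      # selfie recorded at the door
IMPOSTOR = [0.90, 0.10, 0.40, 0.05]   # a different face
DOC_DATA = {"name": "Jane A. Doe", "dob": "1990-04-12"}
PREREGISTERED = {"name": "jane a. doe ", "dob": "1990-04-12"}


def demo():
    device = Device()
    enrolled = device.enroll(DOC_FACE, DOC_DATA, SELFIE, liveness_ok=True)
    request = {"room": "room-12", "basic_data": PREREGISTERED}
    genuine = device.authenticate(request, FRESH)
    impostor = device.authenticate(request, IMPOSTOR)
    return enrolled, genuine, impostor


if __name__ == "__main__":
    print(demo())
```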
Figure 3 shows a slightly different embodiment of the same third party system 303 as indicated in figure 2. However, some steps slightly differ compared to the embodiment indicated in figure 2. The person similarly registers 319 themselves using e.g., a webpage 304 and/or an application of a third party system 303 via the user computing device 302. Basic personal data 306a related to the preregistered person 205 may be stored, e.g., in a cloud environment 316 of the third party system 303. Similarly, the third party system 303, which in this instance is the hotel, may allocate a specific room to the preregistered person, and optionally restricted access to certain parts of the hotel, based on the data 305 of the preregistration. The person 305 does not require to go through the reception, since the room is allocated on the basis of the preregistration 319. A hotel room 317 may be communicated to the person via the cloud environment to the app or a mailing service on the mobile user computing device 302. Upon requesting access 307 to the specific room 317 associated to the preregistered person 306a, the third party system 303 needs to ensure that the person asking access 307 matches the preregistered person 306a. To this end, the person may require authenticating themselves on the mobile user computing device 302, e.g., based upon an authentication request 307 from the third party system 303. To this end, the person may, in particular on said mobile user computing device 302, record 312 biometric data 311 of themselves, which is authenticated 310a against a locally stored digital user ID 315. Also here, it is to be explicitly noted that the separate mobile user computing device 302 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 302 is used for performing the method 300. Thus, the same single mobile user computing device 302 is used for registering 319 and for authenticating 312. 
If the recorded biometric data 311 meets a predetermined minimum degree of similarity, authenticated basic personal data 306b (e.g., name, age, gender) may be shared 309a, possibly in an encrypted manner, with the cloud service 316 of the third party system (hotel). Here, the authenticated basic personal data 306b may be compared 310b with the basic personal data 306a related to the preregistered person 205. If the basic personal data 306a meets a predetermined minimum degree of similarity compared 310b to the authenticated basic personal data 306b, an authentication signal 309b may be generated, in this case by the third party system 303, in order to grant the person access to the restricted environment (hotel room) 317. Hence, also in this embodiment, no biometric data needs to be shared with the third party system 303.
Figure 4 shows a different embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 400. Here, the third party system 403 may be an app 404 running on the mobile user computing device 402, for example a banking application 404. A person 401 may access the banking application 404 through the mobile user computing device 401. Possibly, an access code is entered in order to enter the banking application 404. In the banking application, the person may be allowed to perform several actions such as checking a savings account, making a (money) transfer 405, or adapting the settings. In order to increase safety of the banking application 404, it is preferred to apply a better identity check for making money transfers 405. To this end, the method according to the present invention may be used. That is, if the person 401 is willing to make a money transfer 405, a transfer request 405 is preregistered, corresponding to an amount to be transferred to a predetermined banking account, by the person 401. In order to prevent that money transfers can be made by malicious persons on the mobile user computing device 401 of another person, an authentication step 410a may be included to establish the money transfer. For example, basic personal data 406a may be preregistered, e.g., in the app 404 running on the mobile user computing device 402, or on the memory unit 414 of the mobile user computing device 402, or even on a cloud service 416 corresponding to the banking application 404. Upon the money transfer request 405, the person is requested 407 to record 412 biometric data 411, for example by using the camera 412 of the mobile user computing device 402. The recorded biometric data 411 is authenticated 410a against a locally stored digital user ID 415, which may be stored on the memory unit 414 of the user computing device 402.
Preferably, said locally stored digital user ID 415 is obtained according to the embodiment shown in figure 1. If the recorded biometric data 411 matches, up to a predefined minimum degree of similarity, the locally stored digital user ID 415, authenticated basic personal data 406b related to the authenticated person may be shared 409a with the banking app. Also here, it is to be explicitly noted that the separate mobile user computing device 402 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 402 is used for performing the method 400. Thus, the same single mobile user computing device 402 is used for registering and for authenticating 412. In the banking app, preferably said authenticated basic personal data 406b is compared with the prestored basic personal data 406a. If the latter two match up to a predefined minimum degree of similarity, an authentication signal 409b may be generated, either by the banking app 404 or the mobile user computing device 402, which may grant the person access to a certain restricted action, in this case making the money transfer 405. It is conceivable that the authentication signal comprises a (digital) certificate 408 which may be stored on the mobile user computing device 401 as a record of authenticated money transfer. Alternative to the embodiment shown here, it is also conceivable that upon requesting a money transfer 405, prestored basic personal data 406a is shared with the mobile user computing device 402, and the step of comparing 410b the authenticated basic personal data 406b with the prestored basic personal data 406a is performed on the mobile user computing device 402. In this instance, the authentication signal 409b may for example be a simple “go or no-go” type of signal.
Figure 5 shows an embodiment of the present invention related to a computer-implemented method 500 for authenticating a preregistered person by using a mobile user computing device. This particular figure shows an example of a user that is authenticated in order to be granted access to a restricted area in an airport 503. Such a restricted area may be to pass customs control, or access to a particular gate to board a flight. To this end, a person 501 may register 519 themselves, by using the mobile user computing device 502, with a third party system 503. In this example, a mobile phone 502 is used by the user 501 to access a webpage 504 to book a flight. The check-in typically requires a person to register 518 certain data 505, such as a name of the person 505 that is booking a flight; the data 505 may comprise data such as a date of birth, name, certain preferred options such as priority boarding and business class tickets 505. The personal data 505 is registered with the third party system 503, in this instance a cloud environment 516 of the airport site 503, such that the third party system 503 may associate a restricted environment 517 (e.g., access to a business lounge, access to pass customs or a gate) as an access right to the preregistered user 505, possibly for a restricted amount of time. It is possible that specific details, such as flight number, are shared with the third party service 503. During preregistering 519, no biometric data is shared with the third party system 503, merely basic personal data 506 associated to the preregistered person 505 is shared with the third party system 503. The preregistered person 505 does not require to go to a desk at the airport, since the flight and other clearance rights are associated to the preregistered person 505. However, in order to avoid any unauthorised person from accessing the airport, an authentication of a person’s ID is required. To this end, a user may use a user computing device 502, preferably the same as used to preregister, to request access 507 to the restricted area of the airport 503. Upon requesting access 507, for example by making contact with a, preferably communicative, part of a gate at customs or for boarding, an authentication request may emerge on the mobile user computing device 502 of the user. The connection may be established via BLE or NFC communication or a QR code 517. The authentication request 507 requires the person connecting to the gate via connection 517 to authenticate. On the mobile user computing device 502 biometric data 511 may be recorded 512 by the person, such as by using the camera 512 of the mobile user computing device 502. Alternatively, it is imaginable that instead of using the camera 512 of the mobile user computing device 502 a camera or biometric recording device of the third party system 503 is used. This may be a camera arranged in an access gate of the third party system. Said camera of the third party system 503 may record the biometric data 511 and forward it to the mobile user computing device 502, optionally in an encrypted manner such as an encrypted facevector. Also here, it is to be explicitly noted that the separate mobile user computing device 502 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 502 is used for performing the method. However, it is also conceivable that another mobile device which carries the digital user ID may be used.
Thus, the same single mobile user computing device 502 is used for registering 519 and for authenticating 512 without the need to send biometric data to the third party system 503. The identity of the person may be authenticated 510 based on the recorded biometric data 511 and a digital user ID 215 that is locally stored 514 on the mobile user computing device 502. Preferably, said locally stored digital user ID 515 is obtained via the method as indicated in figure 1. If the recorded biometric data 511 has a predetermined degree of similarity compared to the locally stored digital user ID 515, the identity of the person may be realized. If the recorded image 511 meets a predefined degree of similarity to the prestored digital user ID, an authentication signal 509 may be generated and provided to the third party system 503 in order to allow the person within the restricted area. Additionally, authenticated basic personal data, corresponding to the conditional outcome of the authentication step 510, is optionally compared against the prestored basic personal data 506 provided to the third party service 503. In case a predetermined minimum degree of similarity is observed between the authenticated basic personal data and the preregistered basic personal data 506, an authentication signal 509 is provided by the user computing device 502; said signal may grant the person predefined access to the secured sites of the airport such as the gates, or business lounge.
In this example, the mobile user computing device 502 is used to request access to parts of the airport 517, for example by means of an app of the airport, or via gates which allow a mutual connection to be established with the mobile user computing device 502. By holding the mobile user computing device against a part of the gate 517, the person may request access. However, in order to prevent anyone from being able to obtain access, it is required that the identity of the person is authenticated 510, and that the authenticated identity is checked to match the identity of the preregistered person 506 associated to the specific restricted area. In this embodiment, essentially all checking steps are conducted on the mobile user computing device 502. That is, access is requested 507, in response to which access request The airport 517, as the third party system may grant access to the restricted environment upon receiving said authentication signal 509. The main benefit is that no biometric of the person needs to be shared with the third party system 503, which allows the person to remain in full control of the biometric data.
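The Figure 5 flow, written out as an added example that is not code from the patent or its applicant: the device matches a fresh recording against the locally stored digital user ID, compares the resulting basic personal data with what was preregistered, and sends the gate only a go/no-go signal. Cosine similarity, both thresholds, the field names, and the HMAC that binds the signal to one request (with a key assumed to be shared at preregistration) are assumptions; the description does not specify them.

```python
import hashlib
import hmac
import json
import math
from dataclasses import dataclass

FACE_THRESHOLD = 0.80   # assumed value for the "predetermined degree of similarity"
DATA_THRESHOLD = 1.0    # assumed: every preregistered field must match


@dataclass
class DigitalUserID:
    """Held only on the mobile device; never serialised into a signal."""
    face_template: list
    basic_personal_data: dict


def cosine_similarity(a, b):
    """Similarity of two face vectors; malformed input scores 0.0 (fail closed)."""
    if len(a) != len(b) or not a:
        return 0.0
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0


def authenticate_on_device(recorded, user_id):
    """Step 510: return authenticated basic personal data, or None on mismatch."""
    if cosine_similarity(recorded, user_id.face_template) >= FACE_THRESHOLD:
        return dict(user_id.basic_personal_data)
    return None


def personal_data_similarity(authenticated, preregistered):
    """Fraction of preregistered fields that the authenticated data reproduces."""
    if not preregistered:
        return 0.0
    norm = lambda v: str(v).strip().casefold()
    hits = sum(1 for k, v in preregistered.items()
               if k in authenticated and norm(authenticated[k]) == norm(v))
    return hits / len(preregistered)


def _mac(key, request_id, nonce, decision):
    # Assumed binding: the MAC covers the request id, the gate's nonce and the decision.
    msg = json.dumps([request_id, nonce, decision]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_authentication_signal(request, recorded, user_id, device_key):
    """Device side: run both checks locally and emit only go/no-go plus a MAC."""
    authenticated = authenticate_on_device(recorded, user_id)
    ok = (authenticated is not None and
          personal_data_similarity(authenticated, request["preregistered"]) >= DATA_THRESHOLD)
    decision = "go" if ok else "no-go"
    return {"request_id": request["request_id"], "decision": decision,
            "mac": _mac(device_key, request["request_id"], request["nonce"], decision)}


def gate_accepts(signal, request, device_key):
    """Third-party side: grant access only for a 'go' bound to this request's nonce."""
    expected = _mac(device_key, request["request_id"], request["nonce"], "go")
    return (signal.get("request_id") == request["request_id"]
            and signal.get("decision") == "go"
            and hmac.compare_digest(signal.get("mac", ""), expected))


# Constructed sample data (not from the patent).
USER_ID = DigitalUserID([0.12, 0.80, 0.35, 0.41],
                        {"name": "Alex Example", "date_of_birth": "1990-01-01"})
DEVICE_KEY = b"constructed-demo-key"
REQUEST = {"request_id": "gate-7-0001", "nonce": "a3f1c2",
           "preregistered": {"name": "alex example", "date_of_birth": "1990-01-01"}}
LIVE_CAPTURE = [0.10, 0.82, 0.33, 0.45]   # same person, new recording
OTHER_FACE = [0.90, 0.05, 0.40, 0.02]     # different person

if __name__ == "__main__":
    sig = build_authentication_signal(REQUEST, LIVE_CAPTURE, USER_ID, DEVICE_KEY)
    print(sig["decision"], gate_accepts(sig, REQUEST, DEVICE_KEY))
```

A bare go/no-go value carries no proof of which request it answers, so the gate here checks the MAC against its own nonce and rejects a signal recorded from an earlier request.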
The above-described inventive concepts are illustrated by several illustrative embodiments. It is conceivable that individual inventive concepts, including inventive details, may be applied without, in so doing, also applying other details of the described embodiments. It is not necessary to elaborate on examples of all conceivable combinations of the above-described inventive concepts, as a person skilled in the art will understand numerous inventive concepts can be (re)combined in order to arrive at a specific application and/or alternative embodiment.
The ordinal numbers used in this document, like “first”, “second”, and “third” are used only for identification purposes. Hence, the use of expressions like a “second” component, does therefore not necessarily require the co-presence of a “first” component. By “complementary” components is meant that these components are configured to co-act with each other. However, to this end, these components do not necessarily have to have complementary forms. The verb “comprise” and conjugations thereof used in this patent publication are understood to mean not only “comprise”, but are also understood to mean the phrases “contain”, “substantially consist of”, “formed by” and conjugations thereof.
Claims
1. A computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the authentication method comprises the steps of:
i. providing a third party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the third party system comprises prestored personal data and associated access rights associated with the preregistered person,
ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request preferably comprises at least a part of the person data associated with the preregistered person,
iii. requesting a person, via said mobile user computing device and/or third party system to record biometric data, such as a selfie and/or liveness check,
iv. recording the requested biometric data by the person and by using the camera of the mobile user computing device and/or a third party system camera,
v. authenticating, on and by the mobile user computing device, the recorded biometric data of said person against a digital user ID locally prestored on the mobile user computing device, wherein said locally stored digital user ID is preferably based on:
a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and
b. additional biometric data relating to at least one, preferably a plurality of biometric modalities, wherein optionally at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device;
vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system,
vii. optionally comparing, on and by the mobile user computing device and/or by the third party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and
viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and
ix. granting said person, by the third party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
2. Computer-implemented method according to claim 1, wherein during step v) and/or vi) authenticated basic personal data is stored on the mobile user device in case the authentication performed meets a predetermined minimum degree of similarity.
3. Computer-implemented method according to claim 1 or 2, wherein the method comprises the step of establishing a connection between the third party system and the mobile user computing device, preferably prior to step ii), wherein said connection is initiated by scanning a QR-code by the mobile user computing device and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy.
4. Computer-implemented method according to any of the preceding claims, wherein essentially all biometric data related to the person is maintained on the mobile user computing device, in particular on the memory unit of the mobile user computing device.
5. Computer-implemented method according to any of the preceding claims, wherein the restricted environment is a physical environment, such as a hotel room, and/or a stadium, and/or an airport area, and/or a gym, and/or a bank, and/or a festival.
6. Computer-implemented method according to any of the preceding claims, wherein the restricted environment is a digital environment, such as a money transfer platform, and/or an insurance platform, and/or a governmental digital platform.
7. Computer-implemented method according to any of the preceding claims, wherein biometric data stored on the mobile user computing device is encrypted using a public key infrastructure.
8. Computer-implemented method according to any of the preceding claims, wherein the third party system makes part and/or is connected to a server network, such as a cloud based server network, wherein the server network is configured to perform at least a part of step viii) and/or ix).
9. Computer-implemented method according to any of the preceding claims, wherein during steps i)-ix), in particular step v), all biometric data remains on, preferably a storage unit thereof, the mobile user computing device.
10. Computer-implemented method according to any of the preceding claims, wherein the locally stored digital user ID of step v) is generated through a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of:
i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data onto the mobile user computing device,
ii. acquiring, by using the mobile user computing device, additional biometric data from said user, wherein said biometric data relate to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data exclusively onto the mobile user computing device,
iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii),
iv. generating, by said mobile user computing device, a digital user ID in case comparison performed during step iii) meets a predetermined minimum degree of similarity, and locally storing the generated digital user ID on at least one memory unit of the mobile user computing device.
11. Computer-implemented method according to claim 10, wherein during step ii) at least one biometric modality constitutes a selfie of the face of a user.
12. Computer-implemented method according to claim 10 or 11, wherein a biometric template of at least one biometric modality, preferably comprising a faceprint comprising data related to one or more facial landmark associated to a user’s face, is stored on the mobile user computing device, wherein said biometric template is at least partially associated to user related biometric data.
13. Computer-implemented method according to any of claims 10-12, wherein during step ii) at least one biometric modality is a physiological biometric modality.
14. Computer-implemented method according to any of the claims 10-13, wherein during step ii) at least one biometric modality is a behavioural biometric modality, such as keystroke recognition and/or gait pattern recognition.
15. Computer-implemented method according to any of the claims 10-14, wherein during step i) use is made of the mobile user computing device for retrieving data from the at least one official identity document.
16. Computer-implemented method according to any of the claims 10-15, wherein during step i) at least one image of the at least one official identity document is made, preferably by using the mobile user computing device, wherein said image comprises biometric data associated to the identity of a person.
17. Computer-implemented method according to any of the claims 10-16, wherein the official identity document comprises at least one chip, wherein the chip comprises at least a part of the prestored biometric data, wherein the user computing device is capable to retrieve at least a part of the prestored biometric data from said chip during step i).
18. Computer-implemented method according to claim 17, wherein the mobile user computing device is configured for retrieving the prestored biometric data from the chip via near field communication (NFC).
19. Computer-implemented method according to any of the claims 10-18, wherein the method further comprises the step of: v) removing at least a part of the biometric data related to the plurality of biometric modalities from the mobile user computing device after step iii) or iv).
20. Computer-implemented method according to any of the claims 10-19, wherein during step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
21. Computer-implemented method according to any of the claims 10-20, wherein during step i) and/or step ii) and/or step iv), the retrieved and/or acquired and/or generated data, in particular biometric data associated with a user, is exclusively stored on the mobile user computing device.
22. Computer-implemented method according to any of the claims 10-21, wherein step ii) and step iii) at least partially overlap in time.
23. Computer-implemented method according to any of the claims 10-22, wherein during step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
24. Computer-implemented method according to any of the claims 10-23, wherein the mobile user computing device is a smartphone, and wherein preferably the at least one memory unit is a non-volatile memory unit.
25. User computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to any of the claims 10-24, wherein the user computing device is configured for use in a method according to any of the preceding claims.
26. User computing device according to claim 25, wherein the digital user ID is stored on the memory unit of said user computing device, wherein said locally stored digital user ID is preferably based on: i. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and ii. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and preferably wherein said locally stored digital user ID is generated by applying the method according to any of the claims 10-24.
27. User computing device according to claim 25 or 26, further comprising a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
28. User computing device according to any of claims 25 - 27, wherein the processor or an app stored on the memory unit of the user computing device is programmed to: i. authenticate, on said user computing device, recorded biometric data against a user ID locally stored on the user computing device, and/or ii. comparing, by the user computing device, prestored personal data associated with a person with authenticated basic personal data associated to an authenticated person of step i), and/or iii. provide an authentication signal from the user computing device to the third-party system in case the comparison performed during step ii) meets a predetermined minimum degree of similarity, wherein a third-party system may grant predefined user access upon receiving the authentication signal.
29. System for authenticating a preregistered person in a third-party system, comprising:
- at least one user computing device, in particular according to one of the claims 10-24, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and
- at least one third party system which requires a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third-party system if the authentication meets a predetermined minimum degree of similarity.
30. Computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, according to any of the claims 10-24.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| NL2035159 | 2023-06-23 | | |
| NL2035159A NL2035159B1 (en) | 2023-06-23 | 2023-06-23 | A computer implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024263035A1 (en) | 2024-12-26 |
Family
ID=88207748
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/NL2024/050329 Pending WO2024263035A1 (en) | 2023-06-23 | 2024-06-24 | A computer implemented method for generating and storing a digital user id associated with a user and use thereof for authenticating a person |
Country Status (2)
| Country | Link |
|---|---|
| NL (1) | NL2035159B1 (en) |
| WO (1) | WO2024263035A1 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140337930A1 (en) * | 2013-05-13 | 2014-11-13 | Hoyos Labs Corp. | System and method for authorizing access to access-controlled environments |
| US10698995B2 (en) * | 2014-08-28 | 2020-06-30 | Facetec, Inc. | Method to verify identity using a previously collected biometric image/data |
| US20210117524A1 (en) * | 2018-04-23 | 2021-04-22 | Amadeus S.A.S. | Biometric authentication method, system, and computer program |
- 2023-06-23: NL, NL2035159A, patent NL2035159B1 (en), active
- 2024-06-24: WO, PCT/NL2024/050329, patent WO2024263035A1 (en), active, pending
Also Published As
| Publication number | Publication date |
|---|---|
| NL2035159B1 (en) | 2025-01-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20250298877A1 (en) | Biometric authentication | |
| US9189612B2 (en) | Biometric verification with improved privacy and network performance in client-server networks | |
| US10440019B2 (en) | Method, computer program, and system for identifying multiple users based on their behavior | |
| US9262615B2 (en) | Methods and systems for improving the security of secret authentication data during authentication transactions | |
| US10042993B2 (en) | Access control through multifactor authentication with multimodal biometrics | |
| US20220114245A1 (en) | Method and system for performing user authentication | |
| EP2685401B1 (en) | Methods and systems for improving the security of secret authentication data during authentication transactions | |
| JP7364057B2 (en) | Information processing device, system, face image update method and program | |
| CN112005231A (en) | Biometric authentication method, system and computer program | |
| US20150082390A1 (en) | Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device | |
| US12212564B2 (en) | Mobile enrollment using a known biometric | |
| JP7151928B2 (en) | AUTHENTICATION SERVER, AUTHENTICATION SERVER CONTROL METHOD AND PROGRAM | |
| US10482225B1 (en) | Method of authorization dialog organizing | |
| CN113158154A (en) | Mobile device, verification terminal device and identity verification method | |
| Papaioannou et al. | User authentication and authorization for next generation mobile passenger ID devices for land and sea border control | |
| US12019719B2 (en) | Method and electronic device for authenticating a user | |
| NL2035159B1 (en) | A computer implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person | |
| US11165772B2 (en) | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data | |
| US12141255B2 (en) | Method for authenticating a user on client equipment | |
| JP7248184B2 (en) | Server, system, method and program | |
| WO2022237550A1 (en) | Access control authentication method, apparatus and system for preventing privacy leak |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24737190; Country of ref document: EP; Kind code of ref document: A1 |