WO2024263035A1 - Computer-implemented method for generating and storing a digital user ID associated with a user and its use for authenticating a person - Google Patents
- Publication number
- WO2024263035A1, PCT/NL2024/050329
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computing device
- user computing
- biometric
- user
- mobile user
- Prior art date
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the present invention is related to a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera.
- the present invention is further related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera.
- the invention is further related to a user computing device, and a system for authenticating a preregistered person in a third-party system.
- banking establishments may make use of a partially digital authentication of a user who is inclined to open a bank account.
- the user may upload data stored on a passport, which may be done via scanning the passport for example.
- the prestored data of the passport may be authenticated against a picture taken by the user and uploaded to the same digital environment of the banking establishment.
- the persons may trust the cyber security measures of the third-party service, they also become victim of the hack, since their data is stored with said service.
- private, or even biometric data of the persons enrolled or registered with the third-party system may be stolen and/or used for malicious purposes by the hackers. This risk tends to grow as the number of services that need an authentication step starts to grow. Especially since a person may need to register for every service separately.
- the authentication was intentionally kept at a distance from the person using the service, in order to ensure the quality of the authentication, the downsides, such as risk of hacking and sharing of private and/or biometric data or identity information, start to overshadow the benefit of authentication performed by the third-party system.
- identity information for providing services from a service provider to a customer (user or person) has been accompanied by an increased danger of central interception and theft of that information from the service provider.
- Identity theft occurs when someone uses, for example, password related data, a username, a Social Security number, a credit card number, or other identifying personal information of another without consent to commit fraud. Such fraud often results not only in financial loss, but also in a loss of trust, wherein both the service provider and the user can be considerably damaged.
- An additional downside of these third-party systems is that the person using the system generally has no idea of where their data is stored, and also no idea as to what happens with their data. It may be the case that a part of their data is sold by the third party.
- the present invention proposes a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes, wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of: i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data, preferably exclusively, onto the mobile user computing device, ii.
- biometric data relate to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data onto the mobile user computing device, iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii), iv.
- the present invention allows for generating and storing a digital user ID which may be used in subsequent authentication processes.
- the particular advantage of the present invention is that it allows a user to generate and to locally store a digital user ID for themselves, only by using the user’s (single) mobile user computing device. Hence, the mobile user device, which a user typically carries with themselves, holds only the digital user ID. Since the digital user ID is authenticated, the digital user ID may be validly used to authenticate a person during authentication processes of third-party systems.
- Another particular advantage of the present invention is that the prestored biometric personal data retrieved from the official identity document are stored on the mobile user computing device. Hence, there is no need to share sensitive, valuable and personal data with a third-party system and/or with third parties. Sharing biometric data with a third party, which usually stores said data with the biometric data of other users, makes, as described before, the third party more prone to a hack, which may cause biometric data theft of the user from said third party, which is obviously undesired.
- the present invention allows the user to remain in control of the prestored biometric personal data by only storing it locally, on the memory unit of the mobile user computing device.
- the digital user ID is preferably stored encrypted on at least one memory unit of the mobile user computing device, more preferably on a secured area (protected area) of said at least one memory unit of the mobile user computing device.
- the prestored biometric personal data comprises at least one high-resolution (colour) image of the face associated with a user.
- the prestored biometric personal data further comprises demographic and biometric information associated with the user, preferably fingerprint of at least one, preferably all fingers, an iris scan, a digital signature, a retinal scan.
- the mobile user computing device is significantly less susceptible to a (targeted) hack, since it merely holds biometric data associated to a single person.
- family members of the user may create a second or third or fourth digital user ID on the device of said user, allowing the mobile user computing device to store a digital user ID of the family members of the user.
- the different digital user IDs associated to the family members are stored on the mobile user device under e.g., different accounts and/or under different names.
- the present invention further allows to make repetitive use of authentication steps within a third party system, which in current third party systems is typically rather cumbersome to the user.
- the locally stored user ID may easily, and with low threshold, be used for local authentication of the user during use of a third party system, by authenticating the locally stored digital user ID against an image of the user for example.
- the digital user ID may for example be used as a replacement for a password, or in addition to a password and/or existing login method.
- the digital user ID, stored on the mobile user device may be applied in any third party system which requires a user to login.
- the benefit of the local user ID is that it may be used in a decentralized manner compared to existing technologies which require a transfer of biometric data out of the storage of the mobile user device. That is, the digital user ID is stored on, and preferably exclusively used on the mobile user device. That is, when a third party system requires a user to login, this login may be authenticated locally, based on the stored digital user ID.
- the mobile user device upon meeting a predefined degree of similarity between an image and the digital user ID may send an authentication signal to the third party system to grant the person access to the third party system, without in doing so sending any biometric data to said system.
- the digital user ID is generated only once, thereafter it can be used for authentication purposes. Therefore, the present invention may provide for a quicker and more secure 1:1 matching solution without the requirement to send biometric data to a central server for authentication purposes.
- the present invention not only allows for maintaining control over the prestored biometric personal data retrieved from the at least one official identity document, but also the acquired additional biometric data from the user is stored locally, preferably on the memory unit of the mobile user computing device, thereby giving the user full control and ownership of the biometric data.
- step iii) is performed by the at least one processor of the mobile user computing device. Since also the step of comparing is performed by the mobile user computing device, it is possible to generate an authenticated digital user ID essentially exclusively on the mobile user computing device. Hence, making it possible to establish a digital user ID, which is authenticated, locally on the mobile user computing device. As such, a user is not required to share any biometric data.
- the digital user ID may be used with a wide range of third party systems which are compliant. Hence, eliminating the need for a user to generate a single user ID with all the separate third-party systems, and the associated risk of hacks of personal biometric data stored within said third party systems.
- local shall be understood as decentralized, preferably not making use of a public server network, or a server network that is used by a plurality of users. The latter in any case as to the biometric data.
- basic personal data: this may be understood as simple personal data such as a name of a user or person. Such data can be freely shared since it does not constitute sensitive data or may be less useful to malicious persons.
- Other examples of basic personal data may for example be date of birth, place of birth, optionally a basic image of a person, wherein no biometric data is associated with said basic image, a username, a place of residence, or the like.
- Biometric data may be understood as comprising at least some measurable and/or quantifiable characteristics of the person, such as a fingerprint, or key facial landmarks, or the like.
- Such type of data is preferably not shared with any third party, since it may cause identity theft if stolen from the third party, e.g., when hacked.
- Such basic personal data may be added, for example by the user, to the digital user ID as credentials.
- step ii) acquiring additional biometric data from said user comprises the steps of: recording data of at least one characteristic of the person, preferably by using the camera of the mobile user computing device; and constructing, preferably by using the at least one processor of the mobile user computing device, biometric data, wherein said biometric data relate to a plurality of biometric modalities, related to the recorded data.
- Biometric data, in particular the biometric modalities, may be understood as describing or defining measurable human characteristics, preferably wherein said biometric data, in particular the biometric modalities, are stored and/or converted into one or more biometric data templates, which may comprise a set of stored biometric features. Since the biometric data may be highly sensitive, especially in the hands of malicious persons, it is generally not preferred to share said biometric data.
- At least one biometric modality constitutes a selfie of the face of a user.
- the selfie may for example be recorded with the at least one camera of the mobile user computing device. It is imaginable that it is sufficient to record merely a face part, rather than the entire face, such as for example an upper part of the face, during step ii).
- the face is uncovered, although it is also feasible to retrieve sufficient biometric facial information from a partially covered face, such as when a user is wearing a mouth mask, sunglasses, and/or a hat.
- step iii) a predetermined minimum degree of similarity may be detected by the mobile user computing device in order to guarantee a valid authentication of the identity of a user.
- a face recognition analysis is performed based on the acquired additional biometric data, preferably the selfie, during step ii) and the prestored biometric personal data retrieved during step i). It is preferred that the comparison performed is at least partially based on a depth perception face recognition. It has been proven that facial recognition with depth perception may be able to detect deep fake pictures, and hence may provide a more reliable outcome of the comparison step of step iii).
- both at least one selfie of the face of a user and a user liveness check are acquired.
- This is beneficial for the step of comparing, since it may allow validating that the user is a living person, and verifying the face based on the selfie image.
- it is preferred that at least the selfie is compared with the prestored biometric personal data of step i), in particular a high-resolution image thereof.
- a biometric template of at least one biometric modality preferably comprising a faceprint comprising data related to one or more facial landmarks associated to a user’s face, such as face vectors, is stored on the mobile user computing device, wherein said biometric template is at least partially associated to user related biometric data.
- the captured biometric modality acquired during step ii) is therefore preferably converted into a mathematical file and/or into one or more face vectors.
- the template is a digital and/or mathematical representation of features or characteristics of the acquired additional biometric source data during step ii).
- the biometric data retrieved and/or acquired, in particular the biometric template is encrypted prior to being stored on the memory unit. It is conceivable that the data is encrypted according to a public key infrastructure.
- the biometric data collected during steps i) and ii) is preferably stored within a secure area (protected area) of at least one memory unit of the mobile user computing device.
- PKI: public key infrastructure
- At least one biometric modality is a physiological biometric modality.
- at least one biometric modality is chosen from the group of: fingerprints, vein recognition, iris recognition, retina scanning, facial recognition, ear recognition, finger geometry (the size and position of fingers), palm prints, voice recognition.
- at least one biometric modality is a behavioural biometric modality, such as a keystroke recognition and/or gait pattern recognition.
- At least one biometric modality is recorded, by said user using at least one transducing component of the mobile user computing device during step ii).
- Said at least one transducing component is preferably chosen from the group consisting of: a camera, a microphone, and/or a biometric sensor.
- the recording can for example take place by making and/or by recording and/or by capturing a facial image, such as a selfie, a facial video of an entire face or face part, an iris video, a voiceprint, a fingerprint, a hand gesture, a fingerprint, finger vein, or a photo of a finger allowing the determination of the minutiae of said finger and/or the vein(s) of said finger.
- the software used to recognise the recorded biometric is preferably a kind of living or dynamic piece of software running on or performed by the processor of the mobile user computing device, meaning that it will continuously improve based on historical data that is submitted by users.
- the user is preferably guided through the process for generating a digital user ID.
- One of the steps during this enrolment process is that the user may be guided in how to properly record a biometric characteristic associated to said user.
- at least one host computing device provides recording instructions to the user via the messenger application, wherein said recording instructions define one or more minimum requirements relating to the quality of the biometric characteristic to be recorded. It is also imaginable that this guidance can be provided to the user via the mobile user computing device. These minimum requirements can be presented and communicated in various ways to the user, such as by text, audio, pictures or video.
- the digital identity generated by the mobile user computing device is, at least partially stored, on a digital wallet of the mobile user computing device.
- Said digital wallet may be allocated on the memory unit for example and is typically very well encrypted to further prevent theft.
- the official identity document issued by a government is a passport, and/or an identity card, and/or an official identity document issued by a company or health service, such as a health insurance card, a physical identity document, and/or a digital identity document.
- the official identity document according to the purpose of the present invention shall comprise prestored biometric personal data associated with a user.
- the official identity document is compliant with the International Civil Aviation Organization (ICAO) DOC series 9303.
- ICAO: International Civil Aviation Organization
- use is made of the mobile user computing device for retrieving data from the at least one official identity document.
- step i) at least one image of the at least one official identity document is made, preferably by using the mobile user computing device, wherein said image comprises biometric data associated to the identity of a person.
- the image of the official identity document is preferably processed, for example by the processor of the mobile user computing device, to extract and/or deduce the prestored biometric personal data from the official identity document.
- the official identity document comprises at least one chip, wherein the chip comprises at least a part of the prestored biometric data, wherein the user computing device is capable to retrieve at least a part of the prestored biometric data from said chip during step i).
- the mobile user computing device is configured for retrieving the prestored biometric data from the chip via near field communication (NFC).
- NFC: near field communication
- comparing is performed essentially entirely and/or exclusively based on data stored locally on the mobile user computing device.
- Said data may include the retrieved prestored biometric personal data during step i) which are stored on the mobile user computing device. It is in particular preferred to use the chip of the at least one official identity document since it allows for direct local storage on the mobile user computing device.
- the method further comprises the step of: v) removing at least a part of the biometric data stored and/or collected during step i) and/or step ii) from the mobile user computing device after completion of step iii) and/or iv).
- the retrieved biometric personal data from the at least one official identity document and the acquired additional biometric data during steps i) and ii) are used for comparing, in particular authenticating, the identity of a user, or at least a measure of similarity between the recorded biometric during step ii) against the prestored biometric of step i). If the comparison yields a predetermined minimum degree of similarity, a digital user ID may be generated, and stored on the memory unit of the mobile user computing device. After generating the digital user ID, the retrieved and acquired biometric data is not needed per se, and may therefore be deleted in order to further prevent theft of sensitive data.
- step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
- at least one selfie of the face of a user is compared with the high-quality (colour) image prestored on the passport of a user.
- step ii) and step iii) at least partially overlap in time.
- a user uses the mobile user computing device to record, by using the mobile user computing device, a selfie of their face, which is subsequently compared (hence step iii), with a part of the prestored biometric personal data retrieved during step i). Since comparing of data may be done on the background, e.g., by a processor of the mobile user computing device, it is conceivable that the user records a liveness check during the comparison step iii). As such, partial overlap in time may be established between steps ii) and iii).
- steps i) and ii) are each performed at least once. That is, for step iii), comparable data must be available.
- step iii) use is made only of the camera of the mobile user computing device for recording of additional biometric data.
- step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
- multimodal biometric data which may typically be harder to fool
- step iii) merely single modal biometric data is used.
- said single modal biometric data may be formed by a selfie of the face of a user.
- the selfie of the face of the user is captured, e.g., automatically, without the user required to do so, from the liveness check performed during step ii).
- the liveness check may require the user to move their head left and right, and/or up and down, in order to be able to check the liveness.
- the mobile user computing device, e.g., by the processor, captures an image of the recorded video of the user moving their head, which screen capture may be used as the single biometric modality stored during step ii).
- the mobile user computing device is a smartphone, and wherein preferably the at least one memory unit is a non-volatile memory unit.
- the mobile user computing device may alternatively be a tablet, a laptop, a desktop computer, a smartwatch or any other smart wearable device.
- feature phones should be understood as a type or class of (mobile) phones that are visually and dimensionally similar to early generations of mobile phones.
- the feature phones typically comprise press-buttons based inputs, such as a menu button and an “ok”, and “back” button, and a small, typically non-touch display.
- the display may typically be a colour display.
- the feature phones typically use an embedded operating system.
- a smartphone should be understood as a type or class of (mobile) phones that performs many functions of a computer, typically provided with a touchscreen interface, internet access, and an extensive mobile operating system that allows for running, and downloading applications, multimedia functionality, alongside the core phone functions such as voice calls and text messaging.
- the entire method as set forth above is performed by or runs at least partially on the processor of the mobile user computing device, for example in the form of an application, which the user may access via the mobile user computing device interface.
- the processor is configured for requesting the user, hence via the mobile user computing device, to perform certain steps, possibly in a predetermined order. It may to this end be conceivable that upon starting the application for the first time, the user is presented with a screen which provides the user with the choice for starting the digital user ID generation process.
- the application may dictate the user to retrieve prestored biometric personal data associated with an official identity document issued by a government. In line with the ownership of the sensitive data, it is preferred that the owner or maker of the application has no access to the biometric data and/or the digital user ID stored by the user and on the mobile user computing device.
- the present invention provides a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the authentication method comprises the steps of: i. providing a third-party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the third party system comprises prestored personal data and associated access rights associated with the preregistered person, ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the personal data associated with the preregistered person, iii.
- biometric data such as a selfie and/or liveness check
- biometric data relating to at least one, preferably a plurality of biometric modalities, wherein preferably at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and/or wherein said locally stored digital user ID is generated by applying the method according to the invention, vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system, vii.
- step vi) optionally comparing, on and by the mobile user computing device and/or by the third-party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and ix. granting said person, by the third-party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
- This aspect of the present invention allows to use a prestored digital user ID for authenticating a preregistered person which may yield different benefits.
- it allows the person to remain in control of their biometric data.
- the recorded biometric data during step iv) is recorded by, and preferably only stored on, the mobile user computing device.
- the biometric data recorded during step iv) is recorded by a camera or biometric recording device of the third party system, and preferably forwarded to the mobile user computing device after recording, without central storage thereof in the third party system environment.
- the digital user ID is prestored on the mobile user computing device, it is possible to perform an authentication step locally, hence on the mobile user computing device. This contributes to a decentralized system for both verification and authentication.
- the prestored biometric personal data retrieved from the official identity document, nor the recorded or requested biometric data associated to the person need to be verified or sent to the third-party system, such as a cloud environment, that requires an authentication.
- the locally prestored digital user ID is generated applying the method according to the present invention. This particularly ensures a completely decentralized solution which only requires a communicative connection with the third party system, but does not require biometric data to be stored or shared, in particular centrally, with the third party system.
- the person may be able to use a single prestored digital user ID on the mobile user computing device for a number of third party systems.
- the user may be able to use the single prestored digital user ID in relation to a plurality of third-party systems.
- the latter preferably whilst remaining in control of the biometric data that is shared with the third-party system. This is beneficial since it is cumbersome for a person to generate an authenticated identity with each of said services individually.
- the present invention therefore provides for a 1-to-1 matching solution, wherein in particular the verification and authentication is performed exclusively in a decentral environment, particularly a mobile user device such as a phone. Therefore, the present invention circumvents the need for a 1-to-n or 1-to-many matching solution. It is to be particularly pointed out that both the initial verification or enrolment as well as the authentication later on are performed without sharing biometric data with a third party system. More importantly, since the digital user ID is stored locally on the mobile user computing device, and the verification step v) is performed on said mobile user computing device, it becomes possible to keep full control of the biometric data. That is, preferably no biometric data is stored on a central server of the third party system. It shall be understood by the skilled person that the locally stored digital user ID according to this aspect of the invention needs to be generated only once, prior to being able to use it for authentication.
- step v) may be performed partially on or by the third party system, in particular on a local processing unit of the third party system. According to the alternative embodiment, it is not required that the step v) of authenticating is performed on and by the mobile user computing device, but instead on and/or by the third party system. In that case, it may be required that some biometric data encompassed in the digitally stored user ID is shared with the third party system.
- the following steps are performed: i) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted part of the digital user ID, in particular an encrypted facevector or other biometric modality towards the third party system by the user computing device; ii) sending, preferably via BLE and/or NFC and/or a QR-code, an encrypted private key associated to the digital user ID stored on the mobile user computing device towards the third party system by the user computing device; iii) decrypting, by the third party system, the encrypted private key; iv) using the decrypted private key to decrypt the encrypted part of the digital user ID, in particular the facevector; v) obtaining biometric data associated with the user requesting authentication, preferably via a camera of the third party system and/or mobile user computing device; vi) comparing, by the third party system, the obtained biometric data of step v) with the decrypted faceve
- step v) is performed by the third party environment according to, preferably local, 1-to-1 matching.
- This particular and alternative example may be suitable for application at an airport or other third party system which requires in line authentication, such as stadiums, concerts, or the like.
- This alternative example does not require sharing of the private key via a cloud based environment, but allows for sharing using BLE connection, NFC connection, and/or a connection via QR-code.
- the private key is preferably stored on the mobile user computing device after verification and generating a digital user ID.
- the private key may be used to access at least a portion of the digital user ID.
- the facevector is provided to the third party system via the aforementioned connection, however it is imaginable that it is stored on a backend.
- the method may in that case comprise a step of checking whether both authentication steps are positive and meet the predefined level of similarity. In case both meet the required degree of similarity an authentication signal may be generated.
- the method comprises the step of establishing a connection between the third party system and the mobile user computing device, preferably prior to step ii), wherein said connection is initiated by scanning a QR-code by the mobile user computing device and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy.
- the method comprises the step of receiving an authentication trigger, preferably prior to step ii), wherein said authentication trigger is initiated by scanning a QR-code by the mobile user computing device, in particular by a camera thereof, and/or by connecting the mobile user computing device with the third party system via NFC and/or Bluetooth, in particular Bluetooth Low Energy.
- Said QR-code may for example be depicted on a gate at an airport where authentication is required prior to being authorized to proceed into the restricted area.
- the gate may comprise an NFC placement or particular Bluetooth Low Energy (BLE) connection instruction.
- the local authentication may proceed as described above, that is on the mobile user computing device, without sending biometric data to the gate.
- said authentication trigger is configured for initiating an authentication procedure and/or establishing a connection, such as a data or signal connection, between the mobile user computing device and the third party system. Similar solutions can be applied for authenticating access at stadiums or concerts, which typically involve lines and gates at an entrance which require a person to authenticate themselves.
- This aspect allows authenticating an identity of a person that is requesting access to the digital service and/or restricted environment against a prestored digital user ID, and additionally allows for comparison of the authenticated basic personal data with basic personal data of the preregistered person.
- the first allows for validating whether the person requesting access is in fact the person associated with the prestored digital user ID, hence an authenticating step. However, it is also needed to check whether said authenticated person is in fact the person that is preregistered. To this end, the latter step is performed. If both steps are successful, an authentication signal may be established which may grant access.
- authenticated basic personal data may for example be a name of the person. Since this is not sensitive data, this may optionally be shared with the third-party system.
- authenticated basic personal data is stored on the mobile user device in case the authentication performed meets a predetermined minimum degree of similarity. This may additionally allow for later use of the authenticated basic personal data, for example as long as the mobile user computing device is not locked, since otherwise it may be difficult to guarantee the validity of the authenticated basic personal data.
- the authenticated basic personal data is at least stored on the memory unit of the mobile user computing device up until, and preferably including, step viii). It is imaginable that essentially all biometric data related to the person is maintained on the mobile user computing device, in particular on the memory unit of the mobile user computing device.
- biometric data related to the person may be sensitive, and dangerous if in the hands of a malicious person, it is preferred that the data is maintained on the mobile user computing device of the person instead of on a cloud computing device of a third party system together with biometric data associated to many other people registered with said third party system.
- the restricted environment is a physical environment, such as a hotel room, and/or a stadium, and/or an airport area, such as access to a specific gate and/or passing customs control, and/or a gym, and/or a bank, and/or a bar.
- the restricted environment is a digital environment, such as a digital bank environment, and/or a money transfer platform, and/or an investment platform and/or an insurance platform, and/or a digital governmental platform.
- a ticket e.g., a ticket to a soccer match or concert, or plane ticket.
- the person may need to be authenticated; this may be done by using the mobile user computing device to perform the authentication step.
- a camera of the third party system is used for making a picture, which may in a particular embodiment be authenticated by the third party system against a preauthenticated image of a face of the user.
- the person records a picture (preferably a selfie), that is preferably prior to going to the stadium and/or airport, which is authenticated against the locally stored digital user ID.
- the picture is authenticated, said picture may be shared with the third party system as part of the basic personal data. This may allow the third party system to, by taking an image of the person entering the stadium and/or airport, validate the identity of the person against the pre-authenticated picture.
- the method according to the present invention may for example be applied when a person requests to log in on said platform, or if the person is arranging a transfer of money.
- the authentication according to the present invention may prevent someone other than the preregistered person from performing unwanted actions. If a person has their banking application opened on their mobile phone, and puts the phone away for a second, it could be possible that a third person picks up the mobile phone and makes a transfer. By using the method according to this aspect of the invention the person should authenticate at the point the transfer is made, hence said unintended and unwanted transaction may be prevented since the person does not match the preregistered person.
- the third-party system forms part of and/or is connected to a server network, such as a cloud based server network, wherein the server network is configured to perform at least a part of step viii) and/or ix).
- step iv) and/or v) are performed on and by the mobile user computing device, since this allows for not sharing biometric data with the third-party system whilst still performing a qualitative authentication step.
- Steps viii) and/or ix) may to this end be performed either by the mobile user computing device and/or by the third-party system, such as said server network.
- step vii) involves only a comparison of basic personal data, it is not required to perform this step on the mobile user device. That is, basic personal data is typically used by the person on a day-to-day basis, or even to register (e.g., name, date of birth, or the like).
- Such data may not be very valuable to malicious persons and hence may be shared with and/or compared by the third-party system.
- the person already has entered such basic personal data within the third-party system in order to (for example) book a hotel room, or a ticket to a stadium.
- the third-party system may grant the person access (that is, in case the authenticated basic personal data matches the preregistered basic personal data).
- the biometric data stored on the mobile user computing device is encrypted using a public key infrastructure.
- the person, i.e., the owner, of the biometric data that is stored on the memory unit of the mobile user computing device is in control of the data.
- the private key is not shared by the person, only the person will be able to access the biometric data.
- the present invention provides for a user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to the present invention, wherein the user computing device is configured for use in a method according to the invention.
- the digital user ID is stored on the memory unit of said user computing device, wherein said locally stored digital user ID is preferably based on: a. both biometric personal data retrieved from at least one official identity document, such as a passport, associated with a user, and b. additional biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and preferably wherein said locally stored digital user ID is generated by applying the method according to the present invention.
- the user computing device comprises a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
- the processor or an app stored on the memory unit of the user computing device is programmed to: i. authenticate, on said user computing device, recorded biometric data against a user ID locally stored on the user computing device, and/or ii. compare, by the user computing device, prestored personal data associated with a person with authenticated basic personal data associated to an authenticated person of step i), and/or iii. provide an authentication signal from the user computing device to the third party system in case the comparison performed during step ii) meets a predetermined minimum degree of similarity, wherein a third party system may grant predefined user access upon receiving the authentication signal.
- the present invention provides for a system for authenticating a preregistered person in a third party system, comprising: at least one user computing device, in particular according to the invention, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and at least one third party system which requires a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third party system if the authentication meets a predetermined minimum degree of similarity.
- the same benefits apply as set forth with respect to the methods according to the present invention.
- a computer-implemented method for generating and storing a digital user ID associated with a user for subsequent digital user authentication purposes wherein the method makes use of a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the method comprises the steps of: i. retrieving, preferably via the mobile user computing device, prestored biometric personal data from at least one official identity document, such as a passport, associated with a user and storing said biometric personal data onto the mobile user computing device, ii.
- biometric data relate to a plurality of biometric modalities, wherein at least one of said biometric modalities constitutes a user liveness check by using the camera of the mobile computing device, and storing at least a part of said acquired additional biometric data exclusively onto the mobile user computing device, iii. comparing, by said mobile user computing device, at least a part of the biometric data stored during step i) and at least a part of the additional biometric data stored during step ii), iv.
- step iii) one or more one-to-one image matching checks are performed on the mobile user computing device, preferably by the at least one processor of the mobile user computing device.
- step i) and/or step ii) and/or step iv) the retrieved and/or acquired and/or generated data, in particular biometric data associated with a user, is exclusively stored on the mobile user computing device.
- step ii) and step iii) at least partially overlap in time.
- step iii) use is made of single modal biometric data associated with a single biometric modality stored during step ii), and/or wherein during step iii) use is made of multimodal biometric data associated with a plurality of biometric modalities stored during step ii).
- a computer-implemented method for authenticating a preregistered person by using a mobile user computing device comprising at least one processor, at least one memory unit, and at least one camera
- the authentication method comprises the steps of: i. providing a third party system requiring a person to authenticate themselves to permit access to a digital service and/or to a restricted environment, wherein third party system comprises prestored personal data and associated access rights associated with the preregistered person, ii. optionally sending an authentication request by said third party system to the mobile user computing device, wherein said authentication request comprises at least a part of the person data associated with the preregistered person, iii.
- biometric data such as a selfie and/or liveness check
- biometric data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device; and/or wherein said locally stored digital user ID is generated by applying the method according to any of the preceding clauses, vi. in case the person is successfully authenticated during step v) generating authenticated basic personal data associated with said authenticated person and/or providing an authentication signal preferably by the user computing device and/or third party system, to the third party system, vii.
- step vi) optionally comparing, on and by the mobile user computing device and/or by the third party system, at least a part of the personal data associated with the preregistered person prestored in the third party system with the authenticated basic personal data generated during step vi), and viii. optionally providing an authentication signal, by the user computing device and/or third party system, to the third party system in case the comparison performed during step vii) meets a predetermined minimum degree of similarity, and ix. granting said person, by the third party system, predefined access to said digital service and/or to said restricted environment upon receiving the authentication signal provided during step vi) and/or viii) by the third party system.
- User computing device comprising at least one processor, at least one memory unit, and at least one camera, wherein the processor is configured to allow a digital user ID to be stored locally onto at least one memory unit of the user computing device, preferably wherein said locally stored digital user ID is at least partially based on data relating to a plurality of biometric modalities, wherein at least one of said biometric modalities preferably constitutes a user liveness check by using the camera of the mobile user computing device and/or wherein said locally stored digital user ID is generated by applying the method according to any of the clauses 1-15, wherein the user computing device is configured for use in a method according to any of the preceding clauses.
- User computing device further comprising a communication module for retrieving data from an official identity document, in particular for retrieving prestored biometric personal data from said official identity document, such as a passport, in particular wherein said data is stored on a memory unit, such as a chip of said official identity document.
- System for authenticating a preregistered person in a third-party system comprising:
- At least one user computing device in particular according to one of the clauses 23-26, comprising at least one memory unit, and at least one camera, and a digital user ID stored locally onto at least one memory unit of the user computing device, and
- the at least one user computing device is configured for authenticating a user, on the user computing device, based on the locally stored digital user ID and a recorded biometric modality, and for providing an authentication signal to the third-party system if the authentication meets a predetermined minimum degree of similarity.
- FIG. 1 shows a non-limitative embodiment of a computer-implemented method for generating and storing a digital user ID
- FIG. 2 shows a first embodiment of a computer-implemented method for authenticating a registered person
- FIG. 3 shows a second embodiment of a computer-implemented method for authenticating a registered person
- FIG. 4 shows a third embodiment of a computer-implemented method for authenticating a registered person
- FIG. 5 shows a fourth embodiment of a computer-implemented method for authenticating a person.
- FIG. 1 shows an embodiment for generating and storing a digital user ID which is associated with a user for subsequent authentication purposes 100. Some non-limitative examples of such authentication purposes are shown in the figures 2-4.
- the computer-implemented method 100 makes use of a mobile user computing device 101.
- Said mobile user computing device 101 is a mobile phone 101, in particular a smartphone 101.
- a tablet or laptop, or other mobile device 101 belonging to a user is used for the same purpose.
- the mobile user computing device 101 comprises at least one processor 102, which processor 102 may be configured for starting, running, and closing applications on said mobile user computing device 101.
- the mobile user computing device 101 further comprises at least one memory unit 103, such as an SD card, network storage, memory chip, or the like.
- the memory unit 103 preferably belongs to or is part of the mobile user computing device 101, or at least allows for local storage of data and/or information.
- the mobile user computing device 101 further comprises one or more recording devices 104, 105, such as a camera 104, for recording one or more biometric modalities related to the user.
- a user may retrieve prestored biometric personal data 107, 108, 109, 110 from at least one official identity document 106 associated with a user.
- the official identity is a passport 106, issued by a government.
- the passport 106 is of the newer type, which comprises an NFC chip 107.
- the passport comprises the data associated to a person such as a picture 108, basic information related to date of birth 110, place of birth 110, name, but also document related information 110, such as a document type, document number, or the like 110.
- a part of the information may be incorporated into a code 109, typically situated along an edge of the identity document, which may also be referred to as a machine readable zone 109.
- the user may use the mobile user computing device 101 to retrieve 116, preferably by scanning, the prestored biometric personal data 107, 108, 109, 110 from the official identity document 106. This may be done through the NFC chip 107.
- the user may use a camera 104 of the mobile user computing device 101 to scan the official identity document 106 and to retrieve 116 the personal biometric data 107, 108, 109, 110.
- the prestored biometric data 107, 108, 109, 110 retrieved 116 from the NFC chip 107 of the passport is preferably stored onto a memory unit 103 of the mobile user computing device 101.
- the user may be requested to 117, or of their own volition, record 111 biometric data 112 from themselves, for example by using a (selfie) camera 104 of the mobile user computing device 101, or by using a fingerprint scanner 105 of the mobile user computing device 101.
- the encircled portion 111, which reflects the step of recording 111 biometric data of the user, is performed on the same user computing device 101, hence only a single mobile user computing device 101 is used in the method according to the invention 100 shown here. It is merely for illustrative purposes that this is indicated as a separate mobile user computing device 101.
- the recorded 111 and acquired biometric data related to the user comprises a plurality of biometric modalities, of which at least one constitutes a liveness check 112.
- the biometric data is stored onto the mobile user computing device 101, in particular the memory unit 103 thereof. It is conceivable that the biometric data is stored in an encrypted manner.
- At least one biometric modality constitutes a selfie 112 of the face of the user. It is imaginable that not the selfie as such is stored onto the memory unit, but merely a biometric template, comprising a faceprint with data related to facial landmarks associated to the user’s face.
- the two are compared 118. Comparing 118 of the prestored biometric personal data 113 and the recorded biometric data 112 occurs on the mobile user computing device 101, in particular on a processor 102 thereof.
- a digital user ID 115 is generated 114, preferably by the processor 102 of the mobile user computing device 101. Subsequently said generated digital user ID 115 is stored onto the mobile user computing device 101, preferably the memory unit 103 thereof. It is conceivable that after generating 114 and storing the digital user ID 115 locally on the mobile user computing device 101, any data stored on the mobile user computing device that was recorded 112 and/or obtained 116 is deleted. As such, all steps elucidated above may occur on, or by, the mobile user computing device 101.
- Since the user has their own digital authenticated user ID, the latter may be used by a wide variety of third party systems, where authentication within such third party environments requires only the local presence of the digital user ID. This is a significant improvement, since the user does not need to authenticate themselves separately with a wide range of third party systems, a practice which enlarges the risk of data leaks in one of such systems, since these systems typically comprise vast amounts of data related to a large number of people, making them an interesting target to malicious persons.
- Figure 2 shows an embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 200.
- This particular figure shows an example of a user that is authenticated in order to be granted access to a hotel room 203 or an apartment 203.
- a person 201 may register 219 themselves, by using the mobile user computing device 202, with a third party system 203.
- a mobile phone 202 is used by the user 201 to access a webpage 204 of a hotel 203, where a check-in is performed.
- the check-in typically requires a person to register 218 certain data 205, such as a name of the person 205 that is checking-in, the dates from and to which the person would like to make use of the hotel room 205, and optionally information relating to services of the hotel 205, in this case the choice for half board stays.
- the personal data 205 is registered with the third party system 203, in this instance a cloud environment 216 of the hotel 203, such that the third party system 203 may associate a restricted environment 217 (e.g., hotel room, or breakfast room) as an access right to the preregistered user 205, possibly for a restricted amount of time (e.g., the duration of the stay).
- the hotel room may share the basic personal data 206 associated to the preregistered person 205 with the mobile user computing device 202.
- biometric data 211 may be recorded 212 by the person, such as by using the camera 212 of the mobile user computing device 202.
- the separate mobile user computing device 202 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 202 is used for performing the method.
- the same single mobile user computing device 202 is used for registering 219 and for authenticating 212.
- the identity of the person may be authenticated 210 based on the recorded biometric data 211 and a digital user ID 215 that is locally stored 214 on the mobile user computing device 202.
- said locally stored digital user ID 215 is obtained via the method as indicated in figure 1. If the recorded biometric data 211 has a predetermined degree of similarity compared to the locally stored digital user ID 215, the identity of the person may be realized.
- the authenticated basic personal data, corresponding to the conditional outcome of the authentication step 210, is compared against the prestored basic personal data 206 provided to the third party service 203.
- an authentication signal 209 is provided by the user computing device 202, said signal may grant the person predefined access to the restricted hotel room 217.
- the mobile user computing device 202 is used to request access to the hotel room 217, for example by means of an app of the hotel, which is running on 213 the mobile user computing device 202. By holding the mobile user computing device against a lock, or other part, of the hotel room 217, the person may request access.
- the identity of the person is authenticated 210, as well as comparing that the authenticated identity matches the identity of the preregistered person 206 associated to the specific room.
- essentially all checking steps are conducted on the mobile user computing device 202. That is, access is requested 207, in response to which access request, basic personal data 206 associated to the room 217 are, optionally in an encrypted manner, sent 207 to the mobile user computing device 202.
- the person is requested to authenticate 210 themselves, by recording biometric data of themselves 211, which is authenticated 210 against a locally stored digital user ID 215.
- the recorded biometric data is only stored 214 on the mobile user computing device 202 and need not be shared with the third party system (hotel) 203. If the recorded biometric data 211 matches the digital user ID 215, the person is successfully authenticated 210.
- Authenticated basic personal data 206, such as a name, may be retrieved by the mobile user computing device 202 upon successful authentication 210. Said authenticated basic personal data may be compared with the preregistered basic personal data 206 received in response to the access request. If the basic personal data matches, an authentication or access signal 209 may be generated by the user computing device 202, and subsequently sent to the hotel room 217. The hotel room 217, as the third party system, may grant access to the room upon receiving said authentication signal 209.
- the main benefit is that no biometric data of the person needs to be shared with the third party system 203, which allows the person to remain in full control of the biometric data.
- the only data that needs to be shared is the basic personal data, or a part thereof, in order to allow a comparison between an authenticated person and the preregistered person. This may also be based on specific characters of the basic personal data.
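The Figure 2 flow described above, sketched as an added example (this is not code from the patent or its applicant): the device matches the recorded template 1-to-1 against the local digital user ID, compares the authenticated name with the preregistered one, and returns a signal that carries no biometric data. The cosine-similarity score, the 0.90 threshold, the HMAC key shared at registration and the per-request nonce are assumptions of this sketch; the page does not specify how the signal is protected.

```python
import hashlib
import hmac
import json
import math
import secrets

# Assumed value: the page only speaks of a "predetermined minimum degree of similarity".
SIMILARITY_THRESHOLD = 0.90


def cosine_similarity(a, b):
    """1-to-1 score between two equal-length biometric templates."""
    if len(a) != len(b):
        return 0.0
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def sign_payload(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding (assumed signal protection)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class MobileDevice:
    """Holds the digital user ID; the template never leaves this object."""

    def __init__(self, face_template, basic_personal_data, signal_key):
        self._template = face_template
        self._basic = basic_personal_data
        self._key = signal_key

    def handle_access_request(self, request, recorded_template):
        # Authenticate the recorded sample against the local digital user ID.
        if cosine_similarity(recorded_template, self._template) < SIMILARITY_THRESHOLD:
            return None
        # Compare the authenticated basic personal data with the preregistered
        # data received in the access request (assumed: case-insensitive name match).
        claimed = request["preregistered"]["name"].strip().casefold()
        if claimed != self._basic["name"].strip().casefold():
            return None
        # The signal names the room and echoes the nonce; no biometric data.
        payload = {"room": request["room"], "nonce": request["nonce"],
                   "result": "authenticated"}
        return {"payload": payload, "tag": sign_payload(self._key, payload)}


class HotelRoomLock:
    """Third party side: issues access requests and checks the returned signal."""

    def __init__(self, room, preregistered, signal_key):
        self.room = room
        self._preregistered = preregistered
        self._key = signal_key
        self._open_nonces = set()

    def access_request(self):
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return {"room": self.room, "nonce": nonce,
                "preregistered": dict(self._preregistered)}

    def grant(self, signal):
        if not signal:
            return False
        payload = signal.get("payload", {})
        if not hmac.compare_digest(sign_payload(self._key, payload), signal.get("tag", "")):
            return False
        if payload.get("room") != self.room or payload.get("nonce") not in self._open_nonces:
            return False
        self._open_nonces.discard(payload["nonce"])  # a signal opens the door once
        return payload.get("result") == "authenticated"


def run_demo():
    """Constructed sample data: templates, names and room id are made up."""
    key = secrets.token_bytes(32)  # assumed to be shared during preregistration
    device = MobileDevice((0.12, 0.80, 0.35, 0.46), {"name": "Alex Jansen"}, key)
    lock = HotelRoomLock("room-12", {"name": "alex jansen"}, key)
    genuine, impostor = (0.10, 0.82, 0.33, 0.48), (0.90, 0.10, 0.40, 0.05)
    signal = device.handle_access_request(lock.access_request(), genuine)
    return {
        "genuine_granted": lock.grant(signal),
        "replay_granted": lock.grant(signal),
        "impostor_signal": device.handle_access_request(lock.access_request(), impostor),
        "signal_fields": sorted(signal["payload"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the lock accepts a signal on the strength of the device's claim alone, everything it trusts is the key and the nonce; a device-side compromise defeats the check regardless of how good the biometric match is.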
- Figure 3 shows a slightly different embodiment of the same third party system 303 as indicated in figure 2. However, some steps slightly differ compared to the embodiment indicated in figure 2. The person similarly registers 319 themselves using e.g., a webpage 304 and/or an application of a third party system 303 via the user computing device 302.
- Basic personal data 306a related to the preregistered person 205 may be stored, e.g., in a cloud environment 316 of the third party system 303.
- the third party system 303 which in this instance is the hotel, may allocate a specific room to the preregistered person, and optionally restricted access to certain parts of the hotel, based on the data 305 of the preregistration.
- the person 305 does not need to go through the reception, since the room is allocated on the basis of the preregistration 319.
- a hotel room 317 may be communicated to the person via the cloud environment to the app or a mailing service on the mobile user computing device 302.
- Upon a request for access 307 to the specific room 317 associated to the preregistered person 306a, the third party system 303 needs to ensure that the person asking access 307 matches the preregistered person 306a. To this end, the person may be required to authenticate themselves on the mobile user computing device 302, e.g., based upon an authentication request 307 from the third party system 303. To this end, the person may, in particular on said mobile user computing device 302, record 312 biometric data 311 of themselves, which is authenticated 310a against a locally stored digital user ID 315. Also here, it is to be explicitly noted that the separate mobile user computing device 302 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 302 is used for performing the method 300.
- authenticated basic personal data 306b e.g., name, age, gender
- the authenticated basic personal data 306b may be shared 309a, possibly in an encrypted manner, with the cloud service 316 of the third party system (hotel).
- the authenticated basic personal data 306b may be compared 310b with the basic personal data 306a related to the preregistered person 205.
- FIG. 4 shows a different embodiment of the present invention related to a computer-implemented method for authenticating a preregistered person by using a mobile user computing device 400.
- the third party system 403 may be an app 404 running on the mobile user computing device 402, for example a banking application 404.
- a person 401 may access the banking application 404 through the mobile user computing device 401.
- an access code is entered in order to enter the banking application 404.
- the person may be allowed to perform several actions such as checking a savings account, making a (money) transfer 405, or adapting the settings.
- the method according to the present invention may be used. That is, if the person 401 is willing to make a money transfer 405, a transfer request 405 is preregistered, corresponding to an amount to be transferred to a predetermined banking account, by the person 401.
- an authentication step 410a may be included to establish the money transfer.
- basic personal data 406a may be preregistered, e.g., in the app 404 running on the mobile user computing device 402, or on the memory unit 414 of the mobile user computing device 402, or even on a cloud service 416 corresponding to the banking application 404.
- the person is requested 407 to record 412 biometric data 411, for example by using the camera 412 of the mobile user computing device 402.
- the recorded biometric data 411 is authenticated 410a against a locally stored digital user ID 415, which may be stored on the memory unit 414 of the user computing device 402.
- said locally stored digital user ID 415 is obtained according to the embodiment shown in figure 1.
- authenticated basic personal data 406b related to the authenticated person may be shared 409a with the banking app.
- the separate mobile user computing device 402 shown is the same as indicated on the top left.
- a single mobile user computing device 402 is used for performing the method 400.
- the same single mobile user computing device 402 is used for registering and for authenticating 412.
- said authenticated basic personal data 406b is compared with the prestored basic personal data 406a.
- an authentication signal 409b may be generated, either by the banking app 404 or the mobile user computing device 402 which may grant the person access to a certain restricted action, in this case making the money transfer 405.
- the authentication signal comprises a (digital) certificate 408 which may be stored on the mobile user computing device 401 as a record of authenticated money transfer.
- the authentication signal 409b may for example be a simple “go or no-go” type of signal.
- Figure 5 shows an embodiment of the present invention related to a computer-implemented method 500 for authenticating a preregistered person by using a mobile user computing device.
- This particular figure shows an example of a user that is authenticated in order to be granted access to a restricted area in an airport 503. Such a restricted area may be to pass customs control, or access to a particular gate to board a flight.
- a person 501 may register 519 themselves, by using the mobile user computing device 502, with a third party system 503.
- a mobile phone 502 is used by the user 501 to access a webpage 504 to book a flight.
- the check-in typically requires a person to register 518 certain data 505, such as a name of the person 505 that is booking a flight. The data 505 may comprise data such as a date of birth, name, and certain preferred options such as priority boarding and business class tickets 505.
- the personal data 505 is registered with the third party system 503, in this instance a cloud environment 516 of the airport site 503, such that the third party system 503 may associate a restricted environment 517 (e.g., access to a business lounge, access to pass customs or a gate) as an access right to the preregistered user 505, possibly for a restricted amount of time. It is possible that specific details, such as flight number, are shared with the third party service 503.
- preregistering 519 no biometric data is shared with the third party system 503, merely basic personal data 506 associated to the preregistered person 505 is shared with the third party system 503.
- the preregistered person 505 does not need to go to a desk at the airport, since the flight and other clearance right associated to the preregistered person 505.
- an authentication of a person’s ID is required.
- a user may use a user computing device 502, preferably the same as used to preregister, to request access 507 to the restricted area of the airport 503.
- an authentication request may emerge on the mobile user computing device 502 of the user.
- the connection may be established via BLE or NFC communication or a QR code 517.
- the authentication request 507 requires the person connecting to the gate via connection 517 to authenticate.
- biometric data 511 may be recorded 512 by the person, such as by using the camera 512 of the mobile user computing device 502.
- a camera or biometric recording device of the third party system 503 is used.
- This may be a camera arranged in an access gate of the third party system. Said camera of the third party system 503 may record the biometric data 511 and forward it to the mobile user computing device 502, optionally in an encrypted manner such as an encrypted face vector.
- the separate mobile user computing device 502 shown is the same as indicated on the top left. Hence, also here only a single mobile user computing device 502 is used for performing the method. However, it is also conceivable that another mobile device which carries the digital user ID may be used. Thus, the same single mobile user computing device 502 is used for registering 519 and for authenticating 512 without the need to send biometric data to the third party system 503.
- the identity of the person may be authenticated 510 based on the recorded biometric data 511 and a digital user ID 215 that is locally stored 514 on the mobile user computing device 502. Preferably, said locally stored digital user ID 515 is obtained via the method as indicated in figure 1. If the recorded biometric data 511 has a predetermined degree of similarity compared to the locally stored digital user ID 515, the identity of the person may be realized. If the recorded image 511 meets a predefined degree of similarity to the prestored digital user ID, an authentication signal 509 may be generated and provided to the third party system 503 in order to allow the person within the restricted area.
- authenticated basic personal data corresponding to the conditional outcome of the authentication step 510, is optionally compared against the prestored basic personal data 506 provided to the third party service 503.
- an authentication signal 509 is provided by the user computing device 502; said signal may grant the person predefined access to the secured sites of the airport such as the gates, or business lounge.
- the mobile user computing device 502 is used to request access to parts of the airport 517, for example by means of an app of the airport, or via gates which allow a mutual connection to be established with the mobile user computing device 502. By holding the mobile user computing device against a part of the gate 517, the person may request access.
- the identity of the person is authenticated 510, and it is checked that the authenticated identity matches the identity of the preregistered person 506 associated to the specific restricted area.
- essentially all checking steps are conducted on the mobile user computing device 502. That is, access is requested 507, in response to which access request The airport 517, as the third party system may grant access to the restricted environment upon receiving said authentication signal 509.
- the main benefit is that no biometric of the person needs to be shared with the third party system 503, which allows the person to remain in full control of the biometric data.
- inventive concepts are illustrated by several illustrative embodiments. It is conceivable that individual inventive concepts, including inventive details, may be applied without, in so doing, also applying other details of the described embodiments. It is not necessary to elaborate on examples of all conceivable combinations of the above-described inventive concepts, as a person skilled in the art will understand numerous inventive concepts can be (re)combined in order to arrive at a specific application and/or alternative embodiment.
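The figure 5 flow, as an added sketch that is not code from the patent or the applicant: the device matches the recorded face vector against the locally stored digital user ID and releases only basic personal data plus a go/no-go signal, which the third party checks against the preregistration. The cosine matcher, the 0.90 threshold, the HMAC key shared at preregistration and the per-request nonce are all assumptions; the description specifies none of them.

```python
import hashlib
import hmac
import json
import math
import secrets

THRESHOLD = 0.90  # assumed stand-in for the "predetermined degree of similarity"

def similarity(a, b):
    """Cosine similarity between two face vectors (assumed matcher)."""
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

def sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def device_authenticate(stored_id, recorded, basic_data, key, nonce):
    """Runs on the mobile device; returns a signal with no biometric in it, or None (no-go)."""
    if len(recorded) != len(stored_id) or similarity(recorded, stored_id) < THRESHOLD:
        return None
    payload = json.dumps({"nonce": nonce, "data": basic_data}, sort_keys=True)
    return {"payload": payload, "tag": sign(key, payload)}

def new_request(pending):
    """Runs at the third party: issue a fresh nonce so a signal cannot be replayed."""
    nonce = secrets.token_hex(16)
    pending.add(nonce)
    return nonce

def third_party_grant(signal, preregistered, key, pending):
    """Runs at the third party, which holds only preregistered basic personal data."""
    if signal is None:
        return False
    if not hmac.compare_digest(sign(key, signal["payload"]), signal["tag"]):
        return False  # altered, or not produced by the enrolled device
    body = json.loads(signal["payload"])
    if body["nonce"] not in pending:
        return False  # unknown or already used request
    pending.discard(body["nonce"])
    return body["data"] == preregistered

def demo():
    """Constructed sample data: the enrolled face passes, a different face is refused."""
    key, pending = b"constructed-demo-key", set()
    data = {"name": "A. Example", "date_of_birth": "1990-01-01"}
    stored = [0.12, 0.80, 0.35, 0.45]
    same = device_authenticate(stored, [0.13, 0.79, 0.36, 0.44], data, key, new_request(pending))
    other = device_authenticate(stored, [0.90, 0.10, 0.00, 0.10], data, key, new_request(pending))
    return third_party_grant(same, data, key, pending), third_party_grant(other, data, key, pending)
```

A symmetric key keeps the sketch inside the standard library; with it, the third party could forge signals itself, so a deployment wanting the stored certificate 408 to serve as an independent record would need an asymmetric signature instead.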
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Collating Specific Patterns (AREA)
Abstract
The present invention relates to a computer-implemented method for generating and storing a digital user ID associated with a user for the purpose of subsequent digital authentication, the method using a mobile computing device comprising at least one processor, at least one memory unit and at least one camera. The present invention further relates to a computer-implemented method for authenticating a preregistered person using a mobile user computing device comprising at least one processor, at least one memory unit and at least one camera. The invention further relates to a user computing device, and to a system for authenticating a preregistered person in a third party system.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| NL2035159 | 2023-06-23 | ||
| NL2035159A NL2035159B1 (en) | 2023-06-23 | 2023-06-23 | A computer implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024263035A1 true WO2024263035A1 (fr) | 2024-12-26 |
Family
ID=88207748
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/NL2024/050329 Pending WO2024263035A1 (fr) | A computer-implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person | 2023-06-23 | 2024-06-24 |
Country Status (2)
| Country | Link |
|---|---|
| NL (1) | NL2035159B1 (fr) |
| WO (1) | WO2024263035A1 (fr) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140337930A1 (en) * | 2013-05-13 | 2014-11-13 | Hoyos Labs Corp. | System and method for authorizing access to access-controlled environments |
| US10698995B2 (en) * | 2014-08-28 | 2020-06-30 | Facetec, Inc. | Method to verify identity using a previously collected biometric image/data |
| US20210117524A1 (en) * | 2018-04-23 | 2021-04-22 | Amadeus S.A.S. | Biometric authentication method, system, and computer program |
-
2023
- 2023-06-23 NL NL2035159A patent/NL2035159B1/en active
-
2024
- 2024-06-24 WO PCT/NL2024/050329 patent/WO2024263035A1/fr active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| NL2035159B1 (en) | 2025-01-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20250298877A1 (en) | Biometric authentication | |
| US9189612B2 (en) | Biometric verification with improved privacy and network performance in client-server networks | |
| US10440019B2 (en) | Method, computer program, and system for identifying multiple users based on their behavior | |
| US9262615B2 (en) | Methods and systems for improving the security of secret authentication data during authentication transactions | |
| US10042993B2 (en) | Access control through multifactor authentication with multimodal biometrics | |
| US20220114245A1 (en) | Method and system for performing user authentication | |
| EP2685401B1 (fr) | Methods and systems for improving the security of secret authentication data during authentication transactions | |
| JP7364057B2 (ja) | Information processing device, system, face image update method, and program | |
| CN112005231A (zh) | Biometric authentication method, system, and computer program | |
| US20150082390A1 (en) | Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device | |
| US12212564B2 (en) | Mobile enrollment using a known biometric | |
| JP7151928B2 (ja) | Authentication server, authentication server control method, and program | |
| US10482225B1 (en) | Method of authorization dialog organizing | |
| CN113158154A (zh) | Mobile device, verification terminal device, and identity verification method | |
| Papaioannou et al. | User authentication and authorization for next generation mobile passenger ID devices for land and sea border control | |
| US12019719B2 (en) | Method and electronic device for authenticating a user | |
| NL2035159B1 (en) | A computer implemented method for generating and storing a digital user ID associated with a user and use thereof for authenticating a person | |
| US11165772B2 (en) | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data | |
| US12141255B2 (en) | Method for authenticating a user on client equipment | |
| JP7248184B2 (ja) | Server, system, method, and program | |
| WO2022237550A1 (fr) | Access control authentication method, apparatus, and system for preventing privacy leakage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24737190; Country of ref document: EP; Kind code of ref document: A1 |