AU2014256361A1 - Client authentication - Google Patents

Client authentication Download PDF

Info

Publication number
AU2014256361A1
AU2014256361A1 AU2014256361A AU2014256361A AU2014256361A1 AU 2014256361 A1 AU2014256361 A1 AU 2014256361A1 AU 2014256361 A AU2014256361 A AU 2014256361A AU 2014256361 A AU2014256361 A AU 2014256361A AU 2014256361 A1 AU2014256361 A1 AU 2014256361A1
Authority
AU
Australia
Prior art keywords
client
authentication
communications network
client device
over
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
AU2014256361A
Inventor
Adrian James
Stephen Ryan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Onecheck Pty Ltd
Original Assignee
Onecheck Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Onecheck Pty Ltd filed Critical Onecheck Pty Ltd
Priority to AU2014256361A priority Critical patent/AU2014256361A1/en
Priority to PCT/AU2015/050667 priority patent/WO2016065413A1/en
Priority to AU2015337794A priority patent/AU2015337794A1/en
Publication of AU2014256361A1 publication Critical patent/AU2014256361A1/en
Abandoned legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G10MUSICAL INSTRUMENTS; ACOUSTICS
    • G10LSPEECH ANALYSIS OR SYNTHESIS; SPEECH RECOGNITION; SPEECH OR VOICE PROCESSING; SPEECH OR AUDIO CODING OR DECODING
    • G10L17/00Speaker identification or verification
    • G10L17/22Interactive procedures; Man-machine interfaces
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G10MUSICAL INSTRUMENTS; ACOUSTICS
    • G10LSPEECH ANALYSIS OR SYNTHESIS; SPEECH RECOGNITION; SPEECH OR VOICE PROCESSING; SPEECH OR AUDIO CODING OR DECODING
    • G10L17/00Speaker identification or verification
    • G10L17/06Decision making techniques; Pattern matching strategies
    • G10L17/10Multimodal systems, i.e. based on the integration of multiple recognition engines or fusion of expert systems

Abstract

A computer-implemented method (200) performed by an authentication server (103) for remotely receiving client authentication data over a communications network (107). The method includes receiving (210), over the communications network (107), a request from a client device (105) to initiate a client authentication session for remote authentication of a client (115). In response to the request, the method includes sending (220), over the communications network (107), an authentication challenge to the client device (105). The method further includes receiving (230), over the communications network (107), an audiovisual authentication response representative of the client (115) verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client (115) forms at least part of the client authentication data for authenticating the client (115). Authentication 112 server C- 116 105 610 Organisation First C 13processinig" Client Base station device Client Client 112 Client device Client Fig. 1

Description

1 Client authentication Technical Field [0001] The present disclosure relates to computer-implemented methods, computer systems, client device and computer programs for remotely receiving client authentication data for authenticating a client. Background [0002] Organisations often require clients to identify themselves and to provide documentation to authenticate the clients' identity. Conventionally, some organisations required a client (or potential client) to show, in person, physical forms of identity documents (such as a driver's licence, passport, birth certificate, etc.) to a representative of the organisation. The representative would then review the identity documents and compare them with the client, in their presence, to authenticate that client's identity. Such an authentication process may be used by organisations such as banks, mortgage brokers, insurance companies, other financial institutions, governments departments, etc. [0003] Some organisations offer their products and services remotely of the location of the representative of the organisation. For example, a client (or potential client) may be provided with the option to apply for a product or service through a webpage or application on a client's computing device. [0004] A user of the client device is also referred herein as a 'client'. [0005] Throughout this specification the word "comprise", or variations such as 'comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.
2 [0006] Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present disclosure as it existed before the priority date of each claim of this application. Summary [0007] The present disclosure provides a computer-implemented method performed by an authentication server for remotely receiving client authentication data over a communications network, the method including: (a) receiving, over the communications network, a request from a client device to initiate a client authentication session for remote authentication of a client; (b) in response to the request, sending, over the communications network, an authentication challenge to the client device; (c) receiving, over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client. [0008] The method may include determining whether the audiovisual authentication response was received during a predetermined time period of the client authentication session. [0009] The computer implemented method may also include the step of determining whether the audiovisual authentication response was received during a predetermined time period is based on a time associated with step (c) and at least one of the preceding steps. [0010] In one form the computer-implemented method further includes the step of determining a session time period that begins in one of the steps preceding step (c) and ends at or after step (c) and the step of comparing the session time period with the predetermined time period.
3 [0011] In one form, the method further includes associating a time security flag with the client authorisation data, the time security flag indicative of a result of determining whether the audiovisual authentication response was received during the predetermined time period. [0012] In one form, the method further includes sending, over the communications network, an indication to the client device of a result of determining whether the audiovisual authentication response was received during the predetermined time period. [0013] In one form of the method, if the indication is that the session time period is outside the prescribed time period, the method further includes: terminating the client authentication session [0014] In a further form the computer-implemented method includes storing in a datastore the client authentication data including: the authentication challenge; and the audiovisual authentication response. [0015] In yet another form the computer-implemented method includes storing, in the datastore, the client authentication data and a time associated with step (c) and at least one of the preceding steps. [0016] In one form the computer-implemented method includes: initiating a secure connection, over the communications network, between the authentication server and a client device. [0017] In a further form the computer-implemented method includes: sending, via short message service communication protocol, an activation code addressed to a mobile phone number of the client; receiving, over the communications network, a response activation code from the client device, determining whether the response activation code corresponds with the activation code.
4 [0018] In a further form the computer-implemented method includes receiving, over the communications network, information representing an identity document of a client captured from an imaging device associated with the client device, wherein the information representing the identity document forms at least part of the client authentication data for authenticating the client. [0019] In a further form the computer-implemented includes: extracting, from the information representing the identity document of the client captured from the imaging device, personal information of the client; sending, over the communications network, to the client device the extracted personal information for confirmation as correct or editing by the client; and receiving, over the communications network, edited personal information or an indication that the extracted personal information are confirmed as correct. [0020] In one form, the information representing an identity document received from the client device include personal information of the client extracted from an image of the identity document by the client device. [0021] In another form the computer-implemented method includes: receiving, over the communications network, location data of the audiovisual authentication response of the client verbalising the authentication challenge at the client device, and location data of the client device in at least one of the preceding steps. The computer implemented method may further include: determining a maximum deviation between two or more of the received location data of the client device, determining a location security indicator associated with the client authentication data indicative of a result of a comparison between the maximum deviation of the location data with a predetermined location deviation. [0022] In one form the computer-implemented method includes: sending, over a communications network, to a third party one or more of the following: the client authentication data associated with the client; the personal information of the client; the email address of the client; the mobile number of the client; the time associated with 5 the client authentication data; the session time period; the indication of the result of determining whether the audiovisual response was received during the predetermined time period; a time security flag; one or more times; the location security indicator associated with the client authentication data; and one or more of the location data. [0023] In another form the computer-implemented method according to any one of the preceding claims wherein the authentication challenge code includes: a personal information component; and a random and/or pseudo-random component. [0024] In one form the audiovisual authentication response of the client is recorded by the client device. [0025] The present disclosure also provides a computer program including machine executable instructions to cause a processing device to implement the method described above. [0026] The present disclosure also provides a computer system for remotely receiving client authentication data over a communications network, the computer system including a first processing device to: (a) receive, over the communications network, a request from a second processing device of a client device to initiate a client authentication session for remote authentication of a client; (b) in response to the request, send, over the communications network, an authentication challenge to the client device; and (c) receive, from the second processing device over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client. [0027] The present disclosure also provides a computer-implemented method performed by a client device for remotely sending client authentication data, over a communications network, during a remote authentication session, the method including: (a) sending, over the communications network, a request to initiate a client 6 authentication session for remote authentication; (b) receiving, over the communications network, an authentication challenge from an authentication server and sending, on a user interface of the client device, the authentication challenge to a client; and (c) sending, over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client. [0028] In a further form the computer-implemented method includes sending, over the communications network, location data of the audiovisual authentication response of the client verbalising the authentication challenge at the client device. [0029] The present disclosure also provides a computer program including machine executable instructions to cause a processing device to implement the method performed by a client device described above. [0030] The present disclosure also provides a client device for remotely sending client authentication data, over a communications network, during a remote authentication session, the client device includes a second processing device to: (a) receive, over the communications network, an authentication challenge from a first processing device of an authentication server; (b) provide, on a user interface of the client device, the authentication challenge to a client; and (c) send, to the first processing device over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client.
7 Brief Description of Drawings [0031] Fig. 1 is a schematic diagram of an example system for remotely receiving client authentication data over a communications network for authenticating a client; [0032] Fig. 2(a) is a flowchart of an embodiment of a computer-implemented method performed by an authentication server for remotely receiving client authentication data over a communications network; [0033] Fig. 2(b) is a flowchart of an embodiment of a computer-implemented method performed by a client device for remotely sending client authentication data over a communications network; [0034] Fig. 3 is a flowchart of another embodiment of a computer-implemented method performed by an authentication server for remotely receiving client authentication data; [0035] Fig. 4 is a flowchart of a computer-implemented method for remotely receiving client authentication data performed on a client device that is complementary to the method in Fig. 3; [0036] Fig. 5 is a view of the user interface of a client device displaying the Terms and Conditions for the remote client authentication session; [0037] Fig. 6 is a view of the user interface of a client device displaying a prompt for the client to enter a mobile phone number; [0038] Fig. 7 is a view of the user interface of a client device displaying a notification that an activation code has been sent to the mobile phone; [0039] Fig. 8 is a view of the user interface of a client device displaying a prompt for the client to enter the activation code; 8 [0040] Fig. 9 is a view of the user interface of a client device displaying a list of suitable identity documents; [0041] Fig. 10 is a view of the user interface of a client device displaying a camera preview of an identity document; [0042] Fig. 11 is a view of the user interface of a client device displaying an image of the identity document in Fig. 10 and displaying extracted personal information for confirmation by the client; [0043] Fig. 12 is a view of the user interface of a client device displaying a camera preview of an alternative identity document; [0044] Fig. 13 is a view of the user interface of a client device displaying an image of the identity document in Fig. 12 and displaying extracted personal information for confirmation by the client; [0045] Fig. 14 is a view of the user interface of a client device displaying the authentication challenge and instructions for the client; [0046] Fig. 15 is a view of the user interface of a client device displaying the audiovisual authentication response for review by the client; [0047] Fig. 16 is a view of the user interface of a client device displaying a prompt for the client to enter an email address; [0048] Fig. 17 is a view of the user interface of a client device displaying a notification to the client that the client authentication session is complete on the client device; and [0049] Fig. 18 is a screen shot of information provided to an organisation that was received during the remote client authentication session.
9 Description of Embodiments Overview of the system for remotely receiving client authentication data [0050] Fig. 1 illustrates a system 100 for remotely receiving client authentication data in a remote authentication session that includes an authentication server 103 in communication with a client device 105 via a wide area communications network 107, 109 such as the Internet. [0051] The authentication server 103 includes a first processing device 111, and is generally operated by an organisation 113 (or a representative operating on behalf of the organisation) seeking to authenticate a client 115 remotely through the respective client device 105. For example, the organisation 113 may be a bank authenticating a potential client 115 (e.g. a bank customer) making an application for a loan through a client device 105. In one example, the first processing device is a web-server. [0052] The first processing device 111 has access to a datastore 123 to store and retrieve authentication session details, including client information and client authentication data. [0053] The client device 105 has a second processing device 112 and a user interface 116, and may be any suitable client device including a mobile communication device 117, a tablet computer, a laptop computer 119, a desktop computer, etc. The user interface 116 may include any one or more of a visual, audible, or tactile interface. The client 115 may interact with the system 100 through a software application installed on the client device 105, and/or through a web browser displayed on the client device 105.
10 Brief description of the method for remotely receiving client authentication data for authentication a client [0054] A computer-implemented method 200 performed by an authentication server 103 for remotely receiving client authentication data over a communications network 107, 109 will now be described with reference to the steps in the flowchart in Fig. 2(a). [0055] At block 210, the method 200 (at the authentication server) includes the authenticating server 103 receiving a request from a client device 105 to initiate the client authentication session for remote authentication of a client 115. [0056] At block 220, in response to the request received at block 210, the method 200 includes sending an authentication challenge, over the communications network 107, 109, the client device 105. This allows the user, being the client 115, to receive and respond to the authentication challenge. In one non-limiting example the authentication challenge may include a phrase and that the client responds to by verbalising (such as reading aloud) the authentication challenge. In another non limiting example, the authentication challenge may include a question that the client responds to by providing a verbal answer to the question. [0057] At block 230, the method 200 includes receiving, over the communications network, the audiovisual authentication response representative of the client verbalising the authentication challenge. The audiovisual authentication response of the client forms at least part of the authentication data for authenticating the client. [0058] The audiovisual authentication response can be reviewed by the organisation for authenticating the identity of the client in comparison with the authentication challenge and other information associated with that client. This may include, for example, comparing the facial features shown in the audiovisual authentication response with that of a visual representations of the client (such as a photograph or video) from identity documents or identity information in a database. This may also 11 include comparing the voice in the audiovisual authentication response with that of known characteristics of the client's voice. Brief description of the method for remotely sending client authentication data for authentication a client [0059] A computer-implemented method 212 performed by a client device 105 for remotely sending client authentication data over a communications network 107, 109 will now be described with reference to the steps in the flowchart in Fig. 2(b). These steps may be the counterpart to the steps performed by the authentication server 103 shown in Fig. 2(a) [0060] At block 232, the method 212 (at the client device) includes the client device 105 sending, over the communications network, a request to initiate a client authentication session for remote authentication of the client 115. This request is then received by the authentication server 103 as described in the above method 200 at block 210 [0061] At block 234, the method 212 includes the client device 105 receiving the authentication challenge from the authentication server 103 and providing, on a user interface 116 of the client device 105, the authentication challenge to a client 115. The authentication challenge that is received is the authentication challenge sent by the authentication server 103 as described in the above method 200 at block 220. [0062] At block 236, the method 212 includes the client device 105 sending an audiovisual authentication response representative of the client 115 verbalising the authentication challenge at the client device 105. The audiovisual authentication response of the client 115 forms at least part of the client authentication data for authenticating the client. The audiovisual authentication response is then received by the authentication server 103 as described in the above method 200 at block 230.
12 A method performed by an authentication server to operate a remote client authentication session over a communications network [0063] An overview of an embodiment of a method 300 performed by an authentication server to operate a remote client authentication session over a communication network will now be described with reference to the steps in the flowchart in Fig. 3, which shows: [0064] At block 320, a request from a client device 105 to initiate a client authentication session for remote authentication of a client is received by the authentication server 103. This is the same or similar to block 210. [0065] At block 301, a secure connection is initiated between a client device 105 and the authentication server 103. [0066] At block 303, acceptance by a client of the Terms and Conditions associated with the remote client authentication session is confirmed. Memory in the datastore 123 is then allocated for storing session details. [0067] At block 305, an activation code and an authentication challenge for the client authentication session is generated. [0068] At block 307, an active mobile phone number associated with the client is confirmed with the activation code. [0069] At block 309, identity document(s) associated with the client is received. Personal information in the identity document(s) is then confirmed with the client. [0070] At block 311, an authentication challenge is sent to the client device. This is the same, or similar to, block 220 described above. [0071] At block 313, an audiovisual authentication response representative of the client verbalising the authentication challenge of the client device is received. This is 13 the same, or similar to, block 230 described above. The audiovisual authentication response forms at least part of the client authentication data. [0072] At block 315, the authentication server 103 finalises the client authentication session with the client device 105. [0073] At block 317, the authentication server determines a session time period that includes at least the time between sending the authentication challenge to the user interface at block 311 and receiving the audiovisual authentication response at block 313. The session time period may be used for security and/or integrity purposes discussed in further detail below. [0074] At block 319, the authentication server determines a location security indicator associated with the client authentication data. The location security indicator is indicative of location data received from the client device at different stages of the client authentication session. [0075] At block 321, the authentication server 103 provides the session details to the organisation. This may include storing relevant session details in a datastore, or sending to a further computer system of the organisation. Relevant session details may include the authentication challenge and the audiovisual authentication response. This allows the organisation to recover the authentication challenge and the audiovisual authentication response at a later time to authenticate the client's identity. [0076] A corresponding method 350 performed by the client device 105 is illustrated in the flowchart of Fig. 4. A more in depth description of the method 300 performed by the authentication server 103 will now be described together with the steps of the method 350 performed by the client device 105.
14 Initiate secure connection (Block 320) [0077] The method 300 starts with deployment of a client application on the client device 105. The client application may be a native application to the client device 105, for example an application that runs on the operating system of the client device 105, such as iOS, Android, Windows. In another form, the client application may be a web browser. Thus on the client device 105, the deployment may include downloading the native client application and opening the client application. Alternatively, for the web application it may include using a web browser to access a uniform resource locator (URL). The client application provides the instructions to perform the steps of the method 300 at the client device 105 described herein. On deployment of the client application the client device 105 sends a request to initiate the client authentication session to the authentication server in block 351. [0078] At the authentication server 103, a server software application provides the instructions to perform the steps of the method 300. [0079] After the client application is deployed on the client device 105 and the request to initiate the client authentication session received 320, a secure connection, over the communications network 107, 109, is initiated and established between the authentication server 103 and the client device 105 in blocks 301, 353. The secure connection can include any appropriate security protocol(s). For example the secure connection can include secure sockets layer (SSL) and 2048 bit RSA encryption. The request for a secure connection 351 may be automatically initiated by the client device 105 when the client application is deployed, or by the authentication server 103 in response to a request for an authentication session from the client device 105 following deployment of the client application. The secure connection between the authentication server 103 and the client device 105 is maintained for the duration of the client authentication session.
15 Acceptance of Terms and Conditions (Block 303) [0080] The method 300 includes receiving acceptance of the Terms and Conditions from the client 115 at block 303. [0081] At block 355, the client device 105 checks that the Terms and Conditions associated with the remote client authentication session are up-to-date. This can include checking, over the communications network 107, 109, with the authentication server 103. If not, the authentication server 103 can send an updated Terms and Conditions to the client device 105. [0082] Alternatively, the Terms and Conditions are automatically sent from the authentication server 103 to the client device 105 in response to the deployment of the client application. In yet another alternative, the client device 105 may check whether the Terms and Conditions are up-to-date by checking if the client application itself is the latest version, whether by checking with the client authentication server 103 or with a third party (such as an application store such as the App Store for iOS or Play Store for Android). [0083] Once the up-to-date Terms and Conditions are confirmed, the Terms and Conditions 405 are displayed to the client 115 on the user interface 116 as shown in Fig. 5. This allows the client 115 to read the Terms and Conditions, and if in agreement, accept the Terms and Conditions. Once the Terms and Conditions 405 are accepted, confirmation of acceptance is sent by the client device 105, over the communications network, to the authentication server 103 at block 357. [0084] Upon receiving confirmation of acceptance of the Terms and Conditions, the authentication server 103 proceeds to allocate memory in the datastore 123 for storing session details. The allocation includes memory for client information, location data of the client device, and other session details discussed below. For example, the allocation of memory may include creating appropriate records in databases of a database management system (DBMS) stored on the datastore 123, where the DBMS 16 stores and manages all storage requirements of the authentication methods described here. Generate activation code and authentication challenge (Block 305) [0085] A prompt 410 on the user interface 116 is provided for the client 115 to enter the client's mobile phone number to the client device 105, as shown in Fig. 6. Once the mobile phone number is entered to the client device 105, the mobile number is sent to the authentication server 103 at block 359. [0086] The authentication server 103 stores the mobile phone number in the datastore 123 as part of the client information. [0087] In response to receiving the mobile phone number, an activation engine generates two codes: an activation code; and an authentication challenge (or a component of an authentication challenge) as provided at block 305. [0088] In one embodiment, the activation engine is part of the server application of the authentication server. In another embodiment, the activation engine may be part of a separate system that has a secure connection with the authentication server 103, whereby the activation code and authentication challenge is provided from the activation engine to the authentication server 103. [0089] The activation code is then sent, via short message service (SMS) communication protocol to the mobile phone number. The client, assuming the mobile phone number is active, will then receive the activation code on their mobile communication device (mobile phone) 117. [0090] Meanwhile, at the client device 105, a notification 415 appears on the user interface 116 that an activation code (activation key) has been sent by SMS to the mobile device 117 as shown in Fig. 7.
17 Confirm active mobile phone number with activation code (Block 307) [0091] The next step is to confirm the mobile phone 117 is active at block 307. A prompt 420 on the user interface 116 requests the client 115 to enter the activation code at the client device 105 as shown in Fig. 8. [0092] The activation code response entered into the client device 105 is sent, over the communications network 107, 109, to the authentication server 103 for confirmation in block 361. If the response activation code matches the activation code at the authentication server 103, the method continues to the next step. [0093] If the activation code response does not match, the authentication server 103 may terminate the client authentication session. Alternatively, error handling can be initiated, which may include providing a request through the user interface 116 to re enter the activation code. Receive and confirm information of identity documents (Block 309) [0094] The next step is to receive information from identity documents of the client 115 at block 309. [0095] As shown in Fig. 9, the client 115 is provided with a list 425 of suitable identity documents. This list may include a "points system", whereby each type of identity document is provided with a corresponding number of points. The allocated points may be a score for the identity documents based on their value for identification purposes. Thus the client may be required to show identification to satisfy at least a minimum number of points. The number of points may depend on the requirements of the organisation to be satisfied sufficient identity documents have been provided and/or satisfy regulatory requirements for identification.
18 [0096] As an example, the organisation may set a minimum number of points required as two hundred. Referring to Fig. 9, the user interface 116 provides a list 425 of documents types including: * Australian Driver Licence: one hundred points * International Driver Licence: one hundred points * Australian Passport: one hundred points * International Passport: one hundred points. Therefore the client 115 would need to provide at least two documents (of one hundred points each) to cumulatively satisfy the minimum two hundred point requirement. [0097] Before receiving information from the identity document, the client 115 is prompted to select the type of identity document from the list 425 as shown in Fig. 9. [0098] The next step is to receive information of the identity document that is provided by the client. This may include photographing, scanning or uploading an image of the identification document. In the illustrated embodiment, this includes capturing a photograph of the identification document (being a Driver Licence) with an imaging device, such as a camera, of the client device 105 as shown in Fig. 10. [0099] When capturing the image of the identity document a preview window 430 and a preview 435 is provided to assist orientation and size of the image to be captured. The preview window 430 may be configured to match the type of document selected. For example, an international passport may have a different shape and/or size of the preview window 430 compared to one suitable for a Driver Licence. [0100] Captured information of the identity document, known as information representing the identity document, is then sent, over the communications network 107, 19 109 to the authentication server in block 363. In one embodiment, the authentication server 103 stores in the datastore 123 the information representing the identity document which forms part of the client authentication data. [0101] The information representing the identity document may be in different forms. In one form, the information representing the identity document is an image file format, such as a bitmap (bmp), joint photographic experts group (JPEG), portable network graphics (PNG), etc. In another form, the information representing the identity document may be in a document file format, such as Microsoft Word (DOC), portable document format (PDF), etc. In another embodiment, the client device 105 may include optical character recognition (OCR) to identify text in the image of the identification document. The text identified from the image of the identification may form at least part of the information representing the identity document sent by the client device 105 and received by the authentication server 103. [0102] After receiving the information representing the identity document, the relevant personal information of the client may be extracted. The extracted personal information could include, the name(s), date of birth, address, licence number, identity document number, expiration date of the identity document, etc. In one embodiment, the authentication server 103 extracts the personal information from the information representing the identity document. In an alternative embodiment, the personal information may be extracted from the information representing the identity document at the client device 105. [0103] The personal information is provided to the user interface 116 for confirmation by the client 115 as illustrated in Fig. 11. An image 440 of the identity document is displayed for reference to the client 115. The extracted personal information 445 is displayed for the client 115 to review. The client 115 is provided an opportunity to edit these details by selecting the edit icons 450 next to the personal information 445 to be edited. Once the client 115 is satisfied the personal information 445 is correct, the personal information 445 is confirmed by selecting the continue icon 455.
20 [0104] The confirmed personal information 445 is sent, over the communications network 107, 109, to the authentication server 103 in block 365. The authorisation server 103 in turn stores the confirmed personal information in the datastore 123. [0105] The method 300 may include capturing information from additional identity documents as required. Figs. 12 and 13 illustrate the user interface 116 of the client device 105 capturing an image of another identification document and confirmation of the personal information of that document. Send the authentication challenge client device (Block 311) [0106] The next step is to send the authentication challenge to the client device at block 311. The authentication server 103, having the authentication challenge (or a component of the authentication challenge) previously generated by the authentication engine, sends the authentication challenge to the client device 105. In one embodiment the authentication challenge is received by the client device 105 in block 367. The client device 105 in turn provides the authentication challenge to the client 115 on the user interface 116 in block 369. [0107] An example of providing the authentication challenge on the user interface 116 is shown in Fig. 14. A text box 460 is provided which includes instructions 465 to the client 115 and the authentication challenge 470. In this embodiment the instructions 465 include: requesting the client to activate the camera by interacting with camera icon 475; and to read aloud the authentication challenge. A preview image 490 from a camera of the client device 105 assists the client to direct the camera at the client's face. [0108] The authentication challenge 470, in this embodiment includes two components. The first component 480 includes personal information of the client which in this case is the name of the client 115. The personal information may have been extracted from the information representing the identity document, or alternatively, personal information that was otherwise provided by the client. The 21 second component 485 includes a random text, in this case the number "101888", that was generated by the activation engine. Receive an audiovisual authentication response (Block 313) [0109] The next step is for the authentication server 103 to receive the audiovisual authentication response at block 313. The camera of the client device 105 records audio and video (the "recorded video") of the client 115 reading aloud the authentication challenge 470 which becomes the audiovisual authentication response representative of the client verbalising the authentication challenge. The client 115 is provided with an opportunity to review the recorded video by interacting with the play or review icons 495 as shown in Fig. 15. The recorded video 500 is then played on the user interface 116 back to the client 115. If the client 115 is satisfied, the recorded video, being the audiovisual authentication response, is submitted by interacting with the continue icon 505. [0110] The recorded video is then sent from the client device 105, over the communications network 107, 109, to the authentication server 103 in block 371. The audiovisual authentication response, which is part of the client authentication data, is then stored in the datastore 123 for later use. Finalise client authentication session with client device (Block 315) [0111] At block 315, client authentication session between the authentication server 103 and the client device 105 is finalised. Referring to Fig. 16 a prompt 510 on the user interface 116 is provided to request the client 115 to enter their email address. The email address is received on the client device 105 and sent, over the communications network 107, 109, to the authentication server 103 at block 373. The authentication server 103 in turn saves the email address, as part of the client information, in the datastore 123.
22 [0112] A notification 515 is provided on the user interface 116 to inform the client 115 that the client authentication session is complete on the client device 105 side as shown in Fig. 17. The secure connection between the authentication server 103 and the client device 105 is then disconnected in blocks 315 and 375. [0113] Before the final notification 515 and disconnection of the secure connection, the method 300 may include a validation step. In one embodiment, the personal information extracted from the identity documents is validated against a database of client information (such as through a document verification service within the organisation or provided by a third party). Validation may include comparing the personal information, or information representing the identity document, with a record in a database of known client information. A notification is provided on the user interface 116 to inform the client 115 of the result of the validation. Determine session time period (Block 317) [0114] At block 317, the authentication server 103 determines a session time period that includes at least the time between sending the authentication challenge at block 220, 311 and receiving the audiovisual authentication response at block 250, 313. The session time period may be used to provide an indication of the time that a user at the client device 115 took to capture the audiovisual authentication response after the authentication challenge was sent to the client device 115. An indication of a short session time period suggests a smaller risk of a fraudulent audiovisual authentication response been created. Conversely, if the session time period was longer, there is an increased risk that the audiovisual authentication response could be fraudulent as a fraudulent user would have more time to create a fictitious audiovisual authentication response. [0115] The session time period is saved in the datastore 123 and associated with the client authentication session with the client 115. This can then be part of the session details provided to the organisation described below. The session time period may also be given an indicator or score that is indicative of the session time period being in a 23 time period that is less than a predetermined time period, or within predetermined time period parameters. [0116] In one alternative embodiment, the authentication server 103 determines the session time period during the client authentication session with the client device 105. This may include the authentication server 103, or the client device 105, starting a clock when the secure connection is initiated at block 301, and the subsequent monitoring (or determining) of the session time period. If the session time period reaches, and/or exceeds a predetermined time period before the session is finalised with the client device at block 315 the client authentication session is terminated. Alternatively, an indicator that the session time period reached or exceeded the predetermined time period is recorded with the session information. In one embodiment, one or more messages are provided to the user interface 116 of the client device 105 to inform the client 115 that the session time period has exceeded the allowable predetermined time. In a further embodiment, one or more messages are provided to the user interface 116 to inform the client 115 of the session time period, and/or warn of the session time period approaching the allowable predetermined period of time. In yet another embodiment, a message is provided to the user interface 116 to confirm that the session time period is less than the predetermined time period. In one embodiment, the predetermined time period is fifteen minutes. [0117] It is to be appreciated a determination of the session time period may be adjusted to determine the time period between particular steps in the method 300. For example, the determination of the session time period may, in one embodiment, be determination of the session time period between sending the authentication challenge to a user interface at block 311 and receiving, at the authentication server, the audiovisual authentication response at block 313. [0118] An advantage of one embodiment of this method is increased certainty that the person making the request for remote client authentication, presenting the client identity document, and responding to the authentication challenge is the same person. Another advantage of an embodiment of this method is to allow confirmation that 24 receiving information of the identity documents and receiving the audiovisual response to the authentication challenge was in a controlled timeframe. Determine a location security indicator (Block 319) [0119] The method 300 also includes comparing the location of the audiovisual authentication response of the client (which in one embodiment is corresponds with the location of the client device), and the location of the client device 105 in one or more of the other steps. The steps, of the client device 105, where location data of the client device 105 is sent to the authentication server 103 may include: * Confirmation of acceptance of the Terms and Conditions at block 355; * Providing the active mobile phone number at the client device 105 at block 359; * Confirmation of the active mobile number when entering the activation code at the client device at block 361; * At the beginning of the process of receiving information of the identity documents at block 363, such as when the user interface 116 displays a list of appropriate identity documents as shown at Fig. 9; * At the end of the process of receiving information of the identity documents, such as during confirmation by the client that the extracted personal information is correct at block 365 and as shown at Fig. 10; * Receiving the authentication challenge at block 367; * Sending the audiovisual authentication response at block 371; and * Sending the email address of the client 115 at block 373.
25 [0120] The location data may include latitude and longitude coordinates provided by a GPS (global positioning system) receiver at the client device 105. Alternatively, or in addition, the location data may include information derived from Wi-Fi information detected at the client device 105. In another embodiment the location data may include the IP (internet protocol) address of the client device. [0121] At block 319, the authentication server 103, that has received the location data at the plurality of steps, determines a maximum deviation between the corresponding locations. The authentication server 103 then determines a location security indicator that is indicative of the result of a comparison between the maximum deviations with a predetermined location deviation. The location security indicator is saved in the datastore 123 to form part of the session details associated with the client. [0122] In one form, the location security indicator can be used to generate warnings, or reject the client authentication data if the location of the client device 105 compared to the location capturing the audiovisual authentication response of the client is outside the predetermined location deviation. A relatively small maximum deviation is indicative that the user operating the client device 105 (at various steps described above) is at, or close to the same location as the person providing the authentication response. Conversely, a relatively large maximum deviation is indicative that the client device 105 has significantly moved during performance of the steps above, and or, one or more of the steps were performed by a device other than the same client device 105. This may be a security risk, and therefore it may be desirable to flag/warn or exclude client authentication data where the associated location security indicator indicates a maximum deviation that is greater than an allowable predetermined location deviation. Thus the method may include using the location security indicator to reject submission of client authentication data and/or terminate the client authentication session if it is determined they steps were performed by more than one client device 105. [0123] It is to be appreciated that the location security indicator at block 319 may be determined continuously by the authentication servers during the method 300. If the location security indicator indicates a maximum deviation greater than the allowable 26 predetermined deviation, a message may be sent to the user interface 116 to inform the client 115. An error handling process may also be included. [0124] In one embodiment, the predetermined location deviation is one hundred metres. Providing session details to an organisation (Block 321) [0125] At block 321 the session details are provided to the organisation who may wish to further scrutinise the client authentication data to authenticate the client. The session details in the datastore 123 may be accessed by the organisation through the authentication server 103. Alternatively, the information may be sent over a communications network to another location for review. In the example of a bank as the organisation, the session details may be provided to the bank manager, credit manager, and credit teams for review before approval of a loan application. [0126] An example of the session information provided to the organisation is shown in Fig. 18. A summary 600 of information received, including client authentication data, from the client authentication session is provided to the organisation. The information includes: * The audiovisual authentication response 601; * The authentication challenge 460 (or parts thereof), including the first component 480 and the second component 485. * The location data 601 of the audiovisual authentication response when it was recorded by the client device 105; * The date when the audiovisual authentication response was received; * An image of the identification document 605; 27 * The extracted personal information 445 from the identification document; * The location data 607 of the client device 105 when the camera of the client device 105 captured the image of the identification document 605. * The date 609 when the client device 105 received the information of the identity documents and/or confirmation of the personal information related to the identity documents. * Client information 611, including the name 613, address 615, mobile phone number 617, email address 619 and date of birth 621. * The type 623 of identification document used; * Reference number 625; and * The date 627 that the information is current for and/or last updated. [0127] The summary 600 may be used by a representative of the organisation to review the application. The representative may use the audiovisual authentication response to satisfy the representative that the person making the request for remote client authentication is the person identified as the client in the identity documents. Variations of the authentication challenge [0128] The authentication challenge 470 in the above described embodiment includes two components. It is to be appreciated that the authentication challenge 470 can, in other embodiments, include variations and other forms. For example, in one embodiment the authentication challenge includes a random text generated by the activation engine, and does not include personal information. In another example, the authentication challenge 470 includes pseudorandom text provided by a pseudorandom generator. In yet another example, the activation engine may provide the 28 authentication challenge 470 that is a reference number for the client authentication session, a client number, or an application number. This number may be provided serially (e.g. consecutively numbered from previous authentication sessions), or based in part on other variables such as, date, time, personal information of the client, etc. It is desirable to have an authentication challenge that, as a whole, is not easily predictable to a fraudulent user before the authentication challenge is sent by the authentication server 103 to the client device 105. This prevents a fraudulent user from being able to pre-prepare a fraudulent audiovisual authentication response. [0129] In another embodiment, the authentication challenge 470 is not limited to text. For example, the authentication challenge 470 may include an image, with accompanying instructions 465 for the client 115 to describe. For example, the image may include an image of a dog, and the accompanying instructions to describe the type of animal shown on the user interface. To decrease the likelihood of a fraudulent user predicting the authentication challenge, the image provided by the activation engine is one of a large plurality of images available in a datastore. [0130] In yet another embodiment the user interface 116 may present the authentication 470 as audibly. For example, the user interface 116 may, with a text-to speech module and speaker, request the user 115 to verbalise the response. This may be useful for clients that have visual impairments, are illiterate, or where English is not the user's primary language. Variation of authentication server - cloud based server [0131] In one embodiment the authentication server may be a cloud based server. Variation - Facial recognition [0132] In one embodiment the authentication server 103 may utilise facial recognition technology, performed by the authentication server, to compare the visual features of the person in the audiovisual authentication response with visual features of the 29 purported client 115. This may include comparison with a photograph of the client in the identity documents provided at block 363. Alternatively, it may include comparison with known facial features of a client from a database. Variation - Voice recognition [0133] In another embodiment the authentication server 103 may utilise voice recognition technology, performed by the authentication server, to compare the vocal features of the person in the audiovisual authentication response with vocal features of the purported client 115. This includes comparison with known vocal features of a client from a database. Variation - Signature recognition [0134] In another embodiment, the client 115 may be required to provide a signature on the client device 115. For example, this may include using a touch screen user interface 116 to provide the signature. The user device 105 can send the signature, over the communications network 107, 109, to the authentication server 103. The authentication server 103, using signature recognition technology, compares the signature sent from the user device 105 with a signature provided in one or more of the identity documents provided at block 363. Alternatively, the comparison may be performed with a known signature of the client from a database. [0135] It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the present disclosure. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

Claims (25)

1. A computer-implemented method performed by an authentication server for remotely receiving client authentication data over a communications network, the method comprising: (a) receiving, over the communications network, a request from a client device to initiate a client authentication session for remote authentication of a client; (b) in response to the request, sending, over the communications network, an authentication challenge to the client device; (c) receiving, over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client.
2. The computer implemented method according to claim 1 further comprising: determining whether the audiovisual authentication response was received during a predetermined time period of the client authentication session.
3. The computer implemented method according to claim 2, wherein the step of determining whether the audiovisual authentication response was received during a predetermined time period is based on a time associated with step (c) and at least one of the preceding steps.
4. The computer-implemented method according to either claim 2 or 3 comprises: determining a session time period that begins in one of the steps preceding step (c) and ends at or after step (c); and 31 comparing the session time period with the predetermined time period.
5. The computer-implemented method according to any one of claims 2 to 4, further comprising: associating a time security flag with the client authorisation data, the time security flag indicative of a result of determining whether the audiovisual authentication response was received during the predetermined time period.
6. The computer-implemented method according to any one of claims 2 to 5, further comprising: sending, over the communications network, an indication to the client device of a result of determining whether the audiovisual authentication response was received during the predetermined time period.
7. The computer-implemented method according to claim 6, wherein if the indication is that the session time period is outside the prescribed time period, the method further comprises: terminating the client authentication session.
8. The computer-implemented method according to any one of the preceding claims, wherein the method further comprises: storing in a datastore the client authentication data including: - the authentication challenge; and - the audiovisual authentication response.
9. The computer-implemented method according to any one of the preceding claims, wherein the method further comprises: 32 - storing, in a datastore the client authentication data and a time associated with step (c) and at least one of the preceding steps.
10. The computer-implemented method according to any one of the preceding claims, wherein after step (a) and before step (b) the method comprises: - initiating a secure connection, over the communications network, between the authentication server and a client device.
11. The computer-implemented method according to any one of the preceding claims further comprising: - sending, via short message service communication protocol, an activation code addressed to a mobile phone number of the client; - receiving, over the communications network, a response activation code from the client device, - determining whether the response activation code corresponds with the activation code.
12. The computer-implemented method any one of the preceding claims, further comprising: - receiving, over the communications network, information representing an identity document of a client captured from an imaging device associated with the client device, wherein the information representing an identity document forms at least part of the client authentication data for authenticating the client.
13. The computer-implemented method according to claim 12, the method further comprises: 33 - extracting, from the information representing an identity document of the client captured from the imaging device, personal information of the client; - sending, over the communications network, to the client device the extracted personal information for confirmation as correct or editing by the client; and - receiving, over the communications network, edited personal information or an indication that the extracted personal information is confirmed as correct.
14. The computer-implemented method according to claim 12, wherein the information representing an identity document received from the client device includes personal information of the client extracted from an image of the identity document by the client device.
15. The computer-implemented method according to claim any one of the preceding claims, further comprising: - receiving, over the communications network, location data of the audiovisual authentication response of the client verbalising the authentication challenge at the client device, and location data of the client device in at least one of the preceding steps.
16. The computer implemented method according to claim 15, further comprising: - determining a maximum deviation between two or more of the received location data of the client device; and - determining a location security indicator associated with the client authentication data indicative of a result of a comparison between the maximum deviation of the location data with a predetermined location deviation.
17. The computer-implemented method according to any one of the preceding claims, further comprising: 34 - sending, over a communications network, to a third party one or more of the following: - the client authentication data associated with the client; - the personal information of the client; - the email address of the client; - the mobile number of the client; - the time associated with the client authentication data; - the session time period; - the indication of the result of determining whether the audiovisual authentication response was received during the predetermined time period; - a time; - one or more time stamps; - the location security indicator associated with the client authentication data; and - one or more of the location data.
18. The computer-implemented method according to any one of the preceding claims wherein the authentication challenge comprises: - a personal information component; and - a random and/or pseudo-random component. 35
19. The computer-implemented method according to any one of the preceding claims, wherein the audiovisual authentication response of the client is recorded by the client device.
20. Computer program comprising machine-executable instructions to cause a processing device to implement the method according to any one of the preceding claims.
21. A computer system for remotely receiving client authentication data over a communications network, the computer system comprises a first processing device to: (a) receive, over the communications network, a request from a second processing device of a client device to initiate a client authentication session for remote authentication of a client; (b) in response to the request, send, over the communications network, an authentication challenge to the client device; and (c) receive, from the second processing device over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client.
22. A computer-implemented method performed by a client device for remotely sending client authentication data, over a communications network, during a remote authentication session, the method comprising: (a) sending, over the communication network, a request to initiate a client authentication session for remote authentication; 36 (b) receiving, over the communications network, an authentication challenge from an authentication server and providing, on a user interface of the client device, the authentication challenge to a client; and (c) sending, over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client.
23. A computer-implemented method according to claim 22 further comprising: - sending, over the communications network, location data of the audiovisual authentication response of the client verbalising the authentication challenge at the client device.
24. Computer program comprising machine-executable instructions to cause a processing device to implement the method according to claim 22 or 23.
25. A client device for remotely sending client authentication data, over a communications network, during a remote authentication session, the client device comprises a second processing device to: (a) receive, over the communications network, an authentication challenge from a first processing device of an authentication server; (b) provide, on a user interface of the client device, the authentication challenge to a client; and (c) send, to the first processing device over the communications network, an audiovisual authentication response representative of the client verbalising the authentication challenge at the client device, wherein the audiovisual authentication response of the client forms at least part of the client authentication data for authenticating the client.
AU2014256361A 2014-10-29 2014-10-29 Client authentication Abandoned AU2014256361A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2014256361A AU2014256361A1 (en) 2014-10-29 2014-10-29 Client authentication
PCT/AU2015/050667 WO2016065413A1 (en) 2014-10-29 2015-10-27 Client authentication
AU2015337794A AU2015337794A1 (en) 2014-10-29 2015-10-27 Client authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2014256361A AU2014256361A1 (en) 2014-10-29 2014-10-29 Client authentication

Publications (1)

Publication Number Publication Date
AU2014256361A1 true AU2014256361A1 (en) 2016-05-19

Family

ID=55856274

Family Applications (2)

Application Number Title Priority Date Filing Date
AU2014256361A Abandoned AU2014256361A1 (en) 2014-10-29 2014-10-29 Client authentication
AU2015337794A Abandoned AU2015337794A1 (en) 2014-10-29 2015-10-27 Client authentication

Family Applications After (1)

Application Number Title Priority Date Filing Date
AU2015337794A Abandoned AU2015337794A1 (en) 2014-10-29 2015-10-27 Client authentication

Country Status (2)

Country Link
AU (2) AU2014256361A1 (en)
WO (1) WO2016065413A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111771198A (en) * 2017-12-21 2020-10-13 尤尔实验室有限公司 Evaporator control

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6819219B1 (en) * 2000-10-13 2004-11-16 International Business Machines Corporation Method for biometric-based authentication in wireless communication for access control
EP1962280A1 (en) * 2006-03-08 2008-08-27 BIOMETRY.com AG Method and network-based biometric system for biometric authentication of an end user
EP2515497B1 (en) * 2011-04-18 2018-07-04 Werner Blessing Method for performing authentication in a distributed authentication system and authentication system
CN103973441B (en) * 2013-01-29 2016-03-09 腾讯科技(深圳)有限公司 Based on user authen method and the device of audio frequency and video
US10270748B2 (en) * 2013-03-22 2019-04-23 Nok Nok Labs, Inc. Advanced authentication techniques and applications

Also Published As

Publication number Publication date
AU2015337794A1 (en) 2017-06-15
WO2016065413A1 (en) 2016-05-06

Similar Documents

Publication Publication Date Title
US11709823B2 (en) Real time visual validation of digital content using a distributed ledger
US11240234B2 (en) Methods and systems for providing online verification and security
US10867293B2 (en) Image recognition-based payment requests
WO2019178914A1 (en) Fraud detection and risk assessment method, system, device, and storage medium
US20200211031A1 (en) System and method for automated processing of applications
CN105516198A (en) Identity verification systems and methods
CN106600294B (en) Method and system for rapidly identifying enterprise identity in financial field
US11665153B2 (en) Voice biometric authentication in a virtual assistant
CN113873088B (en) Interactive method and device for voice call, computer equipment and storage medium
AU2015337794A1 (en) Client authentication
CN107566422B (en) Third-party user verification method
CN113343211B (en) Data processing method, processing system, electronic device and storage medium
US20210112057A1 (en) Multi-party document validation
CN112367314B (en) Identity authentication method, device, computing equipment and medium
US10454914B2 (en) System and method for verifying user supplied items asserted about the user for searching
US11582044B2 (en) Systems and methods to timestamp and authenticate digital documents using a secure ledger
CN115022030B (en) Bank business handling request processing method and device based on blockchain
US20230318835A1 (en) Secure Authentication of Electronic Documents Via A Distributed System
KR102352959B1 (en) Method and server for management of identity number
CN114511941A (en) Anti-cheating sign-in method, apparatus, device, medium and program product
CN110738159A (en) Online shareholder guild method and device for changing actual control persons of enterprises
CN115689811A (en) Block chain-based electronic will advice generation method, asset inheritance method and system
JP2022116848A (en) Credit card application processing system and credit card application receiving method
CN113393318A (en) Bank card application wind control method and device, electronic equipment and medium
CN117808299A (en) Service handling method, device, equipment and medium

Legal Events

Date Code Title Description
MK1 Application lapsed section 142(2)(a) - no request for examination in relevant period